From f2956cf42f04c7d6dcd5379b00ee779434a27d44 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 30 Sep 2016 10:34:22 +0200 Subject: [PATCH 001/259] ddns: Import patches for schokokeks.org support. Signed-off-by: Stefan Schantl --- lfs/ddns | 3 + ...dns-0001-New-provider-Schokokeks.org.patch | 47 ++++++++++++++++ ...okokeks.org-Fix-malformed-update-URL.patch | 55 +++++++++++++++++++ 3 files changed, 105 insertions(+) create mode 100644 src/patches/ddns-0001-New-provider-Schokokeks.org.patch create mode 100644 src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch diff --git a/lfs/ddns b/lfs/ddns index 422f8e3b4..3d7efa591 100644 --- a/lfs/ddns +++ b/lfs/ddns @@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ddns-0001-New-provider-Schokokeks.org.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch + cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh cd $(DIR_APP) && ./configure \ --prefix=/usr \ diff --git a/src/patches/ddns-0001-New-provider-Schokokeks.org.patch b/src/patches/ddns-0001-New-provider-Schokokeks.org.patch new file mode 100644 index 000000000..be123a523 --- /dev/null +++ b/src/patches/ddns-0001-New-provider-Schokokeks.org.patch 
@@ -0,0 +1,47 @@ +From 521c9d90f4e879ef3d9e1590f29e27990011ae46 Mon Sep 17 00:00:00 2001 +From: Steffen Peters +Date: Mon, 4 Jul 2016 22:14:10 +0200 +Subject: [PATCH 185/185] New provider: Schokokeks.org + +Signed-off-by: Steffen Peters +Signed-off-by: Stefan Schantl +--- + README | 1 + + src/ddns/providers.py | 12 ++++++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/README b/README +index d8027a4..cedbf21 100644 +--- a/README ++++ b/README +@@ -75,6 +75,7 @@ SUPPORTED PROVIDERS: + opendns.com + ovh.com + regfish.com ++ schokokeks.org + selfhost.de + spdns.org + strato.com +diff --git a/src/ddns/providers.py b/src/ddns/providers.py +index 6b25cb6..c482dad 100644 +--- a/src/ddns/providers.py ++++ b/src/ddns/providers.py +@@ -1687,3 +1687,15 @@ class DDNSProviderZZZZ(DDNSProvider): + + # If we got here, some other update error happened. + raise DDNSUpdateError ++ ++class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider): ++ handle = "schokokeks.org" ++ name = "Schokokeks" ++ website = "http://www.schokokeks.org/" ++ protocols = ("ipv4",) ++ ++ # Information about the format of the request is to be found ++ # https://wiki.schokokeks.org/DynDNS ++ ++ url = "https://dyndns.schokokeks.org/nic/update?myip=" ++ +-- +2.7.4 + diff --git a/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch b/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch new file mode 100644 index 000000000..e00dcf6b8 --- /dev/null +++ b/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch 
@@ -0,0 +1,55 @@ +From f77e6bc92825d65e881d5dc7fc443139278c0d5f Mon Sep 17 00:00:00 2001 +From: Stefan Schantl +Date: Fri, 28 Oct 2016 12:35:20 +0200 +Subject: [PATCH 3/3] Schockokeks.org: Fix malformed update URL. + +* Move Provider Class into correct alphabetical order. + +Signed-off-by: Stefan Schantl +Reviewed-by: Michael Tremer +Signed-off-by: Stefan Schantl +--- + src/ddns/providers.py | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/src/ddns/providers.py b/src/ddns/providers.py +index c482dad..2c30d42 100644 +--- a/src/ddns/providers.py ++++ b/src/ddns/providers.py +@@ -1424,6 +1424,17 @@ class DDNSProviderRegfish(DDNSProvider): + raise DDNSUpdateError + + ++class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider): ++ handle = "schokokeks.org" ++ name = "Schokokeks" ++ website = "http://www.schokokeks.org/" ++ protocols = ("ipv4",) ++ ++ # Information about the format of the request is to be found ++ # https://wiki.schokokeks.org/DynDNS ++ url = "https://dyndns.schokokeks.org/nic/update" ++ ++ + class DDNSProviderSelfhost(DDNSProtocolDynDNS2, DDNSProvider): + handle = "selfhost.de" + name = "Selfhost.de" +@@ -1687,15 +1698,3 @@ class DDNSProviderZZZZ(DDNSProvider): + + # If we got here, some other update error happened. + raise DDNSUpdateError +- +-class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider): +- handle = "schokokeks.org" +- name = "Schokokeks" +- website = "http://www.schokokeks.org/" +- protocols = ("ipv4",) +- +- # Information about the format of the request is to be found +- # https://wiki.schokokeks.org/DynDNS +- +- url = "https://dyndns.schokokeks.org/nic/update?myip=" +- +-- +2.7.4 + From 197033fab234d4698b097fdb1b653b8ae39b1aae Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 28 Oct 2016 15:35:53 +0200 Subject: [PATCH 002/259] Add DDNS to core 107. 
Signed-off-by: Stefan Schantl --- config/rootfiles/core/107/filelists/ddns | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/107/filelists/ddns diff --git a/config/rootfiles/core/107/filelists/ddns b/config/rootfiles/core/107/filelists/ddns new file mode 120000 index 000000000..739516420 --- /dev/null +++ b/config/rootfiles/core/107/filelists/ddns @@ -0,0 +1 @@ +../../../common/ddns \ No newline at end of file From 6600eeac49362964f6813c8c106aa68d6afe3d0e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 8 Jun 2017 14:13:24 +0200 Subject: [PATCH 003/259] guardian: Bump package version. During commit d68ead3decfdcc4ca4a1413e33f3c47270799836 the guardian.cgi has been changed, and therefore the package version of guardian needs to be bumped to ship the changed files. Signed-off-by: Stefan Schantl --- lfs/guardian | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lfs/guardian b/lfs/guardian index 2120a08a4..f3001c821 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 13 +PAK_VER = 14 DEPS = "perl-inotify2 perl-Net-IP" From 6d1ebd1d4323984108c2682d84fe07e54f647061 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 27 Jun 2018 19:36:28 +0200 Subject: [PATCH 004/259] guardian.cgi: Remove support for owncloud Owncloud as an addon has been dropped for IPFire. As a result of this, we do not need this code anymore. Fixes #11572. Signed-off-by: Stefan Schantl --- html/cgi-bin/guardian.cgi | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi index e15501ef5..6144aca02 100644 --- a/html/cgi-bin/guardian.cgi +++ b/html/cgi-bin/guardian.cgi 
@@ -52,7 +52,6 @@ my $ignorefile ='/var/ipfire/guardian/guardian.ignore'; # file locations on IPFire systems. my %module_file_locations = ( "HTTPD" => "/var/log/httpd/error_log", - "OWNCLOUD" => "/var/owncloud/data/owncloud.log", "SNORT" => "/var/log/snort/alert", "SSH" => "/var/log/messages", ); @@ -65,11 +64,6 @@ our %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); -# Pakfire meta file for owncloud. -# (File exists when the addon is installed.) -my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud"; - - # File declarations. my $settingsfile = "${General::swroot}/guardian/settings"; my $ignoredfile = "${General::swroot}/guardian/ignored"; @@ -96,11 +90,6 @@ $settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP'; $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log'; $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3'; -# Default settings for owncloud if installed. -if ( -e "$owncloud_meta") { - $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off'; -} - my $errormessage = ''; &Header::showhttpheaders(); @@ -561,17 +550,7 @@ END on / off -END - # Display owncloud checkbox when the addon is installed. - if ( -e "$owncloud_meta" ) { - print"\n"; - print"$Lang::tr{'guardian block owncloud brute-force'}\n"; - print"on /\n"; - print" off\n"; - print"\n"; - } - print <
From b56b67330ce0927af61c38e1d02284154f912dda Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 27 Jun 2018 19:38:41 +0200 Subject: [PATCH 005/259] guardian: Update to 2.0.2 Signed-off-by: Stefan Schantl --- lfs/guardian | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/guardian b/lfs/guardian index f3001c821..45c571d05 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -24,7 +24,7 @@ include Config -VER = 2.0 +VER = 2.0.2 THISAPP = guardian-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 14 +PAK_VER = 15 DEPS = "perl-inotify2 perl-Net-IP" @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 15be3b14a70e21502368deca74903f5c +$(DL_FILE)_MD5 = f83a7ca312cd3cb3ddf79fb33826027d install : $(TARGET) From fbd430172f49cb746975f5543c4e184748537b4e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 2 Dec 2017 15:17:49 +0100 Subject: [PATCH 006/259] ids.cgi: Drop old code for uploading a ruleset Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 9863251e2..e7c00a5eb 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -32,8 +32,6 @@ require "${General::swroot}/header.pl"; sub refreshpage{&Header::openbox( 'Waiting', 1, "" );print "

$Lang::tr{'pagerefresh'}
";&Header::closebox();} -$a = new CGI; - my %color = (); my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); @@ -60,7 +58,6 @@ $snortsettings{'RULES'} = ''; $snortsettings{'OINKCODE'} = ''; $snortsettings{'INSTALLDATE'} = ''; $snortsettings{'FILE'} = ''; -$snortsettings{'UPLOAD'} = ''; &Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -307,7 +304,7 @@ if (!$errormessage) { # INSTALLMD5 is not in the form, so not retrieved by getcgihash &General::readhash("${General::swroot}/snort/settings", \%snortsettings); - if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} || $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) { + if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) { my @df = `/bin/df -B M /var`; foreach my $line (@df) { next if $line =~ m/^Filesystem/; @@ -324,14 +321,6 @@ if (!$errormessage) { sleep(3); $return = `cat /var/tmp/log 2>/dev/null`; - } elsif ( $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) { - my $upload = $a->param("UPLOAD"); - open UPLOADFILE, ">/var/tmp/snortrules.tar.gz"; - binmode $upload; - while ( <$upload> ) { - print UPLOADFILE; - } - close UPLOADFILE; } if ($return =~ "ERROR") { From 422204ff08af8f1932e57bace8125baa149329a7 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 2 Dec 2017 15:24:12 +0100 Subject: [PATCH 007/259] ids.cgi: Use pure perl for directory listing Use pure perl for getting the filelist of available rule files instead of using a sub-shell and unix commands. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index e7c00a5eb..fce3a54bb 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -62,7 +62,8 @@ $snortsettings{'FILE'} = ''; &Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'}); ####################### Added for snort rules control ################################# -my $snortrulepath; # change to "/etc/snort/rules" - maniac + +my $snortrulepath = "/etc/snort/rules"; my @snortconfig; my $restartsnortrequired = 0; my %snortrules; @@ -76,6 +77,29 @@ my $linkedrulefile = ''; my $border = ''; my $checkboxname = ''; +# Grab all available snort rules. +my @rules; + +# Open snort rules directory and do a directory listing. +opendir(DIR, $snortrulepath) or die $!; + # Loop through the direcory. + while (my $file = readdir(DIR)) { + + # We only want files. + next unless (-f "$snortrulepath/$file"); + + # Ignore empty files. + next if (-z "$snortrulepath/$file"); + + # Use a regular expression to find files ending in .conf + next unless ($file =~ m/\.rules$/); + + # Add the file to rulecategories array. + push(@rules, $file); + } + +closedir(DIR); + if (-e "/etc/snort/snort.conf") { @@ -85,13 +109,12 @@ if (-e "/etc/snort/snort.conf") { close(FILE); open(FILE, ">/etc/snort/snort.conf") or die 'Unable to write snort config file.'; - my @rules = `cd /etc/snort/rules/ && ls *.rules 2>/dev/null`; # With this loop the rule might be display with correct rulepath set - foreach (@rules) { - chomp $_; - my $temp = join(";",@snortconfig); + foreach (@rules) { + chomp $_; + my $temp = join(";",@snortconfig); if ( $temp =~ /$_/ ){next;} else { push(@snortconfig,"#include \$RULE_PATH/".$_);} - } + } # Loop over each line foreach my $line (@snortconfig) { From a70d269a9ad8ed8ee14f0d1de6426bf936750a3f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 2 Dec 2017 15:31:19 +0100 Subject: [PATCH 008/259] ids.cgi: Move function to end of file Move the function for doing the page refresh stuff to the end of the file and do some layout changes for better reading the code. 
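Review bot: `opendir(DIR, $snortrulepath) or die $!;` in the `@@ -76,6 +77,29` hunk dies with only the errno text, so a failing CGI run gives the operator no hint which directory could not be read; `opendir(DIR, $snortrulepath) or die "Unable to open $snortrulepath: $!";` keeps the path in the message. The `while` line and its body are indented one level deeper than the surrounding `opendir`/`closedir` lines although they are not inside any block, which reads as if the loop were nested in a conditional; dedent them to match. The comment above the extension check says `.conf` while the regex matches `.rules`; `# Only keep files ending in .rules`. The `-f` and `-z` tests stat the same path twice; `next if (-z _);` reuses the stat buffer from the `-f` test. In the `@@ -85,13 +109,12` hunk the context line `if ( $temp =~ /$_/ )` still interpolates the file name unescaped into a regex (so `.` matches any character); it is pre-existing, but `/\Q$_\E/` would make the match literal.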
Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index fce3a54bb..129f8f2d7 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -30,8 +30,6 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; -sub refreshpage{&Header::openbox( 'Waiting', 1, "" );print "

$Lang::tr{'pagerefresh'}
";&Header::closebox();} - my %color = (); my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); @@ -685,6 +683,12 @@ END &Header::closebigbox(); &Header::closepage(); +sub refreshpage { + &Header::openbox( 'Waiting', 1, "" ); + print "

$Lang::tr{'pagerefresh'}
"; + &Header::closebox(); +} + sub downloadrulesfile { my $peer; my $peerport; From 3da6e01bcf1aefd1e495f64d251d0e39a94a4fdc Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Dec 2017 09:51:46 +0100 Subject: [PATCH 009/259] ids.cgi: Refactor reading-in rule files. Move the code for reading and parsing the snort rule files into an own subfunction. * Drop code for reading in and modifying the snort main config file. * Rework code for parsing and adding the snort rules to the snortrules hash. * Drop code for gathering a description for the rule files, which does not because of a file layout change and sadly there is not suitable description shipped anymore by the snort team. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 234 +++++++++++-------------------------------- 1 file changed, 56 insertions(+), 178 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 129f8f2d7..4ece996aa 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -62,7 +62,6 @@ $snortsettings{'FILE'} = ''; ####################### Added for snort rules control ################################# my $snortrulepath = "/etc/snort/rules"; -my @snortconfig; my $restartsnortrequired = 0; my %snortrules; my $rule = ''; @@ -75,9 +74,8 @@ my $linkedrulefile = ''; my $border = ''; my $checkboxname = ''; -# Grab all available snort rules. -my @rules; - +## Grab all available snort rules and store them in the snortrules hash. +# # Open snort rules directory and do a directory listing. opendir(DIR, $snortrulepath) or die $!; # Loop through the direcory. 
@@ -89,186 +87,19 @@ opendir(DIR, $snortrulepath) or die $!; # Ignore empty files. next if (-z "$snortrulepath/$file"); - # Use a regular expression to find files ending in .conf + # Use a regular expression to find files ending in .rules next unless ($file =~ m/\.rules$/); - # Add the file to rulecategories array. - push(@rules, $file); + # Ignore files which are not read-able. + next unless (-R "$snortrulepath/$file"); + + # Call subfunction to read-in rulefile and add rules to + # the snortrules hash. + &readrulesfile("$file"); } closedir(DIR); -if (-e "/etc/snort/snort.conf") { - - - # Open snort.conf file, read it in, close it, and re-open for writing - open(FILE, "/etc/snort/snort.conf") or die 'Unable to read snort config file.'; - @snortconfig = ; - close(FILE); - open(FILE, ">/etc/snort/snort.conf") or die 'Unable to write snort config file.'; - - foreach (@rules) { - chomp $_; - my $temp = join(";",@snortconfig); - if ( $temp =~ /$_/ ){next;} - else { push(@snortconfig,"#include \$RULE_PATH/".$_);} - } - - # Loop over each line - foreach my $line (@snortconfig) { - # Trim the line - chomp $line; - - # Check for a line with .rules - if ($line =~ /\.rules$/) { - # Parse out rule file name - $rule = $line; - $rule =~ s/\$RULE_PATH\///i; - $rule =~ s/ ?include ?//i; - $rule =~ s/\#//i; - my $snortrulepathrule = "$snortrulepath/$rule"; - - # Open rule file and read in contents - open(RULEFILE, "$snortrulepath/$rule") or die "Unable to read snort rule file for reading => $snortrulepath/$rule."; - my @snortrulefile = ; - close(RULEFILE); - open(RULEFILE, ">$snortrulepath/$rule") or die "Unable to write snort rule file for writing $snortrulepath/$rule"; - - # Local vars - my $dashlinecnt = 0; - my $desclook = 1; - my $snortruledesc = ''; - my %snortruledef = (); - my $rulecnt = 1; - - # Loop over rule file contents - foreach my $ruleline (@snortrulefile) { - chomp $ruleline; - - # If still looking for a description - if ($desclook) { - # If line does not start 
with a # anymore, then done looking for a description - if ($ruleline !~ /^\#/) { - $desclook = 0; - } - - # If see more than one dashed line, (start to) create rule file description - if ($dashlinecnt > 1) { - # Check for a line starting with a # - if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/) { - # Create tempruleline - my $tempruleline = $ruleline; - - # Strip off # and clean up line - $tempruleline =~ s/\# ?//i; - - # Check for part of a description - if ($snortruledesc eq '') { - $snortruledesc = $tempruleline; - } else { - $snortruledesc .= " $tempruleline"; - } - } else { - # Must be done - $desclook = 0; - } - } - - # If have a dashed line, increment count - if ($ruleline =~ /\# ?\-+/) { - $dashlinecnt++; - } - } else { - # Parse out rule file rule's message for display - if ($ruleline =~ /(msg\:\"[^\"]+\";)/) { - my $msg = ''; - $msg = $1; - $msg =~ s/msg\:\"//i; - $msg =~ s/\";//i; - $snortruledef{$rulecnt}{'Description'} = $msg; - - # Check for 'Save' and rule file displayed in query string - if (($snortsettings{'ACTION'} eq $Lang::tr{'update'}) && ($ENV{'QUERY_STRING'} =~ /$rule/i)) { - # Check for a disable rule which is now enabled, or an enabled rule which is now disabled - if ((($ruleline =~ /^\#/) && (exists $snortsettings{"SNORT_RULE_$rule\_$rulecnt"})) || (($ruleline !~ /^\#/) && (!exists $snortsettings{"SNORT_RULE_$rule\_$rulecnt"}))) { - $restartsnortrequired = 1; - } - - # Strip out leading # from rule line - $ruleline =~ s/\# ?//i; - - # Check if it does not exists (which means it is disabled), append a # - if (!exists $snortsettings{"SNORT_RULE_$rule\_$rulecnt"}) { - $ruleline = "#"." 
$ruleline"; - } - } - - # Check if ruleline does not begin with a #, so it is enabled - if ($ruleline !~ /^\#/) { - $snortruledef{$rulecnt++}{'State'} = 'Enabled'; - } else { - # Otherwise it is disabled - $snortruledef{$rulecnt++}{'State'} = 'Disabled'; - } - } - } - - # Print ruleline to RULEFILE - print RULEFILE "$ruleline\n"; - } - - # Close RULEFILE - close(RULEFILE); - - # Check for 'Save' - if ($snortsettings{'ACTION'} eq $Lang::tr{'update'}) { - # Check for a disable rule which is now enabled, or an enabled rule which is now disabled - if ((($line =~ /^\#/) && (exists $snortsettings{"SNORT_RULE_$rule"})) || (($line !~ /^\#/) && (!exists $snortsettings{"SNORT_RULE_$rule"}))) { - $restartsnortrequired = 1; - } - - # Strip out leading # from rule line - $line =~ s/\# ?//i; - - # Check if it does not exists (which means it is disabled), append a # - if (!exists $snortsettings{"SNORT_RULE_$rule"}) { - $line = "# $line"; - } - - } - - # Check for rule state - if ($line =~ /^\#/) { - $snortrules{$rule}{"State"} = "Disabled"; - } else { - $snortrules{$rule}{"State"} = "Enabled"; - } - - # Set rule description - $snortrules{$rule}{"Description"} = $snortruledesc; - - # Loop over sorted rules - foreach my $ruledef (sort {$a <=> $b} keys(%snortruledef)) { - $snortrules{$rule}{"Definition"}{$ruledef}{'Description'} = $snortruledef{$ruledef}{'Description'}; - $snortrules{$rule}{"Definition"}{$ruledef}{'State'} = $snortruledef{$ruledef}{'State'}; - } - - $snortruledesc = ''; - print FILE "$line\n"; - } elsif ($line =~ /var RULE_PATH/) { - ($tmp, $tmp, $snortrulepath) = split(' ', $line); - print FILE "$line\n"; - } else { - print FILE "$line\n"; - } - } - close(FILE); - - if ($restartsnortrequired) { - system('/usr/local/bin/snortctrl restart >/dev/null'); - } -} - ####################### End added for snort rules control ################################# if ($snortsettings{'OINKCODE'} ne "") { 
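Review bot: After this hunk nothing in the file reads or sets `$restartsnortrequired`, `$rule` or `$tmp` any more (they remain declared in the context of the `@@ -62,7 +62,6` hunk), so those declarations are dead and should go with the code that used them. The hunk also removes the entire `$snortsettings{'ACTION'} eq $Lang::tr{'update'}` path that rewrote the rule files and restarted snort, so a 'Save' on the rules page no longer persists anything; the commit message only names the snort.conf handling and the description parsing, so it should state that saving is intentionally dropped pending a rework. The new `next unless (-R "$snortrulepath/$file");` silently skips unreadable rule files; a short comment such as `# Skip files the web server user cannot read; they would make readrulesfile die.` records why. `&readrulesfile("$file")` quotes a plain scalar for no effect; `&readrulesfile($file)` reads cleaner.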
@@ -713,3 +544,50 @@ sub downloadrulesfile { system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); } } + +sub readrulesfile ($) { + my $rulefile = shift; + + # Open rule file and read in contents + open(RULEFILE, "$snortrulepath/$rulefile") or die "Unable to read $rulefile!"; + + # Store file content in an array. + my @lines = ; + + # Close file. + close(RULEFILE); + + # Loop over rule file contents + foreach my $line (@lines) { + # Remove whitespaces. + chomp $line; + + # Skip blank lines. + next if ($line =~ /^\s*$/); + + # Local vars. + my $sid; + my $msg; + + # Gather rule sid and message from the ruleline. + if ($line =~ m/.*msg:\"(.*?)\"\; .* sid:(.*?); /) { + $msg = $1; + $sid = $2; + + # Check if a rule has been found. + if ($sid && $msg) { + # Add rule to the snortrules hash. + $snortrules{$rulefile}{$sid}{'Description'} = $msg; + + # Grab status of the rule. Check if ruleline starts with a "dash". + if ($line =~ /^\#/) { + # If yes, the rule is disabled. + $snortrules{$rulefile}{$sid}{'State'} = "Disabled"; + } else { + # Otherwise the rule is enabled. + $snortrules{$rulefile}{$sid}{'State'} = "Enabled"; + } + } + } + } +} From e3ab140634f8769399b258b8391ec58ec9035c1b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Dec 2017 11:19:42 +0100 Subject: [PATCH 010/259] ids.cgi: Remove comment lines for snort rules control Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 8 -------- 1 file changed, 8 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 4ece996aa..d78bcd20d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -59,8 +59,6 @@ $snortsettings{'FILE'} = ''; &Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'}); -####################### Added for snort rules control ################################# - my $snortrulepath = "/etc/snort/rules"; my $restartsnortrequired = 0; my %snortrules; 
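Review bot: The capture `sid:(.*?);` in `readrulesfile` accepts any text up to the next semicolon, so a malformed or unusual rule line yields a non-numeric `$sid` that becomes a key in `%snortrules` and, downstream, the identifier the page works with; `if ($line =~ m/msg:\"(.*?)\";.*\bsid:\s*(\d+)\s*;/)` pins it to digits and drops the leading greedy `.*`. The comment `# Grab status of the rule. Check if ruleline starts with a "dash".` is wrong, the test is for `#`; `# A leading '#' means the rule is commented out, i.e. disabled.` The `($)` prototype on `sub readrulesfile` is bypassed because the only caller uses `&readrulesfile("$file")`, so it only misleads; drop it. `RULEFILE` is a bareword global filehandle; `open(my $fh, '<', "$snortrulepath/$rulefile")` is lexical and, with three arguments, can never interpret the name as a mode. `chomp` only strips the trailing newline, so `# Remove whitespaces.` overstates it; `# Strip the trailing newline.`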
@@ -100,8 +98,6 @@ opendir(DIR, $snortrulepath) or die $!; closedir(DIR); -####################### End added for snort rules control ################################# - if ($snortsettings{'OINKCODE'} ne "") { $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/); } @@ -208,7 +204,6 @@ $selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'"; &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); -####################### Added for snort rules control ################################# print ""; print < @@ -232,7 +227,6 @@ print < END ; -####################### End added for snort rules control ################################# &Header::openbigbox('100%', 'left', '', $errormessage); @@ -357,7 +351,6 @@ if ($results ne '') { &Header::closebox(); -####################### Added for snort rules control ################################# if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) { &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); # Output display table for rule files @@ -510,7 +503,6 @@ END &Header::closebox(); } -####################### End added for snort rules control ################################# &Header::closebigbox(); &Header::closepage(); From f7fcd1c020f0eaaacf9068182e9f64750ccf7ea7 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Dec 2017 11:44:30 +0100 Subject: [PATCH 011/259] ids.cgi: Always display ruleset Display the rule categories any time and do not hide them if no instance of snort is runing. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 264 +++++++++++++++++++++---------------------- 1 file changed, 131 insertions(+), 133 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index d78bcd20d..ccde15a22 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -351,145 +351,144 @@ if ($results ne '') { &Header::closebox(); -if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); - # Output display table for rule files - print "
"; +&Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); + # Output display table for rule files + print "
"; - print ""; + print ""; - # Local vars - my $ruledisplaycnt = 1; - my $rulecnt = keys %snortrules; - $rulecnt++; - $rulecnt = $rulecnt / 2; + # Local vars + my $ruledisplaycnt = 1; + my $rulecnt = keys %snortrules; + $rulecnt++; + $rulecnt = $rulecnt / 2; - # Loop over each rule file - foreach my $rulefile (sort keys(%snortrules)) { - my $rulechecked = ''; + # Loop over each rule file + foreach my $rulefile (sort keys(%snortrules)) { + my $rulechecked = ''; - # Hide inkompatible Block rules - if ($rulefile =~'-BLOCK.rules') { - next; - } - - # Check if reached half-way through rule file rules to start new column - if ($ruledisplaycnt > $rulecnt) { - print "
"; - $ruledisplaycnt = 0; - } - - # Check if rule file is enabled - if ($snortrules{$rulefile}{"State"} eq 'Enabled') { - $rulechecked = 'CHECKED'; - } - - # Create rule file link, vars array, and display flag - my $rulefilelink = "?RULEFILE=$rulefile"; - my $rulefiletoclose = ''; - my @queryvars = (); - my $displayrulefilerules = 0; - - # Check for passed in query string - if ($ENV{'QUERY_STRING'}) { - # Split out vars - @queryvars = split(/\&/, $ENV{'QUERY_STRING'}); - - # Loop over values - foreach $value (@queryvars) { - # Split out var pairs - ($var, $linkedrulefile) = split(/=/, $value); - - # Check if var is 'RULEFILE' - if ($var eq 'RULEFILE') { - # Check if rulefile equals linkedrulefile - if ($rulefile eq $linkedrulefile) { - # Set display flag - $displayrulefilerules = 1; - - # Strip out rulefile from rulefilelink - $rulefilelink =~ s/RULEFILE=$linkedrulefile//g; - } else { - # Add linked rule file to rulefilelink - $rulefilelink .= "&RULEFILE=$linkedrulefile"; - } - } - } - } - - # Strip out extra & & ? from rulefilelink - $rulefilelink =~ s/^\?\&/\?/i; - - # Check for a single '?' and replace with page for proper link display - if ($rulefilelink eq '?') { - $rulefilelink = "ids.cgi"; - } - - # Output rule file name and checkbox - print ""; - print "
$rulefile
"; - - # Check for empty 'Description' - if ($snortrules{$rulefile}{'Description'} eq '') { - print ""; - } else { - # Output rule file 'Description' - print "
No description available
"; - } - - # Check for display flag - if ($displayrulefilerules) { - # Rule file definition rule display - print ""; + # Hide inkompatible Block rules + if ($rulefile =~'-BLOCK.rules') { + next; } + # Check if reached half-way through rule file rules to start new column + if ($ruledisplaycnt > $rulecnt) { + print "
$snortrules{$rulefile}{'Description'}
"; - - # Local vars - my $ruledefdisplaycnt = 0; - my $ruledefcnt = keys %{$snortrules{$rulefile}{"Definition"}}; - $ruledefcnt++; - $ruledefcnt = $ruledefcnt / 2; - - # Loop over rule file rules - foreach my $ruledef (sort {$a <=> $b} keys(%{$snortrules{$rulefile}{"Definition"}})) { - # Local vars - my $ruledefchecked = ''; - - # If have display 2 rules, start new row - if (($ruledefdisplaycnt % 2) == 0) { - print ""; - $ruledefdisplaycnt = 0; - } - - # Check for rules state - if ($snortrules{$rulefile}{'Definition'}{$ruledef}{'State'} eq 'Enabled') { - $ruledefchecked = 'CHECKED'; - } - - # Create rule file rule's checkbox - $checkboxname = "SNORT_RULE_$rulefile"; - $checkboxname .= "_$ruledef"; - print ""; - - # Increment count - $ruledefdisplaycnt++; - } - - # If do not have second rule for row, create empty cell - if (($ruledefdisplaycnt % 2) != 0) { - print ""; - } - - # Close display table - print "
$snortrules{$rulefile}{'Definition'}{$ruledef}{'Description'}
"; + $ruledisplaycnt = 0; + } + + # Check if rule file is enabled + if ($snortrules{$rulefile}{"State"} eq 'Enabled') { + $rulechecked = 'CHECKED'; + } + + # Create rule file link, vars array, and display flag + my $rulefilelink = "?RULEFILE=$rulefile"; + my $rulefiletoclose = ''; + my @queryvars = (); + my $displayrulefilerules = 0; + + # Check for passed in query string + if ($ENV{'QUERY_STRING'}) { + # Split out vars + @queryvars = split(/\&/, $ENV{'QUERY_STRING'}); + + # Loop over values + foreach $value (@queryvars) { + # Split out var pairs + ($var, $linkedrulefile) = split(/=/, $value); + + # Check if var is 'RULEFILE' + if ($var eq 'RULEFILE') { + # Check if rulefile equals linkedrulefile + if ($rulefile eq $linkedrulefile) { + # Set display flag + $displayrulefilerules = 1; + + # Strip out rulefile from rulefilelink + $rulefilelink =~ s/RULEFILE=$linkedrulefile//g; + } else { + # Add linked rule file to rulefilelink + $rulefilelink .= "&RULEFILE=$linkedrulefile"; + } + } + } + } + + # Strip out extra & & ? from rulefilelink + $rulefilelink =~ s/^\?\&/\?/i; + + # Check for a single '?' and replace with page for proper link display + if ($rulefilelink eq '?') { + $rulefilelink = "ids.cgi"; + } + + # Output rule file name and checkbox + print ""; + print ""; } - print "
$rulefile
"; + + # Check for empty 'Description' + if ($snortrules{$rulefile}{'Description'} eq '') { + print ""; + } else { + # Output rule file 'Description' + print "
No description available
"; + } + + # Check for display flag + if ($displayrulefilerules) { + # Rule file definition rule display + print "
$snortrules{$rulefile}{'Description'}
"; + + # Local vars + my $ruledefdisplaycnt = 0; + my $ruledefcnt = keys %{$snortrules{$rulefile}{"Definition"}}; + $ruledefcnt++; + $ruledefcnt = $ruledefcnt / 2; + + # Loop over rule file rules + foreach my $ruledef (sort {$a <=> $b} keys(%{$snortrules{$rulefile}{"Definition"}})) { + # Local vars + my $ruledefchecked = ''; + + # If have display 2 rules, start new row + if (($ruledefdisplaycnt % 2) == 0) { + print ""; + $ruledefdisplaycnt = 0; + } + + # Check for rules state + if ($snortrules{$rulefile}{'Definition'}{$ruledef}{'State'} eq 'Enabled') { + $ruledefchecked = 'CHECKED'; + } + + # Create rule file rule's checkbox + $checkboxname = "SNORT_RULE_$rulefile"; + $checkboxname .= "_$ruledef"; + print ""; + + # Increment count + $ruledefdisplaycnt++; + } + + # If do not have second rule for row, create empty cell + if (($ruledefdisplaycnt % 2) != 0) { + print ""; + } + # Close display table - print "
$snortrules{$rulefile}{'Definition'}{$ruledef}{'Description'}
"; - - # Increment ruledisplaycnt - $ruledisplaycnt++; + print "
"; - print <"; + + # Increment ruledisplaycnt + $ruledisplaycnt++; + } +print "
"; +print < @@ -500,8 +499,7 @@ if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable END ; - &Header::closebox(); -} +&Header::closebox(); &Header::closebigbox(); &Header::closepage(); From 177266446a3c9a9c63dbd4bd1af032339003ab3d Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 10 Dec 2017 10:07:41 +0100 Subject: [PATCH 012/259] ids.cgi: Rework code for displaying the single rules The complete ruleset will be grouped as categories by it's corresponding rulefile and printed in hidden tables. They easiely can be displayed by klicking on the show link and vice-versa. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 185 +++++++++++++++++-------------------------- 1 file changed, 74 insertions(+), 111 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index ccde15a22..c31280fbd 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -204,7 +204,18 @@ $selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'"; &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); -print ""; +### Java Script ### +print < + // Tiny java script function to show/hide the rules + // of a given category. + function showhide(tblname) { + \$("#" + tblname).toggle(); + } + +END +; + print < - END ; &Header::closebox(); From 0b568bb9650bfe9200d45d7a57b500747e37a73f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 10 Dec 2017 10:36:07 +0100 Subject: [PATCH 013/259] ids.cgi: Drop unused css code Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index c31280fbd..daf9b341b 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -216,29 +216,6 @@ print < - - -END -; - &Header::openbigbox('100%', 'left', '', $errormessage); ############### From 298723b9db481a07056377278a501d4a643c7a93 Mon Sep 17 00:00:00 2001 
From: Stefan Schantl Date: Mon, 11 Dec 2017 08:33:36 +0100 Subject: [PATCH 014/259] ids.cgi: Re-add code to save the ruleset. The manually enabled or disabled rules by the user now will be written to own config files, which will be used by oinkmaster to keep these rules in the same state after a rules update has been performed. In short words, if you adjust your ruleset, the changes will not be lost again if you perform an update of your ruleset. * Grabbing and storing the cgi values now in an own hash (%cgiparams) * Introducing oinkmaster config files for enabled and disabled rules. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 94 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 88 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index daf9b341b..40d4b8887 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -36,6 +36,7 @@ my %mainsettings = (); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); my %snortsettings=(); +my %cgiparams=(); my %checked=(); my %selected=(); my %netsettings=(); @@ -57,7 +58,8 @@ $snortsettings{'OINKCODE'} = ''; $snortsettings{'INSTALLDATE'} = ''; $snortsettings{'FILE'} = ''; -&Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'}); +#Get GUI values +&Header::getcgihash(\%cgiparams); my $snortrulepath = "/etc/snort/rules"; my $restartsnortrequired = 0; 
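Review bot: Redirecting `&Header::getcgihash` into the new `%cgiparams` means `%snortsettings` no longer receives any form values, yet the checks that read them are left untouched: `if ($snortsettings{'OINKCODE'} ne "")` is visible as context in the `@@ -98,6 +100,83` hunk, and the `$snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}` branch introduced earlier in this series is not changed here. Unless a hunk outside this view copies `%cgiparams` into `%snortsettings`, those branches now only ever see the on-disk settings file and the form's download action becomes unreachable. Dropping `{'wantfile' => 1, 'filevar' => 'FH'}` is consistent with the upload removal earlier in the series. The new comment `#Get GUI values` would read better as `# Read the CGI parameters submitted by the form.`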
@@ -98,6 +100,83 @@ opendir(DIR, $snortrulepath) or die $!; closedir(DIR); +# Save ruleset. +if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { + my $enabled_sids_file = "${General::swroot}/snort/oinkmaster-enabled-sids.conf"; + my $disabled_sids_file = "${General::swroot}/snort/oinkmaster-disabled-sids.conf"; + + # Arrays to store sid which should be added to the corresponding files. + my @enabled_sids; + my @disabled_sids; + + # Loop through the hash of snortrules. + foreach my $rulefile(keys %snortrules) { + # Loop through the single rules of the rulefile. + foreach my $sid (keys %{$snortrules{$rulefile}}) { + # Check if there exists a key in the cgiparams hash for this sid. + if (exists($cgiparams{$sid})) { + # Look if the rule is disabled. + if ($snortrules{$rulefile}{$sid}{'State'} eq "off") { + # Check if the state has been set to 'on'. + if ($cgiparams{$sid} eq "on") { + # Add the sid to the enabled_sids array. + push(@enabled_sids, $sid); + + # Drop item from cgiparams hash. + delete $cgiparams{$sid}; + } + } + } else { + # Look if the rule is enabled. + if ($snortrules{$rulefile}{$sid}{'State'} eq "on") { + # Check if the state is 'on' and should be disabled. + # In this case there is no entry + # for the sid in the cgiparams hash. + # Add it to the disabled_sids array. + push(@disabled_sids, $sid); + + # Drop item from cgiparams hash. + delete $cgiparams{$sid}; + } + } + } + } + + # Check if the enabled_sids array contains any sid's. + if (@enabled_sids) { + # Open enabled sid's file for writing. + open(FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n"; + + # Write header to file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Loop through the array of enabled sids and write them to the file. + foreach my $sid (@enabled_sids) { + print FILE "enable_sid $sid\n"; + } + + # Close file after writing. + close(FILE); + } + + # Check if the enabled_sids array contains any sid's. 
+ if (@disabled_sids) { + # Open disabled sid's file for writing. + open(FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n"; + + # Write header to file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Loop through the array of disabled sids and write them to the file. + foreach my $sid (@disabled_sids) { + print FILE "disable_sid $sid\n"; + } + + # Close file after writing. + close(FILE); + } +} + if ($snortsettings{'OINKCODE'} ne "") { $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/); } @@ -340,6 +419,8 @@ if ($results ne '') { &Header::closebox(); &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); + print"
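Review bot: The comment right before `if (@disabled_sids)` still reads `# Check if the enabled_sids array contains any sid's.` — a copy of the one above it; it should say `# Check if the disabled_sids array contains any sid's.`. More importantly, both lists are rewritten in place with a truncating two-argument `open(FILE, ">$file")`, so oinkmaster or a concurrent request can observe an empty or half-written file; write to `"$enabled_sids_file.tmp"` (and likewise for the disabled list) with a three-argument lexical open, `open(my $fh, '>', "$enabled_sids_file.tmp") or die ...`, and `rename` it over the target once the loop has finished. The sids that end up in the files come from the keys of `%snortrules` rather than straight from `%cgiparams`, which is the right way round for a file that oinkmaster later parses.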
\n"; + # Output display table for rule files print "\n"; @@ -352,7 +433,7 @@ if ($results ne '') { my $rulechecked = ''; # Check if rule file is enabled - if ($snortrules{$rulefile}{"State"} eq 'Enabled') { + if ($snortrules{$rulefile}{"State"} eq 'On') { $rulechecked = 'CHECKED'; } @@ -400,7 +481,7 @@ if ($results ne '') { } # Set rule state - if ($snortrules{$rulefile}{$sid}{'State'} eq 'Enabled') { + if ($snortrules{$rulefile}{$sid}{'State'} eq 'on') { $ruledefchecked = 'CHECKED'; } @@ -432,11 +513,12 @@ if ($results ne '') { print < -
+  
+
END ; &Header::closebox(); @@ -512,10 +594,10 @@ sub readrulesfile ($) { # Grab status of the rule. Check if ruleline starts with a "dash". if ($line =~ /^\#/) { # If yes, the rule is disabled. - $snortrules{$rulefile}{$sid}{'State'} = "Disabled"; + $snortrules{$rulefile}{$sid}{'State'} = "off"; } else { # Otherwise the rule is enabled. - $snortrules{$rulefile}{$sid}{'State'} = "Enabled"; + $snortrules{$rulefile}{$sid}{'State'} = "on"; } } } From 0b89daee931885a9c34548009a556299d8adc62a Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 11 Dec 2017 08:46:18 +0100 Subject: [PATCH 015/259] ids.cgi: Code cleanup * Drop a lot of unused variables and code. * Re-ordering some code parts. * Add a lot of comments. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 32 ++++++++++---------------------- 1 file changed, 10 insertions(+), 22 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 40d4b8887..86a469cb2 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -32,22 +32,22 @@ require "${General::swroot}/header.pl"; my %color = (); my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - +my %netsettings = (); my %snortsettings=(); my %cgiparams=(); my %checked=(); my %selected=(); -my %netsettings=(); -our $errormessage = ''; -our $results = ''; -our $tempdir = ''; -our $url=''; + +# Read-in main settings, for language, theme and colors. +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); + +# Get netsettings. &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); &Header::showhttpheaders(); +# Default settings for snort. $snortsettings{'ENABLE_SNORT'} = 'off'; $snortsettings{'ENABLE_SNORT_GREEN'} = 'off'; $snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; @@ -56,7 +56,6 @@ $snortsettings{'ACTION'} = ''; $snortsettings{'RULES'} = ''; $snortsettings{'OINKCODE'} = ''; $snortsettings{'INSTALLDATE'} = ''; -$snortsettings{'FILE'} = ''; #Get GUI values &Header::getcgihash(\%cgiparams); @@ -64,15 +63,8 @@ $snortsettings{'FILE'} = ''; my $snortrulepath = "/etc/snort/rules"; my $restartsnortrequired = 0; my %snortrules; -my $rule = ''; -my $table1colour = ''; -my $table2colour = ''; -my $var = ''; -my $value = ''; -my $tmp = ''; -my $linkedrulefile = ''; -my $border = ''; -my $checkboxname = ''; +my $errormessage; +my $url; ## Grab all available snort rules and store them in the snortrules hash. # 
@@ -412,10 +404,6 @@ print < Date: Mon, 11 Dec 2017 14:22:07 +0100 Subject: [PATCH 016/259] ids.cgi: Re-add code for enable/disable rulefiles The enabled rulefiles (rule categories) now will be added to an own file, which will be included by the snort main config file. This will allow us to update snort and push the new main config file without loosing the activated rulesets anymore. * Introducing snort-used-rulefiles.conf Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 66 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 86a469cb2..accb91983 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -61,6 +61,7 @@ $snortsettings{'INSTALLDATE'} = ''; &Header::getcgihash(\%cgiparams); my $snortrulepath = "/etc/snort/rules"; +my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; my $restartsnortrequired = 0; my %snortrules; my $errormessage; 
@@ -92,6 +93,40 @@ opendir(DIR, $snortrulepath) or die $!; closedir(DIR); +# Gather used rulefiles. +# +# Check if the file for activated rulefiles is not empty. +if(-f $snortusedrulefilesfile) { + # Open the file for used rulefile and read-in content. + open(FILE, $snortusedrulefilesfile) or die "Could not open $snortusedrulefilesfile. $!\n"; + + # Read-in content. + my @lines = ; + + # Close file. + close(FILE); + + # Loop through the array. + foreach my $line (@lines) { + # Remove newlines. + chomp($line); + + # Skip comments. + next if ($line =~ /\#/); + + # Skip blank lines. + next if ($line =~ /^\s*$/); + + # Gather rule sid and message from the ruleline. + if ($line =~ /.*include \$RULE_PATH\/(.*)/) { + my $rulefile = $1; + + # Add the rulefile to the %snortrules hash. + $snortrules{$rulefile}{'Rulefile'}{'State'} = "on"; + } + } +} + # Save ruleset. if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { my $enabled_sids_file = "${General::swroot}/snort/oinkmaster-enabled-sids.conf"; @@ -100,9 +135,16 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Arrays to store sid which should be added to the corresponding files. my @enabled_sids; my @disabled_sids; + my @enabled_rulefiles; # Loop through the hash of snortrules. foreach my $rulefile(keys %snortrules) { + # Check if the rulefile is enabled. + if ($cgiparams{$rulefile} eq "on") { + # Add rulefile to the array of enabled rulefiles. + push(@enabled_rulefiles, $rulefile); + } + # Loop through the single rules of the rulefile. foreach my $sid (keys %{$snortrules{$rulefile}}) { # Check if there exists a key in the cgiparams hash for this sid. 
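Review bot: `next if ($line =~ /\#/);` in the new reader skips every line that contains a `#` anywhere, not only comment lines, so a valid include line with a `#` in it would silently be treated as disabled; use `next if ($line =~ /^\s*#/);`. The capture in `/.*include \$RULE_PATH\/(.*)/` is unanchored and greedy, so trailing whitespace or an inline comment becomes part of the hash key and will never match the `$rulefile` names read from the directory listing; `m/^\s*include\s+\$RULE_PATH\/(\S+)/` is stricter. Because the same file is later handed to snort via `include`, keeping the parser strict here also keeps the written file strict.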
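Review bot: The inner `foreach my $sid (keys %{$snortrules{$rulefile}})` on the last line of this hunk now also iterates the `'Rulefile'` key that the previous hunk stores in `%snortrules`; its `{'State'}` is "on" and there is no `$cgiparams{'Rulefile'}`, so as far as I can follow the loop body (it continues outside the hunk) the literal string `Rulefile` is pushed onto `@disabled_sids` and written out as `disable_sid Rulefile`. The display loop in the later hunk gets a `next if ($sid eq "Rulefile");`; the save loop needs the same guard directly after the inner `foreach`.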
@@ -167,6 +209,23 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Close file after writing. close(FILE); } + + # Open file for used rulefiles. + open (FILE, ">$snortusedrulefilesfile") or die "Could not wirte to $snortusedrulefilesfile. $!\n"; + + # Write header to file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Check if the enabled_rulefiles array contains any entries. + if (@enabled_rulefiles) { + # Loop through the array of rulefiles which should be loaded and write the to the file. + foreach my $file (@enabled_rulefiles) { + print FILE "include \$RULE_PATH/$file\n"; + } + } + + # Close file after writing. + close(FILE); } if ($snortsettings{'OINKCODE'} ne "") { @@ -421,14 +480,14 @@ END my $rulechecked = ''; # Check if rule file is enabled - if ($snortrules{$rulefile}{"State"} eq 'On') { + if ($snortrules{$rulefile}{'Rulefile'}{'State'} eq 'on') { $rulechecked = 'CHECKED'; } # Table and rows for the rule files. print"\n"; print"\n"; - print"\n"; + print"\n"; print"\n"; print"$rulefile\n"; print"\n"; @@ -453,6 +512,9 @@ END # Local vars my $ruledefchecked = ''; + # Skip rulefile itself. + next if ($sid eq "Rulefile"); + # If 2 rules have been displayed, start a new row if (($lines % 2) == 0) { print "\n"; From b65b5ef3775cc724da41a47b5285b7057a2250fd Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 12 Dec 2017 20:10:17 +0100 Subject: [PATCH 017/259] ids.cgi: Drop enabled rulefile from cgiparams hash after processing Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index accb91983..3740bd801 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -143,6 +143,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { if ($cgiparams{$rulefile} eq "on") { # Add rulefile to the array of enabled rulefiles. push(@enabled_rulefiles, $rulefile); + + # Drop item from cgiparams hash. + delete $cgiparams{$rulefile}; } # Loop through the single rules of the rulefile. From 603334734a0199f6d4558e70ef859fe86fe243d6 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 12 Dec 2017 20:12:38 +0100 Subject: [PATCH 018/259] ids.cgi: Drop enabled/disabled rules from cgiparams hash Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 3740bd801..8931ee6e2 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -160,7 +160,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { push(@enabled_sids, $sid); # Drop item from cgiparams hash. - delete $cgiparams{$sid}; + delete $cgiparams{$rulefile}{$sid}; } } } else { @@ -173,7 +173,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { push(@disabled_sids, $sid); # Drop item from cgiparams hash. - delete $cgiparams{$sid}; + delete $cgiparams{$rulefile}{$sid}; } } } From 466c67794b207f327a4b7478ce6f2c9c194df45f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 12 Dec 2017 20:15:00 +0100 Subject: [PATCH 019/259] ids.cgi: Process enabled rulefiles in an own loop Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 8931ee6e2..8a6e51b1d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
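Review bot: `delete $cgiparams{$rulefile}{$sid};` in both hunks of this patch removes a nested key, but the guard a few lines above tests the flat key with `exists($cgiparams{$sid})` and `%cgiparams` is filled flat by `&Header::getcgihash`, so the delete never removes the parameter it was meant to and instead autovivifies `$cgiparams{$rulefile}` as a hash reference (and would die under `strict refs` if that slot still held the string "on"). The previous form `delete $cgiparams{$sid};` matched the way the keys are looked up; keep the nested form only if the form field names really are nested per rulefile, which nothing in the hunks suggests. The enclosing loops start outside both hunks.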
@@ -147,7 +147,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Drop item from cgiparams hash. delete $cgiparams{$rulefile}; } + } + # Loop through the hash of snortrules. + foreach my $rulefile (keys %snortrules) { # Loop through the single rules of the rulefile. foreach my $sid (keys %{$snortrules{$rulefile}}) { # Check if there exists a key in the cgiparams hash for this sid. From 376595057ba05eea8d9c6337d390374dec7749e0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 12 Dec 2017 20:16:26 +0100 Subject: [PATCH 020/259] ids.cgi: Always write config files for enabled/disabled rule files If a single sid has been activated and then disabled without doing any other ruleset modifications only one of the oinkmaster files for enabled / disabled rules has been modified. In this case it was possible, that the same sid, was part of the file for enabled rules and part of the file for disabled rules at the same time. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 50 ++++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 8a6e51b1d..dcf821888 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -182,42 +182,42 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } + # Open enabled sid's file for writing. + open(FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n"; + + # Write header to file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + # Check if the enabled_sids array contains any sid's. if (@enabled_sids) { - # Open enabled sid's file for writing. - open(FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n"; - - # Write header to file. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - # Loop through the array of enabled sids and write them to the file. foreach my $sid (@enabled_sids) { - print FILE "enable_sid $sid\n"; + print FILE "enablesid $sid\n"; } - - # Close file after writing. - close(FILE); } + # Close file after writing. + close(FILE); + + # Open disabled sid's file for writing. + open(FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n"; + + # Write header to file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + # Check if the enabled_sids array contains any sid's. - if (@disabled_sids) { - # Open disabled sid's file for writing. - open(FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n"; + if (@disabled_sids) { + # Loop through the array of disabled sids and write them to the file. + foreach my $sid (@disabled_sids) { + print FILE "disablesid $sid\n"; + } + } - # Write header to file. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - - # Loop through the array of disabled sids and write them to the file. - foreach my $sid (@disabled_sids) { - print FILE "disable_sid $sid\n"; - } - - # Close file after writing. - close(FILE); - } + # Close file after writing. + close(FILE); # Open file for used rulefiles. 
- open (FILE, ">$snortusedrulefilesfile") or die "Could not wirte to $snortusedrulefilesfile. $!\n"; + open (FILE, ">$snortusedrulefilesfile") or die "Could not write to $snortusedrulefilesfile. $!\n"; # Write header to file. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; From 56dacb580e16210837ba55648ddfc9e18b860f02 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 12 Dec 2017 20:24:11 +0100 Subject: [PATCH 021/259] ids.cgi: Move call of oinkmaster to an own subfunction Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index dcf821888..5069dd46a 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -613,6 +613,11 @@ sub downloadrulesfile { } } +sub oinkmaster () { + # Call oinkmaster to generate ruleset. + system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &"); +} + sub readrulesfile ($) { my $rulefile = shift; From 525998650ab51df74317f362ccb1382870af4bbb Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 12 Dec 2017 20:24:50 +0100 Subject: [PATCH 022/259] ids.cgi: Rework code for downloading/updating the ruleset Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 88 +++++++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 33 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 5069dd46a..2fd4a2f90 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
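Review bot: The three config files are still each truncated in place with `open(FILE, ">$file")` one after the other, so if the second or third `open` dies (the `or die` is kept) the enabled-sids file has already been rewritten while the disabled-sids file still holds its previous contents — exactly the inconsistent pair this commit sets out to prevent. Writing each list to `"$file.tmp"` and calling `rename("$file.tmp", $file)` for all three only after the last write succeeded makes the update atomic as seen by oinkmaster. The hunk also changes the keywords from `enable_sid`/`disable_sid` to `enablesid`/`disablesid`, a format change the commit message does not mention; a comment such as `# oinkmaster keywords: enablesid / disablesid` next to the prints would save the next reader a trip to the oinkmaster documentation.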
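Review bot: The new `oinkmaster` sub hard-codes `file:///var/tmp/snortrules.tar.gz` as input and appends to `/var/tmp/log`, both fixed names in a world-writable directory, so the archive that is unpacked into `/etc/snort/rules` and the log the CGI later reads back are only as trustworthy as whatever process last touched those paths. Keep the downloaded archive and the log under a directory only the web-server user can write, e.g. below `${General::swroot}/snort/`, and derive both names from one variable shared with `downloadrulesfile` so the two subs cannot drift apart. The `()` prototype is ignored by the `&oinkmaster()` call style used elsewhere in the file; `sub oinkmaster {` is enough.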
@@ -232,8 +232,60 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Close file after writing. close(FILE); + + # Call oinkmaster to alter the ruleset. + &oinkmaster(); + +# Download new ruleset. +} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'download new ruleset'}) { + # Local var. + my $return; + + # Call diskfree to gather the free disk space of /var. + my @df = `/bin/df -B M /var`; + + # Loop through the output. + foreach my $line (@df) { + # Ignore header line. + next if $line =~ m/^Filesystem/; + + # Search for a line with the device information. + if ($line =~ m/dev/ ) { + # Split the line into single pieces. + my @values = split(' ', $line); + my ($filesystem, $blocks, $used, $available, $used_perenctage, $mounted_on) = @values; + + # Check if the available disk space is more than 300MB. + if ($available < 300) { + # If there is not enough space, print out an error message. + $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB"; + } else { + # Call subfunction to download the ruleset. + &downloadrulesfile(); + + # Sleep for 3 seconds. + sleep(3); + + # Gather return of the external wget. + $return = `cat /var/tmp/log 2>/dev/null`; + } + + # Check if there was an error. + if ($return =~ "ERROR") { + # Store error message for display. + $errormessage = "
".$return."
"; + } else { + # Call subfunction to launch oinkmaster. + &oinkmaster(); + + # Sleep for 2 seconds. + sleep(2); + } + } + } } + if ($snortsettings{'OINKCODE'} ne "") { $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/); } @@ -284,41 +336,11 @@ if (!$errormessage) { system('/usr/local/bin/snortctrl restart >/dev/null'); } - - # INSTALLMD5 is not in the form, so not retrieved by getcgihash - &General::readhash("${General::swroot}/snort/settings", \%snortsettings); - - if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) { - my @df = `/bin/df -B M /var`; - foreach my $line (@df) { - next if $line =~ m/^Filesystem/; - my $return; - - if ($line =~ m/dev/ ) { - $line =~ m/^.* (\d+)M.*$/; - my @temp = split(/ +/,$line); - if ($1<300) { - $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB"; - } else { - if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) { - &downloadrulesfile(); - sleep(3); - $return = `cat /var/tmp/log 2>/dev/null`; - - } - - if ($return =~ "ERROR") { - $errormessage = "
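Review bot: In the new `download new ruleset` branch the `if ($return =~ "ERROR")` check sits after the disk-space `if`/`else`, so when `$available < 300` the error message is set but `$return` stays undef, the `else` branch is taken and `&oinkmaster()` is still started on whatever old tarball is lying around — in the removed code that check was inside the `else`. The message in that branch also interpolates `$1MB`, but nothing in the new code performs a capturing match, so `$1` is stale; use `${available}MB`. `$available` comes out of `df -B M` with a trailing `M`, so the numeric compare relies on Perl's lenient numification; `$available =~ s/M$//;` before the compare avoids a warning under `-w`.
```perl
			# Check if the available disk space is more than 300MB.
			$available =~ s/M$//;
			if ($available < 300) {
				# If there is not enough space, print out an error message.
				$errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var ${available}MB";
			} else {
				# Call subfunction to download the ruleset.
				&downloadrulesfile();

				# Sleep for 3 seconds.
				sleep(3);

				# Gather return of the external wget.
				$return = `cat /var/tmp/log 2>/dev/null`;

				# Check if there was an error.
				if ($return =~ "ERROR") {
					# … unchanged: store error message for display …
				} else {
					# Call subfunction to launch oinkmaster.
					&oinkmaster();

					# Sleep for 2 seconds.
					sleep(2);
				}
			}
```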
".$return."
"; - } else { - system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &"); - sleep(2); - } - } - } - } - } } +# Read-in snortsettings +&General::readhash("${General::swroot}/snort/settings", \%snortsettings); + $checked{'ENABLE_SNORT'}{'off'} = ''; $checked{'ENABLE_SNORT'}{'on'} = ''; $checked{'ENABLE_SNORT'}{$snortsettings{'ENABLE_SNORT'}} = "checked='checked'"; From c51a044a2a93042605fc599eaccf69f49fa7bc87 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 11:46:40 +0100 Subject: [PATCH 023/259] ids.cgi: Add check when altering the ruleset Add a check if the currently processing sid is nummeric, otherwise skip it. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 2fd4a2f90..63f914701 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -153,6 +153,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { foreach my $rulefile (keys %snortrules) { # Loop through the single rules of the rulefile. foreach my $sid (keys %{$snortrules{$rulefile}}) { + # Skip the current sid if it is not numeric. + next unless ($sid =~ /\d+/ ); + # Check if there exists a key in the cgiparams hash for this sid. if (exists($cgiparams{$sid})) { # Look if the rule is disabled. From aa12410222aef6afa63a03a7eb74512bf92daad4 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 11:50:01 +0100 Subject: [PATCH 024/259] ids.cgi: Drop old code for debuging purposes Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 63f914701..ea5e2738e 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
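Review bot: Moving `&General::readhash("${General::swroot}/snort/settings", \%snortsettings)` below the save block means every use of `%snortsettings` above it — the `OINKCODE` check in the previous hunk and the `ENABLE_SNORT*` tests that remain in the context lines — now sees only the defaults assigned near the top of the file, never the stored settings. I cannot see whether anything else reads the file earlier, so this may be intended, but if it is not, the readhash belongs before the `RULESET` dispatch. The enclosing `if (!$errormessage)` block starts outside the hunk.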
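Review bot: `next unless ($sid =~ /\d+/ );` only requires a digit somewhere in the key, so a key such as `foo1` would pass while the commit message asks for numeric sids; anchor it, `next unless ($sid =~ /^\d+$/);`. As written it excludes the `Rulefile` key by accident of spelling rather than by design, which is worth a comment, e.g. `# Only numeric keys are sids; other keys (Rulefile) carry metadata.`.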
@@ -379,19 +379,6 @@ END &Header::openbigbox('100%', 'left', '', $errormessage); -############### -# DEBUG DEBUG -# &Header::openbox('100%', 'left', 'DEBUG'); -# my $debugCount = 0; -# foreach my $line (sort keys %snortsettings) { -# print "$line = $snortsettings{$line}
\n"; -# $debugCount++; -# } -# print " Count: $debugCount\n"; -# &Header::closebox(); -# DEBUG DEBUG -############### - if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); print "$errormessage\n"; From 500c5c55d0db331fe9b16afcdaedd9c5d218b327 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 11:51:08 +0100 Subject: [PATCH 025/259] ids.cgi: Rework code which shows if oinkmaster is working Move the code for displaying a notice that snort currently is working into an own subfunction which will be called if oinkmaster currently is started. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 68 +++++++++++++++++++++----------------------- 1 file changed, 32 insertions(+), 36 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index ea5e2738e..e5ac07d31 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -67,6 +67,14 @@ my %snortrules; my $errormessage; my $url; +# Try to determine if oinkmaster is running. +my $oinkmaster_pid = `pidof oinkmaster.pl -x`; + +# If oinkmaster is running display output. +if ($oinkmaster_pid) { + &working("$Lang::tr{'snort working'}"); +} + ## Grab all available snort rules and store them in the snortrules hash. # # Open snort rules directory and do a directory listing. @@ -386,37 +394,6 @@ if ($errormessage) { &Header::closebox(); } -my $return = `pidof oinkmaster.pl -x`; -chomp($return); -if ($return) { - &Header::openbox( 'Waiting', 1, "" ); - print < - - $Lang::tr{  - - $Lang::tr{'snort working'} - -
- -
-
-END
-	my @output = `tail -20 /var/tmp/log`;
-	foreach (@output) {
-		print "$_";
-	}
-	print <
-		
-END
-	&Header::closebox();
-	&Header::closebigbox();
-	&Header::closepage();
-	exit;
-	refreshpage();
-}
-
 &Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'});
 print <
@@ -590,14 +567,33 @@ print <" );
-		print "

$Lang::tr{'pagerefresh'}
"; - &Header::closebox(); +sub working ($) { + my $message = $_[0]; + + &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + &Header::openbox( 'Waiting', 1, "" ); + print < +
+ + + + + +
$Lang::tr{$message
+
+ +
+
+END + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit; } sub downloadrulesfile { From 8f22237bebe2d3880b27c671c173ffcf79040ed2 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 11:53:44 +0100 Subject: [PATCH 026/259] ids.cgi: Remove logfile after wget has successfully downloaded the ruleset Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 3 +++ 1 file changed, 3 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index e5ac07d31..a89a1d50d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -286,6 +286,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Store error message for display. $errormessage = "
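Review bot: `working` receives `$message` already translated — the call site added in the first hunk of this patch passes `"$Lang::tr{'snort working'}"` — and then, as far as this rendering shows, looks it up again as `$Lang::tr{$message}`, which yields an empty string for a value that is not itself a key of `%Lang::tr`; pass the key (`&working('snort working');`) or print `$message` directly, not both. The sub also calls `&Header::openpage` and ends in `exit`, so it must run before any other page output wherever it is called; a comment above `sub working` such as `# Renders a "please wait" page and terminates the request; call it before any other output.` would document that contract.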
".$return."
"; } else { + # Remove logfile. + unlink("/var/tmp/log"); + # Call subfunction to launch oinkmaster. &oinkmaster(); From a232b58ca78648f60f19b2464395c93cfc046b78 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 14:40:47 +0100 Subject: [PATCH 027/259] ids.cgi: Adjust code for saving snort settings Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 62 +++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 33 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index a89a1d50d..aa4ab4eac 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -33,6 +33,7 @@ require "${General::swroot}/header.pl"; my %color = (); my %mainsettings = (); my %netsettings = (); +my %snortrules = (); my %snortsettings=(); my %cgiparams=(); my %checked=(); @@ -52,7 +53,6 @@ $snortsettings{'ENABLE_SNORT'} = 'off'; $snortsettings{'ENABLE_SNORT_GREEN'} = 'off'; $snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; $snortsettings{'ENABLE_SNORT_ORANGE'} = 'off'; -$snortsettings{'ACTION'} = ''; $snortsettings{'RULES'} = ''; $snortsettings{'OINKCODE'} = ''; $snortsettings{'INSTALLDATE'} = ''; @@ -62,10 +62,7 @@ $snortsettings{'INSTALLDATE'} = ''; my $snortrulepath = "/etc/snort/rules"; my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; -my $restartsnortrequired = 0; -my %snortrules; my $errormessage; -my $url; # Try to determine if oinkmaster is running. my $oinkmaster_pid = `pidof oinkmaster.pl -x`; 
@@ -297,57 +294,56 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } } -} +# Save snort settings. +} elsif ($cgiparams{'SNORT'} eq $Lang::tr{'save'}) { + # Prevent form name from been stored in conf file. + delete $cgiparams{'SNORT'}; - -if ($snortsettings{'OINKCODE'} ne "") { - $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/); -} - -if (!$errormessage) { - if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" https://www.snort.org/rules/snortrules-snapshot-29111.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; - } elsif ($snortsettings{'RULES'} eq 'registered') { - $url=" https://www.snort.org/rules/snortrules-snapshot-29111.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; - } elsif ($snortsettings{'RULES'} eq 'community') { - $url=" https://www.snort.org/rules/community"; - } else { - $url="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"; + # Check if an oinkcode has been provided. + if ($cgiparams{'OINKCODE'}) { + # Check if the oinkcode contains unallowed chars. + unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) { + $errormessage = $Lang::tr{'invalid input for oink code'}; + } } - if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "snort" ) { - &General::writehash("${General::swroot}/snort/settings", \%snortsettings); - if ($snortsettings{'ENABLE_SNORT'} eq 'on') - { + # Go on if there are no error messages. + if (!$errormessage) { + # Store settings into settings file. + &General::writehash("${General::swroot}/snort/settings", \%cgiparams); + + # Create/Remove control files for snort. 
+ if ($snortsettings{'ENABLE_SNORT'} eq 'on') { system ('/usr/bin/touch', "${General::swroot}/snort/enable"); } else { unlink "${General::swroot}/snort/enable"; } - if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on') - { + + if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on') { system ('/usr/bin/touch', "${General::swroot}/snort/enable_green"); } else { unlink "${General::swroot}/snort/enable_green"; } - if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on') - { + + if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on') { system ('/usr/bin/touch', "${General::swroot}/snort/enable_blue"); } else { unlink "${General::swroot}/snort/enable_blue"; } - if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on') - { + + if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on') { system ('/usr/bin/touch', "${General::swroot}/snort/enable_orange"); } else { unlink "${General::swroot}/snort/enable_orange"; } - if ($snortsettings{'ENABLE_PREPROCESSOR_HTTP_INSPECT'} eq 'on') - { + + if ($snortsettings{'ENABLE_PREPROCESSOR_HTTP_INSPECT'} eq 'on') { system ('/usr/bin/touch', "${General::swroot}/snort/enable_preprocessor_http_inspect"); } else { unlink "${General::swroot}/snort/enable_preprocessor_http_inspect"; } + # Call snortctrl to restart snort system('/usr/local/bin/snortctrl restart >/dev/null'); } } @@ -439,7 +435,7 @@ print <Oinkcode:  -
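Review bot: `&General::writehash("${General::swroot}/snort/settings", \%cgiparams);` persists the whole request hash after deleting only `SNORT`, so any extra or misspelled form parameter a client sends is written into the settings file that other components consume; copy the known keys (`ENABLE_SNORT`, `ENABLE_SNORT_GREEN`, `ENABLE_SNORT_BLUE`, `ENABLE_SNORT_ORANGE`, `RULES`, `OINKCODE`) into `%snortsettings` and write that hash instead. The control-file logic that follows tests `$snortsettings{'ENABLE_SNORT'}` and friends, but at this point those still hold the file defaults (the stored settings are read further down), so the `touch`/`unlink` decisions are made on stale values rather than on the just-submitted ones; using the validated copy for both the write and the checks fixes that as well.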
+
END ; if ( -e "/var/tmp/snortrules.tar.gz"){ @@ -454,7 +450,7 @@ print <
- +
From afe26a0586678f59e25a2a4ae1877737da064bfd Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 14:45:27 +0100 Subject: [PATCH 028/259] ids.cgi: Introduce ruleset-source.list This new file will contain the vendor information and url for downloading their ruleset. In future if the download location or filename changes, we only need to adjust this one file and ship it via a core update. Also extend the downloadrulesfile to be able to directly call the subfunction. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index aa4ab4eac..9eff5233d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -606,6 +606,26 @@ sub downloadrulesfile { return undef; } + # Gather snort settings. + my %snortsettings = (); + &General::readhash("${General::swroot}/snort/settings", \%snortsettings); + + # Get all available ruleset locations. + my %urls=(); + &General::readhash("${General::swroot}/snort/ruleset-sources.list", \%urls); + + # Grab the right url based on the configured vendor. + my $url = $urls{$snortsettings{'RULES'}}; + + # Check and pass oinkcode if the vendor requires one. + $url =~ s/\/$snortsettings{'OINKCODE'}/g; + + # Abort if no url could be determined for the vendor. + unless($url) { + $errormessage = $Lang::tr{'could not download latest updates'}; + return undef; + } + my %proxysettings=(); &General::readhash("${General::swroot}/proxy/settings", \%proxysettings); From ef5171ab7175d381a11f196de4e18b7e8af769e2 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 14:50:12 +0100 Subject: [PATCH 029/259] ids.cgi: Call oinkmaster without a log target Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 9eff5233d..2b9b7c0b1 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
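Review bot: The `unless($url)` guard comes after `$url =~ s/.../$snortsettings{'OINKCODE'}/g;`, so an unknown `RULES` vendor first runs a substitution on an undefined value (an uninitialized-value warning) before it is rejected; move the `unless ($url) { ... return undef; }` block directly under the `my $url = $urls{...}` line and substitute afterwards. The placeholder on the pattern side of the `s///` is not legible in this rendering, so I cannot check it against the entries in `ruleset-sources.list`; whichever token it is, anchor it so it cannot match inside a vendor URL. The oinkcode is read back from the settings file here rather than from the form, so the `[a-z0-9]+` check on save is what keeps it safe to interpolate into the URL; `# OINKCODE was validated on save before it reaches this URL.` would make that dependency explicit.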
@@ -642,7 +642,7 @@ sub downloadrulesfile { sub oinkmaster () { # Call oinkmaster to generate ruleset. - system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &"); + system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 &"); } sub readrulesfile ($) { From 9f5247f60cc66716de0b5b8bd14e0de118763fb5 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 14:53:51 +0100 Subject: [PATCH 030/259] general-functions.pl: readhash() Add code to handle optional comments in files Signed-off-by: Stefan Schantl --- config/cfgroot/general-functions.pl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 0577afe28..2191768c9 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -149,6 +149,10 @@ sub readhash while () { chop; + + # Skip comments. + next if ($_ =~ /\#/); + ($var, $val) = split /=/, $_, 2; if ($var) { From c6bcdda1af86f803e980947aa66490f277b791d9 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Dec 2017 15:06:42 +0100 Subject: [PATCH 031/259] snort: Introduce ruleset-sources.list This file contains the ruleset vendors and download urls and will be used by the ids.cgi. If an url or filename changes, we easily can adjust this file. In most cases this will be needed when performing a snort update. Signed-off-by: Stefan Schantl --- config/rootfiles/common/snort | 1 + config/snort/ruleset-sources.list | 11 +++++++++++ lfs/snort | 1 + 3 files changed, 13 insertions(+) create mode 100644 config/snort/ruleset-sources.list diff --git a/config/rootfiles/common/snort b/config/rootfiles/common/snort index c83b15697..7da84b3bd 100644 --- a/config/rootfiles/common/snort +++ b/config/rootfiles/common/snort 
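Review bot: Dropping the `>>/var/tmp/log` redirect leaves the backgrounded oinkmaster with `2>&1` but stdout still inherited from the CGI, i.e. the HTTP response; the web server will usually wait for that descriptor to close, so the page may hang until oinkmaster finishes, and its `-v` output can end up in the response body. Redirect stdout explicitly, `... -o /etc/snort/rules >/dev/null 2>&1 &`, or better to a log file the CGI user owns, since the commit otherwise removes the only record of what oinkmaster did.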
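Review bot: `next if ($_ =~ /\#/);` in the shared `readhash` drops every line that contains a `#` anywhere, not only comment lines, and this helper reads all settings files under `${General::swroot}`; a stored value with a `#` in it — a password, a URL fragment, a free-text field — will now silently disappear on the next read. Match only lines whose first non-blank character is `#`, `next if ($_ =~ /^\s*#/);`, so values keep their `#`. The enclosing `while` loop starts outside the hunk.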
@@ -232,4 +232,5 @@ usr/sbin/snort #usr/share/doc/snort/WISHLIST #usr/share/doc/snort/generators #usr/share/man/man8/snort.8 +var/ipfire/snort/ruleset-sources.list var/log/snort diff --git a/config/snort/ruleset-sources.list b/config/snort/ruleset-sources.list new file mode 100644 index 000000000..04fc2a9f1 --- /dev/null +++ b/config/snort/ruleset-sources.list @@ -0,0 +1,11 @@ +# Ruleset for registered sourcefire users. +registered = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode= + +# Ruleset for registered sourcefire users with valid subscription. +subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode= + +# Community rules from sourcefire. +community = https://www.snort.org/downloads/community/community-rules.tar.gz + +# Emerging threads community rules. +emerging = http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz diff --git a/lfs/snort b/lfs/snort index a5d0535b0..83eba6c2e 100644 --- a/lfs/snort +++ b/lfs/snort @@ -99,5 +99,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) chown -R nobody:nobody /etc/snort -mkdir -p /var/log/snort chown -R snort:snort /var/log/snort + install -m 0644 $(DIR_SRC)/config/snort/ruleset-sources.list /var/ipfire/snort @rm -rf $(DIR_APP) $(DIR_SRC)/snort* @$(POSTBUILD) From e524290c9cd90a6d95475f2738bcb65d990cfbd0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 14 Dec 2017 08:31:41 +0100 Subject: [PATCH 032/259] ids.cgi: Drop old control code The control file are not longer required, because the initscript uses the settings file to determine if snort should be started and binded to which interfaches. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 31 ------------------------------- 1 file changed, 31 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 2b9b7c0b1..995d9745d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
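Review bot: The `emerging` entry fetches the rule tarball over plain `http://`, and the downloader hands whatever arrives straight to oinkmaster, which installs it into the running IDS, so an on-path party between the firewall and the vendor could alter the rules; prefer an `https://` URL where the vendor offers one, and verify a vendor-published checksum or signature before the tarball is unpacked if one is available. The `registered` and `subscripted` entries are byte-identical; if that is intended (same endpoint, the oinkcode decides the tier), a comment saying so would stop the next reader treating it as a copy-paste slip. Both end in `oinkcode=` with nothing after it — presumably the placeholder token that the CGI substitutes was dropped in rendering; confirm the committed file carries it.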
@@ -312,37 +312,6 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Store settings into settings file. &General::writehash("${General::swroot}/snort/settings", \%cgiparams); - # Create/Remove control files for snort. - if ($snortsettings{'ENABLE_SNORT'} eq 'on') { - system ('/usr/bin/touch', "${General::swroot}/snort/enable"); - } else { - unlink "${General::swroot}/snort/enable"; - } - - if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on') { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_green"); - } else { - unlink "${General::swroot}/snort/enable_green"; - } - - if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on') { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_blue"); - } else { - unlink "${General::swroot}/snort/enable_blue"; - } - - if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on') { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_orange"); - } else { - unlink "${General::swroot}/snort/enable_orange"; - } - - if ($snortsettings{'ENABLE_PREPROCESSOR_HTTP_INSPECT'} eq 'on') { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_preprocessor_http_inspect"); - } else { - unlink "${General::swroot}/snort/enable_preprocessor_http_inspect"; - } - # Call snortctrl to restart snort system('/usr/local/bin/snortctrl restart >/dev/null'); } From 43263ea68ecbd2bddfc84b3cee64ffc0aa9911e5 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 17 Dec 2017 19:08:25 +0100 Subject: [PATCH 033/259] ids.cgi: Rework downloader for rulesets Doing the rules download in pure perl instead of using the external wget. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 182 +++++++++++++++++++++++++++---------------- 1 file changed, 115 insertions(+), 67 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 995d9745d..52a9596b6 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -35,6 +35,7 @@ my %mainsettings = (); my %netsettings = (); my %snortrules = (); my %snortsettings=(); +my %rulesetsources = (); my %cgiparams=(); my %checked=(); my %selected=(); @@ -46,6 +47,38 @@ my %selected=(); # Get netsettings. &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); +# Get all available ruleset locations. +&General::readhash("${General::swroot}/snort/ruleset-sources.list", \%rulesetsources); + +my $rulestarball = "/var/tmp/snortrules.tar.gz"; +my $snortrulepath = "/etc/snort/rules"; +my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; +my $errormessage; + +# Hook used to download and update the ruleset, +# if the cgi got called from command line. +if ($ENV{"REMOTE_ADDR"} eq "") { + # Read snortsettings. + &General::readhash("${General::swroot}/snort/settings", \%snortsettings); + + # Download rules tarball. + $errormessage = &downloadruleset(); + + # Sleep for one second. + sleep(1); + + # Check if there was an error message. + unless ($errormessage) { + # Call oinkmaster. + &oinkmaster(); + } else { + # Call logger and log the errormessage. + system("logger -t oinkmaster $errormessage"); + } + +exit(0); +} + &Header::showhttpheaders(); # Default settings for snort. @@ -55,15 +88,10 @@ $snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; $snortsettings{'ENABLE_SNORT_ORANGE'} = 'off'; $snortsettings{'RULES'} = ''; $snortsettings{'OINKCODE'} = ''; -$snortsettings{'INSTALLDATE'} = ''; #Get GUI values &Header::getcgihash(\%cgiparams); -my $snortrulepath = "/etc/snort/rules"; -my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; -my $errormessage; - # Try to determine if oinkmaster is running. my $oinkmaster_pid = `pidof oinkmaster.pl -x`; 
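Review bot: In the command-line hook, `system("logger -t oinkmaster $errormessage");` interpolates the error text into a single shell string; that text can originate from the downloader (`$response->status_line`, proxy parsing), and any shell metacharacter in it is interpreted by the shell. Use the list form, which bypasses the shell entirely: `system("logger", "-t", "oinkmaster", $errormessage);`. `$ENV{"REMOTE_ADDR"} eq ""` also produces an uninitialized-value warning in exactly the command-line case it is meant to detect, since the variable is then absent rather than empty; test `defined` first, `if (!defined $ENV{"REMOTE_ADDR"} || $ENV{"REMOTE_ADDR"} eq "")`. A one-line comment stating that the web server is relied on to always set REMOTE_ADDR would make the assumption explicit.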
@@ -246,8 +274,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Download new ruleset. } elsif ($cgiparams{'RULESET'} eq $Lang::tr{'download new ruleset'}) { - # Local var. - my $return; + # Check if the red device is active. + unless (-e "${General::swroot}/red/active") { + $errormessage = $Lang::tr{'could not download latest updates'}; + } # Call diskfree to gather the free disk space of /var. my @df = `/bin/df -B M /var`; @@ -267,33 +297,30 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { if ($available < 300) { # If there is not enough space, print out an error message. $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB"; - } else { - # Call subfunction to download the ruleset. - &downloadrulesfile(); - # Sleep for 3 seconds. - sleep(3); - - # Gather return of the external wget. - $return = `cat /var/tmp/log 2>/dev/null`; - } - - # Check if there was an error. - if ($return =~ "ERROR") { - # Store error message for display. - $errormessage = "
".$return."
"; - } else { - # Remove logfile. - unlink("/var/tmp/log"); - - # Call subfunction to launch oinkmaster. - &oinkmaster(); - - # Sleep for 2 seconds. - sleep(2); + # Break loop. + last; } } } + + # Check if any errors happend. + unless ($errormessage) { + # Call subfunction to download the ruleset. + $errormessage = &downloadruleset(); + } + + # Sleep for 1 second + sleep(1); + + # Check if the downloader returend any error message. + unless ($errormessage) { + # Call subfunction to launch oinkmaster. + &oinkmaster(); + + # Sleep for 1 seconds. + sleep(1); + } # Save snort settings. } elsif ($cgiparams{'SNORT'} eq $Lang::tr{'save'}) { # Prevent form name from been stored in conf file. 
@@ -564,49 +591,70 @@ END exit; } -sub downloadrulesfile { - my $peer; - my $peerport; - - unlink("/var/tmp/log"); - - unless (-e "${General::swroot}/red/active") { - $errormessage = $Lang::tr{'could not download latest updates'}; - return undef; - } - - # Gather snort settings. - my %snortsettings = (); - &General::readhash("${General::swroot}/snort/settings", \%snortsettings); - - # Get all available ruleset locations. - my %urls=(); - &General::readhash("${General::swroot}/snort/ruleset-sources.list", \%urls); - - # Grab the right url based on the configured vendor. - my $url = $urls{$snortsettings{'RULES'}}; - - # Check and pass oinkcode if the vendor requires one. - $url =~ s/\/$snortsettings{'OINKCODE'}/g; - - # Abort if no url could be determined for the vendor. - unless($url) { - $errormessage = $Lang::tr{'could not download latest updates'}; - return undef; - } - +sub downloadruleset { + # Read proxysettings. my %proxysettings=(); &General::readhash("${General::swroot}/proxy/settings", \%proxysettings); - if ($_=$proxysettings{'UPSTREAM_PROXY'}) { - ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/); + # Load required perl module to handle the download. + use LWP::UserAgent; + + # Init the download module. + my $downloader = LWP::UserAgent->new; + + # Set timeout to 10 seconds. + $downloader->timeout(10); + + # Check if an upstream proxy is configured. + if ($proxysettings{'UPSTREAM_PROXY'}) { + my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/); + my $proxy_url; + + # Check if we got a peer. + if ($peer) { + $proxy_url = "http://"; + + # Check if the proxy requires authentication. 
+ if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { + $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@"; + } + + # Add proxy server address and port. + $proxy_url .= "$peer\:$peerport"; + } else { + # Break and return error message. + return "$Lang::tr{'could not download latest updates'}"; + } + + # Setup proxy settings. + $downloader->proxy('http', $proxy_url); } - if ($peer) { - system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); - } else { - system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); + # Grab the right url based on the configured vendor. + my $url = $rulesetsources{$snortsettings{'RULES'}}; + + # Check if the vendor requires an oinkcode and add it if needed. + $url =~ s/\/$snortsettings{'OINKCODE'}/g; + + # Abort if no url could be determined for the vendor. + unless ($url) { + # Abort and return errormessage. + return "$Lang::tr{'could not download latest updates'}"; } + + # Pass the requested url to the downloader. + my $request = HTTP::Request->new(GET => $url); + + # Perform the request and save the output into the "$rulestarball" file. + my $response = $downloader->request($request, $rulestarball); + + # Check if there was any error. + unless ($response->is_success) { + return "$response->status_line"; + } + + # If we got here, everything worked fine. Return nothing. + return; } sub oinkmaster () { From a6edfcbd9b762832939209e538e31e79c0d32b65 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 17 Dec 2017 19:10:21 +0100 Subject: [PATCH 034/259] ids.cgi: Pipe the oinkmaster output to the logger binary This will allow anybody, to access the log of oinkmaster and get detailed information about any changes which have been done on the ruleset. 
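Review bot: With the old `if ($_=$proxysettings{'UPSTREAM_PROXY'})` gone, `my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?.../);` still matches against `$_`, which nothing in the new downloadruleset sets, so `$peer` is empty whenever an upstream proxy is configured and the function returns the download error every time; bind the match explicitly, `my ($peer, $peerport) = ($proxysettings{'UPSTREAM_PROXY'} =~ /^.../);`. `return "$response->status_line";` is a second defect: inside double quotes only `$response` is interpolated, so the caller receives a stringified object reference followed by the literal text `->status_line` — write `return $response->status_line;`. `$downloader->proxy('http', $proxy_url);` registers the proxy for the `http` scheme only, while the ruleset URLs are `https`, so those downloads bypass the configured upstream proxy; LWP accepts a scheme list, `$downloader->proxy(['http', 'https'], $proxy_url);`. The proxy user and password are spliced into `$proxy_url` unescaped, so a `@`, `:` or `/` in either breaks the URL — URL-encode them first. The same lines are carried verbatim into ids-functions.pl by the later "Move downloader code to ids-functions.pl" commit, so the fixes apply there too.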
Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 52a9596b6..80ef2343e 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -659,7 +659,7 @@ sub downloadruleset { sub oinkmaster () { # Call oinkmaster to generate ruleset. - system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 &"); + system("/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 |logger -t oinkmaster"); } sub readrulesfile ($) { From 1504a375179cecc182dd40b8a5324eb2c1320ada Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 19 Dec 2017 11:56:04 +0100 Subject: [PATCH 035/259] ids.cgi: Rework snort configuration area Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 130 +++++++++++++++++++++++++++---------------- 1 file changed, 81 insertions(+), 49 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 80ef2343e..917cf2993 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -390,65 +390,97 @@ if ($errormessage) { } &Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'}); -print < - - - - - - - - - + + + + + + + + + + + +
GREEN Snort -END -; -if ($netsettings{'BLUE_DEV'} ne '') { - print "       BLUE Snort"; + +my $rulesdate; + +# Check if a ruleset allready has been downloaded. +if ( -f "$rulestarball"){ + # Call stat on the filename to obtain detailed information. + my @Info = stat("$rulestarball"); + + # Grab details about the creation time. + $rulesdate = localtime($Info[9]); } -if ($netsettings{'ORANGE_DEV'} ne '') { - print "       ORANGE Snort"; -} - print "       RED Snort"; print <


$Lang::tr{'ids rules update'}
+ + + + + + \n"; + +print " + + + + + + + + + + + - - - - - - - - - "; + + -print < -
+ RED Snort + + GREEN Snort + +END +; + +# Check if a blue device is configured. +if ($netsettings{'BLUE_DEV'}) { + print "BLUE Snort\n"; +} + +print "\n"; + +# Check if an orange device is configured. +if ($netsettings{'ORANGE_DEV'}) { + print "ORANGE Snort\n"; +} + +print < +


$Lang::tr{'ids rules update'}
-

- $Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}

- $Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'} -
Oinkcode: 

-END -; -if ( -e "/var/tmp/snortrules.tar.gz"){ - my @Info = stat("/var/tmp/snortrules.tar.gz"); - $snortsettings{'INSTALLDATE'} = localtime($Info[9]); -} -print " $Lang::tr{'updates installed'}: $snortsettings{'INSTALLDATE'}
-

- - - - -
+
+
$Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}
+
$Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'}
+
Oinkcode: 

+  $Lang::tr{'updates installed'}: $rulesdate +
+ +

+ + + + + +
END ; From c77bd4923503e58fc2429ffed5e377132394e7a4 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 19 Dec 2017 11:57:19 +0100 Subject: [PATCH 036/259] logs.cgi/log.dat: Add support for oinkmaster This will allow to display the logged output of oinkmaster via the webinterface. Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/log.dat | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index f241365a1..71f0502e6 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat @@ -63,6 +63,7 @@ my %sections = ( 'ipsec' => '(ipsec_[\w_]+: |pluto\[.*\]: |charon: |vpnwatch: )', 'kernel' => '(kernel: (?!DROP_))', 'ntp' => '(ntpd(?:ate)?\[.*\]: )', + 'oinkmaster' => '(oinkmaster:)', 'openvpn' => '(openvpnserver\[.*\]: |.*n2n\[.*\]: )', 'pakfire' => '(pakfire:)', 'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])', @@ -90,6 +91,7 @@ my %trsections = ( 'ipsec' => 'IPSec', 'kernel' => "$Lang::tr{'kernel'}", 'ntp' => 'NTP', + 'oinkmaster' => 'Oinkmaster', 'openvpn' => 'OpenVPN', 'pakfire' => 'Pakfire', 'red' => 'RED', From c724524e2e9a0a5498ca7e29db8d1ec80a2a73af Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 12 Feb 2018 15:38:25 +0100 Subject: [PATCH 037/259] ids.cgi: Drop loading of File::Copy module. This is not required, at any time by the script. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 1 - 1 file changed, 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 917cf2993..656ed2d9b 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -24,7 +24,6 @@ use strict; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; -use File::Copy; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; 
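Review bot: `$rulesdate = localtime($Info[9]);` reads field 9 of `stat`, which is the last-modification time, while the comment above it says "creation time"; change it to `# Grab the modification time (mtime) of the tarball.` so nobody assumes the date tracks when a ruleset was first installed. `-f "$rulestarball"` and `stat("$rulestarball")` quote a plain scalar for no effect; `-f $rulestarball` and `stat($rulestarball)` read cleaner. The surrounding markup did not survive rendering, so nothing further is claimed about the form itself.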
From 8dcebe5342c261eac9f7436ff382ac71d4890eca Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 08:18:15 +0100 Subject: [PATCH 038/259] IDS: Introduce ids-functions.pl. This library will contain a set of functions used by the IDS CGI script and the planned update script for auto-updating the snort ruleset. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 64 ++++++++++++++++++++++++++++++ config/rootfiles/common/configroot | 1 + html/cgi-bin/ids.cgi | 1 + lfs/configroot | 1 + 4 files changed, 67 insertions(+) create mode 100644 config/cfgroot/ids-functions.pl diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl new file mode 100644 index 000000000..52825ee42 --- /dev/null +++ b/config/cfgroot/ids-functions.pl 
@@ -0,0 +1,64 @@ +#!/usr/bin/perl -w +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2018 IPFire Team . # +# # +############################################################################ + +package IDS; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; + +# +## Function for checking if at least 300MB of free disk space are available +## on the "/var" partition. +# +sub checkdiskspace () { + # Call diskfree to gather the free disk space of /var. + my @df = `/bin/df -B M /var`; + + # Loop through the output. + foreach my $line (@df) { + # Ignore header line. + next if $line =~ m/^Filesystem/; + + # Search for a line with the device information. + if ($line =~ m/dev/ ) { + # Split the line into single pieces. + my @values = split(' ', $line); + my ($filesystem, $blocks, $used, $available, $used_perenctage, $mounted_on) = @values; + + # Check if the available disk space is more than 300MB. + if ($available < 300) { + # If there is not enough space, print out an error message. + my $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $available MB"; + + # Exit function and return the error message. 
+ return $errormessage; + } + } + } + + # Everything okay, return nothing. + return; +} + + +1; diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 87389915e..8fb66bdb8 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -77,6 +77,7 @@ var/ipfire/general-functions.pl var/ipfire/geoip-functions.pl var/ipfire/graphs.pl var/ipfire/header.pl +var/ipfire/ids-functions.pl var/ipfire/isdn #var/ipfire/isdn/settings var/ipfire/key diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 656ed2d9b..40bb820a5 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -28,6 +28,7 @@ use strict; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; +require "${General::swroot}/ids-functions.pl"; my %color = (); my %mainsettings = (); diff --git a/lfs/configroot b/lfs/configroot index c2833fd4a..c82a4eabe 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -80,6 +80,7 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/network-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/geoip-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/aws-functions.pl $(CONFIG_ROOT)/ + cp $(DIR_SRC)/config/cfgroot/ids-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/ From 59052432f4cc108631a9b264f2f48aaf6ea76873 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 08:20:50 +0100 Subject: [PATCH 039/259] ids.cgi: Use ids-functions.pl for checking available discspace Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 40bb820a5..926d5adbe 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
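Review bot: ids-functions.pl starts with `#!/usr/bin/perl -w` but never enables strictures, unlike ids.cgi which does; add `use strict;` below `package IDS;` so typos in the new library are caught at compile time. In checkdiskspace, `df -B M` prints sizes with an `M` suffix, so `$available < 300` relies on Perl numifying a string such as `1234M` and emits an "isn't numeric" warning under `-w` on every call; strip the suffix before comparing, `$available =~ s/M$//;`, which also fixes the message `/var $available MB` (currently rendered as `1234M MB`). `$used_perenctage` is a typo for `$used_percentage`.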
@@ -279,30 +279,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { $errormessage = $Lang::tr{'could not download latest updates'}; } - # Call diskfree to gather the free disk space of /var. - my @df = `/bin/df -B M /var`; - - # Loop through the output. - foreach my $line (@df) { - # Ignore header line. - next if $line =~ m/^Filesystem/; - - # Search for a line with the device information. - if ($line =~ m/dev/ ) { - # Split the line into single pieces. - my @values = split(' ', $line); - my ($filesystem, $blocks, $used, $available, $used_perenctage, $mounted_on) = @values; - - # Check if the available disk space is more than 300MB. - if ($available < 300) { - # If there is not enough space, print out an error message. - $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB"; - - # Break loop. - last; - } - } - } + # Check if there is enought free disk space available. + $errormessage = &IDS::checkdiskspace(); # Check if any errors happend. unless ($errormessage) { From eea2670b39ee6ba804d534e95b03d27059e45468 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 08:52:21 +0100 Subject: [PATCH 040/259] ids.cgi: Move downloader code to ids-functions.pl Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 86 +++++++++++++++++++++++++++++++++ html/cgi-bin/ids.cgi | 71 +-------------------------- 2 files changed, 87 insertions(+), 70 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 52825ee42..75f806f2d 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -26,6 +26,9 @@ package IDS; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; +# Location and name of the tarball which contains the ruleset. +my $rulestarball = "/var/tmp/snortrules.tar.gz"; + # ## Function for checking if at least 300MB of free disk space are available ## on the "/var" partition. 
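Review bot: `$errormessage = &IDS::checkdiskspace();` assigns unconditionally, so when the red interface is down the message set a few lines earlier by `$errormessage = $Lang::tr{'could not download latest updates'};` is overwritten with the empty return of a successful disk check and the download is attempted anyway; guard it, `$errormessage = &IDS::checkdiskspace() unless ($errormessage);`. "enought" in the new comment is a typo for "enough". The enclosing `elsif` branch starts before the hunk.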
@@ -60,5 +63,88 @@ sub checkdiskspace () { return; } +# +## This function is responsible for downloading the configured snort ruleset. +## +## * At first it obtains from the stored snortsettings which ruleset should be downloaded. +## * The next step is to get the download locations for all available rulesets. +## * After that, the function will check if an upstream proxy should be used and grab the settings. +## * The last step will be to generate the final download url, by obtaining the URL for the desired +## ruleset, add the settings for the upstream proxy and final grab the rules tarball from the server. +# +sub downloadruleset { + # Get snort settings. + my %snortsettings=(); + &General::readhash("${General::swroot}/snort/settings", \%snortsettings); + + # Get all available ruleset locations. + my %rulesetsources=(); + &General::readhash("${General::swroot}/snort/ruleset-sources.list", \%rulesetsources); + + # Read proxysettings. + my %proxysettings=(); + &General::readhash("${General::swroot}/proxy/settings", \%proxysettings); + + # Load required perl module to handle the download. + use LWP::UserAgent; + + # Init the download module. + my $downloader = LWP::UserAgent->new; + + # Set timeout to 10 seconds. + $downloader->timeout(10); + + # Check if an upstream proxy is configured. + if ($proxysettings{'UPSTREAM_PROXY'}) { + my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/); + my $proxy_url; + + # Check if we got a peer. + if ($peer) { + $proxy_url = "http://"; + + # Check if the proxy requires authentication. + if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { + $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@"; + } + + # Add proxy server address and port. + $proxy_url .= "$peer\:$peerport"; + } else { + # Break and return error message. 
+ return "$Lang::tr{'could not download latest updates'}"; + } + + # Setup proxy settings. + $downloader->proxy('http', $proxy_url); + } + + # Grab the right url based on the configured vendor. + my $url = $rulesetsources{$snortsettings{'RULES'}}; + + # Check if the vendor requires an oinkcode and add it if needed. + $url =~ s/\/$snortsettings{'OINKCODE'}/g; + + # Abort if no url could be determined for the vendor. + unless ($url) { + # Abort and return errormessage. + return "$Lang::tr{'could not download latest updates'}"; + } + + # Pass the requested url to the downloader. + my $request = HTTP::Request->new(GET => $url); + + # Perform the request and save the output into the "$rulestarball" file. + my $response = $downloader->request($request, $rulestarball); + + # Check if there was any error. + unless ($response->is_success) { + # Return error message. + return "$response->status_line"; + } + + # If we got here, everything worked fine. Return nothing. + return; +} 1; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 926d5adbe..c7c246ea5 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -47,9 +47,6 @@ my %selected=(); # Get netsettings. &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -# Get all available ruleset locations. -&General::readhash("${General::swroot}/snort/ruleset-sources.list", \%rulesetsources); - my $rulestarball = "/var/tmp/snortrules.tar.gz"; my $snortrulepath = "/etc/snort/rules"; my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; @@ -285,7 +282,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Check if any errors happend. unless ($errormessage) { # Call subfunction to download the ruleset. - $errormessage = &downloadruleset(); + $errormessage = &IDS::downloadruleset(); } # Sleep for 1 second 
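Review bot: `use LWP::UserAgent;` is executed at compile time wherever it appears, so placing it inside downloadruleset under "Load required perl module to handle the download" suggests lazy loading that does not happen; move it next to the `require` lines at the top of the file, and add `use HTTP::Request;` alongside it since `HTTP::Request->new` is called directly. The defects in the proxy match, `return "$response->status_line";` and the http-only `proxy(...)` call are the same as in the earlier ids.cgi version of this function and are not repeated here. On the ids.cgi side, the `@@ -47,9 +47,6 @@` hunk removes the only use of `%rulesetsources`, so its `my %rulesetsources = ();` declaration there is now dead and can go.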
@@ -601,72 +598,6 @@ END exit; } -sub downloadruleset { - # Read proxysettings. - my %proxysettings=(); - &General::readhash("${General::swroot}/proxy/settings", \%proxysettings); - - # Load required perl module to handle the download. - use LWP::UserAgent; - - # Init the download module. - my $downloader = LWP::UserAgent->new; - - # Set timeout to 10 seconds. - $downloader->timeout(10); - - # Check if an upstream proxy is configured. - if ($proxysettings{'UPSTREAM_PROXY'}) { - my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/); - my $proxy_url; - - # Check if we got a peer. - if ($peer) { - $proxy_url = "http://"; - - # Check if the proxy requires authentication. - if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { - $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@"; - } - - # Add proxy server address and port. - $proxy_url .= "$peer\:$peerport"; - } else { - # Break and return error message. - return "$Lang::tr{'could not download latest updates'}"; - } - - # Setup proxy settings. - $downloader->proxy('http', $proxy_url); - } - - # Grab the right url based on the configured vendor. - my $url = $rulesetsources{$snortsettings{'RULES'}}; - - # Check if the vendor requires an oinkcode and add it if needed. - $url =~ s/\/$snortsettings{'OINKCODE'}/g; - - # Abort if no url could be determined for the vendor. - unless ($url) { - # Abort and return errormessage. - return "$Lang::tr{'could not download latest updates'}"; - } - - # Pass the requested url to the downloader. - my $request = HTTP::Request->new(GET => $url); - - # Perform the request and save the output into the "$rulestarball" file. - my $response = $downloader->request($request, $rulestarball); - - # Check if there was any error. 
- unless ($response->is_success) { - return "$response->status_line"; - } - - # If we got here, everything worked fine. Return nothing. - return; -} - sub oinkmaster () { # Call oinkmaster to generate ruleset. system("/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 |logger -t oinkmaster"); From 25f5cb0d4b4a6c2418c219d975eb95e393b4e9af Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 08:58:18 +0100 Subject: [PATCH 041/259] ids.cgi: Move function to call oinkmaster to ids-functions.pl Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 8 ++++++++ html/cgi-bin/ids.cgi | 11 ++++++----- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 75f806f2d..024a4f72e 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -147,4 +147,12 @@ sub downloadruleset { return; } +# +## A tiny wrapper function to call the oinkmaster script. +# +sub oinkmaster () { + # Call oinkmaster to generate ruleset. + system("/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 |logger -t oinkmaster"); +} + 1; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index c7c246ea5..47a70c61d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -598,11 +598,12 @@ END exit; } -sub oinkmaster () { - # Call oinkmaster to generate ruleset. - system("/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 |logger -t oinkmaster"); -} - +# +## Private function to read-in and parse rules of a given rulefile. +# +## The given file will be read, parsed and all valid rules will be stored by ID, +## message/description and it's state in the snortrules hash. +# sub readrulesfile ($) { my $rulefile = shift; 
From ad1d8a8accc454e0bf36e93fa9b6c5890ccc5024 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 09:00:03 +0100 Subject: [PATCH 042/259] ids.cgi: Drop dirty hook for updating the ruleset Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 47a70c61d..2f7ea23eb 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -52,30 +52,6 @@ my $snortrulepath = "/etc/snort/rules"; my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; my $errormessage; -# Hook used to download and update the ruleset, -# if the cgi got called from command line. -if ($ENV{"REMOTE_ADDR"} eq "") { - # Read snortsettings. - &General::readhash("${General::swroot}/snort/settings", \%snortsettings); - - # Download rules tarball. - $errormessage = &downloadruleset(); - - # Sleep for one second. - sleep(1); - - # Check if there was an error message. - unless ($errormessage) { - # Call oinkmaster. - &oinkmaster(); - } else { - # Call logger and log the errormessage. - system("logger -t oinkmaster $errormessage"); - } - -exit(0); -} - &Header::showhttpheaders(); # Default settings for snort. From a69b96d2002c14d3fe65dcf90f9731a9c631b624 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 10:15:39 +0100 Subject: [PATCH 043/259] ids.cgi: Use tarball information from ids-functions.pl Directly use the value from the ids-functions.pl for the location and filename of the tarball which includes the snort ruleset. This will save to declare this information twice and prevents from any failures if the location of filname every changes. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 2f7ea23eb..8ae4da774 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -47,7 +47,6 @@ my %selected=(); # Get netsettings. &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -my $rulestarball = "/var/tmp/snortrules.tar.gz"; my $snortrulepath = "/etc/snort/rules"; my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; my $errormessage; @@ -345,9 +344,9 @@ if ($errormessage) { my $rulesdate; # Check if a ruleset allready has been downloaded. -if ( -f "$rulestarball"){ +if ( -f "$IDS::rulestarball"){ # Call stat on the filename to obtain detailed information. - my @Info = stat("$rulestarball"); + my @Info = stat("$IDS::rulestarball"); # Grab details about the creation time. $rulesdate = localtime($Info[9]); From 3983aebdec7489ca0ce36956307a822ecdc820fd Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 10:20:23 +0100 Subject: [PATCH 044/259] ids.cgi: Rework CGI logic to download a new ruleset * Drop function to show a notice about snort is working. * Introduce the log_error function which is responsible for log any error messages. Currently it writes it to a tempory file, which will be read by the WUI, the message will be displayed and the temporary file will be released again. * Introduce a tiny function to easily perform a reload of the generated webpage. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 35 ++++++++++++++ html/cgi-bin/ids.cgi | 84 ++++++++++++++++++++------------- 2 files changed, 86 insertions(+), 33 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 024a4f72e..999c0ea41 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
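Review bot: `$IDS::rulestarball` reads as undef here, because ids-functions.pl still declares the variable lexically (`my $rulestarball = "/var/tmp/snortrules.tar.gz";`), so `-f "$IDS::rulestarball"` is always false and the ruleset date is never shown until the `our` change in "Make variables globally accessible" two commits later. The same applies to `$IDS::storederrorfile` in the ids.cgi hunk of the next commit ("Rework CGI logic"). Either reorder that commit before this one or switch the declarations to `our` in the same change so every commit builds a working page.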
@@ -29,6 +29,9 @@ require "${General::swroot}/lang.pl"; # Location and name of the tarball which contains the ruleset. my $rulestarball = "/var/tmp/snortrules.tar.gz"; +# File to store any errors, which also will be read and displayed by the wui. +my $storederrorfile = "/tmp/ids_storederror"; + # ## Function for checking if at least 300MB of free disk space are available ## on the "/var" partition. @@ -155,4 +158,36 @@ sub oinkmaster () { system("/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 |logger -t oinkmaster"); } +# +## Function to do all the logging stuff if the downloading or updating of the ruleset fails. +# +sub log_error ($) { + my ($error) = @_; + + # Remove any newline. + chomp($error); + + # Call private function to write/store the error message in the storederrorfile. + &_store_error_message($error); +} + +# +## Private function to write a given error message to the storederror file. +# +sub _store_error_message ($) { + my ($message) = @_; + + # Remove any newline. + chomp($message); + + # Open file for writing. + open (ERRORFILE, ">$storederrorfile") or die "Could not write to $storederrorfile. $!\n"; + + # Write error to file. + print ERRORFILE "$message\n"; + + # Close file. + close (ERRORFILE); +} + 1; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 8ae4da774..1d61d9119 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
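Review bot: `my $storederrorfile = "/tmp/ids_storederror";` is a fixed, predictable name in the world-writable /tmp, and `_store_error_message` opens it with `>`, which follows an existing file or symlink of that name; the ids.cgi hunk in this commit then reads whatever is there back into `$errormessage` and deletes it. Keep the file in a directory only the web-server user can write — `${General::swroot}/snort`, which the module already uses for its settings, is the obvious place — and, before reading, check that the path is a regular file owned by the current user. Independently, `open (ERRORFILE, ">$storederrorfile")` should use the three-argument form `open(my $fh, '>', $storederrorfile)` so the mode is never parsed out of the value.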
@@ -72,6 +72,22 @@ if ($oinkmaster_pid) { &working("$Lang::tr{'snort working'}"); } +# Check if any error has been stored. +if (-e $IDS::storederrorfile) { + # Open file to read in the stored error message. + open(FILE, "<$IDS::storederrorfile") or die "Could not open $IDS::storederrorfile. $!\n"; + + # Read the stored error message. + $errormessage = ; + + # Close file. + close (FILE); + + # Delete the file, which is now not longer required. + unlink($IDS::storederrorfile); +} + + ## Grab all available snort rules and store them in the snortrules hash. # # Open snort rules directory and do a directory listing. @@ -251,25 +267,43 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { $errormessage = $Lang::tr{'could not download latest updates'}; } - # Check if there is enought free disk space available. + # Check if enought free disk space is availabe. $errormessage = &IDS::checkdiskspace(); # Check if any errors happend. unless ($errormessage) { + &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + &Header::openbox( 'Waiting', 1,); + print < + + $Lang::tr{ + $Lang::tr{'snort working'} + + +END + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + # Call subfunction to download the ruleset. $errormessage = &IDS::downloadruleset(); - } - # Sleep for 1 second - sleep(1); + # Check if the downloader returned an error. + if ($errormessage) { + # Call function to store the errormessage. + &IDS::log_error($errormessage); - # Check if the downloader returend any error message. - unless ($errormessage) { - # Call subfunction to launch oinkmaster. - &oinkmaster(); + # Preform a reload of the page. + &reload(); + } else { + # Call subfunction to launch oinkmaster. + &IDS::oinkmaster(); - # Sleep for 1 seconds. - sleep(1); + # Perform a reload of the page. + &reload(); + } } # Save snort settings. } elsif ($cgiparams{'SNORT'} eq $Lang::tr{'save'}) { 
@@ -547,30 +581,14 @@ END &Header::closebigbox(); &Header::closepage(); -sub working ($) { - my $message = $_[0]; +# +## A tiny function to perform a reload of the webpage after one second. +# +sub reload () { + print "\n"; - &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - &Header::openbox( 'Waiting', 1, "" ); - print < - - $Lang::tr{ - $message - - - -
- -
- - -END - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit; + # Stop the script. + exit; } # From 77910792754776c740ddd415d4737340052a4d91 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 12:14:06 +0100 Subject: [PATCH 045/259] ids-functions.pl: Make variables globally accessible Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 999c0ea41..c8b0c568d 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -27,10 +27,10 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; # Location and name of the tarball which contains the ruleset. -my $rulestarball = "/var/tmp/snortrules.tar.gz"; +our $rulestarball = "/var/tmp/snortrules.tar.gz"; # File to store any errors, which also will be read and displayed by the wui. -my $storederrorfile = "/tmp/ids_storederror"; +our $storederrorfile = "/tmp/ids_storederror"; # ## Function for checking if at least 300MB of free disk space are available From 0e40e1e772b2f29e71df807f9cb07098b0d23034 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 14:00:57 +0100 Subject: [PATCH 046/259] ids-functions.pl: Use pure perl to log oinkmaster result to syslog Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index c8b0c568d..6d3cf7299 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
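Review bot: `sub working` is removed here, but its caller at the top of ids.cgi — `if ($oinkmaster_pid) { &working("$Lang::tr{'snort working'}"); }`, visible as context in this commit's first ids.cgi hunk — stays until "Drop code which is detecting if oinkmaster is running" five commits later, so in between any request made while oinkmaster.pl is running dies with an undefined subroutine. Remove that block in this commit, or keep `working` until it has no callers. The new `reload` appears to print after `&Header::closepage()` has already ended the document (see the download branch in the second hunk); a short comment stating that the refresh is deliberately appended after the page would help the next reader.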
@@ -154,8 +154,30 @@ sub downloadruleset { ## A tiny wrapper function to call the oinkmaster script. # sub oinkmaster () { + # Load perl module to talk to the kernel syslog. + use Sys::Syslog qw(:DEFAULT setlogsock); + + # Establish the connection to the syslog service. + openlog('oinkmaster', 'cons,pid', 'user'); + # Call oinkmaster to generate ruleset. - system("/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules 2>&1 |logger -t oinkmaster"); + open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules|"); + + # Log output of oinkmaster to syslog. + while() { + # The syslog function works best with an array based input, + # so generate one before passing the message details to syslog. + my @syslog = ("INFO", "$_"); + + # Send the log message. + syslog(@syslog); + } + + # Close the pipe to oinkmaster process. + close(OINKMASTER); + + # Close the log handle. + closelog(); } # From eb5592c1ce15d579072689a7121ffbd87b3f22be Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 14:01:50 +0100 Subject: [PATCH 047/259] ids-functions.pl: Also log errors to syslog Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 6d3cf7299..d88a5b4ca 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
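Review bot: `my @syslog = ("INFO", "$_"); syslog(@syslog);` passes each line of oinkmaster output as the syslog *format* argument, which Sys::Syslog runs through sprintf-style processing (including `%m` expansion), so a `%` in a rule file name or message is mangled or warns; pass it as data instead, `syslog("INFO", "%s", $_);`. The same pattern is introduced in `_log_to_syslog` in the next commit ("Also log errors to syslog"), through which later commits route download error text. Dropping `2>&1` means oinkmaster's stderr is no longer captured, and neither the `open(OINKMASTER, "...|")` return value nor `close(OINKMASTER)` — which is false when the child exits non-zero — is checked, so the caller cannot tell that ruleset generation failed; check both and log the failure.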
@@ -189,10 +189,36 @@ sub log_error ($) { # Remove any newline. chomp($error); + # Call private function to log the error message to syslog. + &_log_to_syslog($error); + # Call private function to write/store the error message in the storederrorfile. &_store_error_message($error); } +# +## Function to log a given error message to the kernel syslog. +# +sub _log_to_syslog ($) { + my ($message) = @_; + + # Load perl module to talk to the kernel syslog. + use Sys::Syslog qw(:DEFAULT setlogsock); + + # The syslog function works best with an array based input, + # so generate one before passing the message details to syslog. + my @syslog = ("ERR", " $message"); + + # Establish the connection to the syslog service. + openlog('oinkmaster', 'cons,pid', 'user'); + + # Send the log message. + syslog(@syslog); + + # Close the log handle. + closelog(); +} + # ## Private function to write a given error message to the storederror file. # From 27760092c0a4973a92e1dcea8544866ae29d37da Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 14:03:08 +0100 Subject: [PATCH 048/259] ids.cgi: Reimplement function to lock page and show working notice Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 48 ++++++++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 15 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 1d61d9119..a9515b72a 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -257,8 +257,14 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Close file after writing. close(FILE); + # Lock the webpage and print message. + &working_notice("$Lang::tr{'snort working'}"); + # Call oinkmaster to alter the ruleset. - &oinkmaster(); + &IDS::oinkmaster(); + + # Reload page. + &reload(); # Download new ruleset. } elsif ($cgiparams{'RULESET'} eq $Lang::tr{'download new ruleset'}) { 
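Review bot: `_log_to_syslog` opens syslog with the ident `'oinkmaster'` although it is the module's generic error path (the disk-space and download failures are routed here in "Rework error and log handling"), so those entries are attributed to oinkmaster in the log; use an IDS-specific ident or take it as a parameter. `my @syslog = ("ERR", " $message");` also carries a stray leading space in the message. `use Sys::Syslog qw(:DEFAULT setlogsock);` inside a sub takes effect at compile time for the whole file, so a single `use` at the top of ids-functions.pl replaces the copies in `oinkmaster` and here.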
@@ -272,20 +278,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Check if any errors happend. unless ($errormessage) { - &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - &Header::openbox( 'Waiting', 1,); - print < - - $Lang::tr{ - $Lang::tr{'snort working'} - - -END - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); + # Lock the webpage and print notice about downloading + # a new ruleset. + &working_notice("$Lang::tr{'snort working'}"); # Call subfunction to download the ruleset. $errormessage = &IDS::downloadruleset(); @@ -581,6 +576,29 @@ END &Header::closebigbox(); &Header::closepage(); +# +## A function to display a notice, to lock the webpage and +## tell the user which action currently will be performed. +# +sub working_notice ($) { + my ($message) = @_; + + &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + &Header::openbox( 'Waiting', 1,); + print < + + $Lang::tr{ + $message + + +END + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); +} + # ## A tiny function to perform a reload of the webpage after one second. # From fdfd8913ab5da218c9c5303f67bb5b707da8ee30 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 14 Feb 2018 14:08:29 +0100 Subject: [PATCH 049/259] ids.cgi: Drop code which is detecting if oinkmaster is running This code is not longer required and therefore can be dropped. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 8 -------- 1 file changed, 8 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index a9515b72a..57e7e0193 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
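Review bot: `&Header::openbox( 'Waiting', 1,);` in the new `working_notice` drops the third argument the removed `working()` passed (`&Header::openbox( 'Waiting', 1, "" );` in the earlier hunk), and the trailing comma reads like an editing slip; restore `&Header::openbox('Waiting', 1, '');`. `working_notice` also hands the file-global `$errormessage` to `openbigbox`; the download call site here sits inside `unless ($errormessage)`, so it is empty there, but the 'update' call site in this commit's first hunk gives no such guarantee (the surrounding block is outside the hunk). A comment on `working_notice` stating whether it is meant to be shown with an error pending would make the intent checkable.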
@@ -64,14 +64,6 @@ $snortsettings{'OINKCODE'} = ''; #Get GUI values &Header::getcgihash(\%cgiparams); -# Try to determine if oinkmaster is running. -my $oinkmaster_pid = `pidof oinkmaster.pl -x`; - -# If oinkmaster is running display output. -if ($oinkmaster_pid) { - &working("$Lang::tr{'snort working'}"); -} - # Check if any error has been stored. if (-e $IDS::storederrorfile) { # Open file to read in the stored error message. From 9d18656ba7dd1bf98d5cd41423c8e44d355f1c25 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 26 Jul 2018 15:51:15 +0200 Subject: [PATCH 050/259] ids.cgi: Rename snortrules hash to idsrules. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 46 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 57e7e0193..df2bfe5a5 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2015 IPFire Team # +# Copyright (C) 2007-2018 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -33,7 +33,7 @@ require "${General::swroot}/ids-functions.pl"; my %color = (); my %mainsettings = (); my %netsettings = (); -my %snortrules = (); +my %idsrules = (); my %snortsettings=(); my %rulesetsources = (); my %cgiparams=(); @@ -80,7 +80,7 @@ if (-e $IDS::storederrorfile) { } -## Grab all available snort rules and store them in the snortrules hash. +## Grab all available snort rules and store them in the idsrules hash. # # Open snort rules directory and do a directory listing. opendir(DIR, $snortrulepath) or die $!; 
@@ -100,7 +100,7 @@ opendir(DIR, $snortrulepath) or die $!; next unless (-R "$snortrulepath/$file"); # Call subfunction to read-in rulefile and add rules to - # the snortrules hash. + # the idsrules hash. &readrulesfile("$file"); } @@ -134,8 +134,8 @@ if(-f $snortusedrulefilesfile) { if ($line =~ /.*include \$RULE_PATH\/(.*)/) { my $rulefile = $1; - # Add the rulefile to the %snortrules hash. - $snortrules{$rulefile}{'Rulefile'}{'State'} = "on"; + # Add the rulefile to the %idsrules hash. + $idsrules{$rulefile}{'Rulefile'}{'State'} = "on"; } } } @@ -150,8 +150,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { my @disabled_sids; my @enabled_rulefiles; - # Loop through the hash of snortrules. - foreach my $rulefile(keys %snortrules) { + # Loop through the hash of idsrules. + foreach my $rulefile(keys %idsrules) { # Check if the rulefile is enabled. if ($cgiparams{$rulefile} eq "on") { # Add rulefile to the array of enabled rulefiles. @@ -162,17 +162,17 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } - # Loop through the hash of snortrules. - foreach my $rulefile (keys %snortrules) { + # Loop through the hash of idsrules. + foreach my $rulefile (keys %idsrules) { # Loop through the single rules of the rulefile. - foreach my $sid (keys %{$snortrules{$rulefile}}) { + foreach my $sid (keys %{$idsrules{$rulefile}}) { # Skip the current sid if it is not numeric. next unless ($sid =~ /\d+/ ); # Check if there exists a key in the cgiparams hash for this sid. if (exists($cgiparams{$sid})) { # Look if the rule is disabled. - if ($snortrules{$rulefile}{$sid}{'State'} eq "off") { + if ($idsrules{$rulefile}{$sid}{'State'} eq "off") { # Check if the state has been set to 'on'. if ($cgiparams{$sid} eq "on") { # Add the sid to the enabled_sids array. 
@@ -184,7 +184,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } else { # Look if the rule is enabled. - if ($snortrules{$rulefile}{$sid}{'State'} eq "on") { + if ($idsrules{$rulefile}{$sid}{'State'} eq "on") { # Check if the state is 'on' and should be disabled. # In this case there is no entry # for the sid in the cgiparams hash. @@ -469,11 +469,11 @@ END my $rulesetcount = 1; # Loop over each rule file - foreach my $rulefile (sort keys(%snortrules)) { + foreach my $rulefile (sort keys(%idsrules)) { my $rulechecked = ''; # Check if rule file is enabled - if ($snortrules{$rulefile}{'Rulefile'}{'State'} eq 'on') { + if ($idsrules{$rulefile}{'Rulefile'}{'State'} eq 'on') { $rulechecked = 'CHECKED'; } @@ -501,7 +501,7 @@ END print "\n"; # Loop over rule file rules - foreach my $sid (sort {$a <=> $b} keys(%{$snortrules{$rulefile}})) { + foreach my $sid (sort {$a <=> $b} keys(%{$idsrules{$rulefile}})) { # Local vars my $ruledefchecked = ''; @@ -524,7 +524,7 @@ END } # Set rule state - if ($snortrules{$rulefile}{$sid}{'State'} eq 'on') { + if ($idsrules{$rulefile}{$sid}{'State'} eq 'on') { $ruledefchecked = 'CHECKED'; } @@ -532,7 +532,7 @@ END print "\n"; - print ""; + print ""; # Increment rule count $lines++; @@ -605,7 +605,7 @@ sub reload () { ## Private function to read-in and parse rules of a given rulefile. # ## The given file will be read, parsed and all valid rules will be stored by ID, -## message/description and it's state in the snortrules hash. +## message/description and it's state in the idsrules hash. # sub readrulesfile ($) { my $rulefile = shift; 
@@ -638,16 +638,16 @@ sub readrulesfile ($) { # Check if a rule has been found. if ($sid && $msg) { - # Add rule to the snortrules hash. - $snortrules{$rulefile}{$sid}{'Description'} = $msg; + # Add rule to the idsrules hash. + $idsrules{$rulefile}{$sid}{'Description'} = $msg; # Grab status of the rule. Check if ruleline starts with a "dash". if ($line =~ /^\#/) { # If yes, the rule is disabled. - $snortrules{$rulefile}{$sid}{'State'} = "off"; + $idsrules{$rulefile}{$sid}{'State'} = "off"; } else { # Otherwise the rule is enabled. - $snortrules{$rulefile}{$sid}{'State'} = "on"; + $idsrules{$rulefile}{$sid}{'State'} = "on"; } } } From 298ef5bafa8242fedf8b95ba8d8ad23e0c4c05b1 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 26 Jul 2018 15:56:47 +0200 Subject: [PATCH 051/259] IDS: Move rulepath declaration to ids-functions.pl This will help if the path ever changed. Also remove hard coded rulepath from oinkmaster call. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 5 ++++- html/cgi-bin/ids.cgi | 11 +++++------ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index d88a5b4ca..32002912d 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -32,6 +32,9 @@ our $rulestarball = "/var/tmp/snortrules.tar.gz"; # File to store any errors, which also will be read and displayed by the wui. our $storederrorfile = "/tmp/ids_storederror"; +# Location where the rulefiles are stored. +our $rulespath = "/etc/snort/rules"; + # ## Function for checking if at least 300MB of free disk space are available ## on the "/var" partition. 
@@ -161,7 +164,7 @@ sub oinkmaster () { openlog('oinkmaster', 'cons,pid', 'user'); # Call oinkmaster to generate ruleset. - open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules|"); + open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o $rulespath|"); # Log output of oinkmaster to syslog. while() { diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index df2bfe5a5..7dc8793f6 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -47,7 +47,6 @@ my %selected=(); # Get netsettings. &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -my $snortrulepath = "/etc/snort/rules"; my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; my $errormessage; @@ -83,21 +82,21 @@ if (-e $IDS::storederrorfile) { ## Grab all available snort rules and store them in the idsrules hash. # # Open snort rules directory and do a directory listing. -opendir(DIR, $snortrulepath) or die $!; +opendir(DIR, $IDS::rulespath) or die $!; # Loop through the direcory. while (my $file = readdir(DIR)) { # We only want files. - next unless (-f "$snortrulepath/$file"); + next unless (-f "$IDS::rulespath/$file"); # Ignore empty files. - next if (-z "$snortrulepath/$file"); + next if (-z "$IDS::rulespath/$file"); # Use a regular expression to find files ending in .rules next unless ($file =~ m/\.rules$/); # Ignore files which are not read-able. - next unless (-R "$snortrulepath/$file"); + next unless (-R "$IDS::rulespath/$file"); # Call subfunction to read-in rulefile and add rules to # the idsrules hash. 
@@ -611,7 +610,7 @@ sub readrulesfile ($) { my $rulefile = shift; # Open rule file and read in contents - open(RULEFILE, "$snortrulepath/$rulefile") or die "Unable to read $rulefile!"; + open(RULEFILE, "$IDS::rulespath/$rulefile") or die "Unable to read $rulefile!"; # Store file content in an array. my @lines = ; From 02844177afb86e070564ee776c5ca679d7cf374b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 27 Jul 2018 07:58:23 +0200 Subject: [PATCH 052/259] IDS: Introduce settingsdir variable The $settingsdir variable is declared in the ids-functions.pl and used to to store the path where the various files which contains the settings for the IDS and oinkmaster is located. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 9 ++++++--- html/cgi-bin/ids.cgi | 16 ++++++++-------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 32002912d..74713d77a 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -26,6 +26,9 @@ package IDS; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; +# Location where all config and settings files are stored. +our $settingsdir = "${General::swroot}/snort"; + # Location and name of the tarball which contains the ruleset. our $rulestarball = "/var/tmp/snortrules.tar.gz"; @@ -81,11 +84,11 @@ sub checkdiskspace () { sub downloadruleset { # Get snort settings. my %snortsettings=(); - &General::readhash("${General::swroot}/snort/settings", \%snortsettings); + &General::readhash("$settingsdir/settings", \%snortsettings); # Get all available ruleset locations. my %rulesetsources=(); - &General::readhash("${General::swroot}/snort/ruleset-sources.list", \%rulesetsources); + &General::readhash("$settingsdir/ruleset-sources.list", \%rulesetsources); # Read proxysettings. my %proxysettings=(); 
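Review bot: `open(RULEFILE, "$IDS::rulespath/$rulefile")` keeps the two-argument open, where the mode is parsed out of the string; `$rulefile` comes from the `readdir` loop filtered to `.rules` names, so it is bounded, but the three-argument form `open(RULEFILE, '<', "$IDS::rulespath/$rulefile") or die "Unable to read $rulefile!";` removes the question entirely and costs nothing. readrulesfile's body continues outside the hunk.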
@@ -164,7 +167,7 @@ sub oinkmaster () { openlog('oinkmaster', 'cons,pid', 'user'); # Call oinkmaster to generate ruleset. - open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C /var/ipfire/snort/oinkmaster.conf -o $rulespath|"); + open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath|"); # Log output of oinkmaster to syslog. while() { diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 7dc8793f6..71fc1ea60 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -47,7 +47,7 @@ my %selected=(); # Get netsettings. &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -my $snortusedrulefilesfile = "${General::swroot}/snort/snort-used-rulefiles.conf"; +my $idsusedrulefilesfile = "$IDS::settingsdir/ids-used-rulefiles.conf"; my $errormessage; &Header::showhttpheaders(); @@ -108,9 +108,9 @@ closedir(DIR); # Gather used rulefiles. # # Check if the file for activated rulefiles is not empty. -if(-f $snortusedrulefilesfile) { +if(-f $idsusedrulefilesfile) { # Open the file for used rulefile and read-in content. - open(FILE, $snortusedrulefilesfile) or die "Could not open $snortusedrulefilesfile. $!\n"; + open(FILE, $idsusedrulefilesfile) or die "Could not open $idsusedrulefilesfile. $!\n"; # Read-in content. my @lines = ; @@ -141,8 +141,8 @@ if(-f $snortusedrulefilesfile) { # Save ruleset. if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { - my $enabled_sids_file = "${General::swroot}/snort/oinkmaster-enabled-sids.conf"; - my $disabled_sids_file = "${General::swroot}/snort/oinkmaster-disabled-sids.conf"; + my $enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf"; + my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf"; # Arrays to store sid which should be added to the corresponding files. my @enabled_sids; 
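Review bot: Renaming the on-disk file from `snort-used-rulefiles.conf` to `ids-used-rulefiles.conf` changes more than a variable name: the list of activated rule files that existing installations keep under the old name is no longer read, and whatever consumes that file on the snort side (it holds `include $RULE_PATH/...` lines, presumably pulled into the snort configuration, which is not in this diff) would need the same rename. If the rename is intended, say so in the commit message and add a one-time move of the old file; otherwise keep the file name and rename only the variable. The same new name is written in the `open (FILE, ">$idsusedrulefilesfile")` hunk that follows.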
@@ -232,7 +232,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { close(FILE); # Open file for used rulefiles. - open (FILE, ">$snortusedrulefilesfile") or die "Could not write to $snortusedrulefilesfile. $!\n"; + open (FILE, ">$idsusedrulefilesfile") or die "Could not write to $idsusedrulefilesfile. $!\n"; # Write header to file. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; @@ -307,7 +307,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Go on if there are no error messages. if (!$errormessage) { # Store settings into settings file. - &General::writehash("${General::swroot}/snort/settings", \%cgiparams); + &General::writehash("$IDS::settingsdir/settings", \%cgiparams); # Call snortctrl to restart snort system('/usr/local/bin/snortctrl restart >/dev/null'); @@ -315,7 +315,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } # Read-in snortsettings -&General::readhash("${General::swroot}/snort/settings", \%snortsettings); +&General::readhash("$IDS::settingsdir/settings", \%snortsettings); $checked{'ENABLE_SNORT'}{'off'} = ''; $checked{'ENABLE_SNORT'}{'on'} = ''; From 434001d0a0eb05946fccded7090e1e1fa6e2c64d Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 28 Jul 2018 16:34:50 +0200 Subject: [PATCH 053/259] IDS: Rework error and log handling in ids-functions.pl Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 28 +++++++++++++++++----------- html/cgi-bin/ids.cgi | 11 ++++++----- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 74713d77a..647aa1f4c 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -24,7 +24,6 @@ package IDS; require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; # Location where all config and settings files are stored. our $settingsdir = "${General::swroot}/snort"; 
@@ -59,11 +58,11 @@ sub checkdiskspace () { # Check if the available disk space is more than 300MB. if ($available < 300) { - # If there is not enough space, print out an error message. - my $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $available MB"; + # Log error to syslog. + &_log_to_syslog("Not enough free disk space on /var. Only $available MB from 300 MB available."); - # Exit function and return the error message. - return $errormessage; + # Exit function and return "1" - False. + return 1; } } } @@ -120,8 +119,11 @@ sub downloadruleset { # Add proxy server address and port. $proxy_url .= "$peer\:$peerport"; } else { - # Break and return error message. - return "$Lang::tr{'could not download latest updates'}"; + # Log error message and break. + &_log_to_syslog("Could not proper configure the proxy server access."); + + # Return "1" - false. + return 1; } # Setup proxy settings. @@ -136,8 +138,9 @@ sub downloadruleset { # Abort if no url could be determined for the vendor. unless ($url) { - # Abort and return errormessage. - return "$Lang::tr{'could not download latest updates'}"; + # Log error and abort. + &_log_to_syslog("Unable to gather a download URL for the selected ruleset."); + return 1; } # Pass the requested url to the downloader. @@ -148,8 +151,11 @@ sub downloadruleset { # Check if there was any error. unless ($response->is_success) { - # Return error message. - return "$response->status_line"; + # Log error message. + &_log_to_syslog("Unable to download the ruleset. $response->status_line"); + + # Return "1" - false. + return 1; } # If we got here, everything worked fine. Return nothing. diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 71fc1ea60..2ada96f52 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
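Review bot: `"Unable to download the ruleset. $response->status_line"` interpolates only `$response` — a method call does not interpolate inside a double-quoted string — so the log line ends in the object's stringification followed by the literal text `->status_line` instead of the HTTP status; write `&_log_to_syslog("Unable to download the ruleset. " . $response->status_line);`. The removed `return "$response->status_line"` had the same flaw, so this is the moment to fix it. The status line is text chosen by the remote ruleset server, and `_log_to_syslog` hands its argument to syslog as the format string, so it should be logged as data (`syslog("ERR", "%s", $message)`) there as well.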
@@ -265,7 +265,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } # Check if enought free disk space is availabe. - $errormessage = &IDS::checkdiskspace(); + if(&IDS::checkdiskspace()) { + $errormessage = "$Lang::tr{'not enough disk space'}"; + } # Check if any errors happend. unless ($errormessage) { @@ -274,12 +276,11 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { &working_notice("$Lang::tr{'snort working'}"); # Call subfunction to download the ruleset. - $errormessage = &IDS::downloadruleset(); + if(&IDS::downloadruleset()) { + $errormessage = $Lang::tr{'could not download latest updates'}; - # Check if the downloader returned an error. - if ($errormessage) { # Call function to store the errormessage. - &IDS::log_error($errormessage); + &IDS::_store_error_message($errormessage); # Preform a reload of the page. &reload(); From 91cc908f84a44ba9dc6493938c00aa982eafed81 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 23 Jul 2018 20:19:19 +0200 Subject: [PATCH 054/259] yaml: New package This is a build and runtime dependency for suricata. Signed-off-by: Stefan Schantl --- config/rootfiles/common/yaml | 6 +++ lfs/yaml | 79 ++++++++++++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 86 insertions(+) create mode 100644 config/rootfiles/common/yaml create mode 100644 lfs/yaml diff --git a/config/rootfiles/common/yaml b/config/rootfiles/common/yaml new file mode 100644 index 000000000..565fa373f --- /dev/null +++ b/config/rootfiles/common/yaml @@ -0,0 +1,6 @@ +#usr/include/yaml.h +usr/lib/libyaml-0.so.2 +usr/lib/libyaml-0.so.2.0.5 +#usr/lib/libyaml.la +#usr/lib/libyaml.so +#usr/lib/pkgconfig/yaml-0.1.pc diff --git a/lfs/yaml b/lfs/yaml new file mode 100644 index 000000000..c250bbbfe --- /dev/null +++ b/lfs/yaml 
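Review bot: The CGI now calls `&IDS::_store_error_message($errormessage)` directly, a function the module marks private with its leading underscore, while the public `log_error` wrapper is left with no caller; since `downloadruleset` already logs to syslog itself, the cleaner split is a public store function (or having `downloadruleset` store the message) and a comment in ids-functions.pl saying which of the two the CGI is expected to use. The `if(&IDS::downloadruleset())` block this hunk opens continues outside the hunk.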
@@ -0,0 +1,79 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 0.2.1
+
+THISAPP = yaml-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 72724b9736923c517e5a8fc6757ef03d
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --disable-static
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 47e1420d8..003c4dbd3 100755
--- a/make.sh
+++ b/make.sh
@@ -1290,6 +1290,7 @@ buildipfire() {
 lfsmake2 libdnet
 lfsmake2 daq
 lfsmake2 snort
+ lfsmake2 yaml
 lfsmake2 oinkmaster
 lfsmake2 squid
 lfsmake2 squidguard
From 3498300d87ec69f5676d33e54dca4f3c6897d20f Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Mon, 23 Jul 2018 20:20:29 +0200
Subject: [PATCH 055/259] libhtp: New package
This is build and runtime dependency for suricata.
Signed-off-by: Stefan Schantl
---
 config/rootfiles/common/libhtp | 22 ++++++++++
 lfs/libhtp | 80 ++++++++++++++++++++++++++++++++++
 make.sh | 1 +
 3 files changed, 103 insertions(+)
 create mode 100644 config/rootfiles/common/libhtp
 create mode 100644 lfs/libhtp
diff --git a/config/rootfiles/common/libhtp b/config/rootfiles/common/libhtp
new file mode 100644
index 000000000..9211ea713
--- /dev/null
+++ b/config/rootfiles/common/libhtp
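Review bot: The only integrity check on the downloaded tarball is the `$(DL_FILE)_MD5 = 72724b9736923c517e5a8fc6757ef03d` line consumed by the `md5` target; MD5 is no longer collision-resistant, so this detects a corrupted download rather than a substituted archive on the mirror. The sibling lfs files added in this series do the same, so a stronger digest belongs in the shared `Config` machinery behind `$(MD5)` and `$(CHECK)` rather than here, but the recorded value should at least come from upstream's published checksum or signed release rather than from the mirror copy. A short provenance comment above the line, e.g. `# md5 taken from the upstream yaml-0.2.1 release tarball`, would make that auditable. Separately, the `Copyright (C) 2015` header on a file created in 2018 looks copied from a template.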
@@ -0,0 +1,22 @@
+#usr/include/htp
+#usr/include/htp/bstr.h
+#usr/include/htp/bstr_builder.h
+#usr/include/htp/htp.h
+#usr/include/htp/htp_base64.h
+#usr/include/htp/htp_config.h
+#usr/include/htp/htp_connection_parser.h
+#usr/include/htp/htp_core.h
+#usr/include/htp/htp_decompressors.h
+#usr/include/htp/htp_hooks.h
+#usr/include/htp/htp_list.h
+#usr/include/htp/htp_multipart.h
+#usr/include/htp/htp_table.h
+#usr/include/htp/htp_transaction.h
+#usr/include/htp/htp_urlencoded.h
+#usr/include/htp/htp_utf8_decoder.h
+#usr/include/htp/htp_version.h
+#usr/lib/libhtp.la
+#usr/lib/libhtp.so
+usr/lib/libhtp.so.2
+usr/lib/libhtp.so.2.0.0
+#usr/lib/pkgconfig/htp.pc
diff --git a/lfs/libhtp b/lfs/libhtp
new file mode 100644
index 000000000..c8b8ad113
--- /dev/null
+++ b/lfs/libhtp
@@ -0,0 +1,80 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 0.5.27
+
+THISAPP = libhtp-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 226def386a394911de75ffe9e038554a
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./autogen.sh
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --disable-static
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 003c4dbd3..4acc66b4a 100755
--- a/make.sh
+++ b/make.sh
@@ -1291,6 +1291,7 @@ buildipfire() {
 lfsmake2 daq
 lfsmake2 snort
 lfsmake2 yaml
+ lfsmake2 libhtp
 lfsmake2 oinkmaster
 lfsmake2 squid
 lfsmake2 squidguard
From 67752a9510d9db653ca8aee9355e8fa63d0f9316 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Mon, 23 Jul 2018 20:21:38 +0200
Subject: [PATCH 056/259] suricata: New package
Signed-off-by: Stefan Schantl
---
 config/rootfiles/common/suricata | 48 +++++++++++++++++
 lfs/suricata | 89 ++++++++++++++++++++++++++++++++
 make.sh | 1 +
 3 files changed, 138 insertions(+)
 create mode 100644 config/rootfiles/common/suricata
 create mode 100644 lfs/suricata
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
new file mode 100644
index 000000000..37ad01318
--- /dev/null
+++ b/config/rootfiles/common/suricata
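Review bot: `cd $(DIR_APP) && ./autogen.sh` regenerates the build system unconditionally, so the installed library depends on the autoconf/automake/libtool versions present in the build chroot rather than on the `configure` script upstream shipped and that the MD5 above covers. If the 0.5.27 release tarball already contains a generated `configure` (not verifiable from this page), guard the step with `cd $(DIR_APP) && { [ -x configure ] || sh ./autogen.sh; }`; if it does not, a comment saying the tarball is a bare source snapshot explains why regeneration is required. The `Copyright (C) 2015` header on this 2018 file looks copied from a template.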
@@ -0,0 +1,48 @@
+etc/suricata
+etc/suricata/classification.config
+etc/suricata/reference.config
+etc/suricata/rules
+etc/suricata/suricata-example.yaml
+etc/suricata/threshold.config
+usr/bin/suricata
+#usr/bin/suricatasc
+#usr/lib/python2.7/site-packages/suricatasc
+#usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info
+#usr/lib/python2.7/site-packages/suricatasc/__init__.py
+#usr/lib/python2.7/site-packages/suricatasc/__init__.pyc
+#usr/lib/python2.7/site-packages/suricatasc/suricatasc.py
+#usr/lib/python2.7/site-packages/suricatasc/suricatasc.pyc
+#usr/share/doc/suricata
+#usr/share/doc/suricata/AUTHORS
+#usr/share/doc/suricata/Basic_Setup.txt
+#usr/share/doc/suricata/CentOS5.txt
+#usr/share/doc/suricata/CentOS_56_Installation.txt
+#usr/share/doc/suricata/Debian_Installation.txt
+#usr/share/doc/suricata/Fedora_Core.txt
+#usr/share/doc/suricata/FreeBSD_8.txt
+#usr/share/doc/suricata/GITGUIDE
+#usr/share/doc/suricata/HTP_library_installation.txt
+#usr/share/doc/suricata/INSTALL
+#usr/share/doc/suricata/INSTALL.PF_RING
+#usr/share/doc/suricata/INSTALL.WINDOWS
+#usr/share/doc/suricata/Installation_from_GIT_with_PCRE-JIT.txt
+#usr/share/doc/suricata/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt
+#usr/share/doc/suricata/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt
+#usr/share/doc/suricata/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt
+#usr/share/doc/suricata/Installation_with_CUDA_on_Scientific_Linux_6.txt
+#usr/share/doc/suricata/Installation_with_CUDA_on_Ubuntu_server_1104.txt
+#usr/share/doc/suricata/Installation_with_PF_RING.txt
+#usr/share/doc/suricata/Mac_OS_X_106x.txt
+#usr/share/doc/suricata/NEWS
+#usr/share/doc/suricata/OpenBSD_Installation_from_GIT.txt
+#usr/share/doc/suricata/README
+#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt
+#usr/share/doc/suricata/TODO
+#usr/share/doc/suricata/Third_Party_Installation_Guides.txt
+#usr/share/doc/suricata/Ubuntu_Installation.txt
+#usr/share/doc/suricata/Ubuntu_Installation_from_GIT.txt
+#usr/share/doc/suricata/Windows.txt
+#usr/share/man/man1/suricata.1
+var/log/suricata
+var/log/suricata/certs
+var/log/suricata/files
diff --git a/lfs/suricata b/lfs/suricata
new file mode 100644
index 000000000..0873f54b4
--- /dev/null
+++ b/lfs/suricata
@@ -0,0 +1,89 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 4.0.5
+
+THISAPP = suricata-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = ea0cb823d6a86568152f75ade6de442f
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --enable-gccprotect \
+ --disable-gccmarch-native \
+ --enable-non-bundled-htp \
+ --enable-nfqueue \
+ --disable-static
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ cd $(DIR_APP) && make install-conf
+ mv /etc/suricata/suricata.yaml /etc/suricata/suricata-example.yaml
+ -mkdir -p /etc/suricata/rules
+ -mkdir -p /var/log/suricata
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 4acc66b4a..531ba801c 100755
--- a/make.sh
+++ b/make.sh
@@ -1292,6 +1292,7 @@ buildipfire() {
 lfsmake2 snort
 lfsmake2 yaml
 lfsmake2 libhtp
+ lfsmake2 suricata
 lfsmake2 oinkmaster
 lfsmake2 squid
 lfsmake2 squidguard
From 164eab662756366023016c88c27f1432f243832f Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Mon, 30 Jul 2018 21:36:07 +0200
Subject: [PATCH 057/259] ids-functions.pl: Move path details from snort to suricata
Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 647aa1f4c..ec70e9681 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
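Review bot: The two `-mkdir -p …` recipe lines ignore the exit status of `mkdir -p`, which only fails for a genuine problem (permission denied, or a regular file already occupying the path); swallowing that lets the build continue and fail later somewhere less obvious. Drop the `-` prefix and merge them into one line: `mkdir -p /etc/suricata/rules /var/log/suricata`. The rootfile added in the same commit also lists `var/log/suricata/certs` and `var/log/suricata/files`, which this recipe does not create, so presumably `make install-conf` does; a comment stating that would make the dependency explicit. On the hardening side, `--enable-gccprotect` together with `--disable-gccmarch-native` is the right pairing for a binary shipped to other hosts; if this version's configure also offers `--enable-pie`, it belongs alongside.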
@@ -26,16 +26,16 @@ package IDS; require '/var/ipfire/general-functions.pl'; # Location where all config and settings files are stored. -our $settingsdir = "${General::swroot}/snort"; +our $settingsdir = "${General::swroot}/suricata"; # Location and name of the tarball which contains the ruleset. -our $rulestarball = "/var/tmp/snortrules.tar.gz"; +our $rulestarball = "/var/tmp/idsrules.tar.gz"; # File to store any errors, which also will be read and displayed by the wui. our $storederrorfile = "/tmp/ids_storederror"; # Location where the rulefiles are stored. -our $rulespath = "/etc/snort/rules"; +our $rulespath = "/etc/suricata/rules"; # ## Function for checking if at least 300MB of free disk space are available From 101c888174285f4d4e599902c7645d2e834ea027 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 2 Aug 2018 09:07:12 +0200 Subject: [PATCH 058/259] ids.cgi: Generate suricata compatiple used-rulefiles file * Rename filename to suricata-used-rulefiles.yaml * Adjust file generation as a yaml file to be compatible with suricata * Adjust code to correctly read-in and parse the changed file Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 2ada96f52..b42ede2ae 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -47,7 +47,7 @@ my %selected=(); # Get netsettings. &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); -my $idsusedrulefilesfile = "$IDS::settingsdir/ids-used-rulefiles.conf"; +my $idsusedrulefilesfile = "$IDS::settingsdir/suricata-used-rulefiles.yaml"; my $errormessage; &Header::showhttpheaders(); @@ -130,7 +130,7 @@ if(-f $idsusedrulefilesfile) { next if ($line =~ /^\s*$/); # Gather rule sid and message from the ruleline. - if ($line =~ /.*include \$RULE_PATH\/(.*)/) { + if ($line =~ /.*- (.*)/) { my $rulefile = $1; # Add the rulefile to the %idsrules hash. 
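Review bot: `our $rulestarball = "/var/tmp/idsrules.tar.gz";` keeps a fixed, predictable filename in a world-writable directory; the old snort path had the same property, so the rename changes nothing by itself, but a privileged writer to such a path is the classic insecure-temp-file pattern, since a pre-existing file or symlink of that name would be followed. Whether the download runs as root and whether IPFire has any unprivileged local accounts is not visible here, so treat this as a hardening note rather than a live bug: a root-owned directory with restrictive permissions created at install time (e.g. `/var/tmp/ids/` at mode 0700) would remove the exposure, and `$storederrorfile` in `/tmp` has the same shape. At minimum a comment above the line should state the expected owner and mode of that location.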
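Review bot: The new parser `if ($line =~ /.*- (.*)/)` is unanchored and greedy: any line containing `- ` matches, including a comment line in the generated file, and for a filename that itself contains `- ` only the tail after the last occurrence lands in `$1`, with trailing whitespace kept. Since the file being read is the YAML list this same CGI writes, anchor the match to a list item and skip comments first: `next if ($line =~ /^\s*#/);` followed by `if ($line =~ /^\s*-\s+(\S+)\s*$/) {`. The enclosing `if(-f $idsusedrulefilesfile)` block and the loop that yields `$line` start before this hunk.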
@@ -234,6 +234,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Open file for used rulefiles. open (FILE, ">$idsusedrulefilesfile") or die "Could not write to $idsusedrulefilesfile. $!\n"; + # Write yaml header to the file. + print FILE "%YAML 1.1\n"; + print FILE "---\n\n"; + # Write header to file. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; @@ -241,7 +245,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { if (@enabled_rulefiles) { # Loop through the array of rulefiles which should be loaded and write the to the file. foreach my $file (@enabled_rulefiles) { - print FILE "include \$RULE_PATH/$file\n"; + print FILE " - $file\n"; } } From 4c6d6c1ee3308e8143b95867376f29876739a149 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 2 Aug 2018 09:10:25 +0200 Subject: [PATCH 059/259] suricata: Install very basic config file This config file is mostly based on the example configuration shipped by the suricata project and needs to be enhanched. See #11808. Signed-off-by: Stefan Schantl --- config/rootfiles/common/suricata | 1 + config/suricata/suricata.yaml | 1702 ++++++++++++++++++++++++++++++ lfs/suricata | 1 + 3 files changed, 1704 insertions(+) create mode 100644 config/suricata/suricata.yaml diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 37ad01318..31d501cac 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -2,6 +2,7 @@ etc/suricata etc/suricata/classification.config etc/suricata/reference.config etc/suricata/rules +etc/suricata/suricata.yaml etc/suricata/suricata-example.yaml etc/suricata/threshold.config usr/bin/suricata diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml new file mode 100644 index 000000000..0c0293603 --- /dev/null +++ b/config/suricata/suricata.yaml 
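Review bot: `print FILE " - $file\n";` writes each rulefile name unquoted into a YAML list that suricata later consumes via `!include`, and nothing in this hunk constrains what `$file` contains. If `@enabled_rulefiles` is built from CGI parameters (its origin is outside the hunk), a value with an embedded newline, a leading `#`, or a `: ` sequence would alter the structure of the generated document or inject an extra list entry. Whitelist the name before writing it, e.g. `next unless ($file =~ /^[\w.-]+$/);` at the top of the loop, which also keeps the file parsable by the reader elsewhere in this CGI. The enclosing `if ($cgiparams{'RULESET'} eq $Lang::tr{'update'})` block starts before the hunk.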
@@ -0,0 +1,1702 @@ +%YAML 1.1 +--- + +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml + +## +## Step 1: inform Suricata about your network +## + +vars: + # more specifc is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + + +## +## Step 2: select the rules to enable or disable +## + +default-rule-path: /etc/suricata/rules +rule-files: !include /var/ipfire/suricata/suricata-used-rulefiles.yaml + +classification-file: /etc/suricata/classification.config +reference-config-file: /etc/suricata/reference.config +# threshold-file: /etc/suricata/threshold.config + + +## +## Step 3: select outputs to enable +## + +# The default logging directory. Any log or output file will be +# placed here if its not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /var/log/suricata/ + +# global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls at what interval + # the loggers are invoked. + interval: 8 + +# Configure the type of alert (and other) logging you would like. 
+outputs: + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: yes + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. 
+ # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + metadata: yes # add L7/applayer fields, flowbit and other vars to the alert + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. 
+ header: X-Forwarded-For + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # control logging of queries and answers + # default yes, no to disable + query: yes # enable logging of DNS queries + answer: yes # enable logging of DNS answers + # control which RR types are logged + # all enabled if custom not specified + #custom: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. 
+ - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + #- dnp3 + #- nfs + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + # Vars log flowbits and other packet and flow vars + #- vars + + # alert output for use with Barnyard2 + - unified2-alert: + enabled: no + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + #limit: 32mb + + # By default unified2 log files have the file creation time (in + # unix epoch format) appended to the filename. Set this to yes to + # disable this behaviour. + #nostamp: no + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # Include payload of packets related to alerts. Defaults to true, set to + # false if payload is not required. + #payload: yes + + # HTTP X-Forwarded-For support by adding the unified2 extra header or + # overwriting the source or destination IP address (depending on flow + # direction) with the one reported in the X-Forwarded-For HTTP header. + # This is helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". 
Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: no + filename: http.log + append: yes + #extended: yes # enable this for extended logging information + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: yes + #extended: yes # Log extended information like fingerprint + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # a line based log of DNS requests and/or replies (no alerts) + - dns-log: + enabled: no + filename: dns.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Packet log... log packets in pcap format. 
3 modes of operation: "normal" + # "multi" and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000mb files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # In Sguil mode "dir" indicates the base directory. In this base dir the + # pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + mode: normal # normal, multi or sguil. + + # Directory to place pcap files. If not provided the default log + # directory will be used. Required for "sguil" mode. + #dir: /nsm_data/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. 
"no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (http://www.prelude-technologies.com/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + + # Stats.log contains data from various counters of the suricata engine. + - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # a line based information for dropped packets in IPS mode + - drop: + enabled: no + filename: drop.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # output module to store extracted files to disk + # + # The files are stored to the log-dir in a format "file." where is + # an incrementing number starting at 1. For each file "file." a meta + # file "file..meta" is created. + # + # File extraction depends on a lot of things to be fully done: + # - file-store stream-depth. For optimal results, set this to 0 (unlimited) + # - http request / response body sizes. Again set to 0 for optimal results. + # - rules that contain the "filestore" keyword. 
+ - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + force-filestore: no # force storing of all files + # override global stream-depth for sessions in which we want to + # perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + #waldo: file.waldo # waldo file to store the file_id across runs + # uncomment to disable meta file writing + #write-meta: no + # uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + + # output module to log files tracked in a easily parsable json format + - file-log: + enabled: no + filename: files-json.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + + # Log TCP data after stream normalization + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per TCP session and stores the raw TCP data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by stream.depth + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, dechunking and unzipping. + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per HTTP session and stores the normalized data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. 
+ # Documented at: + # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output + - lua: + enabled: no + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overriden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overriden in an + # output section. You can leave this out to get the default. + # + # This value is overriden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overriden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: /var/log/suricata/suricata.log + # type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + + +## +## Step 4: configure common capture settings +## +## See "Advanced Capture Options" below for more options, including NETMAP +## and PF_RING. +## + +# Linux high speed capture support +af-packet: + - interface: eth0 + # Number of receive threads. "auto" uses the number of cores + #threads: auto + # Default clusterid. AF_PACKET will load balance packets based on flow. + cluster-id: 99 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. 
+ # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_round_robin: round robin load balancing + # * cluster_flow: all packets of a given flow are send to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same + # socket. Requires at least Linux 3.14. + # * cluster_random: packets are sent randomly to sockets but with an equipartition. + # Requires at least Linux 3.14. + # * cluster_rollover: kernel rotates between sockets filling each socket before moving + # to the next. Requires at least Linux 3.10. + # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system + # with capture card using RSS (require cpu affinity tuning and system irq tuning) + cluster-type: cluster_flow + # In some fragmentation case, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes + # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is + # full then kernel will send the packet on the next socket with room available. This option + # can minimize packet drop and increase the treated bandwidth on single intensive flow. + #rollover: yes + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + #use-mmap: yes + # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock + # your system + #mmap-locked: yes + # Use tpacket_v3 capture mode, only active if use-mmap is true + # Don't use it in IPS or TAP mode as it causes severe latency + #tpacket-v3: yes + # Ring size will be computed with respect to max_pending_packets and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. 
If you are using flow cluster-type and have really network + # intensive single-flow you could want to set the ring-size independently of the number + # of threads: + #ring-size: 2048 + # Block size is used by tpacket_v3 only. It should set to a value high enough to contain + # a decent number of packets. Size is in bytes so please consider your MTU. It should be + # a power of 2 and it must be multiple of page size (usually 4096). + #block-size: 32768 + # tpacket_v3 block timeout: an open block is passed to userspace if it is not + # filled after block-timeout milliseconds. + #block-timeout: 10 + # On busy system, this could help to set it to yes to recover from a packet drop + # phase. This will result in some packets (at max a ring flush) being non treated. + #use-emergency-flush: yes + # recv buffer size, increase value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. 
+ #copy-mode: ips + #copy-iface: eth1 + + # Put default values here. These will be used for an interface that is not + # in the list above. + - interface: default + #threads: auto + #use-mmap: no + #rollover: yes + #tpacket-v3: yes + +# Cross platform libpcap capture support +pcap: + - interface: eth0 + # On Linux, pcap will try to use mmaped capture and will use buffer-size + # as total of memory used by the ring. So set this to something bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: no + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + +# Settings for reading pcap files +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. 
(default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# See "Advanced Capture Options" below for more options, including NETMAP +# and PF_RING. + + +## +## Step 5: App Layer Protocol Configuration +## + +# Configure the app-layer parsers. The protocols section details each +# protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + protocols: + tls: + enabled: yes + detection-ports: + dp: 443 + + # Completely stop processing TLS/SSL session after the handshake + # completed. If bypass is enabled this will also trigger flow + # bypass. If disabled (the default), TLS/SSL session is still + # tracked for Heartbleed and other anomalies. + #no-reassemble: yes + dcerpc: + enabled: yes + ftp: + enabled: yes + ssh: + enabled: yes + smtp: + enabled: yes + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supercedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: no + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + msn: + enabled: detection-only + smb: + enabled: yes + detection-ports: + dp: 139, 445 + # smb2 detection is disabled internally inside the engine. 
+ #smb2: + # enabled: yes + # Note: NFS parser depends on Rust support: pass --enable-rust + # to configure. + nfs: + enabled: no + dns: + # memcaps. Globally and per flow/state. + #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. + #request-flood: 500 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: 64mb + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # response-body-decompress-layer-limit: + # Limit to how many layers of compression will be + # decompressed. Defaults to 2. + # + # server-config: List of server configurations to use if address matches + # address: List of ip addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # uri-include-all: Include all parts of the URI. By default the + # 'scheme', username/password, hostname and port + # are excluded. 
Setting this option to true adds + # all of them to the normalized uri as inspected + # by http_uri, urilen, pcre with /U and the other + # keywords that inspect the normalized uri. + # Note that this does not affect http_raw_uri. + # Also, note that including all was the default in + # 1.4 and 2.0beta1. + # + # meta-field-limit: Hard size limit for request and response size + # limits. Applies to request line and headers, + # response line and headers. Does not apply to + # request or response bodies. Default is 18k. + # If this limit is reached an event is raised. + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. 
Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. 
+ stream-depth: 0 + + # DNP3 + dnp3: + enabled: no + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: no + detection-ports: + dp: 44818 + sp: 44818 + + # Note: parser depends on experimental Rust support + # with --enable-rust-experimental passed to configure + ntp: + enabled: no + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run suricata as user and group. +#run-as: +# user: suri +# group: suri + +# Some logging module will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default location of the pid file. The pid file is only used in +# daemon mode (start Suricata with -D). If not running in daemon mode +# the --pidfile command line option must be used to create a pid file. +#pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. 
+# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +# +# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules +# apply. In that case try something like 60000 or more. This is because the CUDA +# pattern matcher buffers and scans as many packets as possible in parallel. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned +# load balancing). +#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow alloted usihng the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# Unix command socket can be used to pass commands to suricata. +# An external tool can then connect to get information from suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. In auto mode, the feature will only be +# activated in live capture mode. You can use the filename variable to set +# the file name of the socket. 
+unix-command: + enabled: auto + #filename: custom.socket + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +#magic-file: + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts bassed on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. 
+ windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# prunning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doens't find a flow to prune, it will set +# the emergency bit and it will try again with more agressive timeouts. +# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. 
+ +flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a hanshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). "bypassed" +# timeout controls locally bypassed flows. For these flows we don't do any other +# tracking. If no packets have been seen after this timeout, the flow is discarded. +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. 
+ +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packet with invalid csum will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated trafic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# bypass: no # Bypass packets when stream.depth is reached +# +# reassembly: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. 
Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lower the risk of some evasion technics but could lead +# # detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size +# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same +# # calculation for toclient-chunk-size. +# # Default value of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# segment-prealloc: 2048 # number of segments preallocated per thread +# +# check-overlap-different-data: true|false +# # check if a segment contains different data +# # than what we've already seen for that +# # position in the stream. +# # This is enabled automatically if inline mode +# # is used or when stream-event:reassembly_overlap_different_data; +# # is used in a rule. +# +stream: + memcap: 64mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. 
+# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + +# Decoder settings + +decoder: + # Teredo decoder is known to not be completely accurate + # it will sometimes detect non-teredo as teredo. + teredo: + enabled: true + + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. 
+ # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. +# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-cuda" - Aho-Corasick, CUDA implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. +# +# There is also a CUDA pattern matcher (only available if Suricata was +# compiled with --enable-cuda: b2g_cuda. Make sure to update your +# max-pending-packets setting above as well if you use b2g_cuda. 
+ +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: no + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. + # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + +# Luajit has a strange memory requirement, it's 'states' need to be in the +# first 2G of the process' memory. 
+# +# 'luajit.states' is used to control how many states are preallocated. +# State use: per detect script: 1 per detect thread. Per output script: 1 per +# script. +luajit: + states: 128 + +# Profiling settings. Only effective if Suricata has been built with the +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + # If commented out all the sort options will be used. + #sort: avgticks + + # Limit the number of sids for which stats are shown at exit (per sort). + limit: 10 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. + locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + +## +## Netfilter integration +## + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. 
+# This permit to do send all needed packet to suricata via this a rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want packet to be sent to another queue after an ACCEPT decision +# set mode to 'route' and set next-queue value. +# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if suricata is not able to keep pace. +# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is +# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask +# on packet of a flow that need to be bypassed. The Nefilter ruleset has to +# directly accept all packets of a flow once a packet has been marked. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# bypass-mark: 1 +# bypass-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +## +## Advanced Capture Options +## + +# general settings affecting packet capture +capture: + # disable NIC offloading. It's restored when Suricata exists. + # Enabled by default + #disable-offloading: false + # + # disable checksum validation. 
Same as setting '-k none' on the + # commandline + #checksum-validation: none + +# Netmap support +# +# Netmap operates with NIC directly in driver, so you need FreeBSD wich have +# built-in netmap support or compile and install netmap module and appropriate +# NIC driver on your Linux system. +# To reach maximum throughput disable all receive-, segmentation-, +# checksum- offloadings on NIC. +# Disabling Tx checksum offloading is *required* for connecting OS endpoint +# with NIC endpoint. +# You can find more information at https://github.com/luigirizzo/netmap +# +netmap: + # To specify OS endpoint add plus sign at the end (e.g. "eth0+") + - interface: eth2 + # Number of receive threads. "auto" uses number of RSS queues on interface. + #threads: auto + # You can use the following variables to activate netmap tap or IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + # To specify the OS as the copy-iface (so the OS can route packets, or forward + # to a service running on the same machine) add a plus sign at the end + # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 + # for return packets. Hardware checksumming must be *off* on the interface if + # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD + # or 'ethtool -K eth0 tx off rx off' for Linux). + #copy-mode: tap + #copy-iface: eth3 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. 
+ # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + #- interface: eth3 + #threads: auto + #copy-mode: tap + #copy-iface: eth2 + # Put default values here + - interface: default + +# PF_RING configuration. for use with native PF_RING support +# for more info see http://www.ntop.org/products/pf_ring/ +pfring: + - interface: eth0 + # Number of receive threads (>1 will enable experimental flow pinned + # runmode) + threads: 1 + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow. + # Possible values are cluster_flow or cluster_round_robin. + cluster-type: cluster_flow + # bpf filter for this interface + #bpf-filter: tcp + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + +# For FreeBSD ipfw(8) divert(4) support. 
+# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# in /etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# The 8000 above should be the same number you passed on the command +# line, i.e. -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + + +napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + # This may be enabled when sharing streams with another application. + # Otherwise, it should be turned off. + hba: -1 + + # use_all_streams set to "yes" will query the Napatech service for all configured + # streams and listen on all of them. When set to "no" the streams config array + # will be used. + use-all-streams: yes + + # The streams to listen on. This can be either: + # a list of individual streams (e.g. streams: [0,1,2,3]) + # or + # a range of streams (e.g. streams: ["0-3"]) + streams: ["0-3"] + +# Tilera mpipe configuration. for use on Tilera TILE-Gx. +mpipe: + + # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". + load-balance: dynamic + + # Number of Packets in each ingress packet queue. 
Must be 128, 512, 2028 or 65536 + iqueue-packets: 2048 + + # List of interfaces we will listen on. + inputs: + - interface: xgbe2 + - interface: xgbe3 + - interface: xgbe4 + + + # Relative weight of memory for packets of each mPipe buffer size. + stack: + size128: 0 + size256: 9 + size512: 0 + size1024: 0 + size1664: 7 + size4096: 0 + size10386: 0 + size16384: 0 + +## +## Hardware accelaration +## + +# Cuda configuration. +cuda: + # The "mpm" profile. On not specifying any of these parameters, the engine's + # internal default values are used, which are same as the ones specified in + # in the default conf file. + mpm: + # The minimum length required to buffer data to the gpu. + # Anything below this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + # A value of 0 indicates there's no limit. + data-buffer-size-min-limit: 0 + # The maximum length for data that we would buffer to the gpu. + # Anything over this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + data-buffer-size-max-limit: 1500 + # The ring buffer size used by the CudaBuffer API to buffer data. + cudabuffer-buffer-size: 500mb + # The max chunk size that can be sent to the gpu in a single go. + gpu-transfer-size: 50mb + # The timeout limit for batching of packets in microseconds. + batching-timeout: 2000 + # The device to use for the mpm. Currently we don't support load balancing + # on multiple gpus. In case you have multiple devices on your system, you + # can specify the device to use, using this conf. By default we hold 0, to + # specify the first device cuda sees. To find out device-id associated with + # the card(s) on the system run "suricata --list-cuda-cards". + device-id: 0 + # No of Cuda streams used for asynchronous processing. All values > 0 are valid. + # For this option you need a device with Compute Capability > 1.0. + cuda-streams: 2 + +## +## Include other configs +## + +# Includes. 
Files included here will be handled as if they were +# inlined in this configuration file. +#include: include1.yaml +#include: include2.yaml diff --git a/lfs/suricata b/lfs/suricata index 0873f54b4..d6b016838 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -83,6 +83,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make install cd $(DIR_APP) && make install-conf mv /etc/suricata/suricata.yaml /etc/suricata/suricata-example.yaml + install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata -mkdir -p /etc/suricata/rules -mkdir -p /var/log/suricata @rm -rf $(DIR_APP) From 72b2109c726c1ab78918648a6aa540cf137692b0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 2 Aug 2018 15:47:31 +0200 Subject: [PATCH 060/259] configroot: Move from snort to suricata Create /var/ipfire/suricata and /var/ipfire/suricata/settings instead of /var/ipfire/snort and /var/ipfire/snort/settings. Signed-off-by: Stefan Schantl --- config/rootfiles/common/configroot | 4 ++-- lfs/configroot | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 8fb66bdb8..6a0688238 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -176,8 +176,8 @@ var/ipfire/remote #var/ipfire/remote/settings var/ipfire/sensors #var/ipfire/sensors/settings -var/ipfire/snort -#var/ipfire/snort/settings +var/ipfire/suricata +#var/ipfire/suricata/settings var/ipfire/time #var/ipfire/time/settings var/ipfire/updatexlrator diff --git a/lfs/configroot b/lfs/configroot index c82a4eabe..8d5c34b5d 100644 --- a/lfs/configroot +++ b/lfs/configroot 
@@ -54,7 +54,7 @@ $(TARGET) : ethernet extrahd/bin fwlogs fwhosts firewall isdn key langs logging mac main \ menu.d modem nfs optionsfw \ ovpn patches pakfire portfw ppp private proxy/advanced/cre \ - proxy/calamaris/bin qos/bin red remote sensors snort time \ + proxy/calamaris/bin qos/bin red remote sensors suricata time \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ wakeonlan wireless ; do \ mkdir -p $(CONFIG_ROOT)/$$i; \ @@ -69,7 +69,7 @@ $(TARGET) : isdn/settings mac/settings main/hosts main/routing main/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ - qos/tosconfig snort/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ + qos/tosconfig suricata/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \ touch $(CONFIG_ROOT)/$$i; \ done From 1d9b87914053e54550c6f2a76377a8001bbf1da6 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 2 Aug 2018 19:29:36 +0200 Subject: [PATCH 061/259] ids-ruleset-sources: New package Move the file which contains the download URL's for the IDS rulesets into an own common package. This will allow us in future to easily ship a changed file with a core update. Signed-off-by: Stefan Schantl --- config/rootfiles/common/ids-ruleset-sources | 1 + config/suricata/ruleset-sources | 11 +++++ lfs/ids-ruleset-sources | 53 +++++++++++++++++++++ 3 files changed, 65 insertions(+) create mode 100644 config/rootfiles/common/ids-ruleset-sources create mode 100644 config/suricata/ruleset-sources create mode 100644 lfs/ids-ruleset-sources 
diff --git a/config/rootfiles/common/ids-ruleset-sources b/config/rootfiles/common/ids-ruleset-sources new file mode 100644 index 000000000..7e15e20f0 --- /dev/null +++ b/config/rootfiles/common/ids-ruleset-sources @@ -0,0 +1 @@ +/var/ipfire/suricata/ruleset-sources diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources new file mode 100644 index 000000000..04fc2a9f1 --- /dev/null +++ b/config/suricata/ruleset-sources @@ -0,0 +1,11 @@ +# Ruleset for registered sourcefire users. +registered = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode= + +# Ruleset for registered sourcefire users with valid subscription. +subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode= + +# Community rules from sourcefire. +community = https://www.snort.org/downloads/community/community-rules.tar.gz + +# Emerging threads community rules. +emerging = http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz diff --git a/lfs/ids-ruleset-sources b/lfs/ids-ruleset-sources new file mode 100644 index 000000000..d55b1a074 --- /dev/null +++ b/lfs/ids-ruleset-sources 
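Review bot: The `emerging` entry downloads the ruleset over plain HTTP (`http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz`), so nothing protects the integrity of rules that end up loaded into an inline IPS, while the three snort.org entries already use HTTPS. Switch it to `https://` if the mirror supports TLS, or add a comment explaining why HTTP is required; a signature or checksum check in the downloader would be the stronger fix but is outside this file. `registered` and `subscripted` point at the identical URL, which deserves a comment saying whether that is intentional, and `subscripted` looks like a misspelling of `subscribed` — it is a key read by `General::readhash`, so renaming it means changing every reader too.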
@@ -0,0 +1,53 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = ipfire
+
+THISAPP = ids-ruleset-sources
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+install : $(TARGET)
+
+check :
+
+download :
+
+md5 :
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) :
+ @$(PREBUILD)
+ # Simple install the ruleset sources file.
+ install -m 644 $(DIR_SRC)/config/suricata/ruleset-sources \
+ /var/ipfire/suricata/
+ @$(POSTBUILD)
From bce84f3975eb04ac94ffe2e14039c1a6a8ac8030 Mon Sep 17 00:00:00 2001
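Review bot: `# Simple install the ruleset sources file.` is inside the `$(TARGET)` recipe, so make does not treat it as a comment: it is handed to the shell as a command line (a no-op) and echoed on every build unless the build runs silently. Move it above the rule header, or prefix it with `@`, and fix the wording to `# Simply install the ruleset sources file.`. The `install -m 644 ... /var/ipfire/suricata/` line assumes the target directory was already created by the configroot package; `install -D -m 644 $(DIR_SRC)/config/suricata/ruleset-sources /var/ipfire/suricata/ruleset-sources` removes that build-order dependency. The recipe indentation shows as spaces in this rendering; the real file needs a tab before each recipe line.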
From: Stefan Schantl
Date: Thu, 2 Aug 2018 19:31:52 +0200
Subject: [PATCH 062/259] ids-functions.pl: Rename ruleset-sources.list to ruleset-sources

Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index ec70e9681..9c469413d 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -37,6 +37,10 @@ our $storederrorfile = "/tmp/ids_storederror";
 # Location where the rulefiles are stored.
 our $rulespath = "/etc/suricata/rules";
 
+# File which contains a list of all supported ruleset sources.
+# (Sourcefire, Emergingthreads, etc..)
+our $rulesetsourcesfile = "$settingsdir/ruleset-sources";
+
 #
 ## Function for checking if at least 300MB of free disk space are available
 ## on the "/var" partition.
@@ -87,7 +91,7 @@ sub downloadruleset {
 # Get all available ruleset locations.
 my %rulesetsources=();
 
- &General::readhash("$settingsdir/ruleset-sources.list", \%rulesetsources);
+ &General::readhash($rulesetsourcesfile, \%rulesetsources);
 
 # Read proxysettings.
 my %proxysettings=();
From 101d3ece24c99a9696bb2dfe0add1cdfdebbbf91 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 2 Aug 2018 19:33:37 +0200
Subject: [PATCH 063/259] ids-ruleset-sources: Update download URL for snort rules

Signed-off-by: Stefan Schantl
---
 config/suricata/ruleset-sources | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources
index 04fc2a9f1..8f3659049 100644
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
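Review bot: The new comment `# (Sourcefire, Emergingthreads, etc..)` misspells the vendor and has a doubled period; it should read `# (Sourcefire, Emerging Threats, etc.)`. `our $rulesetsourcesfile = "$settingsdir/ruleset-sources";` interpolates `$settingsdir` when the file is loaded, so the path is only correct if `$settingsdir` is assigned above this line — the hunk does not show that assignment, so it is worth confirming. In the second hunk, `downloadruleset` now takes its download URLs from that file, which the ids-ruleset-sources package installs with mode 644; a short comment there noting that the file is shipped by the package rather than user-edited would tell the next reader where the URLs come from. `downloadruleset` begins and ends outside the hunk.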
@@ -1,8 +1,8 @@ # Ruleset for registered sourcefire users. -registered = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode= +registered = https://www.snort.org/downloads/registered/snortrules-snapshot-29111.tar.gz?oinkcode= # Ruleset for registered sourcefire users with valid subscription. -subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode= +subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-29111.tar.gz?oinkcode= # Community rules from sourcefire. community = https://www.snort.org/downloads/community/community-rules.tar.gz From d72b3e64c2515546b78a7cf099157799481da130 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 2 Aug 2018 19:54:22 +0200 Subject: [PATCH 064/259] suricata: Introduce basic initscript Add a very basic initscript, which currently allows to start/stop/restart suricata and check if the daemon is running. The script will detect when starting suricata how many CPU cores are present on the system and will launch suricata in inline mode (NFQUEUE) and listen to as much queues as CPU cores are detected. Signed-off-by: Stefan Schantl --- config/rootfiles/common/armv5tel/initscripts | 1 + config/rootfiles/common/i586/initscripts | 1 + config/rootfiles/common/x86_64/initscripts | 1 + src/initscripts/system/suricata | 65 ++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 src/initscripts/system/suricata diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 66a7be55b..c4265905e 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -79,6 +79,7 @@ etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/swconfig etc/rc.d/init.d/sysctl 
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 8f3d41476..115343977 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -79,6 +79,7 @@ etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/sysctl etc/rc.d/init.d/sysklogd diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 8f3d41476..115343977 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -79,6 +79,7 @@ etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/sysctl etc/rc.d/init.d/sysklogd diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata new file mode 100644 index 000000000..e2950281c --- /dev/null +++ b/src/initscripts/system/suricata 
@@ -0,0 +1,65 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/suricata +# +# Description : Suricata Initscript +# +# Author : Stefan Schantl +# +# Version : 01.00 +# +# Notes : +# +######################################################################## + +. /etc/sysconfig/rc +. ${rc_functions} + +PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH + +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) + +case "$1" in + start) + # Get amount of CPU cores. + NFQUEUES= + CPUCOUNT=0 + while read line; do + [ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++)) + done /dev/null 2>/dev/null + + # Don't report returncode of rm if suricata was not started + exit 0 + ;; + + status) + statusproc /usr/bin/suricata + ;; + + restart) + $0 stop + $0 start + ;; + + *) + echo "Usage: $0 {start|stop|restart|status}" + exit 1 + ;; +esac + +chmod 644 /var/log/suricata/* 2>/dev/null + +# End $rc_base/init.d/suricata From ef640882ab4ff5f26fb7b4bf9a5f00ca4f94d172 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 2 Aug 2018 19:58:41 +0200 Subject: [PATCH 065/259] make.sh: Add ids-ruleset-source I accidently forgot to commit this file in 1d9b87914053e54550c6f2a76377a8001bbf1da6 Signed-off-by: Stefan Schantl --- make.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/make.sh b/make.sh index 531ba801c..844581677 100755 --- a/make.sh +++ b/make.sh @@ -1294,6 +1294,7 @@ buildipfire() { lfsmake2 libhtp lfsmake2 suricata lfsmake2 oinkmaster + lfsmake2 ids-ruleset-sources lfsmake2 squid lfsmake2 squidguard lfsmake2 calamaris From 74b7d695c630c971fb4774e93c39b4954d7bb5fe Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 3 Aug 2018 09:50:31 +0200 Subject: [PATCH 066/259] misc-progs: Rename snortctrl to suricatactrl 
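Review bot: The script is declared `#!/bin/sh` but the CPU-count loop uses bash-only syntax — `NFQUEUES+="-q $CPUCOUNT "` and `((CPUCOUNT++))` — so it only works while /bin/sh is bash; under a POSIX sh the queue list comes out empty or the script aborts, and suricata would be started without its `-q` options. Either change the first line to `#!/bin/bash` or write it portably as `NFQUEUES="${NFQUEUES}-q $CPUCOUNT "` and `CPUCOUNT=$((CPUCOUNT + 1))`. The text between `done` and `/dev/null 2>/dev/null` is garbled in this rendering (the `< /proc/cpuinfo` redirection and the start/stop commands appear to have been lost), so those lines could not be reviewed here. Separately, `chmod 644 /var/log/suricata/* 2>/dev/null` at the bottom runs on every invocation, including `status`, and makes the IDS event logs readable by every local account; `chmod 640` with the log group as owner, run only from the `start` branch, is the safer default.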
Signed-off-by: Stefan Schantl --- config/rootfiles/common/misc-progs | 2 +- src/misc-progs/Makefile | 2 +- src/misc-progs/{snortctrl.c => suricatactrl.c} | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) rename src/misc-progs/{snortctrl.c => suricatactrl.c} (74%) diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 789179513..c48a474b2 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -26,8 +26,8 @@ usr/local/bin/redctrl #usr/local/bin/sambactrl usr/local/bin/setaliases usr/local/bin/smartctrl -usr/local/bin/snortctrl usr/local/bin/squidctrl +usr/local/bin/suricatactrl usr/local/bin/sshctrl usr/local/bin/syslogdctrl usr/local/bin/timectrl diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index c3329b130..bea54e773 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -24,7 +24,7 @@ LIBS = -lsmooth -lnewt PROGS = iowrap SUID_PROGS = squidctrl sshctrl ipfirereboot \ - ipsecctrl timectrl dhcpctrl snortctrl \ + ipsecctrl timectrl dhcpctrl suricatactrl \ applejuicectrl rebuildhosts backupctrl collectdctrl \ logwatch wioscan wiohelper openvpnctrl firewallctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ diff --git a/src/misc-progs/snortctrl.c b/src/misc-progs/suricatactrl.c similarity index 74% rename from src/misc-progs/snortctrl.c rename to src/misc-progs/suricatactrl.c index 57025757c..dbc5c64ad 100644 --- a/src/misc-progs/snortctrl.c +++ b/src/misc-progs/suricatactrl.c 
@@ -19,16 +19,16 @@ int main(int argc, char *argv[]) {
 exit(1);
 
 if (argc < 2) {
- fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|restart)\n\n");
+ fprintf(stderr, "\nNo argument given.\n\nidsctrl (start|stop|restart)\n\n");
 exit(1);
 }
 
 if (strcmp(argv[1], "start") == 0) {
- safe_system("/etc/rc.d/init.d/snort start");
+ safe_system("/etc/rc.d/init.d/suricata start");
 } else if (strcmp(argv[1], "stop") == 0) {
- safe_system("/etc/rc.d/init.d/snort stop");
+ safe_system("/etc/rc.d/init.d/suricata stop");
 } else if (strcmp(argv[1], "restart") == 0) {
- safe_system("/etc/rc.d/init.d/snort restart");
+ safe_system("/etc/rc.d/init.d/suricata restart");
 } else {
 fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart)\n\n");
 exit(1);
From 914cca3d8e834c6ab051126f628daeef073b7106 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Fri, 3 Aug 2018 10:02:34 +0200
Subject: [PATCH 067/259] initscripts: Link against suricata initscript in runlevels and red.up hook

Signed-off-by: Stefan Schantl
---
 config/rootfiles/common/aarch64/initscripts | 7 ++++---
 config/rootfiles/common/armv5tel/initscripts | 6 +++---
 config/rootfiles/common/i586/initscripts | 6 +++---
 config/rootfiles/common/x86_64/initscripts | 6 +++---
 lfs/initscripts | 8 ++++----
 5 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 66a7be55b..26475e26c 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
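Review bot: The two usage messages now disagree: the changed line prints `idsctrl (start|stop|restart)` while the unchanged `else` branch still prints `snortctrl (start|stop|restart)`, and the binary is installed as `suricatactrl`. Both should name the real program, i.e. `fprintf(stderr, "\nNo argument given.\n\nsuricatactrl (start|stop|restart)\n\n");` and `fprintf(stderr, "\nBad argument given.\n\nsuricatactrl (start|stop|restart)\n\n");`. The file was renamed in this same commit, so fixing the second string here keeps the rename self-contained. `main` begins and ends outside the hunk.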
@@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-RS-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns @@ -79,6 +79,7 @@ etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/swconfig etc/rc.d/init.d/sysctl @@ -104,7 +105,7 @@ etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -155,7 +156,7 @@ etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index c4265905e..26475e26c 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-RS-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns 
@@ -105,7 +105,7 @@ etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -156,7 +156,7 @@ etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 115343977..e4ef0cfc0 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-RS-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns @@ -104,7 +104,7 @@ etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -155,7 +155,7 @@ etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 115343977..e4ef0cfc0 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts 
@@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-RS-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns @@ -104,7 +104,7 @@ etc/rc.d/rc0.d/K45random etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -155,7 +155,7 @@ etc/rc.d/rc6.d/K45random etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/lfs/initscripts b/lfs/initscripts index 1058779f1..2b94ca794 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -121,8 +121,8 @@ $(TARGET) : ln -sf ../init.d/fcron /etc/rc.d/rc0.d/K08fcron ln -sf ../init.d/fcron /etc/rc.d/rc3.d/S40fcron ln -sf ../init.d/fcron /etc/rc.d/rc6.d/K08fcron - ln -sf ../init.d/snort /etc/rc.d/rc0.d/K78snort - ln -sf ../init.d/snort /etc/rc.d/rc6.d/K78snort + ln -sf ../init.d/suricata /etc/rc.d/rc0.d/K78suricata + ln -sf ../init.d/suricata /etc/rc.d/rc6.d/K78suricata ln -sf ../init.d/network /etc/rc.d/rc0.d/K80network ln -sf ../init.d/network /etc/rc.d/rc3.d/S20network ln -sf ../init.d/network /etc/rc.d/rc6.d/K80network 
@@ -186,8 +186,8 @@ $(TARGET) :
 ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient
 ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient
- ln -sf ../../../../../usr/local/bin/snortctrl \
- /etc/rc.d/init.d/networking/red.up/23-RS-snort
+ ln -sf ../../../../../usr/local/bin/suricatactrl \
+ /etc/rc.d/init.d/networking/red.up/23-RS-suricata
 ln -sf ../../../../../usr/local/bin/qosctrl \
 /etc/rc.d/init.d/networking/red.up/24-RS-qos
 ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
From 843a8c570c6784ef6c66d214fbbbc2e67e4505c2 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Fri, 3 Aug 2018 10:19:35 +0200
Subject: [PATCH 068/259] snort: Drop package
Signed-off-by: Stefan Schantl
---
 config/rootfiles/common/aarch64/initscripts | 1 -
 config/rootfiles/common/armv5tel/initscripts | 1 -
 config/rootfiles/common/i586/initscripts | 1 -
 config/rootfiles/common/snort | 236 ---------
 config/rootfiles/common/x86_64/initscripts | 1 -
 config/snort/ruleset-sources.list | 11 -
 config/snort/snort.conf | 524 -------------------------
 lfs/snort | 104 ----
 make.sh | 1 -
 src/initscripts/system/snort | 146 ------
 10 files changed, 1026 deletions(-)
 delete mode 100644 config/rootfiles/common/snort
 delete mode 100644 config/snort/ruleset-sources.list
 delete mode 100644 config/snort/snort.conf
 delete mode 100644 lfs/snort
 delete mode 100644 src/initscripts/system/snort
diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index 26475e26c..eec46c3c2 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -75,7 +75,6 @@ etc/rc.d/init.d/rngd
 etc/rc.d/init.d/sendsignals
 etc/rc.d/init.d/setclock
 etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
 etc/rc.d/init.d/squid
 etc/rc.d/init.d/sshd
 etc/rc.d/init.d/static-routes
diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts
index 26475e26c..eec46c3c2 100644
--- a/config/rootfiles/common/armv5tel/initscripts
+++ b/config/rootfiles/common/armv5tel/initscripts
@@ -75,7 +75,6 @@ etc/rc.d/init.d/rngd
 etc/rc.d/init.d/sendsignals
 etc/rc.d/init.d/setclock
 etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
 etc/rc.d/init.d/squid
 etc/rc.d/init.d/sshd
 etc/rc.d/init.d/static-routes
diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts
index e4ef0cfc0..2d2f1afcf 100644
--- a/config/rootfiles/common/i586/initscripts
+++ b/config/rootfiles/common/i586/initscripts
@@ -75,7 +75,6 @@ etc/rc.d/init.d/rngd
 etc/rc.d/init.d/sendsignals
 etc/rc.d/init.d/setclock
 etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
 etc/rc.d/init.d/squid
 etc/rc.d/init.d/sshd
 etc/rc.d/init.d/static-routes
diff --git a/config/rootfiles/common/snort b/config/rootfiles/common/snort
deleted file mode 100644
index 7da84b3bd..000000000
--- a/config/rootfiles/common/snort
+++ /dev/null
@@ -1,236 +0,0 @@
-#etc/snort
-etc/snort/rules
-#etc/snort/rules/classification.config
-#etc/snort/rules/reference.config
-etc/snort/snort.conf
-etc/snort/snort.conf.template
-etc/snort/unicode.map
-usr/bin/u2boat
-usr/bin/u2spewfoo
-#usr/include/snort
-#usr/include/snort/dynamic_output
-#usr/include/snort/dynamic_output/bitop.h
-#usr/include/snort/dynamic_output/ipv6_port.h
-#usr/include/snort/dynamic_output/obfuscation.h
-#usr/include/snort/dynamic_output/output_api.h
-#usr/include/snort/dynamic_output/output_common.h
-#usr/include/snort/dynamic_output/output_lib.h
-#usr/include/snort/dynamic_output/preprocids.h
-#usr/include/snort/dynamic_output/sfPolicy.h
-#usr/include/snort/dynamic_output/sf_dynamic_common.h
-#usr/include/snort/dynamic_output/sf_ip.h
-#usr/include/snort/dynamic_output/sf_protocols.h
-#usr/include/snort/dynamic_output/sf_snort_packet.h
-#usr/include/snort/dynamic_output/sfrt.h
-#usr/include/snort/dynamic_output/sfrt_dir.h
-#usr/include/snort/dynamic_output/sfrt_trie.h
-#usr/include/snort/dynamic_output/snort_debug.h
-#usr/include/snort/dynamic_output/stream_api.h
-#usr/include/snort/dynamic_preproc
-#usr/include/snort/dynamic_preproc/appdata_adjuster.h
-#usr/include/snort/dynamic_preproc/bitop.h
-#usr/include/snort/dynamic_preproc/cpuclock.h
-#usr/include/snort/dynamic_preproc/file_api.h
-#usr/include/snort/dynamic_preproc/idle_processing.h
-#usr/include/snort/dynamic_preproc/ipv6_port.h
-#usr/include/snort/dynamic_preproc/mempool.h
-#usr/include/snort/dynamic_preproc/mpse_methods.h
-#usr/include/snort/dynamic_preproc/obfuscation.h
-#usr/include/snort/dynamic_preproc/packet_time.h
-#usr/include/snort/dynamic_preproc/perf_indicators.h
-#usr/include/snort/dynamic_preproc/preprocids.h
-#usr/include/snort/dynamic_preproc/profiler.h
-#usr/include/snort/dynamic_preproc/reg_test.h
-#usr/include/snort/dynamic_preproc/reload_api.h
-#usr/include/snort/dynamic_preproc/segment_mem.h
-#usr/include/snort/dynamic_preproc/session_api.h
-#usr/include/snort/dynamic_preproc/sfPolicy.h
-#usr/include/snort/dynamic_preproc/sfPolicyUserData.h
-#usr/include/snort/dynamic_preproc/sf_decompression.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_common.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_define.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_engine.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_meta.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_preproc_lib.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_preprocessor.h
-#usr/include/snort/dynamic_preproc/sf_ip.h
-#usr/include/snort/dynamic_preproc/sf_preproc_info.h
-#usr/include/snort/dynamic_preproc/sf_protocols.h
-#usr/include/snort/dynamic_preproc/sf_sdlist_types.h
-#usr/include/snort/dynamic_preproc/sf_seqnums.h
-#usr/include/snort/dynamic_preproc/sf_snort_packet.h
-#usr/include/snort/dynamic_preproc/sf_snort_plugin_api.h
-#usr/include/snort/dynamic_preproc/sfcommon.h
-#usr/include/snort/dynamic_preproc/sfcontrol.h
-#usr/include/snort/dynamic_preproc/sfrt.h
-#usr/include/snort/dynamic_preproc/sfrt_dir.h
-#usr/include/snort/dynamic_preproc/sfrt_flat.h
-#usr/include/snort/dynamic_preproc/sfrt_flat_dir.h
-#usr/include/snort/dynamic_preproc/sfrt_trie.h
-#usr/include/snort/dynamic_preproc/sidechannel_define.h
-#usr/include/snort/dynamic_preproc/snort_bounds.h
-#usr/include/snort/dynamic_preproc/snort_debug.h
-#usr/include/snort/dynamic_preproc/ssl.h
-#usr/include/snort/dynamic_preproc/ssl_config.h
-#usr/include/snort/dynamic_preproc/ssl_ha.h
-#usr/include/snort/dynamic_preproc/ssl_include.h
-#usr/include/snort/dynamic_preproc/ssl_inspect.h
-#usr/include/snort/dynamic_preproc/ssl_session.h
-#usr/include/snort/dynamic_preproc/str_search.h
-#usr/include/snort/dynamic_preproc/stream_api.h
-#usr/lib/pkgconfig/snort.pc
-#usr/lib/pkgconfig/snort_output.pc
-#usr/lib/pkgconfig/snort_preproc.pc
-#usr/lib/snort
-usr/lib/snort/dynamic_output
-#usr/lib/snort/dynamic_output/libsf_dynamic_output.a
-#usr/lib/snort/dynamic_output/libsf_dynamic_output.la
-usr/lib/snort/dynamic_preproc
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_preproc.a
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_preproc.la
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_utils.a
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_utils.la
-usr/lib/snort_dynamicengine
-#usr/lib/snort_dynamicengine/libsf_engine.a
-#usr/lib/snort_dynamicengine/libsf_engine.la
-#usr/lib/snort_dynamicengine/libsf_engine.so
-#usr/lib/snort_dynamicengine/libsf_engine.so.0
-#usr/lib/snort_dynamicengine/libsf_engine.so.0.0.0
-usr/lib/snort_dynamicpreprocessor
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0.0.0
-usr/sbin/snort
-#usr/share/doc/snort
-#usr/share/doc/snort/AUTHORS
-#usr/share/doc/snort/BUGS
-#usr/share/doc/snort/CREDITS
-#usr/share/doc/snort/INSTALL
-#usr/share/doc/snort/NEWS
-#usr/share/doc/snort/OpenDetectorDeveloperGuide.pdf
-#usr/share/doc/snort/PROBLEMS
-#usr/share/doc/snort/README
-#usr/share/doc/snort/README.GTP
-#usr/share/doc/snort/README.PLUGINS
-#usr/share/doc/snort/README.PerfProfiling
-#usr/share/doc/snort/README.SMTP
-#usr/share/doc/snort/README.UNSOCK
-#usr/share/doc/snort/README.WIN32
-#usr/share/doc/snort/README.active
-#usr/share/doc/snort/README.alert_order
-#usr/share/doc/snort/README.appid
-#usr/share/doc/snort/README.asn1
-#usr/share/doc/snort/README.counts
-#usr/share/doc/snort/README.csv
-#usr/share/doc/snort/README.daq
-#usr/share/doc/snort/README.dcerpc2
-#usr/share/doc/snort/README.decode
-#usr/share/doc/snort/README.decoder_preproc_rules
-#usr/share/doc/snort/README.dnp3
-#usr/share/doc/snort/README.dns
-#usr/share/doc/snort/README.event_queue
-#usr/share/doc/snort/README.file
-#usr/share/doc/snort/README.file_ips
-#usr/share/doc/snort/README.filters
-#usr/share/doc/snort/README.flowbits
-#usr/share/doc/snort/README.frag3
-#usr/share/doc/snort/README.ftptelnet
-#usr/share/doc/snort/README.gre
-#usr/share/doc/snort/README.ha
-#usr/share/doc/snort/README.http_inspect
-#usr/share/doc/snort/README.imap
-#usr/share/doc/snort/README.ipip
-#usr/share/doc/snort/README.ipv6
-#usr/share/doc/snort/README.modbus
-#usr/share/doc/snort/README.multipleconfigs
-#usr/share/doc/snort/README.normalize
-#usr/share/doc/snort/README.pcap_readmode
-#usr/share/doc/snort/README.pop
-#usr/share/doc/snort/README.ppm
-#usr/share/doc/snort/README.reload
-#usr/share/doc/snort/README.reputation
-#usr/share/doc/snort/README.sensitive_data
-#usr/share/doc/snort/README.sfportscan
-#usr/share/doc/snort/README.sip
-#usr/share/doc/snort/README.ssh
-#usr/share/doc/snort/README.ssl
-#usr/share/doc/snort/README.stream5
-#usr/share/doc/snort/README.tag
-#usr/share/doc/snort/README.thresholding
-#usr/share/doc/snort/README.u2boat
-#usr/share/doc/snort/README.unified2
-#usr/share/doc/snort/README.variables
-#usr/share/doc/snort/TODO
-#usr/share/doc/snort/USAGE
-#usr/share/doc/snort/WISHLIST
-#usr/share/doc/snort/generators
-#usr/share/man/man8/snort.8
-var/ipfire/snort/ruleset-sources.list
-var/log/snort
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index e4ef0cfc0..2d2f1afcf 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -75,7 +75,6 @@ etc/rc.d/init.d/rngd
 etc/rc.d/init.d/sendsignals
 etc/rc.d/init.d/setclock
 etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
 etc/rc.d/init.d/squid
 etc/rc.d/init.d/sshd
 etc/rc.d/init.d/static-routes
diff --git a/config/snort/ruleset-sources.list b/config/snort/ruleset-sources.list
deleted file mode 100644
index 04fc2a9f1..000000000
--- a/config/snort/ruleset-sources.list
+++ /dev/null
@@ -1,11 +0,0 @@
-# Ruleset for registered sourcefire users.
-registered = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode=
-
-# Ruleset for registered sourcefire users with valid subscription.
-subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-29110.tar.gz?oinkcode=
-
-# Community rules from sourcefire.
-community = https://www.snort.org/downloads/community/community-rules.tar.gz
-
-# Emerging threads community rules.
-emerging = http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
diff --git a/config/snort/snort.conf b/config/snort/snort.conf
deleted file mode 100644
index 950ae3e55..000000000
--- a/config/snort/snort.conf
+++ /dev/null
@@ -1,524 +0,0 @@
-###################################################
-# IPFire snort.conf
-#
-# some parts of this file are changed/updated by the webif
-###################################################
-# VERSIONS : 2.9.5.0
-
-include /etc/snort/vars
-
-###################################################
-# Step #1: Set the network variables. For more information, see README.variables
-###################################################
-
-# taken from /etc/snort vars
-#ipvar HOME_NET any
-
-# Set up the external network addresses. Leave as "any" in most situations
-ipvar EXTERNAL_NET any
-
-# List of DNS servers on your network
-#ipvar DNS_SERVERS $HOME_NET
-
-# List of SMTP servers on your network
-ipvar SMTP_SERVERS $HOME_NET
-
-# List of web servers on your network
-ipvar HTTP_SERVERS $HOME_NET
-
-# List of sql servers on your network
-ipvar SQL_SERVERS $HOME_NET
-
-# List of telnet servers on your network
-ipvar TELNET_SERVERS $HOME_NET
-
-# List of ssh servers on your network
-ipvar SSH_SERVERS $HOME_NET
-
-# List of ftp servers on your network
-ipvar FTP_SERVERS $HOME_NET
-
-# List of sip servers on your network
-ipvar SIP_SERVERS $HOME_NET
-
-# List of ports you run web servers on
-portvar HTTP_PORTS [80,81,82,83,84,85,86,87,88,89,311,383,444,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
-
-# List of ports you want to look for SHELLCODE on.
-portvar SHELLCODE_PORTS !80
-
-# List of ports you might see oracle attacks on
-portvar ORACLE_PORTS 1024:
-
-# List of ports you want to look for SSH connections on:
-portvar SSH_PORTS [22,222]
-
-# List of ports you run ftp servers on
-portvar FTP_PORTS [21,2100,3535]
-
-# List of ports you run SIP servers on
-portvar SIP_PORTS [5060,5061,5600]
-
-# List of file data ports for file inspection
-portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
-
-# List of GTP ports for GTP preprocessor
-portvar GTP_PORTS [2123,2152,3386]
-
-# other variables, these should not be modified
-ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
-
-# Path to your rules files (this can be a relative path)
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\rules
-var RULE_PATH /etc/snort/rules
-var SO_RULE_PATH /etc/snort/so_rules
-var PREPROC_RULE_PATH /etc/snort/preproc_rules
-
-# If you are using reputation preprocessor set these
-# Currently there is a bug with relative paths, they are relative to where snort is
-# not relative to snort.conf like the above variables
-# This is completely inconsistent with how other vars work, BUG 89986
-# Set the absolute path appropriately
-var WHITE_LIST_PATH /etc/snort/rules
-var BLACK_LIST_PATH /etc/snort/rules
-
-
-###################################################
-# Step #2: Configure the decoder.
For more information, see README.decode
-###################################################
-
-# Stop generic decode events:
-config disable_decode_alerts
-
-# Stop Alerts on experimental TCP options
-config disable_tcpopt_experimental_alerts
-
-# Stop Alerts on obsolete TCP options
-config disable_tcpopt_obsolete_alerts
-
-# Stop Alerts on T/TCP alerts
-# config disable_tcpopt_ttcp_alerts
-
-# Stop Alerts on all other TCPOption type events:
-config disable_tcpopt_alerts
-
-# Stop Alerts on invalid ip options
-# config disable_ipopt_alerts
-
-# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
-# config enable_decode_oversized_alerts
-
-# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
-# config enable_decode_oversized_drops
-
-# Configure IP / TCP checksum mode
-config checksum_mode: all
-
-# Configure maximum number of flowbit references. For more information, see README.flowbits
-# config flowbits_size: 64
-
-# Configure ports to ignore
-# config ignore_ports: tcp 21 6667:6671 1356
-# config ignore_ports: udp 1:17 53
-
-# Configure active response for non inline operation. For more information, see REAMDE.active
-# config response: eth0 attempts 2
-
-# Configure DAQ related options for inline operation. For more information, see README.daq
-#
-# config daq:
-# config daq_dir:
-# config daq_mode:
-# config daq_var:
-#
-# ::= pcap | afpacket | dump | nfq | ipq | ipfw
-# ::= read-file | passive | inline
-# ::= arbitrary = ::= path as to where to look for DAQ module so's
-
-# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
-#
-# config set_gid:
-# config set_uid:
-
-# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
-#
-# config snaplen:
-#
-
-# Configure default bpf_file to use for filtering what traffic reaches snort.
For more information see snort -h command line options (-F)
-#
-# config bpf_file:
-#
-
-# Configure default log directory for snort to log to. For more information see snort -h command line options (-l)
-#
-# config logdir:
-
-
-###################################################
-# Step #3: Configure the base detection engine. For more information, see README.decode
-###################################################
-
-# Configure PCRE match limitations
-config pcre_match_limit: 3500
-config pcre_match_limit_recursion: 1500
-
-# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config
-config detection: search-method ac-split search-optimize max-pattern-len 20
-
-# Configure the event queue. For more information, see README.event_queue
-config event_queue: max_queue 8 log 5 order_events content_length
-
-###################################################
-## Configure GTP if it is to be used.
-## For more information, see README.GTP
-####################################################
-
-# config enable_gtp
-
-###################################################
-# Per packet and rule latency enforcement
-# For more information see README.ppm
-###################################################
-
-# Per Packet latency configuration
-#config ppm: max-pkt-time 250, \
-# fastpath-expensive-packets, \
-# pkt-log
-
-# Per Rule latency configuration
-#config ppm: max-rule-time 200, \
-# threshold 3, \
-# suspend-expensive-rules, \
-# suspend-timeout 20, \
-# rule-log alert
-
-###################################################
-# Configure Perf Profiling for debugging
-# For more information see README.PerfProfiling
-###################################################
-
-#config profile_rules: print all, sort avg_ticks
-#config profile_preprocs: print all, sort avg_ticks
-
-###################################################
-# Configure protocol aware flushing
-# For more information see README.stream5
-###################################################
-config paf_max: 16000
-
-###################################################
-# Step #4: Configure dynamic loaded libraries.
-# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
-###################################################
-
-# path to dynamic preprocessor libraries
-dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
-
-# path to base preprocessor engine
-dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
-
-# path to dynamic rules libraries
-# dynamicdetection directory /usr/local/lib/snort_dynamicrules
-
-
-###################################################
-# Step #5: Configure preprocessors
-# For more information, see the Snort Manual, Configuring Snort - Preprocessors
-###################################################
-
-# GTP Control Channle Preprocessor. For more information, see README.GTP
-# preprocessor gtp: ports { 2123 3386 2152 }
-
-# Inline packet normalization. For more information, see README.normalize
-# Does nothing in IDS mode
-preprocessor normalize_ip4
-preprocessor normalize_tcp: ips ecn stream
-preprocessor normalize_icmp4
-preprocessor normalize_ip6
-preprocessor normalize_icmp6
-
-# Target-based IP defragmentation. For more inforation, see README.frag3
-preprocessor frag3_global: max_frags 65536
-preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
-
-# Target-Based stateful inspection/stream reassembly.
For more inforation, see README.stream5
-preprocessor stream5_global: track_tcp yes, \
- track_udp yes, \
- track_icmp no, \
- max_tcp 262144, \
- max_udp 131072, \
- max_active_responses 2, \
- min_response_seconds 5
-preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
- overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
- ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
- 161 222 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
- 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
- ports both 80 81 82 83 84 85 86 87 88 89 110 311 383 443 444 465 563 591 593 631 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
- 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
- 7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
-preprocessor stream5_udp: timeout 180
-
-# performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
-# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
-
-# HTTP normalization and anomaly detection.
For more information, see README.http_inspect
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
-preprocessor http_inspect_server: server default \
- http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
- chunk_length 500000 \
- server_flow_depth 0 \
- client_flow_depth 0 \
- post_depth 65495 \
- oversize_dir_length 500 \
- max_header_length 750 \
- max_headers 100 \
- max_spaces 200 \
- small_chunk_length { 10 5 } \
- ports { 80 81 82 83 84 85 86 87 88 89 311 383 444 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
- non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
- enable_cookie \
- extended_response_inspection \
- inspect_gzip \
- normalize_utf \
- unlimited_decompress \
- normalize_javascript \
- apache_whitespace no \
- ascii no \
- bare_byte no \
- directory no \
- double_decode no \
- iis_backslash no \
- iis_delimiter no \
- iis_unicode no \
- multi_slash no \
- utf_8 no \
- u_encode yes \
- webroot no
-
-# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
-preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
-
-# Back Orifice detection.
-preprocessor bo
-
-# FTP / Telnet normalization and anomaly detection.
For more information, see README.ftptelnet
-preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
-preprocessor ftp_telnet_protocol: telnet \
- ayt_attack_thresh 20 \
- normalize ports { 23 } \
- detect_anomalies
-preprocessor ftp_telnet_protocol: ftp server default \
- def_max_param_len 100 \
- ports { 21 2100 3535 } \
- telnet_cmds yes \
- ignore_telnet_erase_cmds yes \
- ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
- ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
- ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
- ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
- ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
- ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
- ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
- ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
- ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
- ftp_cmds { XSEN XSHA1 XSHA256 } \
- alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
- alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
- alt_max_param_len 256 { CWD RNTO } \
- alt_max_param_len 400 { PORT } \
- alt_max_param_len 512 { SIZE } \
- chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
- chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
- chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
- chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
- chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
- chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
- chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
- chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
- cmd_validity ALLO < int [ char R int ] > \
- cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
- cmd_validity MACB < string > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity PORT < host_port > \
- cmd_validity
PROT < char CSEP > \
- cmd_validity STRU < char FRPO [ string ] > \
- cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- ignore_telnet_erase_cmds yes \
- telnet_cmds yes
-
-
-# SMTP normalization and anomaly detection. For more information, see README.SMTP
-preprocessor smtp: ports { 25 465 587 691 } \
- inspection_type stateful \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0 \
- log_mailfrom \
- log_rcptto \
- log_filename \
- log_email_hdrs \
- normalize cmds \
- normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
- normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
- normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
- normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- max_command_line_len 512 \
- max_header_line_len 1000 \
- max_response_line_len 512 \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
- alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
- alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
- valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
- valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
- valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- xlink2state { enabled }
-
-# Portscan detection.
For more information, see README.sfportscan
-preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium }
-
-# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
-# preprocessor arpspoof
-# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-# SSH anomaly detection. For more information, see README.ssh
-preprocessor ssh: server_ports { 22 222 } \
- autodetect \
- max_client_bytes 19600 \
- max_encrypted_packets 20 \
- max_server_version_len 100 \
- enable_respoverflow enable_ssh1crc32 \
- enable_srvoverflow enable_protomismatch
-
-# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
-preprocessor dcerpc2: memcap 102400, events [co ]
-preprocessor dcerpc2_server: default, policy WinXP, \
- detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
- autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
- smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
-
-# DNS anomaly detection. For more information, see README.dns
-preprocessor dns: ports { 53 } enable_rdata_overflow
-
-# SSL anomaly detection and traffic bypass. For more information, see README.ssl
-preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
-
-# SDF sensitive data preprocessor. For more information see README.sensitive_data
-preprocessor sensitive_data: alert_threshold 25
-
-# SIP Session Initiation Protocol preprocessor.
For more information see README.sip
-preprocessor sip: max_sessions 40000, \
- ports { 5060 5061 5600 }, \
- methods { invite \
- cancel \
- ack \
- bye \
- register \
- options \
- refer \
- subscribe \
- update \
- join \
- info \
- message \
- notify \
- benotify \
- do \
- qauth \
- sprack \
- publish \
- service \
- unsubscribe \
- prack }, \
- max_uri_len 512, \
- max_call_id_len 80, \
- max_requestName_len 20, \
- max_from_len 256, \
- max_to_len 256, \
- max_via_len 1024, \
- max_contact_len 512, \
- max_content_len 2048
-
-# IMAP preprocessor. For more information see README.imap
-preprocessor imap: \
- ports { 143 } \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
-
-# POP preprocessor. For more information see README.pop
-preprocessor pop: \
- ports { 110 } \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
-
-# Modbus preprocessor. For more information see README.modbus
-preprocessor modbus: ports { 502 }
-
-# DNP3 preprocessor. For more information see README.dnp3
-preprocessor dnp3: ports { 20000 } \
- memcap 262144 \
- check_crc
-
-# Reputation preprocessor.
For more information see README.reputation
-#preprocessor reputation: \
-# memcap 500, \
-# priority whitelist, \
-# nested_ip inner, \
-# whitelist $WHITE_LIST_PATH/white_list.rules, \
-# blacklist $BLACK_LIST_PATH/black_list.rules
-
-
-###################################################
-# Step #6: Configure output plugins
-# For more information, see Snort Manual, Configuring Snort - Output Modules
-###################################################
-
-# unified2
-# Recommended for most installs
-# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
-
-# Additional configuration for specific types of installs
-# output alert_unified2: filename snort.alert, limit 128, nostamp
-# output log_unified2: filename snort.log, limit 128, nostamp
-
-# syslog
-# output alert_syslog: LOG_AUTH LOG_ALERT
-
-# pcap
-# output log_tcpdump: tcpdump.log
-
-# database
-# output database: alert, , user= password= test dbname= host=
-# output database: log, , user= password= test dbname= host=
-
-# prelude
-# output alert_prelude
-
-# metadata reference data. do not modify these lines
-include /etc/snort/rules/classification.config
-include /etc/snort/rules/reference.config
-
-
-###################################################
-# Step #7: Customize your rule set
-# For more information, see Snort Manual, Writing Snort Rules
-###################################################
-
-#
-# site specific rules
-#
diff --git a/lfs/snort b/lfs/snort
deleted file mode 100644
index 83eba6c2e..000000000
--- a/lfs/snort
+++ /dev/null
@@ -1,104 +0,0 @@ -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2017 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -############################################################################### -# Definitions -############################################################################### - -include Config - -VER = 2.9.11.1 - -THISAPP = snort-$(VER) -DL_FILE = $(THISAPP).tar.gz -DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/$(THISAPP) -TARGET = $(DIR_INFO)/$(THISAPP) - -############################################################################### -# Top-level Rules -############################################################################### - -objects = $(DL_FILE) - -$(DL_FILE) = $(DL_FROM)/$(DL_FILE) - -$(DL_FILE)_MD5 = 378e3938b2b5c8e358f942d0ffce18cc - -install : $(TARGET) - -check : $(patsubst %,$(DIR_CHK)/%,$(objects)) - -download :$(patsubst %,$(DIR_DL)/%,$(objects)) - -md5 : $(subst %,%_MD5,$(objects)) - -############################################################################### -# Downloading, checking, md5sum -############################################################################### - -$(patsubst %,$(DIR_CHK)/%,$(objects)) : - @$(CHECK) - -$(patsubst 
%,$(DIR_DL)/%,$(objects)) : - @$(LOAD) - -$(subst %,%_MD5,$(objects)) : - @$(MD5) - -############################################################################### -# Installation Details -############################################################################### - -$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) - @$(PREBUILD) - @rm -rf $(DIR_APP) $(DIR_SRC)/snort* && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --sysconfdir=/etc/snort \ - --target=i586 \ - --enable-linux-smp-stats \ - --enable-gre --enable-mpls \ - --enable-targetbased \ - --enable-ppm \ - --enable-non-ether-decoders \ - --enable-perfprofiling \ - --enable-active-response \ - --enable-normalizer \ - --enable-reload \ - --enable-react \ - --enable-flexresp3 - - cd $(DIR_APP) && make - cd $(DIR_APP) && make install - mv /usr/bin/snort /usr/sbin/ - -mkdir -p /etc/snort/rules - - cd $(DIR_APP) && install -m 0644 \ - etc/reference.config etc/classification.config /etc/snort/rules - cd $(DIR_APP) && install -m 0644 etc/unicode.map /etc/snort - install -m 0644 $(DIR_SRC)/config/snort/snort.conf /etc/snort - cp /etc/snort/snort.conf /etc/snort/snort.conf.template - chown -R nobody:nobody /etc/snort - -mkdir -p /var/log/snort - chown -R snort:snort /var/log/snort - install -m 0644 $(DIR_SRC)/config/snort/ruleset-sources.list /var/ipfire/snort - @rm -rf $(DIR_APP) $(DIR_SRC)/snort* - @$(POSTBUILD) diff --git a/make.sh b/make.sh index 844581677..c8970a0bd 100755 --- a/make.sh +++ b/make.sh @@ -1289,7 +1289,6 @@ buildipfire() { lfsmake2 setup lfsmake2 libdnet lfsmake2 daq - lfsmake2 snort lfsmake2 yaml lfsmake2 libhtp lfsmake2 suricata diff --git a/src/initscripts/system/snort b/src/initscripts/system/snort deleted file mode 100644 index 5c4304247..000000000 --- a/src/initscripts/system/snort +++ /dev/null 
@@ -1,146 +0,0 @@ -#!/bin/sh -######################################################################## -# Begin $rc_base/init.d/snort -# -# Description : Snort Initscript -# -# Authors : Michael Tremer for ipfire.org - mitch@ipfire.org -# -# Version : 01.00 -# -# Notes : -# -######################################################################## - -. /etc/sysconfig/rc -. ${rc_functions} - -PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH - -eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -eval $(/usr/local/bin/readhash /var/ipfire/snort/settings) - -ALIASFILE="/var/ipfire/ethernet/aliases" - -case "$1" in - start) - if [ "$BLUE_NETADDRESS" ]; then - BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK," - BLUE_IP="$BLUE_ADDRESS," - fi - - if [ "$ORANGE_NETADDRESS" ]; then - ORANGE_NET="$ORANGE_NETADDRESS/$ORANGE_NETMASK," - ORANGE_IP="$ORANGE_ADDRESS," - fi - - if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then - DEVICES+="$ORANGE_DEV " - HOMENET+="$ORANGE_IP" - else - HOMENET+="$ORANGE_NET" - fi - - if [ "$ENABLE_SNORT_BLUE" == "on" ]; then - DEVICES+="$BLUE_DEV " - HOMENET+="$BLUE_IP" - else - HOMENET+="$BLUE_NET" - fi - - if [ "$ENABLE_SNORT_GREEN" == "on" ]; then - DEVICES+="$GREEN_DEV " - HOMENET+="$GREEN_ADDRESS," - else - HOMENET+="$GREEN_NETADDRESS/$GREEN_NETMASK," - fi - - if [ "$ENABLE_SNORT" == "on" ]; then - DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` - LOCAL_IP=`cat /var/ipfire/red/local-ipaddress 2>/dev/null` - if [ "$LOCAL_IP" ]; then - HOMENET+="$LOCAL_IP," - fi - - # Check if the red device is set to static and - # any aliases have been configured. - if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then - # Read in aliases file. - while IFS="," read -r address mode remark; do - # Check if the alias is enabled. - [ "${mode}" = "on" ] || continue - - # Add alias to the list of HOMENET addresses. 
- HOMENET+="${address}," - done < "${ALIASFILE}" - fi - fi - HOMENET+="127.0.0.1" - echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars - - DNS1=`cat /var/ipfire/red/dns1 2>/dev/null` - DNS2=`cat /var/ipfire/red/dns2 2>/dev/null` - - if [ "$DNS2" ]; then - echo "ipvar DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars - else - echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars - fi - - for DEVICE in $DEVICES; do - boot_mesg "Starting Intrusion Detection System on $DEVICE..." - /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run - evaluate_retval - sleep 1 - chmod 644 /var/run/snort_$DEVICE.pid - done - ;; - - stop) - DEVICES="" - if [ -r /var/run/snort_$BLUE_DEV.pid ]; then - DEVICES+="$BLUE_DEV " - fi - - if [ -r /var/run/snort_$GREEN_DEV.pid ]; then - DEVICES+="$GREEN_DEV " - fi - - if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then - DEVICES+="$ORANGE_DEV " - fi - - RED=`cat /var/ipfire/red/iface 2>/dev/null` - if [ -r /var/run/snort_$RED.pid ]; then - DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` - fi - - for DEVICE in $DEVICES; do - boot_mesg "Stopping Intrusion Detection System on $DEVICE..." - killproc -p /var/run/snort_$DEVICE.pid /var/run - done - - rm /var/run/snort_* >/dev/null 2>/dev/null - - # Don't report returncode of rm if snort was not started - exit 0 - ;; - - status) - statusproc /usr/sbin/snort - ;; - - restart) - $0 stop - $0 start - ;; - - *) - echo "Usage: $0 {start|stop|restart|status}" - exit 1 - ;; -esac - -chmod 644 /var/log/snort/* 2>/dev/null - -# End $rc_base/init.d/snort From d33874f4969f48d5dd880b212900220ba932d8f0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 3 Aug 2018 10:20:18 +0200 Subject: [PATCH 069/259] daq: Drop package 
Signed-off-by: Stefan Schantl --- config/rootfiles/common/daq | 33 ---------------- lfs/daq | 77 ------------------------------------- make.sh | 1 - 3 files changed, 111 deletions(-) delete mode 100644 config/rootfiles/common/daq delete mode 100644 lfs/daq diff --git a/config/rootfiles/common/daq b/config/rootfiles/common/daq deleted file mode 100644 index 6c156e3d9..000000000 --- a/config/rootfiles/common/daq +++ /dev/null @@ -1,33 +0,0 @@ -#usr/bin/daq-modules-config -#usr/include/daq.h -#usr/include/daq_api.h -#usr/include/daq_common.h -#usr/include/sfbpf.h -#usr/include/sfbpf_dlt.h -usr/lib/daq -#usr/lib/daq/daq_afpacket.la -#usr/lib/daq/daq_afpacket.so -#usr/lib/daq/daq_dump.la -#usr/lib/daq/daq_dump.so -#usr/lib/daq/daq_ipfw.la -#usr/lib/daq/daq_ipfw.so -#usr/lib/daq/daq_ipq.la -#usr/lib/daq/daq_ipq.so -#usr/lib/daq/daq_nfq.la -#usr/lib/daq/daq_nfq.so -#usr/lib/daq/daq_pcap.la -#usr/lib/daq/daq_pcap.so -#usr/lib/libdaq.a -#usr/lib/libdaq.la -#usr/lib/libdaq.so -usr/lib/libdaq.so.2 -usr/lib/libdaq.so.2.0.4 -#usr/lib/libdaq_static.a -#usr/lib/libdaq_static.la -#usr/lib/libdaq_static_modules.a -#usr/lib/libdaq_static_modules.la -#usr/lib/libsfbpf.a -#usr/lib/libsfbpf.la -#usr/lib/libsfbpf.so -usr/lib/libsfbpf.so.0 -usr/lib/libsfbpf.so.0.0.1 diff --git a/lfs/daq b/lfs/daq deleted file mode 100644 index 35f8241aa..000000000 --- a/lfs/daq +++ /dev/null 
@@ -1,77 +0,0 @@ -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2015 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -############################################################################### -# Definitions -############################################################################### - -include Config - -VER = 2.0.6 - -THISAPP = daq-$(VER) -DL_FILE = $(THISAPP).tar.gz -DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/$(THISAPP) -TARGET = $(DIR_INFO)/$(THISAPP) - -############################################################################### -# Top-level Rules -############################################################################### - -objects = $(DL_FILE) - -$(DL_FILE) = $(DL_FROM)/$(DL_FILE) - -$(DL_FILE)_MD5 = 2cd6da422a72c129c685fc4bb848c24c - -install : $(TARGET) - -check : $(patsubst %,$(DIR_CHK)/%,$(objects)) - -download :$(patsubst %,$(DIR_DL)/%,$(objects)) - -md5 : $(subst %,%_MD5,$(objects)) - -############################################################################### -# Downloading, checking, md5sum -############################################################################### - -$(patsubst %,$(DIR_CHK)/%,$(objects)) : - @$(CHECK) - -$(patsubst 
%,$(DIR_DL)/%,$(objects)) : - @$(LOAD) - -$(subst %,%_MD5,$(objects)) : - @$(MD5) - -############################################################################### -# Installation Details -############################################################################### - -$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) - @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr - cd $(DIR_APP) && make - cd $(DIR_APP) && make install - @rm -rf $(DIR_APP) - @$(POSTBUILD) diff --git a/make.sh b/make.sh index c8970a0bd..d75c7b4f5 100755 --- a/make.sh +++ b/make.sh @@ -1288,7 +1288,6 @@ buildipfire() { lfsmake2 setserial lfsmake2 setup lfsmake2 libdnet - lfsmake2 daq lfsmake2 yaml lfsmake2 libhtp lfsmake2 suricata From 06b569a4429eb5641343fdf4c3472825dc327f09 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 3 Aug 2018 13:48:46 +0200 Subject: [PATCH 070/259] oinkmaster: Install config file to /var/ipfire/suricata Signed-off-by: Stefan Schantl --- config/rootfiles/common/oinkmaster | 2 +- lfs/oinkmaster | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/oinkmaster b/config/rootfiles/common/oinkmaster index be14b54d6..2557353fa 100644 --- a/config/rootfiles/common/oinkmaster +++ b/config/rootfiles/common/oinkmaster @@ -1,2 +1,2 @@ usr/local/bin/oinkmaster.pl -var/ipfire/snort/oinkmaster.conf +var/ipfire/suricata/oinkmaster.conf diff --git a/lfs/oinkmaster b/lfs/oinkmaster index 6cc075fa4..2dc67b9a7 100644 --- a/lfs/oinkmaster +++ b/lfs/oinkmaster 
@@ -71,8 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-2.0-add_community_rules.patch cd $(DIR_APP) && chown nobody:nobody oinkmaster.pl - cd $(DIR_APP) && cp -f oinkmaster.conf /var/ipfire/snort/ - cd /var/ipfire/snort && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-tmp.patch + cd $(DIR_APP) && cp -f oinkmaster.conf /var/ipfire/suricata/ + cd /var/ipfire/suricata && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-tmp.patch cd $(DIR_APP) && install -m 0755 oinkmaster.pl /usr/local/bin/ @rm -rf $(DIR_APP) @$(POSTBUILD) From ab114c276b0d719b9a9c43dea05870e4ceedbdbc Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 3 Aug 2018 13:51:59 +0200 Subject: [PATCH 071/259] ids.cgi: Call suricatactrl for restarting the IDS Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index b42ede2ae..4d7552d26 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -314,8 +314,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Store settings into settings file. &General::writehash("$IDS::settingsdir/settings", \%cgiparams); - # Call snortctrl to restart snort - system('/usr/local/bin/snortctrl restart >/dev/null'); + # Call suricatactrl to restart the IDS + system('/usr/local/bin/suricatactrl restart >/dev/null'); } } From 1cae702c22ed31784393980968634626af8fe653 Mon Sep 17 00:00:00 2001 
From: Stefan Schantl Date: Sat, 4 Aug 2018 16:48:27 +0200 Subject: [PATCH 072/259] ids-functions.pl: Add function to get the available network zones The get_available_network_zones() function uses the /var/ipfire/ethernet/settings file and translates the configured mode into an array, which contains the names of the configured network zones. The array will be returned and easily can be used to loop over this list of available network zones and perform any kind of actions in other scripts. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 36 +++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 9c469413d..acf097bb8 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -254,4 +254,40 @@ sub _store_error_message ($) { close (ERRORFILE); } +# +## Function to get a list of all available network zones. +# +sub get_available_network_zones () { + # Get netsettings. + my %netsettings = (); + &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); + + # Obtain the configuration type from the netsettings hash. + my $config_type = $netsettings{'CONFIG_TYPE'}; + + # Hash which contains the conversation from the config mode + # to the existing network interface names. They are stored like + # an array. + # + # Mode "0" red is a modem and green + # Mode "1" red is a netdev and green + # Mode "2" red, green and orange + # Mode "3" red, green and blue + # Mode "4" red, green, blue, orange + my %config_type_to_interfaces = ( + "0" => [ "red", "green" ], + "1" => [ "red", "green" ], + "2" => [ "red", "green", "orange" ], + "3" => [ "red", "green", "blue" ], + "4" => [ "red", "green", "blue", "orange" ] + ); + + # Obtain and dereference the corresponding network interaces based on the read + # network config type. + my @network_zones = @{ $config_type_to_interfaces{$config_type} }; + + # Return them. + return @network_zones; +} + 1; From 1286e0d41e75dd691a54ac130ae6d70bfc284e14 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 5 Aug 2018 12:57:44 +0200 Subject: [PATCH 073/259] ids.cgi: Rework section to configure the IDS Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 90 +++++++++++++++++++++++------------------- langs/de/cgi-bin/de.pl | 4 ++ langs/en/cgi-bin/en.pl | 4 ++ 3 files changed, 58 insertions(+), 40 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 4d7552d26..0dce9e994 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -32,9 +32,8 @@ require "${General::swroot}/ids-functions.pl"; my %color = (); my %mainsettings = (); -my %netsettings = (); my %idsrules = (); -my %snortsettings=(); +my %idssettings=(); my %rulesetsources = (); my %cgiparams=(); my %checked=(); 
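Review bot: `@{ $config_type_to_interfaces{$config_type} }` at the end of the new function dereferences undef when `CONFIG_TYPE` is absent from ethernet/settings or holds a value outside 0–4, which under `use strict` dies with "Can't use an undefined value as an ARRAY reference" inside the CGI that calls it. A guard before the dereference, `return () unless defined $config_type && exists $config_type_to_interfaces{$config_type};`, turns that into an empty zone list, which the `foreach` callers added later on this page already handle. Whether ids-functions.pl enables strict is not visible in this hunk, but an empty list is the safer failure mode either way.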
@@ -44,22 +43,15 @@ my %selected=(); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); -# Get netsettings. -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); +# Get the available network zones, based on the config type of the system and store +# the list of zones in an array. +my @network_zones = &IDS::get_available_network_zones(); my $idsusedrulefilesfile = "$IDS::settingsdir/suricata-used-rulefiles.yaml"; my $errormessage; &Header::showhttpheaders(); -# Default settings for snort. -$snortsettings{'ENABLE_SNORT'} = 'off'; -$snortsettings{'ENABLE_SNORT_GREEN'} = 'off'; -$snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; -$snortsettings{'ENABLE_SNORT_ORANGE'} = 'off'; -$snortsettings{'RULES'} = ''; -$snortsettings{'OINKCODE'} = ''; - #Get GUI values &Header::getcgihash(\%cgiparams); 
@@ -319,27 +311,18 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } -# Read-in snortsettings -&General::readhash("$IDS::settingsdir/settings", \%snortsettings); +# Read-in idssettings +&General::readhash("$IDS::settingsdir/settings", \%idssettings); -$checked{'ENABLE_SNORT'}{'off'} = ''; -$checked{'ENABLE_SNORT'}{'on'} = ''; -$checked{'ENABLE_SNORT'}{$snortsettings{'ENABLE_SNORT'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_GREEN'}{'off'} = ''; -$checked{'ENABLE_SNORT_GREEN'}{'on'} = ''; -$checked{'ENABLE_SNORT_GREEN'}{$snortsettings{'ENABLE_SNORT_GREEN'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_BLUE'}{'off'} = ''; -$checked{'ENABLE_SNORT_BLUE'}{'on'} = ''; -$checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_ORANGE'}{'off'} = ''; -$checked{'ENABLE_SNORT_ORANGE'}{'on'} = ''; -$checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'"; +$checked{'ENABLE_IDS'}{'off'} = ''; +$checked{'ENABLE_IDS'}{'on'} = ''; +$checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'emerging'} = ''; $selected{'RULES'}{'registered'} = ''; $selected{'RULES'}{'subscripted'} = ''; -$selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'"; +$selected{'RULES'}{$idssettings{'RULES'}} = "selected='selected'"; &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); @@ -382,33 +365,60 @@ print < + + + + + + + + END ; -# Check if a blue device is configured. -if ($netsettings{'BLUE_DEV'}) { - print "BLUE Snort\n"; -} +# Loop through the array of available networks and print config options. +foreach my $zone (@network_zones) { + my $checked_input; + my $checked_forward; -print "\n"; + # Convert current zone name to upper case. + my $zone_upper = uc($zone); -print "\n"; + print "\n"; + + print "\n"; + print "\n"; } print < 
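Review bot: With the `$snortsettings{...} = 'off'` default block removed in the preceding hunk and nothing put in its place, `$checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}}` and `$selected{'RULES'}{$idssettings{'RULES'}}` index on undef on a fresh install whose settings file has no such keys, giving uninitialized-value warnings and a form with neither state selected. Initialising before the lookups, `$idssettings{'ENABLE_IDS'} = 'off' unless defined $idssettings{'ENABLE_IDS'};` and likewise `$idssettings{'RULES'} = 'nothing' unless defined $idssettings{'RULES'};`, restores the explicit defaults the old code had.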
@@ -438,7 +448,7 @@ print < - + diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6e3dba4db..53d3141c2 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1323,6 +1323,10 @@ 'idle' => 'Leerlauf', 'idle timeout' => 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):', 'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.', +'ids activate' => 'Aktiviere', +'ids analyze incomming traffic' => 'Analysiere eingehende (INPUT) Packete', +'ids analyze routing traffic' => 'Analysiere zu routende (FORWARD) Packete', +'ids active on' => 'Aktiv auf', 'ids log viewer' => 'Ansicht IDS-Protokoll', 'ids logs' => 'IDS-Protokolldateien', 'ids preprocessor' => 'IDS-Präprozessor', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 3ec5af57e..e6fd9b18b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1353,6 +1353,10 @@ 'idle' => 'Idle', 'idle timeout' => 'Idle timeout (mins; 0 to disable):', 'idle timeout not set' => 'Idle timeout not set.', +'ids activate' => 'Activate', +'ids analyze incomming traffic' => 'Analyze incomming (INPUT) traffic', +'ids analyze routing traffic' => 'Analyze to-route (FORWARD) traffic', +'ids active on' => 'Active on', 'ids log viewer' => 'IDS log viewer', 'ids logs' => 'IDS Logs', 'ids preprocessor' => 'IDS preprocessor', From 796eea2154ae581aeae68be92bd04f105d0a939b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 5 Aug 2018 14:23:45 +0200 Subject: [PATCH 074/259] ids-functions.pl: Add function to check if the IDS is running Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index acf097bb8..ebbf61585 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -41,6 +41,9 @@ our $rulespath = "/etc/suricata/rules"; # (Sourcefire, Emergingthreads, etc..) our $rulesetsourcesfile = "$settingsdir/ruleset-sources"; +# The pidfile of the IDS. +our $idspidfile = "/var/run/suricata.pid"; + # ## Function for checking if at least 300MB of free disk space are available ## on the "/var" partition. @@ -290,4 +293,32 @@ sub get_available_network_zones () { return @network_zones; } +# +## Function to check if the IDS is running. +# +sub ids_is_running () { + if(-f $idspidfile) { + # Open PID file for reading. + open(PIDFILE, "$idspidfile") or die "Could not open $idspidfile. $!\n"; + + # Grab the process-id. + my $pid = ; + + # Close filehandle. + close(PIDFILE); + + # Remove any newline. + chomp($pid); + + # Check if a directory for the process-id exists in proc. + if(-d "/proc/$pid") { + # The IDS daemon is running return the process id. + return $pid; + } + } + + # Return nothing - IDS is not running. + return; +} + 1; From 8766096429b7d19a78d632e96a84b32f058f8e80 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 5 Aug 2018 14:24:20 +0200 Subject: [PATCH 075/259] ids.cgi: Display if the IDS is running Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 85 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 0dce9e994..0a814f1a1 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -347,8 +347,63 @@ if ($errormessage) { &Header::closebox(); } +# Draw current state of the IDS &Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'}); +# Check if the IDS is running and obtain the process-id. +my $pid = &IDS::ids_is_running(); + +# Display some useful information, if suricata daemon is running. +if ($pid) { + # Gather used memory. + my $memory = &get_memory_usage($pid); + + print < + + + + + + + + + + + + + + + + + + + + +
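Review bot: `-d "/proc/$pid"` in `ids_is_running` trusts whatever the pidfile contains, so a stale /var/run/suricata.pid whose PID has been recycled by an unrelated process reports the IDS as running, and an empty pidfile makes the test `-d "/proc/"`, which always exists. Validate the value and confirm the process identity before returning it, e.g. `return unless defined $pid && $pid =~ /^\d+$/;` followed by a check that `/proc/$pid/comm` reads `suricata`. The `die` on an unreadable pidfile also aborts the calling CGI mid-page; for a status probe, returning undef (not running) is the more useful failure. The readline in `my $pid = ;` appears to have lost its `<PIDFILE>` in rendering, presumably an extraction artifact rather than the patch itself.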
\n"; print "\n"; print "$snortrules{$rulefile}{$sid}{'Description'}$idsrules{$rulefile}{$sid}{'Description'}
- RED Snort + $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'} - GREEN Snort +   +


+
+ $Lang::tr{'ids analyze incomming traffic'} + $Lang::tr{'ids analyze routing traffic'} +
\n"; + # Grab checkbox status from settings hash. + if ($idssettings{"ENABLE_IDS_INPUT_$zone_upper"} eq "on") { + $checked_input = "checked = 'checked'"; + } -# Check if an orange device is configured. -if ($netsettings{'ORANGE_DEV'}) { - print "ORANGE Snort\n"; + # Do the same for the forward setting. + if ($idssettings{"ENABLE_IDS_FORWARD_$zone_upper"} eq "on") { + $checked_forward = "checked = 'checked'"; + } + + print "
\n"; + print "$Lang::tr{'ids active on'} $Lang::tr{$zone}\n"; + print "\n"; + print "$Lang::tr{'ids active on'} $Lang::tr{$zone}\n"; + print "
Oinkcode: Oinkcode: 
$Lang::tr{'intrusion detection'}
$Lang::tr{'guardian daemon'}$Lang::tr{'running'}
PID$Lang::tr{'memory'}
$pid$memory KB
+END +} else { + # Otherwise display a hint that the service is not launched. + print < + + $Lang::tr{'intrusion detection'} + + + + $Lang::tr{'guardian daemon'} + $Lang::tr{'stopped'} + + + +
br> +END +} +&Header::closebox(); + +# Draw elements for IDS configuration. +&Header::openbox('100%', 'center', $Lang::tr{'settings'}); + my $rulesdate; # Check if a ruleset allready has been downloaded. @@ -667,3 +722,33 @@ sub readrulesfile ($) { } } } + +# Function to get the used memory of a given process-id. +sub get_memory_usage($) { + my $pid = @_; + + my $memory=0; + + # Try to open statm file for the given process-id on the pseudo + # file system proc. + if (open(FILE, "/proc/$pid/statm")) { + # Read file content. + my $temp = ; + + # Splitt file content and store in an array. + my @memory = split(/ /,$temp); + + # Close file handle. + close(FILE); + + # Calculate memory usage. + $memory+=$memory[0]; + + # Return memory usage. + return $memory; + } + + # If the file could not be open, return nothing. + return; +} + From e0bfd338ee5c847b16ea534acf84fba645974ec7 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 5 Aug 2018 19:42:33 +0200 Subject: [PATCH 076/259] ids.cgi: Rename form name from SNORT to IDS Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 0a814f1a1..353a0662b 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -289,9 +289,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } # Save snort settings. -} elsif ($cgiparams{'SNORT'} eq $Lang::tr{'save'}) { +} elsif ($cgiparams{'IDS'} eq $Lang::tr{'save'}) { # Prevent form name from been stored in conf file. - delete $cgiparams{'SNORT'}; + delete $cgiparams{'IDS'}; # Check if an oinkcode has been provided. if ($cgiparams{'OINKCODE'}) { @@ -395,8 +395,6 @@ END $Lang::tr{'stopped'} - -
br> END } &Header::closebox(); @@ -518,7 +516,7 @@ print < - + From 8d2f6b0b59c3448dfa0fcab683fafc9604873a57 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 9 Aug 2018 15:33:25 +0200 Subject: [PATCH 077/259] ids.cgi: Dynamically generate the HOME_NET details for suricata. Introduce generate_home_net_file() which uses the current network config to obtain the network address and subnetmask for each available network zone, generate and write these HOME_NET information into a yaml compatible file which can be included into the suricata configuration file. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 95 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 91 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 353a0662b..bd22b0865 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -47,7 +47,12 @@ my %selected=(); # the list of zones in an array. my @network_zones = &IDS::get_available_network_zones(); +# File where the used rulefiles are stored. my $idsusedrulefilesfile = "$IDS::settingsdir/suricata-used-rulefiles.yaml"; + +# File where the addresses of the homenet are stored. +my $idshomenetfile = "$IDS::settingsdir/suricata-homenet.yaml"; + my $errormessage; &Header::showhttpheaders(); @@ -305,10 +310,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { if (!$errormessage) { # Store settings into settings file. &General::writehash("$IDS::settingsdir/settings", \%cgiparams); - - # Call suricatactrl to restart the IDS - system('/usr/local/bin/suricatactrl restart >/dev/null'); } + + # Generate file to store the home net. + &generate_home_net_file(); } # Read-in idssettings @@ -721,7 +726,9 @@ sub readrulesfile ($) { } } -# Function to get the used memory of a given process-id. +# +## Function to get the used memory of a given process-id. +# sub get_memory_usage($) { my $pid = @_; 
@@ -750,3 +757,83 @@ sub get_memory_usage($) { return; } +# +## Function to generate the file which contains the home net information. +# +sub generate_home_net_file() { + my %netsettings; + + # Read-in network settings. + &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); + + # Get available network zones. + my @network_zones = &IDS::get_available_network_zones(); + + # Temporary array to store network address and prefix of the configured + # networks. + my @networks; + + # Loop through the array of available network zones. + foreach my $zone (@network_zones) { + # Skip the red network - It never can be part to the home_net! + next if($zone eq "red"); + + # Convert current zone name into upper case. + $zone = uc($zone); + + # Generate key to access the required data from the netsettings hash. + my $zone_netaddress = $zone . "_NETADDRESS"; + my $zone_netmask = $zone . "_NETMASK"; + + # Obtain the settings from the netsettings hash. + my $netaddress = $netsettings{$zone_netaddress}; + my $netmask = $netsettings{$zone_netmask}; + + # Convert the subnetmask into prefix notation. + my $prefix = &Network::convert_netmask2prefix($netmask); + + # Generate full network string. + my $network = join("/", $netaddress,$prefix); + + # Check if the network is valid. + if(&Network::check_subnet($network)) { + # Add the generated network to the array of networks. + push(@networks, $network); + } + } + + # Format home net declaration. + my $line = "\"\["; + + # Loop through the array of networks. + foreach my $network (@networks) { + # Add the network to the line. + $line = "$line" . "$network"; + + # Check if the current network was the last in the array. + if ($network eq $networks[-1]) { + # Close the line. + $line = "$line" . "\]\""; + } else { + # Add "," for the next network. + $line = "$line" . "\,"; + } + } + + # Open file to store the addresses of the home net. + open(FILE, ">$idshomenetfile") or die "Could not open $idshomenetfile. 
$!\n"; + + # Print yaml header. + print FILE "%YAML 1.1\n"; + print FILE "---\n\n"; + + # Print notice about autogenerated file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Print the generated and required HOME_NET declaration to the file. + print FILE "HOME_NET:\t$line\n"; + + # Close file handle. + close(FILE); + +} From 5240a80987920b1b807e6609a6c10fb666235e21 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 11 Aug 2018 22:10:29 +0200 Subject: [PATCH 078/259] ids-functions.pl: Add function to call suricatactrl binary Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index ebbf61585..761b39e78 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -44,6 +44,12 @@ our $rulesetsourcesfile = "$settingsdir/ruleset-sources"; # The pidfile of the IDS. our $idspidfile = "/var/run/suricata.pid"; +# Location of suricatactrl. +my $suricatactrl = "/usr/local/bin/suricatactrl"; + +# Array with allowed commands of suricatactrl. +my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload' ); + # ## Function for checking if at least 300MB of free disk space are available ## on the "/var" partition. 
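Review bot: The manual loop that builds `$line` leaves it as the unterminated `"[` when `@networks` is empty (every zone failed `check_subnet`, or only red is configured), producing a HOME_NET value suricata cannot parse; `my $line = '"[' . join(",", @networks) . ']"';` yields `"[]"` in that case and also removes the `$network eq $networks[-1]` comparison, which closes the bracket early if a network appears twice. Worth confirming as well: the deleted snort initscript shown earlier on this page added the red local address and enabled aliases to HOME_NET, whereas this function skips red entirely, so with `EXTERNAL_NET: "!$HOME_NET"` and the new INPUT-analysis option, traffic aimed at the firewall's own public address would be external-to-external and miss `$EXTERNAL_NET -> $HOME_NET` rules. Finally, `print FILE "HOME_NET:\t$line\n"` separates key and value with a tab, which libyaml is strict about; a plain space is the safer separator, and the `die` on open failure will abort the CGI mid-request.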
@@ -321,4 +327,29 @@ sub ids_is_running () { return; } +# +## Function to call suricatactrl binary with a given command. +# +sub call_suricatactrl ($) { + # Get called option. + my ($option) = @_; + + # Loop through the array of supported commands and check if + # the given one is part of it. + foreach my $cmd (@suricatactrl_cmds) { + # Skip current command unless the given one has been found. + next unless($cmd eq $option); + + # Call the suricatactrl binary and pass the requrested + # option to it. + system("$suricatactrl $option &>/dev/null"); + + # Return "1" - True. + return 1; + } + + # Command not found - return nothing. + return; +} + 1; From e2e7880dc73fc98aa7409b2de2384e5c9e436f29 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 11 Aug 2018 22:11:18 +0200 Subject: [PATCH 079/259] ids.cgi: Add code to start/stop/reload the IDS when neccessary Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index bd22b0865..0daf7903e 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -255,6 +255,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Call oinkmaster to alter the ruleset. &IDS::oinkmaster(); + # Check if the IDS is running. + if(&IDS::is_ids_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } + # Reload page. &reload(); @@ -289,6 +295,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Call subfunction to launch oinkmaster. &IDS::oinkmaster(); + # Check if the IDS is running. + if(&IDS::is_ids_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } + # Perform a reload of the page. &reload(); } 
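Review bot: `system("$suricatactrl $option &>/dev/null")` is handed to a shell because of the redirection, and `&>` is a bash extension: under a POSIX /bin/sh it parses as `suricatactrl $option &` followed by `>/dev/null`, backgrounding the call so the function returns before the IDS has actually started or stopped. Whether /bin/sh is bash on this system is not visible here, but the portable form `system("$suricatactrl $option >/dev/null 2>&1"); return $? == 0 ? 1 : undef;` avoids the question and also reports the real outcome instead of the unconditional `return 1`. The whitelist loop already guarantees `$option` is one of four fixed words, so there is no injection concern, only the shell-dialect one.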
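Review bot: Both new blocks in this commit's first two hunks call `&IDS::is_ids_running()`, but the function added earlier in the series (and used correctly in this commit's settings-save hunk) is `ids_is_running`; Perl resolves package subs at run time, so updating or altering the ruleset will die with "Undefined subroutine &IDS::is_ids_running" exactly when the reload should happen. Rename both calls to `&IDS::ids_is_running()`. The enclosing request handler begins and ends outside these hunks.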
@@ -314,6 +326,21 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Generate file to store the home net. &generate_home_net_file(); + + # Check if the IDS currently is running. + if(&IDS::ids_is_running()) { + # Check if ENABLE_IDS is set to on. + if($cgiparams{'ENABLE_IDS'} eq "on") { + # Call suricatactrl to perform a reload of suricata. + &IDS::call_suricatactrl("reload"); + } else { + # Call suricatactrl to stop suricata. + &IDS::call_suricatactrl("stop"); + } + } else { + # Call suricatactrl to start suricata. + &IDS::call_suricatactrl("start"); + } } # Read-in idssettings From 6187da5055dac1a10402d3c6eeaf1f9bed7f3890 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 11 Aug 2018 22:28:07 +0200 Subject: [PATCH 080/259] IDS: Add reload option to initscript Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index e2950281c..a49da8335 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -53,9 +53,14 @@ case "$1" in $0 stop $0 start ;; + reload) + # Send SIGUSR2 to the suricata process to perform a reload + # of the ruleset. + kill -USR2 $(pidof suricata) + ;; *) - echo "Usage: $0 {start|stop|restart|status}" + echo "Usage: $0 {start|stop|restart|reload|status}" exit 1 ;; esac From 423030555835840a1821b56408b5a19e6dcfe7e0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 12 Aug 2018 07:05:24 +0200 Subject: [PATCH 081/259] suricata: Use HOME_NET declaration from external file Use the gernerated HOME_NET details from /var/ipfire/suricata/suricata-homenet.yaml which will be generated by the WUI. Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 0c0293603..8d6ed9ada 100644 --- a/config/suricata/suricata.yaml 
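Review bot: The outer `else` branch calls `&IDS::call_suricatactrl("start")` whenever the IDS is not running, without looking at `$cgiparams{'ENABLE_IDS'}`, so saving the form with the IDS switched off can still attempt to start suricata (unless the initscript itself refuses, which the hunk does not show). Make the start conditional as well: `} elsif ($cgiparams{'ENABLE_IDS'} eq "on") {` in place of the bare `} else {`, so "disabled and not running" is a no-op. The surrounding save handler continues outside the hunk.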
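Review bot: `kill -USR2 $(pidof suricata)` in the new `reload)` branch fails with a usage error when no suricata process exists (the substitution is empty) and signals every matching process if more than one is present. The pidfile the `stop)` branch already uses is the precise handle: `[ -r /var/run/suricata.pid ] && kill -USR2 "$(cat /var/run/suricata.pid)"`. Unlike the other branches this one also prints no `boot_mesg`/`evaluate_retval`, so a failed reload is silent.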
+++ b/config/suricata/suricata.yaml @@ -12,11 +12,8 @@ vars: # more specifc is better for alert accuracy and performance address-groups: - HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" - #HOME_NET: "[192.168.0.0/16]" - #HOME_NET: "[10.0.0.0/8]" - #HOME_NET: "[172.16.0.0/12]" - #HOME_NET: "any" + # Include HOME_NET declaration from external file. + include /var/ipfire/suricata/suricata-homenet.yaml EXTERNAL_NET: "!$HOME_NET" #EXTERNAL_NET: "any" From cc60d3dfd3cd6ae9d38470d40edd646691e422ac Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 12 Aug 2018 18:40:31 +0200 Subject: [PATCH 082/259] suricata: Fix include of used rulefiles yaml Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 8d6ed9ada..c7c1e40d7 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -47,7 +47,8 @@ vars: ## default-rule-path: /etc/suricata/rules -rule-files: !include /var/ipfire/suricata/suricata-used-rulefiles.yaml +rule-files: + include: /var/ipfire/suricata/suricata-used-rulefiles.yaml classification-file: /etc/suricata/classification.config reference-config-file: /etc/suricata/reference.config From 7c82ee6165d04597c371944490b085c240482424 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 16 Aug 2018 18:50:39 +0200 Subject: [PATCH 083/259] firewall: Add chains for IPS (suricata) Signed-off-by: Stefan Schantl --- src/initscripts/system/firewall | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 707209987..9a79cb1aa 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
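Review bot: The added `include /var/ipfire/suricata/suricata-homenet.yaml` sits inside the `address-groups` mapping without a colon, so it is a bare scalar next to `EXTERNAL_NET: "!$HOME_NET"` rather than a mapping entry; the next commit on this page writes the same directive as `include: <path>` for `rule-files`, and the same `include:` form is presumably needed here — verify against Suricata's include handling. Dropping the hard-coded `HOME_NET` default also means the daemon now cannot start until the WUI has generated that file; shipping a default `suricata-homenet.yaml` would keep a fresh install from failing at first boot.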
@@ -185,6 +185,11 @@ iptables_init() { iptables -A INPUT -j GUARDIAN iptables -A FORWARD -j GUARDIAN + # IPS (suricata) chains + iptables -N IPS + iptables -A INPUT -j IPS + iptables -A FORWARD -j IPS + # Block non-established IPsec networks iptables -N IPSECBLOCK iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK From 3c2c54831fd7a5f1813376ceb45c22774631a5e7 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 16 Aug 2018 18:51:13 +0200 Subject: [PATCH 084/259] suricata: Add code to create iptables rules to the initscript Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 58 ++++++++++++++++++++++++++++++--- 1 file changed, 54 insertions(+), 4 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index a49da8335..60a00cc48 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -17,9 +17,21 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH -eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) +# Name of the firewall chain. +FW_CHAIN="IPS" + +# Optional options for the Netfilter queue. +NFQ_OPTS="--queue-bypass " + +# Array containing the 4 possible network zones. +network_zones=( red green blue orange ) + +# Mark and Mask options. +MARK="0x1" +MASK="0x1" + case "$1" in start) # Get amount of CPU cores. 
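Review bot: `NFQ_OPTS="--queue-bypass "` is assigned here but never read: the rule construction in the @@ -29 hunk below (and unchanged in the 087 commit on this page) appends to and passes `$NFQ_OPTIONS`, so `--queue-bypass` is silently dropped. This matters for the security posture — without bypass, traffic on an enabled zone is dropped whenever nothing is bound to the queue (a crashed suricata, or the window before the daemon starts), with it the traffic passes uninspected — so pick one deliberately and use a single name, e.g. `NFQ_OPTIONS="--queue-bypass "` here, or remove the unused variable. `MARK`/`MASK` are used to skip already-marked packets; a comment noting that this relies on suricata re-injecting verdicts with that mark set would help the next reader.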
@@ -29,15 +41,53 @@ case "$1" in [ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++)) done 0 ]; then + # Balance beetween all queues. + NFQ_OPTIONS+="--queue-balance 0:" + NFQ_OPTIONS+=$(($CPUCOUNT-1)) + else + # Send all packets to queue 0. + NFQ_OPTIONS+="--queue-num 0" + fi + + # Create firewall rules to queue the traffic and pass to + # the IDS. + iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS" + iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS" + fi + done + + # Start the IDS. + boot_mesg "Starting Intrusion Detection System..." + /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES + evaluate_retval + fi ;; stop) boot_mesg "Stopping Intrusion Detection System..." killproc -p /var/run/suricata.pid /var/run + # Flush firewall chain. + iptables -F $FW_CHAIN + # Remove suricata control socket. rm /var/run/suricata/* >/dev/null 2>/dev/null From 04b5c77a450ceb8fd83898a90f096175580a058f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 17 Aug 2018 07:36:54 +0200 Subject: [PATCH 085/259] ruleset-sources: Move to suricata optimized ruleset when using emerginthreads. Signed-off-by: Stefan Schantl --- config/suricata/ruleset-sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index 8f3659049..20133ac8c 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources @@ -8,4 +8,4 @@ subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-291 community = https://www.snort.org/downloads/community/community-rules.tar.gz # Emerging threads community rules. -emerging = http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz +emerging = https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz 
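Review bot: The NFQUEUE rules are inserted into `$FW_CHAIN` before `/usr/bin/suricata … -D` is launched, and on `stop)` the chain is flushed only after `killproc`, so in both windows packets are queued to a queue with no listener and their fate depends entirely on whether `--queue-bypass` is in effect. Flushing first on stop, `iptables -F $FW_CHAIN` ahead of the `killproc` line, and inserting the rules after the daemon has come up (or accepting the window explicitly in a comment) would make the behaviour deterministic. Part of the start branch appears truncated in this rendering (`done 0 ]; then`), so the conditions around the queue setup could not be checked.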
From 00a031145e32d31a08037dda3c8a3cc7cc6c815e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 17 Aug 2018 08:24:19 +0200 Subject: [PATCH 086/259] suricata: Give 644 permissions to the suricata pidfile Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 60a00cc48..45e04d463 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -32,6 +32,9 @@ network_zones=( red green blue orange ) MARK="0x1" MASK="0x1" +# PID file of suricata. +PID_FILE="/var/run/suricata.pid" + case "$1" in start) # Get amount of CPU cores. @@ -78,12 +81,15 @@ case "$1" in boot_mesg "Starting Intrusion Detection System..." /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES evaluate_retval + + # Allow reading the pidfile. + chmod 644 $PID_FILE fi ;; stop) boot_mesg "Stopping Intrusion Detection System..." - killproc -p /var/run/suricata.pid /var/run + killproc -p $PID_FILE /var/run # Flush firewall chain. iptables -F $FW_CHAIN From 55658ee381aeeac19c63a0da8822fc3f727b135b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 17 Aug 2018 08:45:47 +0200 Subject: [PATCH 087/259] suricata: Fix detection of enabled IDS on zone in initscript I accidently commited the wrong file in the previous commit. This is the fixed and working version. Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 45e04d463..57eeec157 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
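Review bot: `chmod 644 $PID_FILE` runs right after `suricata … -D` returns, and a daemonised process may not have written its pidfile yet, so the chmod can fail or land before the file is (re)created; `evaluate_retval` has already consumed the daemon's status, so that failure goes unnoticed. A short wait such as `for i in 1 2 3 4 5; do [ -f "$PID_FILE" ] && break; sleep 1; done` before the chmod closes the race. Now that `PID_FILE` exists, the `reload)` branch's `kill -USR2 $(pidof suricata)` could read the pid from it instead of `pidof`.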
@@ -51,8 +51,12 @@ case "$1" in # Convert zone into upper case. zone_upper=${zone^^} + # Generate variable name for checking if the IDS is + # enabled on the zone. + enable_ids_zone="ENABLE_IDS_$zone_upper" + # Check if the IDS is enabled for this network zone. - if [ "$ENABLE_IDS_$$zone_upper" == "on" ]; then + if [ "${!enable_ids_zone}" == "on" ]; then # Generate name of the network interface. network_device=$zone network_device+="0" @@ -72,8 +76,8 @@ case "$1" in # Create firewall rules to queue the traffic and pass to # the IDS. - iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS" - iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS" + iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS fi done From 88daf7eb3a9ba5ceb3df9f8197ea3cb5cfd4f30b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 17 Aug 2018 08:49:06 +0200 Subject: [PATCH 088/259] ids-functions.pl: Log correct error message if download fails Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 761b39e78..0e1f2876b 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -164,8 +164,11 @@ sub downloadruleset { # Check if there was any error. unless ($response->is_success) { + # Obtain error. + my $error = $response->content; + # Log error message. - &_log_to_syslog("Unable to download the ruleset. $response->status_line"); + &_log_to_syslog("Unable to download the ruleset. \($error\)"); # Return "1" - false. return 1; From d9711d91ef57f846eb09fd77ec9e7a58d745dc6d Mon Sep 17 00:00:00 2001 
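Review bot: `my $error = $response->content;` in the ids-functions.pl hunk logs the HTTP response body rather than the status; the original line's defect was only that `$response->status_line` does not interpolate inside a double-quoted string (just `$response` is expanded), so the fix should be `my $error = $response->status_line;`. A failed download's body is typically an arbitrary HTML page from the remote server, which is unhelpful in syslog and lets a remote party place arbitrary multi-line text into the log. The `\(`/`\)` escapes in the message string are unnecessary inside double quotes.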
From: Stefan Schantl Date: Sat, 18 Aug 2018 10:01:14 +0200 Subject: [PATCH 089/259] ids-functions.pl: Display error if oinkmaster cannot be executed Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 0e1f2876b..cb16e1b49 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -189,7 +189,7 @@ sub oinkmaster () { openlog('oinkmaster', 'cons,pid', 'user'); # Call oinkmaster to generate ruleset. - open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath|"); + open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath|") or die "Could not execute oinkmaster $!\n"; # Log output of oinkmaster to syslog. while() { From a4ccfcbbc6073684768d951006232d410df091a1 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 18 Aug 2018 10:16:12 +0200 Subject: [PATCH 090/259] ids.cgi: Allow to switch between IDS/IPS mode Add the option to select the runmode for suricata, wheater it should run in intrusion detection mode or intrusion prevention mode. If the option has not configured yet, it defaults to IPS mode. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 53 +++++++++++++++++++++++------------------- langs/de/cgi-bin/de.pl | 7 +++--- langs/en/cgi-bin/en.pl | 7 +++--- 3 files changed, 37 insertions(+), 30 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 0daf7903e..6a6e5c285 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
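Review bot: The added `or die "Could not execute oinkmaster …"` on a two-argument piped open only fires when the fork fails: with a command string Perl runs it through the shell, so a missing or non-executable oinkmaster.pl is reported by the shell while the open still succeeds, and the failure is only visible as a non-zero `$?` after `close(OINKMASTER)`. Use the list form, which execs directly and makes the `die` meaningful: `open(OINKMASTER, "-|", "/usr/local/bin/oinkmaster.pl", "-v", "-s", "-u", "file://$rulestarball", "-C", "$settingsdir/oinkmaster.conf", "-o", $rulespath) or die "Could not execute oinkmaster $!\n";`, and check the result of `close(OINKMASTER)` after the read loop. This also keeps the shell from interpreting metacharacters in `$rulestarball`/`$rulespath`. The rest of `sub oinkmaster` lies outside the hunk.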
@@ -346,9 +346,18 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Read-in idssettings &General::readhash("$IDS::settingsdir/settings", \%idssettings); +# If the runmode has not been configured yet, set default value. +unless(exists($idssettings{'RUN_MODE'})) { + # Set default to IPS. + $idssettings{'RUN_MODE'} = 'IPS'; +} + $checked{'ENABLE_IDS'}{'off'} = ''; $checked{'ENABLE_IDS'}{'on'} = ''; $checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'"; +$checked{'RUN_MODE'}{'IDS'} = ''; +$checked{'RUN_MODE'}{'IPS'} = ''; +$checked{'RUN_MODE'}{$idssettings{'RUN_MODE'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'emerging'} = ''; @@ -449,28 +458,35 @@ print < - + - + + + + + + + + + - - - - + + + END ; @@ -483,24 +499,13 @@ foreach my $zone (@network_zones) { my $zone_upper = uc($zone); # Grab checkbox status from settings hash. - if ($idssettings{"ENABLE_IDS_INPUT_$zone_upper"} eq "on") { + if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") { $checked_input = "checked = 'checked'"; } - # Do the same for the forward setting. - if ($idssettings{"ENABLE_IDS_FORWARD_$zone_upper"} eq "on") { - $checked_forward = "checked = 'checked'"; - } - - print "\n"; print "\n"; - - print "\n"; - print "\n"; } print < 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):', 'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.', 'ids activate' => 'Aktiviere', -'ids analyze incomming traffic' => 'Analysiere eingehende (INPUT) Packete', -'ids analyze routing traffic' => 'Analysiere zu routende (FORWARD) Packete', +'ids traffic analyze' => 'Packet-Analyse', 'ids active on' => 'Aktiv auf', 'ids log viewer' => 'Ansicht IDS-Protokoll', 'ids logs' => 'IDS-Protokolldateien', 
@@ -1371,7 +1370,8 @@ 'intrusion detection system' => 'Einbruchsdetektierung', 'intrusion detection system log viewer' => 'Betrachter der IDS-Protokolldateien', 'intrusion detection system rules' => 'Regeln für die Einbruchsdetektierung', -'intrusion detection system2' => 'Intrusion Detection System:', +'intrusion detection system2' => 'Intrusion Detection System', +'intrusion prevention system' => 'Intrusion Prevention System', 'invalid broadcast ip' => 'Ungültige Broadcast-IP', 'invalid cache size' => 'Ungültige Cache-Größe.', 'invalid characters found in pre-shared key' => 'Ungültige Zeichen im Pre-Shared Schlüssel gefunden.', @@ -2044,6 +2044,7 @@ 'rsvd dst port overlap' => 'Dieser Zielportbereich überlappt mit einem Port, der für die ausschließliche Benutzung durch IPFire reserviert ist:', 'rsvd src port overlap' => 'Dieser Quellportbereich überlappt mit einem Port, der für die ausschließliche Benutzung durch IPFire reserviert ist:', 'rules already up to date' => 'Regeln sind schon aktuell', +'runmode' => 'Runmode', 'running' => 'LÄUFT', 'safe removal of umounted device' => 'Sie können gefahrlos das abgemeldete Gerät entfernen', 'samba' => 'Samba', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index e6fd9b18b..38df540ce 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1354,8 +1354,7 @@ 'idle timeout' => 'Idle timeout (mins; 0 to disable):', 'idle timeout not set' => 'Idle timeout not set.', 'ids activate' => 'Activate', -'ids analyze incomming traffic' => 'Analyze incomming (INPUT) traffic', -'ids analyze routing traffic' => 'Analyze to-route (FORWARD) traffic', +'ids traffic analyze' => 'Traffic analyzing', 'ids active on' => 'Active on', 'ids log viewer' => 'IDS log viewer', 'ids logs' => 'IDS Logs', 
@@ -1402,7 +1401,8 @@ 'intrusion detection system' => 'Intrusion Detection System', 'intrusion detection system log viewer' => 'Intrusion Detection System Log Viewer', 'intrusion detection system rules' => 'intrusion detection system rules', -'intrusion detection system2' => 'Intrusion Detection System:', +'intrusion detection system2' => 'Intrusion Detection System', +'intrusion prevention system' => 'Intrusion Prevention System', 'invalid broadcast ip' => 'Invalid broadcast IP', 'invalid cache size' => 'Invalid cache size.', 'invalid characters found in pre-shared key' => 'Invalid characters found in pre-shared key.', @@ -2078,6 +2078,7 @@ 'rsvd dst port overlap' => 'Destination Port Range overlaps a port reserved for IPFire:', 'rsvd src port overlap' => 'Source Port Range overlaps a port reserved for IPFire:', 'rules already up to date' => 'Rules already up to date', +'runmode' => 'Runmode', 'running' => 'RUNNING', 'safe removal of umounted device' => 'You can safely remove the unmounted device', 'samba' => 'Samba', From bbb6efae56957c1ec70d5ee7668c4cc68b4dd2b2 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 18 Aug 2018 14:48:30 +0200 Subject: [PATCH 091/259] ids.cgi: Add backend code to handle switch between IDS and IPS mode This commit adds the required backend code to allow switching between IDS and IPS mode of suricata. Technically the behaviour of suricata is specified by the rules - each of them can contain the action "alert" or "drop" (There are more actions supported but these two are currently the important one) When running in IDS mode, the ruleset does not need to be touched, because the default action is "alert". When switching to IPS mode, the CGI writes a single line to "oinkmaster-modify-sids.conf" which is included by oinkmaster and modify the action for each single rule from alert to drop. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 45 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) 
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 6a6e5c285..6aa9ae9b9 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -307,6 +307,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } # Save snort settings. } elsif ($cgiparams{'IDS'} eq $Lang::tr{'save'}) { + my %oldidssettings; + my $reload_page; + + # Read-in current (old) IDS settings. + &General::readhash("$IDS::settingsdir/settings", \%oldidssettings); + # Prevent form name from been stored in conf file. delete $cgiparams{'IDS'}; @@ -327,6 +333,39 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Generate file to store the home net. &generate_home_net_file(); + # File which contains wheater the rules should be changed. + my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf"; + + # Open modify sid's file for writing. + open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; + + # Write file header. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Check if the configured runmode is IPS. + if ($cgiparams{'RUN_MODE'} eq 'IPS') { + # Tell oinkmaster to switch all rules from alert to drop. + print FILE "modifysid \* \"alert\" \| \"drop\"\n"; + } + + # Close file handle. + close(FILE); + + # Check if the runmode has been changed. + if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'}) { + # Check if a ruleset exists. + if (%idsrules) { + # Lock the webpage and print message. + &working_notice("$Lang::tr{'snort working'}"); + + # Call oinkmaster to alter the ruleset. + &IDS::oinkmaster(); + + # Set reload_page to "True". + $reload_page="True"; + } + } + # Check if the IDS currently is running. if(&IDS::ids_is_running()) { # Check if ENABLE_IDS is set to on. 
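Review bot: The generated `modifysid * "alert" | "drop"` line uses an unanchored pattern; if oinkmaster applies modifysid as a substitution over the whole rule text (verify against the modifysid documentation in the oinkmaster.conf shipped by commit 095 further down), any other `alert` inside a rule's `msg:`, `content:` or `reference:` fields would be rewritten too, silently altering what the rule matches. Anchoring it to the action keyword avoids that: `print FILE "modifysid * \"^alert\" | \"drop\"\n";` (the `\*` and `\|` escapes are unnecessary in a double-quoted string). `$cgiparams{'RUN_MODE'}` is only compared against `'IPS'`, so any other submitted value falls through to IDS behaviour yet is still persisted; normalise it before the settings are written, e.g. `$cgiparams{'RUN_MODE'} = 'IPS' unless ($cgiparams{'RUN_MODE'} eq 'IDS');`. The save handler continues outside the hunk.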
@@ -341,6 +380,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Call suricatactrl to start suricata. &IDS::call_suricatactrl("start"); } + + # Check if the page should be reloaded. + if ($reload_page) { + # Perform a reload of the page. + &reload(); + } } # Read-in idssettings From 5a28e721e08104e35c0e7f23a1aee4dff3fbae45 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 21 Aug 2018 19:18:01 +0200 Subject: [PATCH 092/259] ids.cgi: Fix check if the IDS is running The correct function name is ids_is_running()! Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 6aa9ae9b9..61039f9da 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -256,7 +256,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { &IDS::oinkmaster(); # Check if the IDS is running. - if(&IDS::is_ids_running()) { + if(&IDS::ids_is_running()) { # Call suricatactrl to perform a reload. &IDS::call_suricatactrl("reload"); } @@ -296,7 +296,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { &IDS::oinkmaster(); # Check if the IDS is running. - if(&IDS::is_ids_running()) { + if(&IDS::ids_is_running()) { # Call suricatactrl to perform a reload. &IDS::call_suricatactrl("reload"); } From a5d617520b144e22fd2b31795d2b04c8170f93ef Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 22 Aug 2018 08:38:16 +0200 Subject: [PATCH 093/259] ids.cgi: Add function to read the enabled/disabled sid files This function is used to read-in the files for enabled or disabled sid files and stores the sid and their state into a temporary hash which will be returned by the function. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 51 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 61039f9da..bb124bdfe 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -914,3 +914,54 @@ sub generate_home_net_file() { close(FILE); } + +# +## Function to read-in the given enabled or disables sids file. +# +sub read_enabled_disabled_sids_file($) { + my ($file) = @_; + + # Temporary hash to store the sids and their state. It will be + # returned at the end of this function. + my %temphash; + + # Open the given filename. + open(FILE, "$file") or die "Could not open $file. $!\n"; + + # Loop through the file. + while() { + # Remove newlines. + chomp $_; + + # Skip blank lines. + next if ($_ =~ /^\s*$/); + + # Skip coments. + next if ($_ =~ /^\#/); + + # Splitt line into sid and state part. + my ($state, $sid) = split(" ", $_); + + # Skip line if the sid is not numeric. + next unless ($sid =~ /\d+/ ); + + # Check if the sid was enabled. + if ($state eq "enablesid") { + # Add the sid and its state as enabled to the temporary hash. + $temphash{$sid} = "enabled"; + # Check if the sid was disabled. + } elsif ($state eq "disablesid") { + # Add the sid and its state as disabled to the temporary hash. + $temphash{$sid} = "disabled"; + # Invalid state - skip the current sid and state. + } else { + next; + } + } + + # Close filehandle. + close(FILE); + + # Return the hash. + return %temphash; +} From d2212836226ee8212eef3226acf3a4e6fa65643a Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 22 Aug 2018 08:39:57 +0200 Subject: [PATCH 094/259] ids.cgi: Rework handling of enabled/disabled sids Now the enabled or disabled sids are stored in a single hash instead of two arrays, which easily can be modified. When saving the ruleset, the new read_enabled_disabled_sids() function will be used to read-in the current (old) saved enabled or disabled sids and add them to the new hash structure. After adding or modifiying sids to the hash, the entries will be written to the corresponding files. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 73 +++++++++++++++++++++++++------------------- 1 file changed, 41 insertions(+), 32 deletions(-) 
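Review bot: `next unless ($sid =~ /\d+/ );` is unanchored, so any token containing a digit (`12abc`, `x1`) passes as a numeric sid and becomes a hash key; it should be `next unless ($sid =~ /^\d+$/);`. `open(FILE, "$file") or die` also aborts the whole CGI request when the file does not exist yet, which is the state of a fresh installation before the first save (the next commit on this page reads both files before writing them); returning the empty `%temphash` when the file is absent, and using the three-argument form `open(FILE, "<", $file)`, would be more robust. The trailing `else { next; }` at the end of the loop body is a no-op.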
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index bb124bdfe..76848f71a 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -141,11 +141,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { my $enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf"; my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf"; - # Arrays to store sid which should be added to the corresponding files. - my @enabled_sids; - my @disabled_sids; + # Arrays to store which rulefiles have been enabled and will be used. my @enabled_rulefiles; + # Hash to store the user-enabled and disabled sids. + my %enabled_disabled_sids; + # Loop through the hash of idsrules. foreach my $rulefile(keys %idsrules) { # Check if the rulefile is enabled. @@ -158,6 +159,13 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } + # Read-in the files for enabled/disabled sids. + # This will be done by calling the read_enabled_disabled_sids_file function two times + # and merge the returned hashes together into the enabled_disabled_sids hash. + %enabled_disabled_sids = ( + &read_enabled_disabled_sids_file($disabled_sids_file), + &read_enabled_disabled_sids_file($enabled_sids_file)); + # Loop through the hash of idsrules. foreach my $rulefile (keys %idsrules) { # Loop through the single rules of the rulefile. @@ -171,8 +179,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { if ($idsrules{$rulefile}{$sid}{'State'} eq "off") { # Check if the state has been set to 'on'. if ($cgiparams{$sid} eq "on") { - # Add the sid to the enabled_sids array. - push(@enabled_sids, $sid); + # Add/Modify the sid to/in the enabled_disabled_sids hash. + $enabled_disabled_sids{$sid} = "enabled"; # Drop item from cgiparams hash. delete $cgiparams{$rulefile}{$sid}; 
@@ -184,8 +192,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Check if the state is 'on' and should be disabled. # In this case there is no entry # for the sid in the cgiparams hash. - # Add it to the disabled_sids array. - push(@disabled_sids, $sid); + # Add/Modify it to/in the enabled_disabled_sids hash. + $enabled_disabled_sids{$sid} = "disabled"; # Drop item from cgiparams hash. delete $cgiparams{$rulefile}{$sid}; 
@@ -195,38 +203,39 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } # Open enabled sid's file for writing. - open(FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n"; - - # Write header to file. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - - # Check if the enabled_sids array contains any sid's. - if (@enabled_sids) { - # Loop through the array of enabled sids and write them to the file. - foreach my $sid (@enabled_sids) { - print FILE "enablesid $sid\n"; - } - } - - # Close file after writing. - close(FILE); + open(ENABLED_FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n"; # Open disabled sid's file for writing. - open(FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n"; + open(DISABLED_FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n"; - # Write header to file. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + # Write header to the files. + print ENABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + print DISABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - # Check if the enabled_sids array contains any sid's. - if (@disabled_sids) { - # Loop through the array of disabled sids and write them to the file. - foreach my $sid (@disabled_sids) { - print FILE "disablesid $sid\n"; + # Check if the hash for enabled/disabled files contains any entries. + if (%enabled_disabled_sids) { + # Loop through the hash. + foreach my $sid (keys %enabled_disabled_sids) { + # Check if the sid is enabled. + if ($enabled_disabled_sids{$sid} eq "enabled") { + # Print the sid to the enabled_sids file. + print ENABLED_FILE "enablesid $sid\n"; + # Check if the sid is disabled. + } elsif ($enabled_disabled_sids{$sid} eq "disabled") { + # Print the sid to the disabled_sids file. 
+ print DISABLED_FILE "disablesid $sid\n"; + # Something strange happende - skip the current sid. + } else { + next; + } } } - # Close file after writing. - close(FILE); + # Close file for enabled_sids after writing. + close(ENABLED_FILE); + + # Close file for disabled_sids after writing. + close(DISABLED_FILE); # Open file for used rulefiles. open (FILE, ">$idsusedrulefilesfile") or die "Could not write to $idsusedrulefilesfile. $!\n"; From c5486ccb9793029e58f0e6156d7d2f4d21de6cd0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 22 Aug 2018 10:37:44 +0200 Subject: [PATCH 095/259] oinkmaster: Ship IPFire specific config file Ship an IPFire specific configuration file for oinkmaster. This allows oinkmaster to do all the great rule modifications which have been introduced by the new ids.cgi file. Signed-off-by: Stefan Schantl --- config/oinkmaster/oinkmaster.conf | 432 ++++++++++++++++++++++++++++++ lfs/oinkmaster | 3 +- 2 files changed, 434 insertions(+), 1 deletion(-) create mode 100644 config/oinkmaster/oinkmaster.conf diff --git a/config/oinkmaster/oinkmaster.conf b/config/oinkmaster/oinkmaster.conf new file mode 100644 index 000000000..a04e32987 --- /dev/null +++ b/config/oinkmaster/oinkmaster.conf 
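Review bot: `foreach my $sid (keys %enabled_disabled_sids)` iterates in Perl's hash order, so the two generated files come out in a different order on every save, which makes them noisy to diff and audit; `foreach my $sid (sort { $a <=> $b } keys %enabled_disabled_sids)` gives stable output. In the merge in the @@ -158 hunk above, the enabled file is listed last, so a sid present in both files silently resolves to `enabled`; a comment stating that precedence (or a log line when both files name the same sid) would document the choice. The `else { next; }` at the end of the loop is a no-op.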
@@ -0,0 +1,432 @@ +# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ # + +# This file is pretty big by default, but don't worry. +# The only things required are "path" and "update_files". You must also +# set "url" to point to the correct rules archive for your version of +# Snort, unless you prefer to specify this on the command line. +# The rest in here is just a few recommended defaults, and examples +# how to use all the other optional features and give some ideas how they +# could be used. + +# Remember not to let untrusted users edit Oinkmaster configuration +# files, as things like the PATH to use during execution is defined +# in here. + + +# Use "url = " to specify the location of the rules archive to +# download. The url must begin with http://, https://, ftp://, file:// +# or scp:// and end with .tar.gz or .tgz, and the file must be a +# gzipped tarball what contains a directory named "rules". +# You can also point to a local directory with dir://. +# Multiple "url = " lines can be specified to grab multiple rules +# archives from different locations. +# +# Note: if URL is specified on the command line, it overrides all +# possible URLs specified in the configuration file(s). +# +# The location of the official Snort rules you should use depends +# on which Snort version you run. Basically, you should go to +# http://www.snort.org/rules/ and follow the instructions +# there to pick the right URL for your version of Snort +# (and remember to update the URL when upgrading Snort in the +# future). You can of course also specify locations to third party +# rules. +# +# As of March 2005, you must register on the Snort site to get access +# to the official Snort rules. This will get you an "oinkcode". 
+# You then specify the URL as +# http://www.snort.org/pub-bin/oinkmaster.cgi// +# For example, if your code is 5a081649c06a277e1022e1284b and +# you use Snort 2.4, the url to use would be (without the wrap): +# http://www.snort.org/pub-bin/oinkmaster.cgi/ +# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz +# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for +# more information. + + +# URL examples follows. Replace with the code you get on the +# Snort site in your registered user profile. + +# Example for Snort 2.4 +# url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-2.4.tar.gz +# url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-2.4.tar.gz + +# Example for Snort-current ("current" means cvs snapshots). +#url = http://www.snort.org/pub-bin/oinkmaster.cgi//snortrules-snapshot-CURRENT.tar.gz + +# Example for Community rules +# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz + +# Example for rules from the Bleeding Snort project +# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz + +# If you prefer to download the rules archive from outside Oinkmaster, +# you can then point to the file on your local filesystem by using +# file://, for example: +# url = file:///tmp/snortrules.tar.gz + +# In rare cases you may want to grab the rules directly from a +# local directory (don't confuse this with the output directory). +# url = dir:///etc/snort/src/rules + +# Example to use scp to copy the rules archive from another host. +# Only OpenSSH is tested. See the FAQ for more information. +# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz + +# If you use -u scp://... and need to specify a private ssh key (passed +# as -i to the scp command) you can specify it here or add an +# entry in ~/.ssh/config for the Oinkmaster user as described in the +# OpenSSH manual. 
+# scp_key = /home/oinkmaster/oinkmaster_privkey + + +# The PATH to use during execution. If you prefer to use external +# binaries (i.e. use_external_bins=1, see below), tar and gzip must be +# found, and also wget if downloading via ftp, http or https. All with +# optional .exe suffix. If you're on Cygwin, make sure that the path +# contains the Cygwin binaries and not the native Win32 binaries or +# you will get problems. +# Assume UNIX style by default: +path = /bin:/usr/bin:/usr/local/bin + +# Example if running native Win32 or standalone Cygwin: +# path = c:\oinkmaster;c:\oinkmaster\bin + +# Example if running standalone Cygwin and you prefer Cygwin style path: +# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin + + +# We normally use external binaries (wget, tar and gzip) since they're +# already available on most systems and do a good job. If you have the +# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use +# those instead if you like. You can set use_external_bins below to +# choose which method you prefer. It's set to 0 by default on Win32 +# (i.e. use Perl modules), and 1 on other systems (i.e. use external +# binaries). The reason for that is that the required Perl modules +# are included on Windows/ActivePerl 5.8.1+, so it's easier to use +# those than to install the ported Unix tools. (Note that if you're +# using scp to download the archive, external scp binary is still +# used.) +# use_external_bins = 0 + + +# Temporary directory to use. This directory must exist when starting and +# Oinkmaster will then create a temporary sub directory in here. +# Keep it as a #comment if you want to use the default. +# The default will be checked for in the environment variables TMP, +# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set. + +# Example for UNIX. +# tmpdir = /home/oinkmaster/tmp/ + +# Example if running native Win32 or Cygwin. 
+# tmpdir = c:\tmp + +# Example if running Cygwin and you prefer Cygwin style path. +# tmpdir = /cygdrive/c/tmp + + +# The umask to use during execution if you want it to be something +# else than the current value when starting Oinkmaster. +# This will affect the mode bits when writing new files. +# Keep it commented out to keep your system's current umask. +# umask = 0027 + + +# Files in the archive(s) matching this regular expression will be +# checked for changes, and then updated or added if needed. +# All other files will be ignored. You can then choose to skip +# individual files by specifying the "skipfile" keyword below. +# Normally you shouldn't need to change this one. +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + + +# Regexp of keywords that starts a Snort rule. +# May be useful if you create your own ruletypes and want those +# lines to be regarded as rules as well. +# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic + + +# If the number of rules files in the downloaded archive matching the +# 'update_files' regexp is below min_files, or if the number +# of rules is below min_rules, the rules are regarded as broken +# and the update is aborted with an error message. +# Both are set to 1 by default (i.e. the archive is only regarded as +# broken if it's totally empty). +# If you download from multiple URLs, the count is the total number +# of files/rules across all archives. +# min_files = 1 +# min_rules = 1 + + +# By default, a basic sanity check is performed on most paths/filenames +# to see if they contain illegal characters that may screw things up. +# If this check is too strict for your system (e.g. you get bogus +# "illegal characters in filename" errors because of your local language +# etc) and you're sure you want to disable the checks completely, +# set use_path_checks to 0. 
+# use_path_checks = 1 + + +# If you want Oinkmaster to send a User-Agent HTTP header string +# other than the default one for wget/LWP, set this variable. +# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) + + +# You can include other files anywhere in here by using +# "include ". will be parsed just like a regular +# oinkmaster.conf as soon as the include statement is seen, and then +# return and continue parsing the rest of the original file. If an +# option is redefined, it will override the previous value. You can use +# as many "include" statements as you wish, and also include even more +# files from included files. Example to load stuff from "/etc/foo.conf". +# include /etc/foo.conf + +# Include file for enabled sids. +include /var/ipfire/suricata/oinkmaster-enabled-sids.conf + +# Include file for disabled sids. +include /var/ipfire/suricata/oinkmaster-disabled-sids.conf + +# Include file which defines the runmode of suricata. +include /var/ipfire/suricata/oinkmaster-modify-sids.conf + +####################################################################### +# Files to totally skip (i.e. never update or check for changes) # +# # +# Syntax: skipfile filename # +# or: skipfile filename1, filename2, filename3, ... # +####################################################################### + +# Ignore local.rules from the rules archive by default since we might +# have put some local rules in our own local.rules and we don't want it +# to get overwritten by the empty one from the archive after each +# update. +skipfile local.rules + +# The file deleted.rules contains rules that have been deleted from +# other files, so there is usually no point in updating it. +skipfile deleted.rules + +# Also skip snort.conf by default since we don't want to overwrite our +# own snort.conf if we have it in the same directory as the rules. 
If +# you have your own production copy of snort.conf in another directory, +# it may be really nice to check for changes in this file though, +# especially since variables are sometimes added or modified and +# new/old files are included/excluded. +#skipfile snort.conf + +# You may want to consider ignoring threshold.conf for the same reasons +# as for snort.conf, i.e. if you customize it locally and don't want it +# to become overwritten by the default one. It may be better to put +# local thresholding/suppressing in some local file and still update +# and use the official one though, in case important stuff is added to +# it some day. We do update it by default, but it's your call. +# skipfile threshold.conf + +# If you update from multiple URLs at the same time you may need to +# ignore the sid-msg.map (and generate it yourself if you need one) as +# it's usually included in each rules tarball. See the FAQ for more info. +# skipfile sid-msg.map + + + +########################################################################## +# SIDs to modify after each update (only for the skilled/stupid/brave). # +# Don't use it unless you have to. There is nothing that stops you from # +# modifying rules in such ways that they become invalid or generally # +# break things. You have been warned. # +# If you just want to disable SIDs, please skip this section and have a # +# look at the "disablesid" keyword below. # +# # +# You may specify multiple modifysid directives for the same SID (they # +# will be processed in order of appearance), and you may also specify a # +# list of SIDs on which the substitution should be applied. # +# If the argument is in the form something.something it's regarded # +# as a filename and the substitution will apply on all rules in that # +# file. The wildcard ("*") can be used to apply the substitution on all # +# rules regardless of the SID or file. 
Please avoid using #comments # +# at the end of modifysid lines, they may confuse the parser in some # +# situations. # +# # +# Syntax: # +# modifysid SID "replacethis" | "withthis" # +# or: # +# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # +# or: # +# modifysid file "replacethis" | "withthis" # +# or: # +# modifysid * "replacethis" | "withthis" # +# # +# The strings within the quotes will basically be passed to a # +# s/replacethis/withthis/ statement in Perl, so they must be valid # +# regular expressions. The strings are case-insensitive and only the # +# first occurrence will be replaced. If there are multiple occurrences # +# you want to replace, simply repeat the same modifysid line. # +# As the strings are regular expressions, you MUST escape special # +# characters like $ \ / ( ) | by prepending a "\" to them. # +# # +# If you specify a modifysid statement for a multi-line rule, Oinkmaster # +# will first translate the rule into a single-line version and then # +# perform the substitution, so you don't have to care about the trailing # +# backslashes and newlines. # +# # +# If you use backreference variables in the substitution expression, # +# it's strongly recommended to specify them as ${1} instead of $1 and so # +# on, to avoid parsing confusion with unexpected results in some # +# situations. Note that modifysid statements will process both active # +# and inactive (disabled) rules. # +# # +# You may want to check out README.templates and template-examples.conf # +# to find how you can simplify the modifysid usage by using templates. # +########################################################################## + +# Example to enable a rule (in this case SID 1325) that is disabled by +# default, by simply replacing leading "#alert" with "alert". +# (You should really use 'enablesid' for this though.) 
+# Oinkmaster removes whitespaces next to the leading "#" so you don't +# have to worry about that, but be careful about possible whitespace in +# other places when writing the regexps. +# modifysid 1325 "^#alert" | "alert" + +# You could also do this to enable it no matter what type of rule it is +# (alert, log, pass, etc). +# modifysid 1325 "^#" | "" + +# Example to add "tag" stuff to SID 1325. +# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;" + +# Example to make SID 1378 a 'drop' rule (valid if you're running +# Snort_inline). +# modifysid 1378 "^alert" | "drop" + +# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET +# in SID 302. +# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET" + +# You can also specify that a substitution should apply on multiple SIDs. +# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET" + +# You can take advantage of the fact that it's regular expressions and +# do more complex stuff. This example (for Snort_inline) adds a 'replace' +# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh". +# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \ +# "${1} replace:"\/foo\/sh";" + +# If you for some reason would like to add a comment inside the actual +# rules file, like the reason why you disabled this rule, you can do +# like this (you would normally add such comments in oinkmaster.conf +# though). +# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}" + +# Here is an example that is actually useful. Let's say you don't care +# about incoming welchia pings (detected by SID 483 at the time of +# writing) but you want to know when infected hosts on your network +# scans hosts on the outside. (Remember that watching for outgoing +# malicious packets is often just as important as watching for incoming +# ones, especially in this case.) The rule currently looks like +# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..." 
+# but we want to switch that so it becomes +# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...". +# Here is how it could be done. +# modifysid 483 \ +# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \ +# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}" + +# The wildcard (modifysid * ...) can be used to do all kinds of +# interesting things. The substitution expression will be applied on all +# matching rules. First, a silly example to replace "foo" with "bar" in +# all rules (that have the string "foo" in them, that is.) +# modifysid * "foo" | "bar" + +# If you for some reason don't want to use the stream preprocessor to +# match established streams, you may want to replace the 'flow' +# statement with 'flags:A+;' in all those rules. +# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;" + +# Example to convert all rules of classtype attempted-admin to 'drop' +# rules (for Snort_inline only, obviously). +# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}" + +# This one will append some text to the 'msg' string for all rules that +# have the 'tag' keyword in them. +# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \ +# "${1}, going to tag this baby"${2}" + +# There may be times when you want to replace multiple occurrences of a +# certain keyword/string in a rule and not just the first one. To +# replace the first two occurrences of "foo" with "bar" in SID 100, +# simply repeat the modifysid statement: +# modifysid 100 "foo" | "bar" +# modifysid 100 "foo" | "bar" + +# Or you can even specify a SID list but repeat the same SID as many +# times as required, like: +# modifysid 100,100,100 "foo" | "bar" + +# Enable all rules in the file exploit.rules. +# modifysid exploit.rules "^#" | "" + +# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171. +# modifysid exploit.rules, snmp.rules, 1171 "^#" | "" + + + +######################################################################## +# SIDs that we don't want to update. 
# +# If you for some reason don't want a specific rule to be updated # +# (e.g. you made local modifications to it and you never want to # +# update it and don't care about changes in the official version), you # +# can specify a "localsid" statement for it. This means that the old # +# version of the rule (i.e. the one in the rules file on your # +# harddrive) is always kept, regardless if the official version has # +# been updated. Please do not use this feature unless in special # +# cases as it's easy to end up with many signatures that aren't # +# maintained anymore. See the FAQ for details about this and hints # +# about better solutions regarding customization of rules. # +# # +# Syntax: localsid SID # +# or: localsid SID1, SID2, SID3, ... # +######################################################################## + +# Example to never update SID 1325. +# localsid 1325 + + + +######################################################################## +# SIDs to enable after each update. # +# Will simply remove all the leading '#' for a specified SID (if it's # +# a multi-line rule, the leading '#' for all lines are removed.) # +# These will be processed after all the modifysid and disablesid # +# statements. Using 'enablesid' on a rule that is not disabled is a # +# NOOP. # +# # +# Syntax: enablesid SID # +# or: enablesid SID1, SID2, SID3, ... # +######################################################################## + +# Example to enable SID 1325. +# enablesid 1325 + + + +######################################################################## +# SIDs to comment out, i.e. disable, after each update by placing a # +# '#' in front of the rule (if it's a multi-line rule, it will be put # +# in front of all lines). # +# # +# Syntax: disablesid SID # +# or: disablesid SID1, SID2, SID3, ... # +######################################################################## + +# You can specify one SID per line. 
+# disablesid 1 +# disablesid 2 +# disablesid 3 + +# And also as comma-separated lists. +# disablesid 4,5,6 + +# It's a good idea to also add comment about why you disable the sid: +# disablesid 1324 # 20020101: disabled this SID just because I can diff --git a/lfs/oinkmaster b/lfs/oinkmaster index 2dc67b9a7..ce2df4c67 100644 --- a/lfs/oinkmaster +++ b/lfs/oinkmaster @@ -71,7 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-2.0-add_community_rules.patch cd $(DIR_APP) && chown nobody:nobody oinkmaster.pl - cd $(DIR_APP) && cp -f oinkmaster.conf /var/ipfire/suricata/ + cd $(DIR_APP) && install -m 0644 $(DIR_SRC)/config/oinkmaster/oinkmaster.conf \ + /var/ipfire/suricata/ cd /var/ipfire/suricata && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-tmp.patch cd $(DIR_APP) && install -m 0755 oinkmaster.pl /usr/local/bin/ @rm -rf $(DIR_APP) From 308ba5e74c27e50e9fda4278749256d3ff541d5e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 07:37:10 +0200 Subject: [PATCH 096/259] ids-functions.pl: Add function to create empty files This generic function can be used to create any kind of emtpy files - it just requires the full path and filename to work. If the specified file exists at calltime, the function will abort to prevent from overwriting existing files and content. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index cb16e1b49..6f7f3ee7e 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
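Review bot: The comment above `include /var/ipfire/suricata/oinkmaster-modify-sids.conf` says the file "defines the runmode of suricata", but by its name and by analogy with the two includes before it, it holds `modifysid` statements; suggest `# Include file which contains the modifysid statements.`. As the include documentation in this same file states, an included file is parsed exactly like oinkmaster.conf, so each of the three files under /var/ipfire/suricata can also redefine `path`, `url`, `umask` or pull in further `include` lines, not just enable or disable SIDs. Whatever generates those files (the CGI, per the other changes in this series) should therefore keep them writable only by their owner, and a short comment next to the includes saying that they are machine-generated and must not be world-writable would make that dependency visible to the next maintainer.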
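Review bot: The `cd $(DIR_APP) &&` prefix on the new install line is redundant, since both the source `$(DIR_SRC)/config/oinkmaster/oinkmaster.conf` and the destination `/var/ipfire/suricata/` are absolute; `install -m 0644 $(DIR_SRC)/config/oinkmaster/oinkmaster.conf /var/ipfire/suricata/` fits on one line and no longer needs the continuation. The line that follows still patches the freshly installed file in place with oinkmaster-tmp.patch; now that the config is shipped from the IPFire tree, folding that change into config/oinkmaster/oinkmaster.conf would remove one build step and one place where the installed file can diverge from the source.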
@@ -355,4 +355,26 @@ sub call_suricatactrl ($) { return; } +# +## Function to create a new empty file. +# +sub create_empty_file($) { + my ($file) = @_; + + # Check if the given file exists. + if(-e $file) { + # Do nothing to prevent from overwriting existing files. + return; + } + + # Open the file for writing. + open(FILE, ">$file") or die "Could not write to $file. $!\n"; + + # Close file handle. + close(FILE); + + # Return true. + return 1; +} + 1; From 01ba4be48d1687d621b1d7242085aa077552cacd Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 07:39:04 +0200 Subject: [PATCH 097/259] ids.cgi: Create oinkmaster related files at first call With this commit, the CGI file will create the oinkmaster related files during first run if they does not exist. Fixes #11822. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 76848f71a..d3c68711c 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
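Review bot: The `-e $file` test followed by `open(FILE, ">$file")` is a check-then-act pair, so a file that appears between the two calls is truncated by the `>` open instead of being preserved, which contradicts the no-overwrite contract the commit message promises. `sysopen` with `O_CREAT|O_EXCL` makes the existence check and the creation one atomic step, and a lexical handle replaces the package-global bareword `FILE`. This needs `use Fcntl;` near the top of ids-functions.pl (outside this hunk), which exports the `O_*` constants; `$!{EEXIST}` comes from the `Errno` module, which `%!` loads on first use.
```perl
sub create_empty_file($) {
	my ($file) = @_;

	# O_EXCL makes "does it exist" and "create it" a single atomic step,
	# so an existing file is never truncated.
	my $fh;
	unless (sysopen($fh, $file, O_WRONLY|O_CREAT|O_EXCL)) {
		# File already exists: leave it untouched, as before.
		return if $!{EEXIST};
		die "Could not write to $file. $!\n";
	}

	# Close file handle.
	close($fh);

	# Return true.
	return 1;
}
```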
@@ -53,8 +53,22 @@ my $idsusedrulefilesfile = "$IDS::settingsdir/suricata-used-rulefiles.yaml"; # File where the addresses of the homenet are stored. my $idshomenetfile = "$IDS::settingsdir/suricata-homenet.yaml"; +# File which contains the enabled sids. +my $enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf"; + +# File which contains the disabled sids. +my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf"; + +# File which contains wheater the rules should be changed. +my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf"; + my $errormessage; +# Create oinkmaster related files if they does not exist yet. +unless (-f "$enabled_sids_file") { &IDS::create_empty_file($enabled_sids_file); } +unless (-f "$disabled_sids_file") { &IDS::create_empty_file($disabled_sids_file); } +unless (-f "$modify_sids_file") { &IDS::create_empty_file($modify_sids_file); } + &Header::showhttpheaders(); #Get GUI values @@ -138,9 +152,6 @@ if(-f $idsusedrulefilesfile) { # Save ruleset. if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { - my $enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf"; - my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf"; - # Arrays to store which rulefiles have been enabled and will be used. my @enabled_rulefiles; @@ -342,9 +353,6 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Generate file to store the home net. &generate_home_net_file(); - # File which contains wheater the rules should be changed. - my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf"; - # Open modify sid's file for writing. open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; From 5f630673850f01e4e1284d163a80772b2f7a46af Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 10:04:33 +0200 Subject: [PATCH 098/259] suricata: Fix initscript when using a single core machine 
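Review bot: The three `unless (-f "$...") { &IDS::create_empty_file(...); }` lines repeat the existence check that create_empty_file already does, and the two checks disagree: a path that exists but is not a plain file (a directory or dangling entry) fails `-f` here, then passes `-e` inside the helper, which returns silently, so the CGI continues with no usable file and no error. Calling the helper unconditionally, e.g. `&IDS::create_empty_file($enabled_sids_file);`, removes the duplication; if the distinction matters, test `-e` here as well so both layers agree. The quotes in `"$enabled_sids_file"` are unnecessary around a plain scalar. The second and third hunks only move the three `my` declarations to file scope.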
Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 57eeec157..93c2636f3 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -65,7 +65,7 @@ case "$1" in NFQ_OPTIONS=$NFQ_OPTS # Check if there are multiple cpu cores available. - if [ "$CPUCOUNT" > 0 ]; then + if [ "$CPUCOUNT" -gt "1" ]; then # Balance beetween all queues. NFQ_OPTIONS+="--queue-balance 0:" NFQ_OPTIONS+=$(($CPUCOUNT-1)) From 13d077fdf2093a2e468b5cda1e9e44fa99ee03cc Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 10:28:42 +0200 Subject: [PATCH 099/259] suricata.yaml: Fix include statement for homenet file Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index c7c1e40d7..de69a412a 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -13,7 +13,7 @@ vars: # more specifc is better for alert accuracy and performance address-groups: # Include HOME_NET declaration from external file. - include /var/ipfire/suricata/suricata-homenet.yaml + include: /var/ipfire/suricata/suricata-homenet.yaml EXTERNAL_NET: "!$HOME_NET" #EXTERNAL_NET: "any" From af5e823247876c313f516a98efe38ad38db5a01f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 10:54:07 +0200 Subject: [PATCH 100/259] suricata.yaml: Adjust classification and reference config location Both files are included in the various rulesets, therefore use them from the rules folder. Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index de69a412a..a8059772b 100644 --- a/config/suricata/suricata.yaml 
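Review bot: The corrected test `[ "$CPUCOUNT" -gt "1" ]` prints "integer expression expected" and falls through to the else branch whenever CPUCOUNT is empty or non-numeric; where CPUCOUNT is computed lies outside this hunk, so if it can come from a failed command, `if [ "${CPUCOUNT:-1}" -gt 1 ]; then` keeps the single-queue fallback quiet and explicit. The `NFQ_OPTIONS+=` appends on the following lines are a bash extension; that is fine if the script's interpreter is bash, which this hunk does not show.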
+++ b/config/suricata/suricata.yaml @@ -50,8 +50,8 @@ default-rule-path: /etc/suricata/rules rule-files: include: /var/ipfire/suricata/suricata-used-rulefiles.yaml -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config +classification-file: /etc/suricata/rules/classification.config +reference-config-file: /etc/suricata/rules/reference.config # threshold-file: /etc/suricata/threshold.config From 335114b207971fa88bc768c7dea49747b15b4fae Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 11:11:15 +0200 Subject: [PATCH 101/259] suricata.yaml: Start moving to IPFire specific configuration Remove a lot of stuff and options which are deactivated during compiling, unsupported by the plattform or not used in IPFire. Add an advice to the full documented suricata-example.yaml file which also is shipped by IPFire. More work needs to be done. See #11808 Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 762 +--------------------------------- 1 file changed, 20 insertions(+), 742 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index a8059772b..94e488cd1 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -1,16 +1,12 @@ %YAML 1.1 --- -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml - ## -## Step 1: inform Suricata about your network +## IPFire specific configuration file - an untouched example configuration +## can be found in suricata-example.yaml. ## vars: - # more specifc is better for alert accuracy and performance address-groups: # Include HOME_NET declaration from external file. include: /var/ipfire/suricata/suricata-homenet.yaml 
@@ -41,13 +37,12 @@ vars: FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" FTP_PORTS: 21 - ## -## Step 2: select the rules to enable or disable +## Ruleset specific options. ## - default-rule-path: /etc/suricata/rules rule-files: + # Include enabled ruleset files from external file. include: /var/ipfire/suricata/suricata-used-rulefiles.yaml classification-file: /etc/suricata/rules/classification.config @@ -56,12 +51,8 @@ reference-config-file: /etc/suricata/rules/reference.config ## -## Step 3: select outputs to enable +## Logging options. ## - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. default-log-dir: /var/log/suricata/ # global stats configuration 
@@ -80,365 +71,15 @@ outputs: append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: eve.json - #prefix: "@cee: " # prefix to prepend to each log entry - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true ## if redis replies are read asynchronously - # mode: list ## possible values: list|lpush (default), rpush, channel|publish - # ## lpush and rpush are using a Redis list. "list" is an alias for lpush - # ## publish is using a Redis channel. "channel" is an alias for publish - # key: suricata ## key or channel to use (default to suricata) - # Redis pipelining set up. This will enable to only do a query every - # 'batch-size' events. This should lower the latency induced by network - # connection at the cost of some memory. There is no flushing implemented - # so this setting as to be reserved to high traffic suricata. - # pipelining: - # enabled: yes ## set enable to yes to enable query pipelining - # batch-size: 10 ## number of entry to keep in buffer - types: - - alert: - # payload: yes # enable dumping payload in Base64 - # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log - # payload-printable: yes # enable dumping payload in printable (lossy) format - # packet: yes # enable dumping of packet (without stream segments) - # http-body: yes # enable dumping of http body in Base64 - # http-body-printable: yes # enable dumping of http body in printable format - metadata: yes # add L7/applayer fields, flowbit and other vars to the alert - - # Enable the logging of tagged packets for rules using the - # "tag" keyword. 
- tagged-packets: yes - - # HTTP X-Forwarded-For support by adding an extra field or overwriting - # the source or destination IP address (depending on flow direction) - # with the one reported in the X-Forwarded-For HTTP header. This is - # helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - - dns: - # control logging of queries and answers - # default yes, no to disable - query: yes # enable logging of DNS queries - answer: yes # enable logging of DNS answers - # control which RR types are logged - # all enabled if custom not specified - #custom: [a, aaaa, cname, mx, ns, ptr, txt] - - tls: - extended: yes # enable this for extended logging information - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - # custom allows to control which tls fields that are included - # in eve-log - #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] - - files: - force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - #- drop: - # alerts: 
yes # log alerts that caused drops - # flows: all # start or all: 'start' logs only a single drop - # # per flow direction. All logs each dropped pkt. - - smtp: - #extended: yes # enable this for extended logging information - # this includes: bcc, message-id, subject, x_mailer, user-agent - # custom fields logging from the list: - # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, - # x-originating-ip, in-reply-to, references, importance, priority, - # sensitivity, organization, content-md5, date - #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] - # output md5 of fields: body, subject - # for the body you need to set app-layer.protocols.smtp.mime.body-md5 - # to yes - #md5: [body, subject] - - #- dnp3 - #- nfs - - ssh - - stats: - totals: yes # stats for all threads merged together - threads: no # per thread stats - deltas: no # include delta values - # bi-directional flows - - flow - # uni-directional flows - #- netflow - # Vars log flowbits and other packet and flow vars - #- vars - - # alert output for use with Barnyard2 - - unified2-alert: - enabled: no - filename: unified2.alert - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - #limit: 32mb - - # By default unified2 log files have the file creation time (in - # unix epoch format) appended to the filename. Set this to yes to - # disable this behaviour. - #nostamp: no - - # Sensor ID field of unified2 alerts. - #sensor-id: 0 - - # Include payload of packets related to alerts. Defaults to true, set to - # false if payload is not required. - #payload: yes - - # HTTP X-Forwarded-For support by adding the unified2 extra header or - # overwriting the source or destination IP address (depending on flow - # direction) with the one reported in the X-Forwarded-For HTTP header. - # This is helpful when reviewing alerts for traffic that is being reverse - # or forward proxied. 
- xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". Note - # that in the "overwrite" mode, if the reported IP address in the HTTP - # X-Forwarded-For header is of a different version of the packet - # received, it will fall-back to "extra-data" mode. - mode: extra-data - # Two proxy deployments are supported, "reverse" and "forward". In - # a "reverse" deployment the IP address used is the last one, in a - # "forward" deployment the first IP address is used. - deployment: reverse - # Header name where the actual IP address will be reported, if more - # than one IP address is present, the last IP address will be the - # one taken into consideration. - header: X-Forwarded-For - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: no - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. 
- append: yes - #extended: yes # Log extended information like fingerprint - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - # output TLS transaction where the session is resumed using a - # session id - #session-resumption: no - - # output module to store certificates chain to disk - - tls-store: - enabled: no - #certs-log-dir: certs # directory to store the certificates files - - # a line based log of DNS requests and/or replies (no alerts) - - dns-log: - enabled: no - filename: dns.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Packet log... log packets in pcap format. 3 modes of operation: "normal" - # "multi" and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". - # In multi mode, a file is created per thread. This will perform much - # better, but will create multiple files where 'normal' would create one. - # In multi mode the filename takes a few special variables: - # - %n -- thread number - # - %i -- thread id - # - %t -- timestamp (secs or secs.usecs based on 'ts-format' - # E.g. filename: pcap.%n.%t - # - # Note that it's possible to use directories, but the directories are not - # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the - # per thread directory. - # - # Also note that the limit and max-files settings are enforced per thread. - # So the size limit when using 8 threads with 1000mb files and 2000 files - # is: 8*1000*2000 ~ 16TiB. - # - # In Sguil mode "dir" indicates the base directory. In this base dir the - # pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. 
- # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - mode: normal # normal, multi or sguil. - - # Directory to place pcap files. If not provided the default log - # directory will be used. Required for "sguil" mode. - #dir: /nsm_data/ - - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (http://www.prelude-technologies.com/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - # Stats.log contains data from various counters of the suricata engine. - stats: enabled: yes filename: stats.log - append: yes # append to file (yes) or overwrite it (no) + append: no # append to file (yes) or overwrite it (no) totals: yes # stats for all threads merged together threads: no # per thread stats #null-values: yes # print counters that have value 0 - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. 
If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # a line based information for dropped packets in IPS mode - - drop: - enabled: no - filename: drop.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # output module to store extracted files to disk - # - # The files are stored to the log-dir in a format "file." where is - # an incrementing number starting at 1. For each file "file." a meta - # file "file..meta" is created. - # - # File extraction depends on a lot of things to be fully done: - # - file-store stream-depth. For optimal results, set this to 0 (unlimited) - # - http request / response body sizes. Again set to 0 for optimal results. - # - rules that contain the "filestore" keyword. - - file-store: - enabled: no # set to yes to enable - log-dir: files # directory to store the files - force-magic: no # force logging magic on all stored files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - force-filestore: no # force storing of all files - # override global stream-depth for sessions in which we want to - # perform file extraction. Set to 0 for unlimited. - #stream-depth: 0 - #waldo: file.waldo # waldo file to store the file_id across runs - # uncomment to disable meta file writing - #write-meta: no - # uncomment the following variable to define how many files can - # remain open for filestore by Suricata. 
Default value is 0 which - # means files get closed after each write - #max-open-files: 1000 - - # output module to log files tracked in a easily parsable json format - - file-log: - enabled: no - filename: files-json.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - force-magic: no # force logging magic on all logged files - # force logging of checksums, available hash functions are md5, - # sha1 and sha256 - #force-hash: [md5] - - # Log TCP data after stream normalization - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per TCP session and stores the raw TCP data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by stream.depth - - tcp-data: - enabled: no - type: file - filename: tcp-data.log - - # Log HTTP body data after normalization, dechunking and unzipping. - # 2 types: file or dir. File logs into a single logfile. Dir creates - # 2 files per HTTP session and stores the normalized data into them. - # Using 'both' will enable both file and dir modes. - # - # Note: limited by the body limit settings - - http-body-data: - enabled: no - type: file - filename: http-data.log - - # Lua Output Support - execute lua script to generate alert and event - # output. - # Documented at: - # https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Lua_Output - - lua: - enabled: no - #scripts-dir: /etc/suricata/lua-output/ - scripts: - # - script1.lua - -# Logging configuration. This is not about logging IDS alerts/events, but -# output about what Suricata is doing, like startup messages, errors, etc. logging: # The default log level, can be overridden in an output section. # Note that debug level logging will only be emitted if Suricata was 
@@ -447,13 +88,6 @@ logging: # This value is overriden by the SC_LOG_LEVEL env var. default-log-level: notice - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overriden in an - # output section. You can leave this out to get the default. - # - # This value is overriden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - # A regex to filter output. Can be overridden in an output section. # Defaults to empty (no filter). # 
@@ -464,158 +98,32 @@ logging: # disabled you will get the default - console output. outputs: - console: - enabled: yes + enabled: no # type: json - file: - enabled: yes + enabled: no level: info filename: /var/log/suricata/suricata.log # type: json - syslog: - enabled: no + enabled: yes facility: local5 format: "[%i] <%d> -- " # type: json - ## -## Step 4: configure common capture settings -## -## See "Advanced Capture Options" below for more options, including NETMAP -## and PF_RING. +## Netfilter configuration ## -# Linux high speed capture support -af-packet: - - interface: eth0 - # Number of receive threads. "auto" uses the number of cores - #threads: auto - # Default clusterid. AF_PACKET will load balance packets based on flow. - cluster-id: 99 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_round_robin: round robin load balancing - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - # * cluster_qm: all packets linked by network card to a RSS queue are sent to the same - # socket. Requires at least Linux 3.14. - # * cluster_random: packets are sent randomly to sockets but with an equipartition. - # Requires at least Linux 3.14. - # * cluster_rollover: kernel rotates between sockets filling each socket before moving - # to the next. Requires at least Linux 3.10. - # Recommended modes are cluster_flow on most boxes and cluster_cpu or cluster_qm on system - # with capture card using RSS (require cpu affinity tuning and system irq tuning) - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. 
- defrag: yes - # After Linux kernel 3.10 it is possible to activate the rollover option: if a socket is - # full then kernel will send the packet on the next socket with room available. This option - # can minimize packet drop and increase the treated bandwidth on single intensive flow. - #rollover: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - #use-mmap: yes - # Lock memory map to avoid it goes to swap. Be careful that over suscribing could lock - # your system - #mmap-locked: yes - # Use tpacket_v3 capture mode, only active if use-mmap is true - # Don't use it in IPS or TAP mode as it causes severe latency - #tpacket-v3: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independently of the number - # of threads: - #ring-size: 2048 - # Block size is used by tpacket_v3 only. It should set to a value high enough to contain - # a decent number of packets. Size is in bytes so please consider your MTU. It should be - # a power of 2 and it must be multiple of page size (usually 4096). - #block-size: 32768 - # tpacket_v3 block timeout: an open block is passed to userspace if it is not - # filled after block-timeout milliseconds. - #block-timeout: 10 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. 
At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - - # Put default values here. These will be used for an interface that is not - # in the list above. - - interface: default - #threads: auto - #use-mmap: no - #rollover: yes - #tpacket-v3: yes - -# Cross platform libpcap capture support -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. 
(default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -# Settings for reading pcap files -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# See "Advanced Capture Options" below for more options, including NETMAP -# and PF_RING. - +nfq: + mode: repeat + repeat-mark: 1 + repeat-mask: 1 + bypass-mark: 1 + bypass-mask: 1 +# route-queue: 2 +# batchcount: 20 + fail-open: yes ## ## Step 5: App Layer Protocol Configuration @@ -939,7 +447,7 @@ host-mode: auto # activated in live capture mode. You can use the filename variable to set # the file name of the socket. unix-command: - enabled: auto + enabled: no #filename: custom.socket # Magic file. The extension .mgc is added to the value here. 
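Review bot: The new nfq block at the end of this hunk sets `fail-open: yes` and identical repeat and bypass marks without a single comment, while the hunk at @@ -1434,227 +933,6 @@ in the same commit deletes the text that explained these keys. fail-open lets the kernel accept packets when Suricata cannot keep pace, so under load traffic is forwarded uninspected rather than dropped; that is a defensible availability choice for a firewall, but it should be stated, e.g. `# fail-open: when the queue is full the kernel accepts packets instead of dropping them, i.e. they pass uninspected (Linux >= 3.6).` `mode: repeat` only works if the NFQUEUE firewall rule excludes packets that already carry the mark, so a line such as `# repeat-mark/-mask must match the "-m mark ! --mark" test of the NFQUEUE rule` would tie the values to the ruleset. Using the same 1/1 pair for bypass-mark/-mask means the ruleset cannot tell a bypassed flow from a re-injected packet; if that distinction is not needed here, say so, otherwise use a different bit.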
@@ -1356,15 +864,6 @@ threading: # detect-thread-ratio: 1.0 -# Luajit has a strange memory requirement, it's 'states' need to be in the -# first 2G of the process' memory. -# -# 'luajit.states' is used to control how many states are preallocated. -# State use: per detect script: 1 per detect thread. Per output script: 1 per -# script. -luajit: - states: 128 - # Profiling settings. Only effective if Suricata has been built with the # the --enable-profiling configure flag. # 
@@ -1434,227 +933,6 @@ profiling: filename: pcaplog_stats.log append: yes -## -## Netfilter integration -## - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if suricata is not able to keep pace. -# bypass mark and mask can be used to implement NFQ bypass. If bypass mark is -# set then the NFQ bypass is activated. Suricata will set the bypass mark/mask -# on packet of a flow that need to be bypassed. The Nefilter ruleset has to -# directly accept all packets of a flow once a packet has been marked. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# bypass-mark: 1 -# bypass-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -## -## Advanced Capture Options -## - -# general settings affecting packet capture -capture: - # disable NIC offloading. It's restored when Suricata exists. 
- # Enabled by default - #disable-offloading: false - # - # disable checksum validation. Same as setting '-k none' on the - # commandline - #checksum-validation: none - -# Netmap support -# -# Netmap operates with NIC directly in driver, so you need FreeBSD wich have -# built-in netmap support or compile and install netmap module and appropriate -# NIC driver on your Linux system. -# To reach maximum throughput disable all receive-, segmentation-, -# checksum- offloadings on NIC. -# Disabling Tx checksum offloading is *required* for connecting OS endpoint -# with NIC endpoint. -# You can find more information at https://github.com/luigirizzo/netmap -# -netmap: - # To specify OS endpoint add plus sign at the end (e.g. "eth0+") - - interface: eth2 - # Number of receive threads. "auto" uses number of RSS queues on interface. - #threads: auto - # You can use the following variables to activate netmap tap or IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - # To specify the OS as the copy-iface (so the OS can route packets, or forward - # to a service running on the same machine) add a plus sign at the end - # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0 - # for return packets. Hardware checksumming must be *off* on the interface if - # using an OS endpoint (e.g. 'ifconfig eth0 -rxcsum -txcsum -rxcsum6 -txcsum6' for FreeBSD - # or 'ethtool -K eth0 tx off rx off' for Linux). - #copy-mode: tap - #copy-iface: eth3 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. 
- # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - # Put default values here - - interface: default - -# PF_RING configuration. for use with native PF_RING support -# for more info see http://www.ntop.org/products/pf_ring/ -pfring: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow. - # Possible values are cluster_flow or cluster_round_robin. - cluster-type: cluster_flow - # bpf filter for this interface - #bpf-filter: tcp - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -# For FreeBSD ipfw(8) divert(4) support. 
-# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - # This may be enabled when sharing streams with another application. - # Otherwise, it should be turned off. - hba: -1 - - # use_all_streams set to "yes" will query the Napatech service for all configured - # streams and listen on all of them. When set to "no" the streams config array - # will be used. - use-all-streams: yes - - # The streams to listen on. This can be either: - # a list of individual streams (e.g. streams: [0,1,2,3]) - # or - # a range of streams (e.g. streams: ["0-3"]) - streams: ["0-3"] - -# Tilera mpipe configuration. for use on Tilera TILE-Gx. -mpipe: - - # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". - load-balance: dynamic - - # Number of Packets in each ingress packet queue. 
Must be 128, 512, 2028 or 65536 - iqueue-packets: 2048 - - # List of interfaces we will listen on. - inputs: - - interface: xgbe2 - - interface: xgbe3 - - interface: xgbe4 - - - # Relative weight of memory for packets of each mPipe buffer size. - stack: - size128: 0 - size256: 9 - size512: 0 - size1024: 0 - size1664: 7 - size4096: 0 - size10386: 0 - size16384: 0 - ## ## Hardware accelaration ## From 9074853d8df16e729d7e3fe3fb6c465877614f2e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 14:26:24 +0200 Subject: [PATCH 102/259] suricatactrl: Add reload command Signed-off-by: Stefan Schantl --- src/misc-progs/suricatactrl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/misc-progs/suricatactrl.c b/src/misc-progs/suricatactrl.c index dbc5c64ad..a084d4178 100644 --- a/src/misc-progs/suricatactrl.c +++ b/src/misc-progs/suricatactrl.c @@ -29,8 +29,10 @@ int main(int argc, char *argv[]) { safe_system("/etc/rc.d/init.d/suricata stop"); } else if (strcmp(argv[1], "restart") == 0) { safe_system("/etc/rc.d/init.d/suricata restart"); + } else if (strcmp(argv[1], "reload") == 0) { + safe_system("/etc/rc.d/init.d/suricata reload"); } else { - fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart)\n\n"); + fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart|reload)\n\n"); exit(1); } From 68123effb80c3509cb4855c46d3ff378ba7f13a0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 14:54:34 +0200 Subject: [PATCH 103/259] suricatactrl: Add fix-rules-dir command This command is used to set the ownership and permissions back to nobody:nobdoy which is used by the WUI to write the ruleset. Signed-off-by: Stefan Schantl --- src/misc-progs/suricatactrl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/misc-progs/suricatactrl.c b/src/misc-progs/suricatactrl.c index a084d4178..61b76273d 100644 --- a/src/misc-progs/suricatactrl.c +++ b/src/misc-progs/suricatactrl.c 
@@ -19,7 +19,7 @@ int main(int argc, char *argv[]) { exit(1); if (argc < 2) { - fprintf(stderr, "\nNo argument given.\n\nidsctrl (start|stop|restart)\n\n"); + fprintf(stderr, "\nNo argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n"); exit(1); } @@ -31,8 +31,10 @@ int main(int argc, char *argv[]) { safe_system("/etc/rc.d/init.d/suricata restart"); } else if (strcmp(argv[1], "reload") == 0) { safe_system("/etc/rc.d/init.d/suricata reload"); + } else if (strcmp(argv[1], "fix-rules-dir") == 0) { + safe_system("chown nobody:nobody /etc/suricata/rules/*"); } else { - fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart|reload)\n\n"); + fprintf(stderr, "\nBad argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n"); exit(1); } From 330759d88a4adfbf5fc23cb575607b8b99b1b62b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 14:55:40 +0200 Subject: [PATCH 104/259] ids-functions.pl: Add priviate function _check_rulesdir_permissions() This function checks if all files located in /etc/suricata/rules are writable by the effective user and group (nobody:nobody) and if not calls suricatactl to fix it. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 6f7f3ee7e..783fd0166 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -48,7 +48,7 @@ our $idspidfile = "/var/run/suricata.pid"; my $suricatactrl = "/usr/local/bin/suricatactrl"; # Array with allowed commands of suricatactrl. -my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload' ); +my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload', 'fix-rules-dir' ); # ## Function for checking if at least 300MB of free disk space are available 
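Review bot: The usage string in the `else` branch of the second hunk still lists only `(start|stop|restart|reload)` although the same hunk adds the `fix-rules-dir` command, and the `argc < 2` message rewritten in the first hunk has the same gap; both should read `"\nBad argument given.\n\nsuricatactrl (start|stop|restart|reload|fix-rules-dir)\n\n"` (resp. `No argument given`). The later rewrites of the `fix-rules-dir` line in patches 107 and 112 leave both strings unchanged, so the omission survives the series. main() starts before these hunks.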
@@ -182,6 +182,9 @@ sub downloadruleset { ## A tiny wrapper function to call the oinkmaster script. # sub oinkmaster () { + # Check if the files in rulesdir have the correct permissions. + &_check_rulesdir_permissions(); + # Load perl module to talk to the kernel syslog. use Sys::Syslog qw(:DEFAULT setlogsock); @@ -377,4 +380,27 @@ sub create_empty_file($) { return 1; } +# +## Private function to check if the file permission of the rulespath are correct. +## If not, call suricatactrl to fix them. +# +sub _check_rulesdir_permissions() { + # Open snort rules directory and do a directory listing. + opendir(DIR, $rulespath) or die $!; + # Loop through the direcory. + while (my $file = readdir(DIR)) { + # We only want files. + next unless (-f "$rulespath/$file"); + + # Check if the file is writable by the user. + if (-W "$rulespath/$file") { + # Everything is okay - go on to the next file. + next; + } else { + # There are wrong permissions, call suricatactrl to fix it. + &call_suricatactrl("fix-rules-dir"); + } + } +} + 1; From baeae346589a793b2d9dca39017e1eb7c00d5bf1 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 Aug 2018 15:15:09 +0200 Subject: [PATCH 105/259] lfs/suricata: Move classification and reference config to /etc/suricata/rules Signed-off-by: Stefan Schantl --- config/rootfiles/common/suricata | 10 +++++----- lfs/suricata | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 31d501cac..9c350f69c 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,7 +1,7 @@ etc/suricata -etc/suricata/classification.config -etc/suricata/reference.config -etc/suricata/rules +#etc/suricata/rules +etc/suricata/rules/classification.config +etc/suricata/rules/reference.config etc/suricata/suricata.yaml etc/suricata/suricata-example.yaml etc/suricata/threshold.config 
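Review bot: `_check_rulesdir_permissions` calls `&call_suricatactrl("fix-rules-dir")` once per unwritable file and keeps iterating, although a single call already covers every file in the directory; add `last;` directly after the call. The handle opened with `opendir(DIR, $rulespath)` is never released, so `closedir(DIR);` belongs after the loop. `or die $!` aborts the whole oinkmaster run when the directory cannot be listed; if callers of `oinkmaster()` can handle a failure return, logging and returning would be the gentler choice (not decidable from the hunk).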
@@ -45,5 +45,5 @@ usr/bin/suricata #usr/share/doc/suricata/Windows.txt #usr/share/man/man1/suricata.1 var/log/suricata -var/log/suricata/certs -var/log/suricata/files +#var/log/suricata/certs +#var/log/suricata/files diff --git a/lfs/suricata b/lfs/suricata index d6b016838..a37fd2953 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -85,6 +85,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) mv /etc/suricata/suricata.yaml /etc/suricata/suricata-example.yaml install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata -mkdir -p /etc/suricata/rules + mv /etc/suricata/*.config /etc/suricata/rules/ -mkdir -p /var/log/suricata @rm -rf $(DIR_APP) @$(POSTBUILD) From 4892f82ca19ad29b2213825a9fc2200d9b801252 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 25 Aug 2018 15:22:53 +0200 Subject: [PATCH 106/259] suricata: Fix rootfile Signed-off-by: Stefan Schantl --- config/rootfiles/common/suricata | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 9c350f69c..960390456 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -2,9 +2,9 @@ etc/suricata #etc/suricata/rules etc/suricata/rules/classification.config etc/suricata/rules/reference.config +etc/suricata/rules/threshold.config etc/suricata/suricata.yaml etc/suricata/suricata-example.yaml -etc/suricata/threshold.config usr/bin/suricata #usr/bin/suricatasc #usr/lib/python2.7/site-packages/suricatasc From e568796bb0a0fc2072c2494936ec678f4c7fe17f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sat, 25 Aug 2018 15:48:58 +0200 Subject: [PATCH 107/259] ids-functions.pl: Also check and fix the permissions of rulespath Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 6 ++++++ src/misc-progs/suricatactrl.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 783fd0166..28f08182a 100644 
--- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -385,6 +385,12 @@ sub create_empty_file($) { ## If not, call suricatactrl to fix them. # sub _check_rulesdir_permissions() { + # Check if the rulepath main directory is writable. + unless (-W $rulespath) { + # If not call suricatctrl to fix it. + &call_suricatactrl("fix-rules-dir"); + } + # Open snort rules directory and do a directory listing. opendir(DIR, $rulespath) or die $!; # Loop through the direcory. diff --git a/src/misc-progs/suricatactrl.c b/src/misc-progs/suricatactrl.c index 61b76273d..cc674e0f5 100644 --- a/src/misc-progs/suricatactrl.c +++ b/src/misc-progs/suricatactrl.c @@ -32,7 +32,7 @@ int main(int argc, char *argv[]) { } else if (strcmp(argv[1], "reload") == 0) { safe_system("/etc/rc.d/init.d/suricata reload"); } else if (strcmp(argv[1], "fix-rules-dir") == 0) { - safe_system("chown nobody:nobody /etc/suricata/rules/*"); + safe_system("chown -R nobody:nobody /etc/suricata/rules/"); } else { fprintf(stderr, "\nBad argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n"); exit(1); From be52c68a2db2455f8118190a6bb37594891480a1 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 27 Aug 2018 15:11:28 +0200 Subject: [PATCH 108/259] ids-functions.pl: Early abort downloadruleset() if no ruleset is configured Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 28f08182a..a514d7989 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
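Review bot: After `&call_suricatactrl("fix-rules-dir")` for the unwritable directory the function falls through into the per-file loop, which can invoke the same command again for every file; since the suricatactrl.c hunk of this commit makes the fix a recursive `chown -R`, a `return;` right after the directory fix is sufficient. The rest of `_check_rulesdir_permissions`, including that loop, lies outside the hunk.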
@@ -98,6 +98,15 @@ sub downloadruleset { my %snortsettings=(); &General::readhash("$settingsdir/settings", \%snortsettings); + # Check if a ruleset has been configured. + unless($snortsettings{'RULES'}) { + # Log that no ruleset has been configured and abort. + &_log_to_syslog("No ruleset source has been configured."); + + # Return "1". + return 1; + } + # Get all available ruleset locations. my %rulesetsources=(); &General::readhash($rulesetsourcesfile, \%rulesetsources); From 004b13b7e801c18d399740c4e9b7866c9685637c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 29 Aug 2018 10:55:32 +0200 Subject: [PATCH 109/259] ids.cgi: Fix get_memory_usage() Change the get_memory_usage() function to grab and return the memory usage of the entire process, containing all sub-processes and threads. Fixes #11821 Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index d3c68711c..045211298 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
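Review bot: The comment `# Return "1".` only repeats the statement below it; what a reader needs is what the value signals to callers of `downloadruleset` — a "nothing configured, nothing to do" result or an error — because a syslog message followed by a non-zero return reads like a failure path. Replace it with something like `# No ruleset source configured - nothing to download; return 1 so the caller stops here.` adjusted to what the callers actually expect; the function's other return paths are outside the hunk, so the convention should be checked against them.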
@@ -824,28 +824,36 @@ sub readrulesfile ($) { ## Function to get the used memory of a given process-id. # sub get_memory_usage($) { - my $pid = @_; + my ($pid) = @_; - my $memory=0; + my $memory = 0; - # Try to open statm file for the given process-id on the pseudo + # Try to open the status file for the given process-id on the pseudo # file system proc. - if (open(FILE, "/proc/$pid/statm")) { - # Read file content. - my $temp = ; + if (open(FILE, "/proc/$pid/status")) { + # Loop through the entire file. + while () { + # Splitt current line content and store them into variables. + my ($key, $value) = split(":", $_, 2); - # Splitt file content and store in an array. - my @memory = split(/ /,$temp); + # Check if the current key is the one which contains the memory usage. + # The wanted one is VmRSS which contains the Real-memory (resident set) + # of the entire process. + if ($key eq "VmRSS") { + # Found the memory usage add it to the memory variable. + $memory += $value; + + # Break the loop. + last; + } + } # Close file handle. - close(FILE); - - # Calculate memory usage. - $memory+=$memory[0]; + close(FILE); # Return memory usage. return $memory; - } + } # If the file could not be open, return nothing. return; From 00512a5ac800205a9f46cd0936909d5c921e6643 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 29 Aug 2018 11:50:59 +0200 Subject: [PATCH 110/259] ids.cgi: Create file for used rulefiles on first execution if not present Create this file on first execution of the script if it does not exist yet. This will allow suricata to imediately be started. Otherwise the ruleset has to be downloaded and configured before this file has been created and suricata could be launched. Fixes #11833. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 045211298..979dcbcb7 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
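Review bot: `$memory += $value;` adds the raw remainder of the `VmRSS:` line (whitespace, the number and the `kB` suffix), so the result depends on Perl's numeric coercion of a string like `"\t  12345 kB\n"` and triggers an "isn't numeric" warning under `use warnings`; extract the number first with `my ($kb) = $value =~ /(\d+)/;` and add `$kb`. The header comment above the function should also state that the returned figure is now kilobytes as printed by /proc/PID/status, since the removed statm-based code returned a page count and callers may still scale it. The readline operators look stripped by the page extraction (`while () {`, `my $temp = ;`), so the loop condition should be verified against the real file.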
@@ -64,10 +64,11 @@ my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf"; my $errormessage; -# Create oinkmaster related files if they does not exist yet. +# Create files if they does not exist yet. unless (-f "$enabled_sids_file") { &IDS::create_empty_file($enabled_sids_file); } unless (-f "$disabled_sids_file") { &IDS::create_empty_file($disabled_sids_file); } unless (-f "$modify_sids_file") { &IDS::create_empty_file($modify_sids_file); } +unless (-f "$idsusedrulefilesfile") { &IDS::create_empty_file($idsusedrulefilesfile); } &Header::showhttpheaders(); From d2e6bf6e5f0a3867664c68cd85dff686a08b696c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 29 Aug 2018 12:27:12 +0200 Subject: [PATCH 111/259] suricata: Do not ship an example configuration file Stop shipping a full example configuration file for suricata. Fixes #11836. Signed-off-by: Stefan Schantl --- config/rootfiles/common/suricata | 1 - lfs/suricata | 6 +++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 960390456..0a4d9c3a4 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -4,7 +4,6 @@ etc/suricata/rules/classification.config etc/suricata/rules/reference.config etc/suricata/rules/threshold.config etc/suricata/suricata.yaml -etc/suricata/suricata-example.yaml usr/bin/suricata #usr/bin/suricatasc #usr/lib/python2.7/site-packages/suricatasc diff --git a/lfs/suricata b/lfs/suricata index a37fd2953..ca234549e 100644 --- a/lfs/suricata +++ b/lfs/suricata 
@@ -82,7 +82,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install cd $(DIR_APP) && make install-conf - mv /etc/suricata/suricata.yaml /etc/suricata/suricata-example.yaml + + # Remove default suricata config file. + rm -rvf /etc/suricata/suricata.yaml + + # Install IPFire related config file. install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata -mkdir -p /etc/suricata/rules mv /etc/suricata/*.config /etc/suricata/rules/ From 21cab141ec018b885abf2849b82acb22684f0c80 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 29 Aug 2018 12:34:08 +0200 Subject: [PATCH 112/259] suricata: Rule files are now located in /var/lib/suricata Place the rulefiles from now in "/var/lib/suricata". Fixes #11834 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 2 +- config/rootfiles/common/suricata | 8 ++++---- config/suricata/suricata.yaml | 8 ++++---- lfs/suricata | 12 ++++++++++-- src/misc-progs/suricatactrl.c | 2 +- 5 files changed, 20 insertions(+), 12 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index a514d7989..3f6cb3ee2 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -35,7 +35,7 @@ our $rulestarball = "/var/tmp/idsrules.tar.gz"; our $storederrorfile = "/tmp/ids_storederror"; # Location where the rulefiles are stored. -our $rulespath = "/etc/suricata/rules"; +our $rulespath = "/var/lib/suricata"; # File which contains a list of all supported ruleset sources. # (Sourcefire, Emergingthreads, etc..) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 0a4d9c3a4..98504c46f 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata 
@@ -1,8 +1,4 @@ etc/suricata -#etc/suricata/rules -etc/suricata/rules/classification.config -etc/suricata/rules/reference.config -etc/suricata/rules/threshold.config etc/suricata/suricata.yaml usr/bin/suricata #usr/bin/suricatasc @@ -43,6 +39,10 @@ usr/bin/suricata #usr/share/doc/suricata/Ubuntu_Installation_from_GIT.txt #usr/share/doc/suricata/Windows.txt #usr/share/man/man1/suricata.1 +#var/lib/suricata +var/lib/suricata/classification.config +var/lib/suricata/reference.config +var/lib/suricata/threshold.config var/log/suricata #var/log/suricata/certs #var/log/suricata/files diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 94e488cd1..54e7e519c 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -40,14 +40,14 @@ vars: ## ## Ruleset specific options. ## -default-rule-path: /etc/suricata/rules +default-rule-path: /var/lib/suricata rule-files: # Include enabled ruleset files from external file. include: /var/ipfire/suricata/suricata-used-rulefiles.yaml -classification-file: /etc/suricata/rules/classification.config -reference-config-file: /etc/suricata/rules/reference.config -# threshold-file: /etc/suricata/threshold.config +classification-file: /var/lib/suricata/classification.config +reference-config-file: /var/lib/suricata/reference.config +# threshold-file: /var/lib/suricata/threshold.config ## diff --git a/lfs/suricata b/lfs/suricata index ca234549e..3cabd73c8 100644 --- a/lfs/suricata +++ b/lfs/suricata 
@@ -88,8 +88,16 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install IPFire related config file. install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata - -mkdir -p /etc/suricata/rules - mv /etc/suricata/*.config /etc/suricata/rules/ + + # Create emtpy rules directory. + -mkdir -p /var/lib/suricata + + # Move config files for references, threshold and classification + # to the rules directory. + mv /etc/suricata/*.config /var/lib/suricata + + # Create logging directory. -mkdir -p /var/log/suricata + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/misc-progs/suricatactrl.c b/src/misc-progs/suricatactrl.c index cc674e0f5..00f861ba3 100644 --- a/src/misc-progs/suricatactrl.c +++ b/src/misc-progs/suricatactrl.c @@ -32,7 +32,7 @@ int main(int argc, char *argv[]) { } else if (strcmp(argv[1], "reload") == 0) { safe_system("/etc/rc.d/init.d/suricata reload"); } else if (strcmp(argv[1], "fix-rules-dir") == 0) { - safe_system("chown -R nobody:nobody /etc/suricata/rules/"); + safe_system("chown -R nobody:nobody /var/lib/suricata"); } else { fprintf(stderr, "\nBad argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n"); exit(1); From 762a33f17ca8d86b979e22ddd538e76d32287d94 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 30 Aug 2018 14:13:37 +0200 Subject: [PATCH 113/259] suricata: Add files to be backuped Now all oinkmaster related config files and suricata related yaml files in "/var/ipfire/suricata/" will be included into the backups. Also the entire ruleset is part of the backup, so after a backup has been restored, the IDS can be used in the same way as before. Fixes #11835. Signed-off-by: Stefan Schantl --- config/backup/include | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/backup/include b/config/backup/include index 6982b1c92..bc9ff4b18 100644 --- a/config/backup/include +++ b/config/backup/include 
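Review bot: `chown -R nobody:nobody /var/lib/suricata` now also hands classification.config, reference.config and threshold.config to the unprivileged web user, because the lfs/suricata hunk in this commit moves those files into the same directory; Suricata reads them as configuration, so whoever can write the ruleset can now alter them too. If that is accepted because the ruleset in this directory is written by the same user anyway, a comment at the `fix-rules-dir` branch should say so, e.g. `/* rules dir is owned by the WUI user by design; it also holds the classification/reference/threshold configs */`; otherwise keep the three config files under a root-owned path and point suricata.yaml there. The usage string printed in the `else` branch still omits `fix-rules-dir`.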
@@ -42,10 +42,13 @@ /var/ipfire/proxy /var/ipfire/qos/* /var/ipfire/qos/bin/qos.sh +/var/ipfire/suricata/*.conf +/var/ipfire/suricata/*.yaml /var/ipfire/*/settings /var/ipfire/time/ /var/ipfire/urlfilter /var/ipfire/vpn +/var/lib/suricata /var/log/ip-acct/* /var/log/rrd/* /var/log/rrd/collectd From fd72c85eb8bb11978957dc39da8a5822715a5453 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 30 Aug 2018 15:12:29 +0200 Subject: [PATCH 114/259] Enable threshold file in suricata.yaml Enable and specify the path to the threshold-file in the suricata.yaml, otherwise the programm is trying to read it from a build-in default location and prints the following error message: Error opening file: "/etc/suricata//threshold.config": No such file or directory Fixes #11837. Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 54e7e519c..6c1a7de00 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -47,7 +47,7 @@ rule-files: classification-file: /var/lib/suricata/classification.config reference-config-file: /var/lib/suricata/reference.config -# threshold-file: /var/lib/suricata/threshold.config +threshold-file: /var/lib/suricata/threshold.config ## From 80bcd4dd1a424e1353aa0839e873ce9292cea3db Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 30 Aug 2018 18:18:26 +0200 Subject: [PATCH 115/259] ids.cgi: Hide rules config section if no rules a present Do not show the rules config section anymore if there is not ruleset available. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 163 ++++++++++++++++++++++--------------------- 1 file changed, 84 insertions(+), 79 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 979dcbcb7..641a88da8 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -625,100 +625,103 @@ END &Header::closebox(); -&Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); - print"
\n"; +# Only show the section for configuring the ruleset if one is present. +if (%idsrules) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); - # Output display table for rule files - print "
+ $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'}
-   +


$Lang::tr{'runmode'}
+ $Lang::tr{'intrusion detection system2'}     + $Lang::tr{'intrusion prevention system'}


+

- $Lang::tr{'ids analyze incomming traffic'} - - $Lang::tr{'ids analyze routing traffic'} - $Lang::tr{'ids traffic analyze'}
\n"; - print "$Lang::tr{'ids active on'} $Lang::tr{$zone}\n"; + print "$Lang::tr{'enabled on'} $Lang::tr{$zone}\n"; print "\n"; - print "$Lang::tr{'ids active on'} $Lang::tr{$zone}\n"; - print "
\n"; + print"\n"; - # Local variable required for java script to show/hide - # rules of a rulefile. - my $rulesetcount = 1; - - # Loop over each rule file - foreach my $rulefile (sort keys(%idsrules)) { - my $rulechecked = ''; - - # Check if rule file is enabled - if ($idsrules{$rulefile}{'Rulefile'}{'State'} eq 'on') { - $rulechecked = 'CHECKED'; - } - - # Table and rows for the rule files. - print"\n"; - print"\n"; - print"\n"; - print"\n"; - print"\n"; - - # Rows which will be hidden per default and will contain the single rules. - print"\n"; - print""; - - # Finished whith the rule file, increase count. - $rulesetcount++; - } - - # Close display table - print "
\n"; - print"\n"; - print"$rulefile\n"; - print"SHOW\n"; - print"
"; + print ""; print < @@ -731,7 +734,9 @@ print < END ; -&Header::closebox(); + &Header::closebox(); +} + &Header::closebigbox(); &Header::closepage(); From f5ddcad1cc38cfcc3b01f819bc4c4f01e6d1c189 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 6 Sep 2018 12:09:34 +0200 Subject: [PATCH 116/259] logs.cgi/ids.dat: Adjust code to show suricata events As default show the events generated by suricata and if for a certain selected date no suricata log is available try to fall-back to read the events from the old snort alert files (if available). Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/ids.dat | 38 +++++++++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index 030fd4b64..ab8cac2b6 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat 
@@ -375,11 +375,26 @@ sub processevent our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs); my $filestr=''; + my $readmode=''; if ($datediff==0) { - $filestr="/var/log/snort/alert"; + # If there is no datediff, directly assign the suricata fast.log. + $filestr="/var/log/suricata/fast.log"; } else { - $filestr="/var/log/snort/alert.$datediff"; - $filestr = "$filestr.gz" if -f "$filestr.gz"; + # If there is a datediff, assign the datediff to the filestring. + $filestr="/var/log/suricata/fast.log.$datediff"; + + # The files are compressed add the extension to the filestring. + $filestr="$filestr.gz"; + + # If the file does not exist, try to fallback to legacy snort alert file. + unless (-f $filestr) { + # Assign snort alert file, the datediff and extension for compressed file. + $filestr = "/var/log/snort/alert.$datediff"; + $filestr = "$filestr.gz"; + + # Assign "snort" as readmode. + $readmode="snort"; + } } if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) { $errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}"; 
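Review bot: For `$datediff` > 0 the new code appends `.gz` unconditionally, whereas the removed line only did so when the compressed file existed, so a rotated but not yet compressed `fast.log.N` (or a legacy `alert.N`) is now reported as unopenable; restore `$filestr = "$filestr.gz" if -f "$filestr.gz";` after each of the two assignments and let `unless (-f $filestr)` decide on the result. `$filestr` still reaches the two-argument pipe open `gzip -dc $filestr |` in the context line, so `$datediff` must remain a validated integer; its derivation is outside the hunk and worth confirming.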
@@ -388,15 +403,26 @@ sub processevent while() { $line++; - if ($_ =~ m/\[\*\*\]/) { + if (($_ =~ m/\[\*\*\]/) && ($readmode eq "snort")) { unless ($line == 1 || $date ne "$monthstr/$daystr") { &append; $line = 1; } - ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a"); + ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a"); @refs = (); $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/; $title = &Header::cleanhtml($2,"y"); + } else { + &append; + $line = 1; + + # Assign default values. + ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a"); + @refs = (); + + # Gather title details from line. + $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/; + $title = &Header::cleanhtml($2,"y"); } if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) { $classification = &Header::cleanhtml($1,"y"); @@ -413,7 +439,7 @@ sub processevent $destport = $10; } - if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) { + if ($_ =~ m/^([0-9\/]{3,10})\-([0-9\:]{5,8})\.([0-9]{1,14})/) { ($date,$time) = ($1,$2); } if ($_ =~ m/\[Xref \=\>.*\]/) { From 63d911cdc5d3e8a706f222e2094f2f7350c5fa02 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 6 Sep 2018 13:22:18 +0200 Subject: [PATCH 117/259] logs.cgi/ids.dat: Ease list of reported events Just ease the strict layout by adding a simple line break. Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/ids.dat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index ab8cac2b6..fba1cbc19 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat @@ -351,7 +351,7 @@ END } print < - +
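Review bot: The new `else` branch also runs for every line that is not an `[**]` header in snort mode, so the continuation lines of a multi-line snort event now call `&append` and reset all fields, which breaks the legacy parser the previous hunk falls back to; the branch should be `} elsif ($readmode ne "snort") {`. Inside it `&append` is also executed for the very first line before anything has been parsed, producing an empty record (the datetime/title filter added in patch 118 only hides that symptom); guard it with `unless ($line == 1)` the way the snort branch does. `processevent` starts before the hunk.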
END ; From 6f3b3cd089cea0f308c0b67e17ed864f6aa50b83 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 6 Sep 2018 13:28:20 +0200 Subject: [PATCH 118/259] logs.cgi/ids.dat: Dont display/export empty events. Check if the current processed event has at least datetime and a title. Otherwise skip it. Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/ids.dat | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index fba1cbc19..21737511f 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat @@ -167,6 +167,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'export'}) { my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/); $refs =~ s/,$//; + + # Skip event if no datetime and title are available. + next unless (($datetime) && ($title)); + print "Date: $datetime\n"; print "Name: $title\n"; print "Priority: $priority\n"; @@ -285,6 +289,10 @@ foreach $_ (@slice) else { print "\n"; } my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/); + + # Only show the current event if at least datetime and title are available. + next unless (($datetime) && ($title)); + print < From b7e29743944953c973e3f858c10ab627949f898d Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 11 Sep 2018 10:21:00 +0200 Subject: [PATCH 119/259] ids.cgi: Introduce whitelisting of IP-addresses If an IP-address has been added to the whitelist, any traffic from this host will not longer inspected by suricata. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 345 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 343 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 641a88da8..55f45c5c8 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -38,6 +38,7 @@ my %rulesetsources = (); my %cgiparams=(); my %checked=(); my %selected=(); +my %ignored=(); # Read-in main settings, for language, theme and colors. &General::readhash("${General::swroot}/main/settings", \%mainsettings); @@ -62,6 +63,12 @@ my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf"; # File which contains wheater the rules should be changed. my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf"; +# File which stores the configured settings for whitelisted addresses. +my $ignoredfile = "$IDS::settingsdir/ignored"; + +# File which contains the rules to whitelist addresses on suricata. +my $whitelistfile = "$IDS::rulespath/whitelist.rules"; + my $errormessage; # Create files if they does not exist yet. 
@@ -69,12 +76,157 @@ unless (-f "$enabled_sids_file") { &IDS::create_empty_file($enabled_sids_file); unless (-f "$disabled_sids_file") { &IDS::create_empty_file($disabled_sids_file); } unless (-f "$modify_sids_file") { &IDS::create_empty_file($modify_sids_file); } unless (-f "$idsusedrulefilesfile") { &IDS::create_empty_file($idsusedrulefilesfile); } +unless (-f "$ignoredfile") { &IDS::create_empty_file($ignoredfile); } +unless (-f "$whitelistfile" ) { &IDS::create_empty_file($whitelistfile); } &Header::showhttpheaders(); #Get GUI values &Header::getcgihash(\%cgiparams); +## Add/edit an entry to the ignore file. +# +if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq $Lang::tr{'update'})) { + + # Check if any input has been performed. + if ($cgiparams{'IGNORE_ENTRY_ADDRESS'} ne '') { + + # Check if the given input is no valid IP-address or IP-address with subnet, display an error message. + if ((!&General::validip($cgiparams{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($cgiparams{'IGNORE_ENTRY_ADDRESS'}))) { + $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; + } + } else { + $errormessage = "$Lang::tr{'guardian empty input'}"; + } + + # Go further if there was no error. + if ($errormessage eq '') { + my %ignored = (); + my $id; + my $status; + + # Assign hash values. + my $new_entry_address = $cgiparams{'IGNORE_ENTRY_ADDRESS'}; + my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'}; + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, \%ignored); + + # Check if we should edit an existing entry and got an ID. + if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) { + # Assin the provided id. + $id = $cgiparams{'ID'}; + + # Undef the given ID. + undef($cgiparams{'ID'}); + + # Grab the configured status of the corresponding entry. + $status = $ignored{$id}[2]; + } else { + # Each newly added entry automatically should be enabled. 
+ $status = "enabled"; + + # Generate the ID for the new entry. + # + # Sort the keys by their ID and store them in an array. + my @keys = sort { $a <=> $b } keys %ignored; + + # Reverse the key array. + my @reversed = reverse(@keys); + + # Obtain the last used id. + my $last_id = @reversed[0]; + + # Increase the last id by one and use it as id for the new entry. + $id = ++$last_id; + } + + # Add/Modify the entry to/in the ignored hash. + $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"]; + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($ignoredfile, \%ignored); + + # Regenerate the ignore file. + &GenerateIgnoreFile(); + } + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } + +## Toggle Enabled/Disabled for an existing entry on the ignore list. +# + +} elsif ($cgiparams{'WHITELIST'} eq $Lang::tr{'toggle enable disable'}) { + my %ignored = (); + + # Only go further, if an ID has been passed. + if ($cgiparams{'ID'}) { + # Assign the given ID. + my $id = $cgiparams{'ID'}; + + # Undef the given ID. + undef($cgiparams{'ID'}); + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, \%ignored); + + # Grab the configured status of the corresponding entry. + my $status = $ignored{$id}[2]; + + # Switch the status. + if ($status eq "disabled") { + $status = "enabled"; + } else { + $status = "disabled"; + } + + # Modify the status of the existing entry. + $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"]; + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($ignoredfile, \%ignored); + + # Regenerate the ignore file. + &GenerateIgnoreFile(); + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } + } + +## Remove entry from ignore list. 
+# +} elsif ($cgiparams{'WHITELIST'} eq $Lang::tr{'remove'}) { + my %ignored = (); + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, \%ignored); + + # Drop entry from the hash. + delete($ignored{$cgiparams{'ID'}}); + + # Undef the given ID. + undef($cgiparams{'ID'}); + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($ignoredfile, \%ignored); + + # Regenerate the ignore file. + &GenerateIgnoreFile(); + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } +} + # Check if any error has been stored. if (-e $IDS::storederrorfile) { # Open file to read in the stored error message. @@ -110,6 +262,9 @@ opendir(DIR, $IDS::rulespath) or die $!; # Ignore files which are not read-able. next unless (-R "$IDS::rulespath/$file"); + # Skip whitelist rules file. + next if( $file eq "whitelist.rules"); + # Call subfunction to read-in rulefile and add rules to # the idsrules hash. &readrulesfile("$file"); @@ -261,7 +416,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Check if the enabled_rulefiles array contains any entries. if (@enabled_rulefiles) { - # Loop through the array of rulefiles which should be loaded and write the to the file. + # Allways load the whitelist. + print FILE " - whitelist.rules\n"; + + # Loop through the array of rulefiles which should be loaded and write them to the file. foreach my $file (@enabled_rulefiles) { print FILE " - $file\n"; } @@ -415,6 +573,9 @@ unless(exists($idssettings{'RUN_MODE'})) { $idssettings{'RUN_MODE'} = 'IPS'; } +# Read-in ignored hosts. +&General::readhasharray("$IDS::settingsdir/ignored", \%ignored); + $checked{'ENABLE_IDS'}{'off'} = ''; $checked{'ENABLE_IDS'}{'on'} = ''; $checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'"; 
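Review bot: `$cgiparams{'ID'}` is used as the hash key in the update, toggle and remove branches without checking that it is numeric and exists in `%ignored`; an unknown ID on update writes a new row with an undefined status, and on toggle stores an entry with an empty address and status `enabled`, both of which then flow into `&GenerateIgnoreFile()` (defined outside the hunk). After the file has been read, guard each branch with `if ($cgiparams{'ID'} =~ /^\d+$/ && exists $ignored{$cgiparams{'ID'}})`, and validate `$cgiparams{'IGNORE_ENTRY_REMARK'}` as well since it is written verbatim to the settings file. The reload block at the end of the add/update branch sits outside `if ($errormessage eq '')`, so a rejected input still reloads suricata; move it inside that block. `my $last_id = @reversed[0];` is a one-element slice — `$reversed[0]`, or simply `(sort { $b <=> $a } keys %ignored)[0]`, is the intended form.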
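Review bot: `&General::readhasharray("$IDS::settingsdir/ignored", \%ignored);` repeats the path literal although `$ignoredfile` is defined for exactly this file earlier in the commit; use `&General::readhasharray($ignoredfile, \%ignored);` so a later rename has a single place to change. The comment `# Allways load the whitelist.` in the `@@ -261` hunk misspells "Always".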
@@ -625,6 +786,138 @@ END &Header::closebox(); +# +# Whitelist / Ignorelist +# +&Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'}); + +print < + + $Lang::tr{'ip address'} + $Lang::tr{'remark'} + + +END + # Check if some hosts have been added to be ignored. + if (keys (%ignored)) { + my $col = ""; + + # Loop through all entries of the hash. + while( (my $key) = each %ignored) { + # Assign data array positions to some nice variable names. + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the key (id) number is even or not. + if ($cgiparams{'ID'} eq $key) { + $col="bgcolor='${Header::colouryellow}'"; + } elsif ($key % 2) { + $col="bgcolor='$color{'color22'}'"; + } else { + $col="bgcolor='$color{'color20'}'"; + } + + # Choose icon for the checkbox. + my $gif; + my $gdesc; + + # Check if the status is enabled and select the correct image and description. + if ($status eq 'enabled' ) { + $gif = 'on.gif'; + $gdesc = $Lang::tr{'click to disable'}; + } else { + $gif = 'off.gif'; + $gdesc = $Lang::tr{'click to enable'}; + } + +print < + $address + $remark + + + + + + + + + + +
+ + + +
+ + + +
+ + + +
+ + +END + } + } else { + # Print notice that currently no hosts are ignored. + print "\n"; + print "$Lang::tr{'guardian no entries'}\n"; + print "\n"; + } + + print "\n"; + + # Section to add new elements or edit existing ones. +print < +
+
+ +
+ +END + + # Assign correct headline and button text. + my $buttontext; + my $entry_address; + my $entry_remark; + + # Check if an ID (key) has been given, in this case an existing entry should be edited. + if ($cgiparams{'ID'} ne '') { + $buttontext = $Lang::tr{'update'}; + print "\n"; + + # Grab address and remark for the given key. + $entry_address = $ignored{$cgiparams{'ID'}}[0]; + $entry_remark = $ignored{$cgiparams{'ID'}}[1]; + } else { + $buttontext = $Lang::tr{'add'}; + print "\n"; + } + +print < + + + + + + + + + + +
$Lang::tr{'update'}
$Lang::tr{'dnsforward add a new entry'}
$Lang::tr{'ip address'}: $Lang::tr{'remark'}:
+
+END + +&Header::closebox(); + # Only show the section for configuring the ruleset if one is present. if (%idsrules) { &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); @@ -823,7 +1116,7 @@ sub readrulesfile ($) { } } } - } + } } # @@ -946,6 +1239,54 @@ sub generate_home_net_file() { } +# +## Function to generate the rules file with whitelisted addresses. +# +sub GenerateIgnoreFile() { + my %ignored = (); + + # SID range 1000000-1999999 Reserved for Local Use + # Put your custom rules in this range to avoid conflicts + my $sid = 1500000; + + # Read-in ignoredfile. + &General::readhasharray($ignoredfile, \%ignored); + + # Open ignorefile for writing. + open(FILE, ">$whitelistfile") or die "Could not write to $whitelistfile. $!\n"; + + # Config file header. + print FILE "# Autogenerated file.\n"; + print FILE "# All user modifications will be overwritten.\n\n"; + + # Add all user defined addresses to the whitelist. + # + # Check if the hash contains any elements. + if (keys (%ignored)) { + # Loop through the entire hash and write the host/network + # and remark to the ignore file. + while ( (my $key) = each %ignored) { + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the status of the entry is "enabled". + if ($status eq "enabled") { + # Check if the address/network is valid. + if ((&General::validip($address)) || (&General::validipandmask($address))) { + # Write rule line to the file to pass any traffic from this IP + print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; sid:$sid\;)\n"; + + # Increment sid. + $sid++; + } + } + } + } + + close(FILE); +} + # ## Function to read-in the given enabled or disables sids file. # From 43ab7d9c30fb24bebd716e264530d7db3e84a007 Mon Sep 17 00:00:00 2001 
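Review bot: `$address` and `$remark` are interpolated straight into the table markup in the heredoc that follows `my $remark = $ignored{$key}[1];`, and `$entry_remark` into the edit form later in the same hunk, without HTML escaping; the remark is free text typed into this page and stored in the ignored file, so a `"` or `<` in it breaks the markup and, unless getcgihash already strips such characters (not visible here), lets a stored script run in the administrator's browser session. HTML-encode both values at print time (for example with HTML::Entities' encode_entities) or reject such characters when the entry is saved. The page output continues outside the hunk.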
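Review bot: `GenerateIgnoreFile()` rewrites `$whitelistfile` in place via `open(FILE, ">$whitelistfile")`, so a failure part-way through (the `die`, or a failed `print`, which goes unnoticed because the return of `close(FILE)` is ignored) leaves a truncated rules file that Suricata loads on the next reload; write to `"$whitelistfile.tmp"` and `rename` it over the target after `close` succeeds. Entries that fail `validip`/`validipandmask` are skipped without a log line, so a user sees the entry listed as enabled while it has no effect — log the skip. `$remark` is assigned but never used, and the bareword `FILE` handle is the same global one the rest of the CGI opens, so a lexical `open(my $fh, ...)` would be safer.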
From: Stefan Schantl Date: Tue, 11 Sep 2018 12:00:31 +0200 Subject: [PATCH 120/259] ids.cgi: Set state of used rulefile to on if it contains rules Only set the state of a used rulefile to "on" if it is present in the %idsrules hash. This happens if it contains at least one rule. This prevents from showing a rulefile in the ruleset section if, it does not exist anymore or does not contains any rules at all. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 55f45c5c8..edf67963b 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -300,8 +300,13 @@ if(-f $idsusedrulefilesfile) { if ($line =~ /.*- (.*)/) { my $rulefile = $1; - # Add the rulefile to the %idsrules hash. - $idsrules{$rulefile}{'Rulefile'}{'State'} = "on"; + # Check if the current rulefile exists in the %idsrules hash. + # If not, the file probably does not exist anymore or contains + # no rules. + if($idsrules{$rulefile}) { + # Add the rulefile state to the %idsrules hash. + $idsrules{$rulefile}{'Rulefile'}{'State'} = "on"; + } } } } From 5508f18c012c5be264c9562b9327a41a2bebb2f8 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 11 Sep 2018 12:28:28 +0200 Subject: [PATCH 121/259] logs.cgi/log.dat: Fix pattern to display oinkmaster related messages Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/log.dat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index 71f0502e6..26b558b19 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat 
@@ -63,7 +63,7 @@ my %sections = (
 'ipsec' => '(ipsec_[\w_]+: |pluto\[.*\]: |charon: |vpnwatch: )',
 'kernel' => '(kernel: (?!DROP_))',
 'ntp' => '(ntpd(?:ate)?\[.*\]: )',
- 'oinkmaster' => '(oinkmaster:)',
+ 'oinkmaster' => '(oinkmaster\[.*\]: )',
 'openvpn' => '(openvpnserver\[.*\]: |.*n2n\[.*\]: )',
 'pakfire' => '(pakfire:)',
 'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])',
From dae534f2ca7172a1171d77fe6acd034591233d58 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Wed, 26 Sep 2018 13:02:28 +0200
Subject: [PATCH 122/259] ids.cgi: Only write oinkmaster-modify-sids.conf if neccessary.
Only write to the file if the runmode of the IDS has been changed.
Signed-off-by: Stefan Schantl
---
 html/cgi-bin/ids.cgi | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index edf67963b..f451c5ed4 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -517,23 +517,23 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Generate file to store the home net. &generate_home_net_file(); - # Open modify sid's file for writing. - open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; - - # Write file header. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - - # Check if the configured runmode is IPS. - if ($cgiparams{'RUN_MODE'} eq 'IPS') { - # Tell oinkmaster to switch all rules from alert to drop. - print FILE "modifysid \* \"alert\" \| \"drop\"\n"; - } - - # Close file handle. - close(FILE); - # Check if the runmode has been changed. if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'}) { + # Open modify sid's file for writing. + open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; + + # Write file header. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Check if the configured runmode is IPS. + if ($cgiparams{'RUN_MODE'} eq 'IPS') { + # Tell oinkmaster to switch all rules from alert to drop. + print FILE "modifysid \* \"alert\" \| \"drop\"\n"; + } + + # Close file handle. + close(FILE); + # Check if a ruleset exists. if (%idsrules) { # Lock the webpage and print message. From 6ce504a2f2c405c7a7baab6f74be779f903d89de Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 26 Sep 2018 13:54:14 +0200 Subject: [PATCH 123/259] suricatactrl: Add "cron" command This command allows to enable the automatic update of the used IDS ruleset and to specify the update interval. Signed-off-by: Stefan Schantl --- src/misc-progs/suricatactrl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/misc-progs/suricatactrl.c b/src/misc-progs/suricatactrl.c index 00f861ba3..cca0873e6 100644 --- a/src/misc-progs/suricatactrl.c +++ b/src/misc-progs/suricatactrl.c 
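Review bot: Moving the write of `$modify_sids_file` under `if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'})` means the file is never (re)created while the mode is unchanged, so a missing or stale file stays that way until the user toggles the mode twice; widen the condition, e.g. `if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'} || ! -f $modify_sids_file) {`. Whether anything else creates the file is not visible in this hunk. The `open(...) or die` aborts the CGI with a raw error instead of going through the stored-error file the page otherwise uses; that predates this change, but this is now the only place the file gets written.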
@@ -33,6 +33,18 @@ int main(int argc, char *argv[]) {
 safe_system("/etc/rc.d/init.d/suricata reload");
 } else if (strcmp(argv[1], "fix-rules-dir") == 0) {
 safe_system("chown -R nobody:nobody /var/lib/suricata");
+ } else if (strcmp(argv[1], "cron") == 0) {
+ safe_system("rm /etc/fcron.*/suricata >/dev/null 2>&1");
+ if (strcmp(argv[2], "off") == 0) {
+ return(1);
+ } else if (strcmp(argv[2], "daily") == 0){
+ safe_system("ln -s /usr/local/bin/update-ids-ruleset /etc/fcron.daily/suricata");
+ } else if (strcmp(argv[2], "weekly") == 0){
+ safe_system("ln -s /usr/local/bin/update-ids-ruleset /etc/fcron.weekly/suricata");
+ } else{
+ printf("invalid parameter(s)\n");
+ return(1);
+ }
 } else {
 fprintf(stderr, "\nBad argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n");
 exit(1);
From ed06bc811ffe055e2dadd226d27332892f4725db Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Wed, 26 Sep 2018 14:09:53 +0200
Subject: [PATCH 124/259] ids-functions.pl: Add backend code to handle the "cron" function of suricatactrl
Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 39 +++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 3f6cb3ee2..e7cd5b2b3 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -48,7 +48,10 @@ our $idspidfile = "/var/run/suricata.pid";
 my $suricatactrl = "/usr/local/bin/suricatactrl";
 # Array with allowed commands of suricatactrl.
-my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload', 'fix-rules-dir' );
+my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload', 'fix-rules-dir', 'cron' );
+
+# Array with supported cron intervals.
+my @cron_intervals = ('off', 'daily', 'weekly' );
 #
 ## Function for checking if at least 300MB of free disk space are available
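Review bot: `argv[2]` is dereferenced in the new `cron` branch without checking `argc`, so `suricatactrl cron` with no interval passes NULL to `strcmp` and crashes; add `if (argc < 3) { fprintf(stderr, "\nBad argument given.\n"); exit(1); }` at the top of the branch. The `"off"` case returns 1 even though the links were removed successfully, so the caller cannot tell a disable from a failure; return 0 there. The usage string in the `else` branch still lists only `(start|stop|restart|reload)` and should mention `fix-rules-dir` and `cron (off|daily|weekly)`. If this helper runs with elevated privileges like the other misc-progs, the fixed string comparison here is the last check before filesystem changes, so keep it strict rather than passing the value through to the shell; `main` continues outside the hunk.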
@@ -347,7 +350,7 @@ sub ids_is_running () { # sub call_suricatactrl ($) { # Get called option. - my ($option) = @_; + my ($option, $interval) = @_; # Loop through the array of supported commands and check if # the given one is part of it. @@ -355,12 +358,34 @@ sub call_suricatactrl ($) { # Skip current command unless the given one has been found. next unless($cmd eq $option); - # Call the suricatactrl binary and pass the requrested - # option to it. - system("$suricatactrl $option &>/dev/null"); + # Check if the given command is "cron". + if ($option eq "cron") { + # Check if an interval has been given. + if ($interval) { + # Check if the given interval is valid. + foreach my $element (@cron_intervals) { + # Skip current element until the given one has been found. + next unless($element eq $interval); - # Return "1" - True. - return 1; + # Call the suricatactrl binary and pass the "cron" command + # with the requrested interval. + system("$suricatactrl $option $interval &>/dev/null"); + + # Return "1" - True. + return 1; + } + } + + # If we got here, the given interval is not supported or none has been given. - Return nothing. + return; + } else { + # Call the suricatactrl binary and pass the requrested + # option to it. + system("$suricatactrl $option &>/dev/null"); + + # Return "1" - True. + return 1; + } } # Command not found - return nothing. From 82979dec3655138b5c8467a63fc423b30961ef9c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 26 Sep 2018 14:11:31 +0200 Subject: [PATCH 125/259] IDS: Introduce update-ids-ruleset This script periodly will be called by fcron and is responsible for downloading and altering the ruleset, if autoupdate of the configured ruleset is enabled. Signed-off-by: Stefan Schantl --- src/scripts/update-ids-ruleset | 67 ++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 src/scripts/update-ids-ruleset 
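Review bot: The signature is still declared `sub call_suricatactrl ($) {` while the body now reads `my ($option, $interval) = @_;`; callers using the `&` sigil bypass the prototype, but any caller without it would have the second argument rejected at compile time, so change it to `sub call_suricatactrl ($;$) {` or drop the prototype. The new `system("$suricatactrl $option $interval &>/dev/null")` keeps the `&>` redirection, a bash extension; under a POSIX `/bin/sh` it backgrounds the command and then opens `/dev/null`, so `>/dev/null 2>&1` is the portable form (the pre-existing line has the same issue). Both `$option` and `$interval` are matched against fixed lists before being interpolated, which is what keeps this string-form `system` safe; a one-line comment saying so next to the call would stop a future edit from loosening it.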
diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset new file mode 100644 index 000000000..fe4f83844 --- /dev/null +++ b/src/scripts/update-ids-ruleset 
@@ -0,0 +1,67 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2018 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; +require "${General::swroot}/lang.pl"; + +# Check if the red device is active. +unless (-e "${General::swroot}/red/active") { + # Store notice in the syslog. + &IDS::_log_to_syslog("The system is offline."); + + # Store error message for displaying in the WUI. + &IDS::_store_error_message("$Lang::tr{'could not download latest updates'}"); + + # Exit. + exit 0; +} + +# Check if enought free disk space is availabe. +if(&IDS::checkdiskspace()) { + # Store the error message for displaying in the WUI. + &IDS::_store_error_message("$Lang::tr{'not enough disk space'}"); + + # Exit. + exit 0; +} + +# Call the download function and gather the new ruleset. +if(&IDS::downloadruleset()) { + # Store error message for displaying in the WUI. + &IDS::_store_error_message("$Lang::tr{'could not download latest updates'}"); + + # Exit. + exit 0; +} + +# Call oinkmaster to alter the ruleset. +&IDS::oinkmaster(); + +# Check if the IDS is running. 
+if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); +} + +1; From 3aadbbca38882cf6e8af2370c26234de0940a099 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 26 Sep 2018 14:38:46 +0200 Subject: [PATCH 126/259] stage2: Rootfile update for update-ids-ruleset script Signed-off-by: Stefan Schantl --- config/rootfiles/common/stage2 | 1 + 1 file changed, 1 insertion(+) diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 5665f2301..a50232e66 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -102,6 +102,7 @@ usr/local/bin/settime usr/local/bin/timecheck usr/local/bin/timezone-transition usr/local/bin/update-lang-cache +usr/local/bin/update-ids-ruleset usr/local/bin/xt_geoip_build usr/local/bin/xt_geoip_update #usr/local/include From 6c9458342b72d5eef122e4e146872ded98751d05 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 26 Sep 2018 14:42:47 +0200 Subject: [PATCH 127/259] IDS: Update language files Signed-off-by: Stefan Schantl --- langs/de/cgi-bin/de.pl | 3 ++- langs/en/cgi-bin/en.pl | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index ae95cfa05..f80846755 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1324,6 +1324,7 @@ 'idle timeout' => 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):', 'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.', 'ids activate' => 'Aktiviere', +'ids automatic rules update' => 'Automatische Regeln-Aktualisierung', 'ids traffic analyze' => 'Packet-Analyse', 'ids active on' => 'Aktiv auf', 'ids log viewer' => 'Ansicht IDS-Protokoll', 
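Review bot: Every failure path in the new script ends with `exit 0`, so fcron (and anyone checking the job's status) sees the offline, disk-space and download failures as success; use `exit 1` on those paths and keep `exit 0` only for the no-op. The offline branch stores the same `'could not download latest updates'` message as the download failure, so the WUI cannot distinguish the two although the syslog line does; a dedicated message would help. The return value of `&IDS::oinkmaster()` is ignored — whether it reports failure is not visible here, but if it does, the reload that follows would run against a half-rewritten rules directory. `use strict;` without `use warnings;` is also unusual for a new file.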
@@ -1333,7 +1334,7 @@ 'ids rules license1' => ' registrieren.', 'ids rules license2' => 'Bestätigen Sie die Lizenz; aktivieren Sie Ihren Account, indem Sie auf den Link, den Sie per Mail erhalten haben, klicken. Gehen Sie dann zu', 'ids rules license3' => 'klicken Sie den "Generate code"-Knopf und kopieren Sie den 40-Zeichen Oinkcode in das untere Feld.', -'ids rules update' => 'Snort Regeln Update', +'ids rules update' => 'IDS-Regeln', 'iface' => 'Iface', 'ignore filter' => '"Ignorieren"-Filter', 'ike encryption' => 'IKE Verschlüsselung:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 38df540ce..c82028fcc 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1354,6 +1354,7 @@ 'idle timeout' => 'Idle timeout (mins; 0 to disable):', 'idle timeout not set' => 'Idle timeout not set.', 'ids activate' => 'Activate', +'ids automatic rules update' => 'Automatic rules update', 'ids traffic analyze' => 'Traffic analyzing', 'ids active on' => 'Active on', 'ids log viewer' => 'IDS log viewer', @@ -1363,7 +1364,7 @@ 'ids rules license1' => '.', 'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to', 'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.', -'ids rules update' => 'Snort rules update', +'ids rules update' => 'IDS rules', 'iface' => 'Iface', 'ignore filter' => 'Ignore filter', 'ike encryption' => 'IKE Encryption:', From eadad5fda6e7a798ad63261da4629673bd88cf76 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 26 Sep 2018 14:43:09 +0200 Subject: [PATCH 128/259] ids.cgi: Add support for autoupdate of the IDS ruleset Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index f451c5ed4..3e4822cd4 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -517,6 +517,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Generate file to store the home net. &generate_home_net_file(); + # Check if the the automatic rule update hass been touched. + if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldidssettings{'AUTOUPDATE_INTERVAL'}) { + # Call suricatactrl to set the new interval. + &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'}); + } + # Check if the runmode has been changed. if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'}) { # Open modify sid's file for writing. @@ -593,6 +599,10 @@ $selected{'RULES'}{'emerging'} = ''; $selected{'RULES'}{'registered'} = ''; $selected{'RULES'}{'subscripted'} = ''; $selected{'RULES'}{$idssettings{'RULES'}} = "selected='selected'"; +$selected{'AUTOUPDATE_INTERVAL'}{'off'} = ''; +$selected{'AUTOUPDATE_INTERVAL'}{'daily'} = ''; +$selected{'AUTOUPDATE_INTERVAL'}{'weekly'} = ''; +$selected{'AUTOUPDATE_INTERVAL'}{$idssettings{'AUTOUPDATE_INTERVAL'}} = "selected='selected'"; &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); @@ -745,11 +755,12 @@ print < - $Lang::tr{'ids rules update'} + $Lang::tr{'ids rules update'} + $Lang::tr{'ids automatic rules update'} - @@ -757,6 +768,14 @@ print <$Lang::tr{'subscripted user rules'} + + + + From 89a12b3843d22a355adf1989e9bd823e170a2387 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 1 Oct 2018 20:14:00 +0200 Subject: [PATCH 129/259] suricata: Set correct ownership for /var/lib/suricata Signed-off-by: Stefan Schantl --- lfs/suricata | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lfs/suricata b/lfs/suricata index 0c3593d37..d1afe2105 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # to the rules directory. mv /etc/suricata/*.config /var/lib/suricata + # Set correct ownership for /var/lib/suricata + chown nobody:nobody /var/lib/suricata + # Create logging directory. -mkdir -p /var/log/suricata 
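Review bot: The return value of `&IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'});` is discarded, and that function returns nothing when the interval is not one of its accepted values, so an unexpected `AUTOUPDATE_INTERVAL` (a hand-crafted form post, or a stale value) silently leaves the old cron link in place while the new value is presumably saved with the other settings; check the result and report it through the page's error handling, or validate the parameter against `off|daily|weekly` before this block. The added comment `# Check if the the automatic rule update hass been touched.` has two typos; `# Check if the automatic rule update interval has been changed.` reads better. The enclosing save handler starts and ends outside the hunk.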
From 5d3b16c6df1a83d6eacb69a32176941a1e09a157 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 12 Oct 2018 13:08:35 +0200 Subject: [PATCH 130/259] suricata: Rootfile update Signed-off-by: Stefan Schantl --- config/rootfiles/common/suricata | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 98504c46f..32aa54dbb 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -39,7 +39,7 @@ usr/bin/suricata #usr/share/doc/suricata/Ubuntu_Installation_from_GIT.txt #usr/share/doc/suricata/Windows.txt #usr/share/man/man1/suricata.1 -#var/lib/suricata +var/lib/suricata var/lib/suricata/classification.config var/lib/suricata/reference.config var/lib/suricata/threshold.config From b59cdbeea5eb2a83ac5c0be51541c471bd1cd809 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 12 Oct 2018 15:12:10 +0200 Subject: [PATCH 131/259] ids-functions.pl: Add private function to cleanup the rules directory. This private function is used to remove any files which are stored in the IDS rules directory and prevent from any old (unneeded or conflicting) files after an update or complete change of the ruleset source. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index e7cd5b2b3..73a1add5c 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -443,4 +443,23 @@ sub _check_rulesdir_permissions() { } } +# +## Private function to cleanup the directory which contains +## the IDS rules, before extracting and modifing the new ruleset. +# +sub _cleanup_rulesdir() { + # Loop through the rules-directory. + while ($item = glob($rulespath/*)) { + # Skip element if it is a directory. + next if -d $item; + + # Delete the current processed item, if not, exit this function + # and return an error message. + unlink($item) or return "Could not delete $item. $!\n"; + } + + # Return noting; + return; +} + 1; From 883820bdcb24414e965bd92844bb0b9c438b312b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 12 Oct 2018 15:16:32 +0200 Subject: [PATCH 132/259] ids-functions.pl: Call &_cleanup_rulesdir() function before calling oinkmaster. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 73a1add5c..a621c8fa4 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -197,6 +197,9 @@ sub oinkmaster () { # Check if the files in rulesdir have the correct permissions. &_check_rulesdir_permissions(); + # Cleanup the rules directory before filling it with the new rulest. + &_cleanup_rulesdir(); + # Load perl module to talk to the kernel syslog. use Sys::Syslog qw(:DEFAULT setlogsock); From 4ce424884914e6ee5a721124eaec89b634c19f48 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 12 Oct 2018 15:18:38 +0200 Subject: [PATCH 133/259] ids-functions.pl: Fix typo Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index a621c8fa4..16232cc91 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
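Review bot: `&_cleanup_rulesdir();` discards the function's return value, and `_cleanup_rulesdir` signals failure by returning a `"Could not delete ..."` string (see the hunk just above), so a file that cannot be removed is silently kept and oinkmaster then unpacks the new ruleset over it; capture it, e.g. `my $error = &_cleanup_rulesdir(); if ($error) { &_log_to_syslog($error); return 1; }`, using whatever error convention `oinkmaster()` already follows. The body of `oinkmaster()` continues outside the hunk.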
@@ -461,7 +461,7 @@ sub _cleanup_rulesdir() { unlink($item) or return "Could not delete $item. $!\n"; } - # Return noting; + # Return nothing; return; } From 8cf04a165696c512c8c2cb1f3d282c1f0cc88787 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 12 Oct 2018 15:43:16 +0200 Subject: [PATCH 134/259] ids-functions.pl: Rework &_cleanup_rulesdir() function * Use a directory listing and delete the files. * Keep files with "config" as file extension. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 16232cc91..684566731 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -451,14 +451,20 @@ sub _check_rulesdir_permissions() { ## the IDS rules, before extracting and modifing the new ruleset. # sub _cleanup_rulesdir() { - # Loop through the rules-directory. - while ($item = glob($rulespath/*)) { - # Skip element if it is a directory. - next if -d $item; + # Open rules directory and do a directory listing. + opendir(DIR, $rulespath) or die $!; - # Delete the current processed item, if not, exit this function + # Loop through the direcory. + while (my $file = readdir(DIR)) { + # We only want files. + next unless (-f "$rulespath/$file"); + + # Skip element if it has config as file extension. + next if ($file =~ m/\.config$/); + + # Delete the current processed file, if not, exit this function # and return an error message. - unlink($item) or return "Could not delete $item. $!\n"; + unlink($rulespath/$file) or return "Could not delete $rulespath/$file. $!\n"; } # Return nothing; From 208cb3363fc13bc9b918aeacb26e4c98d1d963d3 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 17 Dec 2018 15:03:10 +0100 Subject: [PATCH 135/259] suricata: Update to 4.0.6 Signed-off-by: Stefan Schantl --- lfs/suricata | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
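Review bot: The reworked `_cleanup_rulesdir()` never calls `closedir(DIR)`, and it opens the listing on the package-global bareword handle `DIR` with `opendir(DIR, $rulespath) or die $!;`; the `die` also contradicts the function's own contract of returning an error string, and since this runs from oinkmaster it would abort the whole update (and, in the cron job, the run). Use a lexical handle and return instead: `opendir(my $dir, $rulespath) or return "Could not open $rulespath. $!\n";`, iterate `readdir($dir)`, and `closedir($dir);` before `return;`. `unlink($rulespath/$file)` is an arithmetic expression rather than a path (a later patch on this page quotes it), so as committed this hunk deletes nothing.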
diff --git a/lfs/suricata b/lfs/suricata index d1afe2105..2e7a5c5dc 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 4.0.5 +VER = 4.0.6 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ea0cb823d6a86568152f75ade6de442f +$(DL_FILE)_MD5 = e8e9a401fef3b3ca1027c268c38c8f4b install : $(TARGET) From f5ad510e3c0f416a1507999f5ad20ab171df9c07 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 17 Dec 2018 15:04:48 +0100 Subject: [PATCH 136/259] suricata: Use "2" as repeat-mark and repeat-mask. The previous used "1" was already used to mark source-natted packets. Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 8 ++++---- src/initscripts/system/suricata | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 6c1a7de00..94e13f501 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -117,10 +117,10 @@ logging: nfq: mode: repeat - repeat-mark: 1 - repeat-mask: 1 - bypass-mark: 1 - bypass-mask: 1 + repeat-mark: 2 + repeat-mask: 2 +# bypass-mark: 1 +# bypass-mask: 1 # route-queue: 2 # batchcount: 20 fail-open: yes diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 93c2636f3..99097a8e3 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass " network_zones=( red green blue orange ) # Mark and Mask options. -MARK="0x1" -MASK="0x1" +MARK="0x2" +MASK="0x2" # PID file of suricata. PID_FILE="/var/run/suricata.pid" From 1201c1e74695fffeae36ba8a8a6adfe422a53ddd Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 18 Dec 2018 14:12:52 +0100 Subject: [PATCH 137/259] ids-functions.pl: Fix sub _cleanup_rulesdir() function 
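Review bot: The reason for moving from mark 1 to mark 2 lives only in the commit message; record it in the config so the next person does not "clean it up": `# Mark 2 is used because mark 1 is already used for source-natted packets.` above `repeat-mark: 2`, and the same comment above `MARK="0x2"` in the init script. The two values must stay in sync, so each comment should point at the other file.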
Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 684566731..2cf1ad7ce 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -464,7 +464,7 @@ sub _cleanup_rulesdir() { # Delete the current processed file, if not, exit this function # and return an error message. - unlink($rulespath/$file) or return "Could not delete $rulespath/$file. $!\n"; + unlink("$rulespath/$file") or return "Could not delete $rulespath/$file. $!\n"; } # Return nothing; From 96da5803a77ac8cae85fc8bc37e2153a19b5ab26 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 18 Dec 2018 14:16:13 +0100 Subject: [PATCH 138/259] ids-functions.pl: Introduce filesize check for downloader The downloader now requests the html header for the rulestarball and obtain the size of the file bevore downloading it. After success the size of the downloaded file will be compared with the requested one before. If they do not match, an error will be gained. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 47 +++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 2cf1ad7ce..1556c5b85 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -168,6 +168,34 @@ sub downloadruleset { return 1; } + # Pass the requrested url to the downloader. + my $request = HTTP::Request->new(HEAD => $url); + + # Accept the html header. + $request->header('Accept' => 'text/html'); + + # Perform the request and fetch the html header. + my $response = $downloader->request($request); + + # Check if there was any error. + unless ($response->is_success) { + # Obtain error. + my $error = $response->content; + + # Log error message. + &_log_to_syslog("Unable to download the ruleset. \($error\)"); + + # Return "1" - false. + return 1; + } + + # Assign the fetched header object. + my $header = $response->headers; + + # Grab the remote file size from the object and store it in the + # variable. + my $remote_filesize = $header->content_length; + # Pass the requested url to the downloader. my $request = HTTP::Request->new(GET => $url); @@ -186,6 +214,25 @@ sub downloadruleset { return 1; } + # Load perl stat module. + use File::stat; + + # Perform stat on the rulestarball. + my $stat = stat($rulestarball); + + # Grab the local filesize of the downloaded tarball. + my $local_filesize = $stat->size; + + # Check if both file sizes match. + unless ($remote_filesize eq $local_filesize) { + # Log error message. + &_log_to_syslog("Unable to completely download the ruleset. "); + &_log_to_syslog("Only got $local_filesize Bytes instead of $remote_filesize Bytes. "); + + # Return "1" - false. + return 1; + } + # If we got here, everything worked fine. Return nothing. return; } From 25b6545a6e5523d67484e15c5d8bafd941c8c9ae Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 18 Dec 2018 15:14:08 +0100 Subject: [PATCH 139/259] ids-functions.pl: Use temporary file in downloader. Download the requested rules tarball into a temporay file and if every thing is fine, replace the old by the downloaded one. In addition with the previously implemented file size check, we are saved now from a corrupt rules tarball on disk. 
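Review bot: `$header->content_length` is undefined when the server omits Content-Length (chunked or otherwise streamed responses), and the later `unless ($remote_filesize eq $local_filesize)` then always fails, so a good download is rejected and a warning is raised under `use warnings`; guard it, e.g. `unless (defined $remote_filesize) { &_log_to_syslog("Unable to determine the ruleset size."); return 1; }`, and compare the sizes numerically with `!=` (the second hunk, `@@ -186,6 +214,25 @@`, holds the comparison). `my $request` and `my $response` are now declared twice in the same scope — once for the HEAD request here and again for the existing GET below — which Perl only warns about, but renaming the HEAD pair (`$head_request`, `$head_response`) avoids the shadowing. The HEAD is also a second round trip against a file that can change between the two requests, and equal sizes prove completeness, not integrity; the commit message's "corrupt" wording should not be read as tamper protection — a digest or signature check would be needed for that. `downloadruleset` starts and ends outside the hunk.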
Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 1556c5b85..cf7452ef9 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -196,11 +196,18 @@ sub downloadruleset { # variable. my $remote_filesize = $header->content_length; + # Load perl module to deal with temporary files. + use File::Temp; + + # Generate temporay file name, located in "/var/tmp" and with a suffix of ".tar.gz". + my $tmp = File::Temp->new( SUFFIX => ".tar.gz", DIR => "/var/tmp/", UNLINK => 0 ); + my $tmpfile = $tmp->filename(); + # Pass the requested url to the downloader. my $request = HTTP::Request->new(GET => $url); - # Perform the request and save the output into the "$rulestarball" file. - my $response = $downloader->request($request, $rulestarball); + # Perform the request and save the output into the tmpfile. + my $response = $downloader->request($request, $tmpfile); # Check if there was any error. unless ($response->is_success) { @@ -217,8 +224,8 @@ sub downloadruleset { # Load perl stat module. use File::stat; - # Perform stat on the rulestarball. - my $stat = stat($rulestarball); + # Perform stat on the tmpfile. + my $stat = stat($tmpfile); # Grab the local filesize of the downloaded tarball. my $local_filesize = $stat->size; @@ -229,10 +236,19 @@ sub downloadruleset { &_log_to_syslog("Unable to completely download the ruleset. "); &_log_to_syslog("Only got $local_filesize Bytes instead of $remote_filesize Bytes. "); + # Delete temporary file. + unlink("$tmpfile"); + # Return "1" - false. return 1; } + # Load file copy module, which contains the move() function. + use File::Copy; + + # Overwrite existing rules tarball with the new downloaded one. + move("$tmpfile", "$rulestarball"); + # If we got here, everything worked fine. Return nothing. return; } 
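Review bot: `move("$tmpfile", "$rulestarball");` in the last hunk ignores its return value, so if the rename fails (target on another filesystem that is full, or permissions on the rules directory) the function still `return`s success with the old tarball in place and the temp file left behind in `/var/tmp`; write `move($tmpfile, $rulestarball) or do { &_log_to_syslog("Could not move $tmpfile to $rulestarball. $!"); unlink($tmpfile); return 1; };`. The `unless ($response->is_success)` branch after the first hunk does not delete the temp file either — the diffstat shows no hunk touching it — and with `UNLINK => 0` File::Temp will not do it at exit, so failed downloads accumulate there. `File::Temp->new` creates the file with mode 0600, so after the move the tarball's permissions differ from what the previous direct write produced; confirm that whatever later reads `$rulestarball` runs as the same user. The enclosing function starts outside the first hunk.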
From 8353c3fd36c3e56861b9996c489836e4554c1ebd Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 18 Dec 2018 15:19:30 +0100 Subject: [PATCH 140/259] ids.cgi: Allways use the whitelist Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 3e4822cd4..fb0aeebd7 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -419,11 +419,11 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Write header to file. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + # Allways load the whitelist. + print FILE " - whitelist.rules\n"; + # Check if the enabled_rulefiles array contains any entries. if (@enabled_rulefiles) { - # Allways load the whitelist. - print FILE " - whitelist.rules\n"; - # Loop through the array of rulefiles which should be loaded and write them to the file. foreach my $file (@enabled_rulefiles) { print FILE " - $file\n"; From 0a1bba1a1d3ec8995f482b291d25c84374d11085 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 20 Dec 2018 11:55:13 +0100 Subject: [PATCH 141/259] ids.cgi: Access ruleset by its own name This improves accessing the single rules of a rule category. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 38 +++++++++++++++++++++++++++++--------- 1 file changed, 29 insertions(+), 9 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index fb0aeebd7..ae7f8b427 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -951,10 +951,6 @@ if (%idsrules) { # Output display table for rule files print "\n"; - # Local variable required for java script to show/hide - # rules of a rulefile. - my $rulesetcount = 1; - # Loop over each rule file foreach my $rulefile (sort keys(%idsrules)) { my $rulechecked = ''; 
@@ -964,6 +960,9 @@ if (%idsrules) { $rulechecked = 'CHECKED'; } + # Convert rulefile name into category name. + my $categoryname = &_rulefile_to_category($rulefile); + # Table and rows for the rule files. print"\n"; print"\n"; print"\n"; print"\n"; print"\n"; # Rows which will be hidden per default and will contain the single rules. - print"\n"; + print"\n"; print"
\n"; @@ -971,12 +970,12 @@ if (%idsrules) { print"$rulefile\n"; - print"SHOW\n"; + print"SHOW\n"; print"
"; - - # Finished whith the rule file, increase count. - $rulesetcount++; } # Close display table @@ -1361,3 +1357,27 @@ sub read_enabled_disabled_sids_file($) { # Return the hash. return %temphash; } + +# +## Private function to convert a given rulefile to a category name. +## ( No file extension anymore and if the name contained a dot, it +## would be replaced by a underline sign.) +# +sub _rulefile_to_category($) { + my ($filename) = @_; + + # Splitt the filename into single chunks and store them in a + # temorary array. + my @parts = split(/\./, $filename); + + # Return / Remove last element of the temporary array. + # This removes the file extension. + pop @parts; + + # Join together the single elements of the temporary array. + # If these are more than one, use a "underline" for joining. + my $category = join '_', @parts; + + # Return the converted filename. + return $category; +} From ebdd0f9a90da800cc6173f6f30fb0621dddc354b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 20 Dec 2018 13:18:48 +0100 Subject: [PATCH 142/259] ids.cgi: Prevent from starting suricata without ruleset or selected network zone Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 26 ++++++++++++++++++++++++++ langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ 3 files changed, 30 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index ae7f8b427..90059e179 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -493,6 +493,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } elsif ($cgiparams{'IDS'} eq $Lang::tr{'save'}) { my %oldidssettings; my $reload_page; + my $monitored_zones = 0; # Read-in current (old) IDS settings. &General::readhash("$IDS::settingsdir/settings", \%oldidssettings); 
@@ -508,6 +509,31 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } + # Check if the IDS should be enabled. + if ($cgiparams{'ENABLE_IDS'} eq "on") { + # Check if any ruleset is available. Otherwise abort and display an error. + unless(%idsrules) { + $errormessage = $Lang::tr{'ids no ruleset available'}; + } + + # Loop through the array of available interfaces. + foreach my $zone (@network_zones) { + # Convert interface name into upper case. + my $zone_upper = uc($zone); + + # Check if the IDS is enabled for this interaces. + if ($cgiparams{"ENABLE_IDS_$zone_upper"}) { + # Increase count. + $monitored_zones++; + } + } + + # Check if at least one zone should be monitored, or show an error. + unless ($monitored_zones >= 1) { + $errormessage = $Lang::tr{'ids no network zone'}; + } + } + # Go on if there are no error messages. if (!$errormessage) { # Store settings into settings file. diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index e32c22fb6..f25074065 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1329,6 +1329,8 @@ 'ids active on' => 'Aktiv auf', 'ids log viewer' => 'Ansicht IDS-Protokoll', 'ids logs' => 'IDS-Protokolldateien', +'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!', +'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!', 'ids preprocessor' => 'IDS-Präprozessor', 'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter', 'ids rules license1' => ' registrieren.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 09d7fa1c4..3b8ae2a70 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
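Review bot: When both checks fail, the assignment `$errormessage = $Lang::tr{'ids no network zone'};` near the end of the hunk overwrites the ruleset message set a few lines earlier, so only one of the two problems is reported. Making the zone check conditional on no error having been recorded yet, `unless ($errormessage || $monitored_zones >= 1) {`, reports the first problem and keeps the flow unchanged otherwise. `unless ($monitored_zones >= 1)` also reads more naturally as `if ($monitored_zones < 1)`. The enclosing `elsif` branch starts before the hunk.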
@@ -1359,6 +1359,8 @@ 'ids active on' => 'Active on', 'ids log viewer' => 'IDS log viewer', 'ids logs' => 'IDS Logs', +'ids no network zone' => 'At least one network zone has to be monitored!'; +'ids no ruleset available' => 'No ruleset available, please download one!', 'ids preprocessor' => 'IDS preprocessor', 'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on', 'ids rules license1' => '.', From aac8e30831b037034e932044b0ca941105f40d70 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 23 Dec 2018 21:05:37 +0100 Subject: [PATCH 143/259] langs/en.pl: Fix typo Signed-off-by: Stefan Schantl --- langs/en/cgi-bin/en.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 3b8ae2a70..670a38e83 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1359,7 +1359,7 @@ 'ids active on' => 'Active on', 'ids log viewer' => 'IDS log viewer', 'ids logs' => 'IDS Logs', -'ids no network zone' => 'At least one network zone has to be monitored!'; +'ids no network zone' => 'At least one network zone has to be monitored!', 'ids no ruleset available' => 'No ruleset available, please download one!', 'ids preprocessor' => 'IDS preprocessor', 'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on', From ea5c8eeb83a65791960d6cb5de6c7dc78db02fda Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 23 Dec 2018 21:06:14 +0100 Subject: [PATCH 144/259] ids.cgi: Seperate IPS and ruleset settings Now each of both have their own corresponding configuration areas. The taken settings will be saved in "/var/ipfire/suricata/settings" for all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for ruleset related settings. 
Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 164 ++++++++++++++++++++++++++++------------- langs/de/cgi-bin/de.pl | 2 + langs/en/cgi-bin/en.pl | 2 + 3 files changed, 115 insertions(+), 53 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 90059e179..ffbe0e239 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -34,6 +34,7 @@ my %color = (); my %mainsettings = (); my %idsrules = (); my %idssettings=(); +my %rulessettings=(); my %rulesetsources = (); my %cgiparams=(); my %checked=(); @@ -63,6 +64,12 @@ my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf"; # File which contains wheater the rules should be changed. my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf"; +# File which stores the configured IPS settings. +my $idssettingsfile = "$IDS::settingsdir/settings"; + +# File which stores the configured rules-settings. +my $rulessettingsfile = "$IDS::settingsdir/rules-settings"; + # File which stores the configured settings for whitelisted addresses. my $ignoredfile = "$IDS::settingsdir/ignored"; @@ -76,6 +83,8 @@ unless (-f "$enabled_sids_file") { &IDS::create_empty_file($enabled_sids_file); unless (-f "$disabled_sids_file") { &IDS::create_empty_file($disabled_sids_file); } unless (-f "$modify_sids_file") { &IDS::create_empty_file($modify_sids_file); } unless (-f "$idsusedrulefilesfile") { &IDS::create_empty_file($idsusedrulefilesfile); } +unless (-f "$idssettingsfile") { &IDS::create_empty_file($idssettingsfile); } +unless (-f "$rulessettingsfile") { &IDS::create_empty_file($rulessettingsfile); } unless (-f "$ignoredfile") { &IDS::create_empty_file($ignoredfile); } unless (-f "$whitelistfile" ) { &IDS::create_empty_file($whitelistfile); } 
@@ -311,8 +320,38 @@ if(-f $idsusedrulefilesfile) { } } +# Save ruleset configuration. +if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { + my %oldsettings; + + # Read-in current (old) IDS settings. + &General::readhash("$rulessettingsfile", \%oldsettings); + + # Prevent form name from been stored in conf file. + delete $cgiparams{'RULESET'}; + + # Check if an oinkcode has been provided. + if ($cgiparams{'OINKCODE'}) { + # Check if the oinkcode contains unallowed chars. + unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) { + $errormessage = $Lang::tr{'invalid input for oink code'}; + } + } + + # Go on if there are no error messages. + if (!$errormessage) { + # Store settings into settings file. + &General::writehash("$rulessettingsfile", \%cgiparams); + } + + # Check if the the automatic rule update hass been touched. + if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldsettings{'AUTOUPDATE_INTERVAL'}) { + # Call suricatactrl to set the new interval. + &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'}); + } + # Save ruleset. -if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { +} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Arrays to store which rulefiles have been enabled and will be used. my @enabled_rulefiles; 
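Review bot: `&IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'})` at the bottom of the hunk runs even when the oinkcode check has set `$errormessage`, so a rejected submission still changes the cron interval while the settings file keeps the old value, and the two drift apart. Moving that block inside `if (!$errormessage) { ... }`, directly after the `writehash` call, ties the side effect to a successful save. Whether `call_suricatactrl` itself rejects an interval outside the supported list is not visible here; if it does not, validating `AUTOUPDATE_INTERVAL` against the known values next to the oinkcode check would be the place. The `if ... save` block opens in this hunk and its `elsif` chain continues past the end of it.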
@@ -496,19 +535,11 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { my $monitored_zones = 0; # Read-in current (old) IDS settings. - &General::readhash("$IDS::settingsdir/settings", \%oldidssettings); + &General::readhash("$idssettingsfile", \%oldidssettings); # Prevent form name from been stored in conf file. delete $cgiparams{'IDS'}; - # Check if an oinkcode has been provided. - if ($cgiparams{'OINKCODE'}) { - # Check if the oinkcode contains unallowed chars. - unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) { - $errormessage = $Lang::tr{'invalid input for oink code'}; - } - } - # Check if the IDS should be enabled. if ($cgiparams{'ENABLE_IDS'} eq "on") { # Check if any ruleset is available. Otherwise abort and display an error. @@ -537,18 +568,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { # Go on if there are no error messages. if (!$errormessage) { # Store settings into settings file. - &General::writehash("$IDS::settingsdir/settings", \%cgiparams); + &General::writehash("$idssettingsfile", \%cgiparams); } # Generate file to store the home net. &generate_home_net_file(); - # Check if the the automatic rule update hass been touched. - if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldidssettings{'AUTOUPDATE_INTERVAL'}) { - # Call suricatactrl to set the new interval. - &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'}); - } - # Check if the runmode has been changed. if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'}) { # Open modify sid's file for writing. @@ -601,8 +626,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { } } -# Read-in idssettings -&General::readhash("$IDS::settingsdir/settings", \%idssettings); +# Read-in idssettings and rulesetsettings +&General::readhash("$idssettingsfile", \%idssettings); +&General::readhash("$rulessettingsfile", \%rulessettings); # If the runmode has not been configured yet, set default value. unless(exists($idssettings{'RUN_MODE'})) { 
@@ -610,6 +636,12 @@ unless(exists($idssettings{'RUN_MODE'})) { $idssettings{'RUN_MODE'} = 'IPS'; } +# If no autoupdate intervall has been configured yet, set default value. +unless(exists($rulessettings{'AUTOUPDATE_INTERVAL'})) { + # Set default to "weekly". + $rulessettings{'AUTOUPDATE_INTERVAL'} = 'weekly'; +} + # Read-in ignored hosts. &General::readhasharray("$IDS::settingsdir/ignored", \%ignored); @@ -624,11 +656,11 @@ $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'emerging'} = ''; $selected{'RULES'}{'registered'} = ''; $selected{'RULES'}{'subscripted'} = ''; -$selected{'RULES'}{$idssettings{'RULES'}} = "selected='selected'"; +$selected{'RULES'}{$rulessettings{'RULES'}} = "selected='selected'"; $selected{'AUTOUPDATE_INTERVAL'}{'off'} = ''; $selected{'AUTOUPDATE_INTERVAL'}{'daily'} = ''; $selected{'AUTOUPDATE_INTERVAL'}{'weekly'} = ''; -$selected{'AUTOUPDATE_INTERVAL'}{$idssettings{'AUTOUPDATE_INTERVAL'}} = "selected='selected'"; +$selected{'AUTOUPDATE_INTERVAL'}{$rulessettings{'AUTOUPDATE_INTERVAL'}} = "selected='selected'"; &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); @@ -708,17 +740,6 @@ END # Draw elements for IDS configuration. &Header::openbox('100%', 'center', $Lang::tr{'settings'}); -my $rulesdate; - -# Check if a ruleset allready has been downloaded. -if ( -f "$IDS::rulestarball"){ - # Call stat on the filename to obtain detailed information. - my @Info = stat("$IDS::rulestarball"); - - # Grab details about the creation time. - $rulesdate = localtime($Info[9]); -} - print < @@ -775,19 +796,45 @@ foreach my $zone (@network_zones) { print < +
+

+ + + + + +
+ +END +; + +&Header::closebox(); + +# Draw elements for ruleset configuration. +&Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'}); + +my $rulesdate; + +# Check if a ruleset allready has been downloaded. +if ( -f "$IDS::rulestarball"){ + # Call stat on the filename to obtain detailed information. + my @Info = stat("$IDS::rulestarball"); + + # Grab details about the creation time. + $rulesdate = localtime($Info[9]); +} + +print < + - + + - - - - - - - - - + - + +


$Lang::tr{'ids rules update'}$Lang::tr{'ids automatic rules update'}
$Lang::tr{'ids rules update'}$Lang::tr{'ids automatic rules update'}
+
+
$Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}

$Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'}
Oinkcode: Oinkcode: 

-  $Lang::tr{'updates installed'}: $rulesdate +
  +END +; + # Check if a ruleset source has been configured yet. + unless($rulessettings{'RULES'}) { + # If no ruleset settings have been saved yet, disable the button to download / update the ruleset. + print"\n"; + } else { + # Ruleset setting have been saved. - Check if a ruleset already is downloaded. + if (%idsrules) { + # Allow to press the button and show it as "update ruleset". + print"\n"; + } else { + # Also allow to press the button, but show it as "download new ruleset". + print"\n"; + } + } +print <
- -

- - - - - -
END ; diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f25074065..43fd917a0 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1331,6 +1331,7 @@ 'ids logs' => 'IDS-Protokolldateien', 'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!', 'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!', +'ids ruleset settings' => 'Regelset-Einstellungen', 'ids preprocessor' => 'IDS-Präprozessor', 'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter', 'ids rules license1' => ' registrieren.', @@ -2368,6 +2369,7 @@ 'unnamed' => 'Unbenannt', 'update' => 'Aktualisieren', 'update accelerator' => 'Update-Accelerator', +'update ruleset' => 'Regelsatz aktualisieren', 'update time' => 'Aktualisiere die Uhrzeit:', 'update transcript' => 'Aktualisieren', 'updatedatabase' => 'Datenbank auf Stand der letzten Reports setzen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 670a38e83..467bd2351 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1361,6 +1361,7 @@ 'ids logs' => 'IDS Logs', 'ids no network zone' => 'At least one network zone has to be monitored!', 'ids no ruleset available' => 'No ruleset available, please download one!', +'ids ruleset settings' => 'Ruleset settings', 'ids preprocessor' => 'IDS preprocessor', 'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on', 'ids rules license1' => '.', @@ -2409,6 +2410,7 @@ 'unnamed' => 'Unnamed', 'update' => 'Update', 'update accelerator' => 'Update Accelerator', +'update ruleset' => 'Update ruleset', 'update time' => 'Update the time:', 'update transcript' => 'Update transcript', 'updatedatabase' => 'Update Database with last report', From 01d02eb63bbb2142b5f154f75f028448bdd47ca5 Mon Sep 17 00:00:00 2001 
From: Stefan Schantl Date: Mon, 24 Dec 2018 10:03:18 +0100 Subject: [PATCH 145/259] ids.cgi: Change RUN_MODE to MONITOR_TRAFFIC_ONLY Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 86 ++++++++++++++++++------------------------ langs/de/cgi-bin/de.pl | 2 + langs/en/cgi-bin/en.pl | 2 + 3 files changed, 40 insertions(+), 50 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index ffbe0e239..f2362d2dc 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -574,23 +574,23 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &generate_home_net_file(); - # Check if the runmode has been changed. - if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'}) { - # Open modify sid's file for writing. - open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; + # Open modify sid's file for writing. + open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; - # Write file header. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + # Write file header. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - # Check if the configured runmode is IPS. - if ($cgiparams{'RUN_MODE'} eq 'IPS') { - # Tell oinkmaster to switch all rules from alert to drop. - print FILE "modifysid \* \"alert\" \| \"drop\"\n"; - } + # Check if the traffic only should be monitored. + unless($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { + # Tell oinkmaster to switch all rules from alert to drop. + print FILE "modifysid \* \"alert\" \| \"drop\"\n"; + } - # Close file handle. - close(FILE); + # Close file handle. + close(FILE); + # Check if "MONITOR_TRAFFIC_ONLY" has been changed. + if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) { # Check if a ruleset exists. if (%idsrules) { # Lock the webpage and print message. 
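Review bot: An unchecked checkbox is absent from `%cgiparams`, so `$cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}` at the end of the hunk compares undefined values; it still works, but if the script runs with warnings enabled each save logs an "uninitialized value" message. Normalising both sides, `(($cgiparams{'MONITOR_TRAFFIC_ONLY'} || '') ne ($oldidssettings{'MONITOR_TRAFFIC_ONLY'} || ''))`, keeps the log clean. The modify-sids file is now rewritten on every save instead of only on a change, and because `unless(... eq 'on')` treats a missing value as drop mode, the previous default of IPS appears to be preserved; a one-line comment saying so, `# Absent/off means IPS mode (alert -> drop), matching the old RUN_MODE default.`, would make that intent explicit. The enclosing branch starts before the hunk and continues after it.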
@@ -630,12 +630,6 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { &General::readhash("$idssettingsfile", \%idssettings); &General::readhash("$rulessettingsfile", \%rulessettings); -# If the runmode has not been configured yet, set default value. -unless(exists($idssettings{'RUN_MODE'})) { - # Set default to IPS. - $idssettings{'RUN_MODE'} = 'IPS'; -} - # If no autoupdate intervall has been configured yet, set default value. unless(exists($rulessettings{'AUTOUPDATE_INTERVAL'})) { # Set default to "weekly". @@ -648,9 +642,9 @@ unless(exists($rulessettings{'AUTOUPDATE_INTERVAL'})) { $checked{'ENABLE_IDS'}{'off'} = ''; $checked{'ENABLE_IDS'}{'on'} = ''; $checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'"; -$checked{'RUN_MODE'}{'IDS'} = ''; -$checked{'RUN_MODE'}{'IPS'} = ''; -$checked{'RUN_MODE'}{$idssettings{'RUN_MODE'}} = "checked='checked'"; +$checked{'MONITOR_TRAFFIC_ONLY'}{'off'} = ''; +$checked{'MONITOR_TRAFFIC_ONLY'}{'on'} = ''; +$checked{'MONITOR_TRAFFIC_ONLY'}{$idssettings{'MONITOR_TRAFFIC_ONLY'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'emerging'} = ''; @@ -737,6 +731,17 @@ END } &Header::closebox(); +my $rulesdate; + +# Check if a ruleset allready has been downloaded. +if ( -f "$IDS::rulestarball"){ + # Call stat on the filename to obtain detailed information. + my @Info = stat("$IDS::rulestarball"); + + # Grab details about the creation time. + $rulesdate = localtime($Info[9]); +} + # Draw elements for IDS configuration. &Header::openbox('100%', 'center', $Lang::tr{'settings'}); @@ -744,32 +749,24 @@ print < - - - - - - - - - - - - - + + + + - + @@ -790,7 +787,7 @@ foreach my $zone (@network_zones) { } print "\n"; } 
@@ -814,17 +811,6 @@ END # Draw elements for ruleset configuration. &Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'}); -my $rulesdate; - -# Check if a ruleset allready has been downloaded. -if ( -f "$IDS::rulestarball"){ - # Call stat on the filename to obtain detailed information. - my @Info = stat("$IDS::rulestarball"); - - # Grab details about the creation time. - $rulesdate = localtime($Info[9]); -} - print <
+ $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'}


$Lang::tr{'runmode'}
- $Lang::tr{'intrusion detection system2'}     - $Lang::tr{'intrusion prevention system'} + + $Lang::tr{'ids monitor traffic only'}









$Lang::tr{'ids traffic analyze'}
$Lang::tr{'ids monitored interfaces'}
\n"; - print "$Lang::tr{'enabled on'} $Lang::tr{$zone}\n"; + print "$Lang::tr{$zone}\n"; print "
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 43fd917a0..bba191293 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1329,6 +1329,8 @@ 'ids active on' => 'Aktiv auf', 'ids log viewer' => 'Ansicht IDS-Protokoll', 'ids logs' => 'IDS-Protokolldateien', +'ids monitored interfaces' => 'Überwachte Netzwerkzonen', +'ids monitor traffic only' => 'Netzwerk-Pakete nur überpfrüfen', 'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!', 'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!', 'ids ruleset settings' => 'Regelset-Einstellungen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 467bd2351..fa701f53a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1359,6 +1359,8 @@ 'ids active on' => 'Active on', 'ids log viewer' => 'IDS log viewer', 'ids logs' => 'IDS Logs', +'ids monitored interfaces' => 'Monitored interfaces', +'ids monitor traffic only' => 'Monitor traffic only', 'ids no network zone' => 'At least one network zone has to be monitored!', 'ids no ruleset available' => 'No ruleset available, please download one!', 'ids ruleset settings' => 'Ruleset settings', From 99b372b51d01e7c35ac6b24bea72ec9c739681c9 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 24 Dec 2018 13:18:14 +0100 Subject: [PATCH 146/259] ids.cgi: Colourize network zones Colourize the network with the proper colour. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index f2362d2dc..df8810a0b 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -88,6 +88,14 @@ unless (-f "$rulessettingsfile") { &IDS::create_empty_file($rulessettingsfile); unless (-f "$ignoredfile") { &IDS::create_empty_file($ignoredfile); } unless (-f "$whitelistfile" ) { &IDS::create_empty_file($whitelistfile); } +# Hash which contains the colour code of a network zone. +my %colourhash = ( + 'red' => $Header::colourred, + 'green' => $Header::colourgreen, + 'blue' => $Header::colourblue, + 'orange' => $Header::colourorange +); + &Header::showhttpheaders(); #Get GUI values @@ -787,7 +795,8 @@ foreach my $zone (@network_zones) { } print "\n"; } From 53817b89c0eb5f03830777982c86c58e4c097fa6 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 24 Dec 2018 13:19:06 +0100 Subject: [PATCH 147/259] ids.cgi: Hack to use the correct language string for red network zone. This hack is needed because "red" is used as "internet" in the language files and "red1" contains the correct "red" translations. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index df8810a0b..e3643f24c 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -789,6 +789,14 @@ foreach my $zone (@network_zones) { # Convert current zone name to upper case. my $zone_upper = uc($zone); + # Set zone name. + my $zone_name = $zone; + + # Dirty hack to get the correct language string for the red zone. + if ($zone eq "red") { + $zone_name = "red1"; + } + # Grab checkbox status from settings hash. if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") { $checked_input = "checked = 'checked'"; @@ -796,7 +804,7 @@ foreach my $zone (@network_zones) { print "\n"; } From b02e30fd81e3e095ea3cd74cb8f0b056d68e10e7 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 25 Dec 2018 18:26:21 +0100 Subject: [PATCH 148/259] ids.cgi: Move variable declaration to ids-functions.pl Also move some functions from the cgi file to the library file. 
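Review bot: The `if ($zone eq "red") { $zone_name = "red1"; }` special case in the patch-147 hunk is a mapping that tends to grow one branch at a time; a small lookup beside `%colourhash`, `my %zone_langkey = ('red' => 'red1');` used as `my $zone_name = $zone_langkey{$zone} || $zone;`, keeps the quirk in one place and handles further zones without another conditional. The comment should also say why the override exists, e.g. `# The language files use 'red' for 'internet'; 'red1' holds the zone name.`, rather than only calling it a hack. The surrounding `foreach` loop begins before the hunk.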
Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 153 ++++++++++++++++++++++++++ html/cgi-bin/ids.cgi | 186 +++++--------------------------- 2 files changed, 178 insertions(+), 161 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index cf7452ef9..1b445ab24 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -28,6 +28,30 @@ require '/var/ipfire/general-functions.pl'; # Location where all config and settings files are stored. our $settingsdir = "${General::swroot}/suricata"; +# File where the used rulefiles are stored. +our $used_rulefiles_file = "$settingsdir/suricata-used-rulefiles.yaml"; + +# File where the addresses of the homenet are stored. +our $homenet_file = "$settingsdir/suricata-homenet.yaml"; + +# File which contains the enabled sids. +our $enabled_sids_file = "$settingsdir/oinkmaster-enabled-sids.conf"; + +# File which contains the disabled sids. +our $disabled_sids_file = "$settingsdir/oinkmaster-disabled-sids.conf"; + +# File which contains wheater the rules should be changed. +our $modify_sids_file = "$settingsdir/oinkmaster-modify-sids.conf"; + +# File which stores the configured IPS settings. +our $ids_settings_file = "$settingsdir/settings"; + +# File which stores the configured rules-settings. +our $rules_settings_file = "$settingsdir/rules-settings"; + +# File which stores the configured settings for whitelisted addresses. +our $ignored_file = "$settingsdir/ignored"; + # Location and name of the tarball which contains the ruleset. our $rulestarball = "/var/tmp/idsrules.tar.gz"; 
@@ -37,6 +61,9 @@ our $storederrorfile = "/tmp/ids_storederror"; # Location where the rulefiles are stored. our $rulespath = "/var/lib/suricata"; +# File which contains the rules to whitelist addresses on suricata. +our $whitelist_file = "$rulespath/whitelist.rules"; + # File which contains a list of all supported ruleset sources. # (Sourcefire, Emergingthreads, etc..) our $rulesetsourcesfile = "$settingsdir/ruleset-sources"; @@ -53,6 +80,21 @@ my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload', 'fix-rules-dir', # Array with supported cron intervals. my @cron_intervals = ('off', 'daily', 'weekly' ); +# +## Function to check and create all IDS related files, if the does not exist. +# +sub check_and_create_filelayout() { + # Check if the files exist and if not, create them. + unless (-f "$enabled_sids_file") { &create_empty_file($enabled_sids_file); } + unless (-f "$disabled_sids_file") { &create_empty_file($disabled_sids_file); } + unless (-f "$modify_sids_file") { &create_empty_file($modify_sids_file); } + unless (-f "$used_rulefiles_file") { &create_empty_file($used_rulefiles_file); } + unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); } + unless (-f "$rules_settings_file") { &create_empty_file($rules_settings_file); } + unless (-f "$ignored_file") { &create_empty_file($ignored_file); } + unless (-f "$whitelist_file" ) { &create_empty_file($whitelist_file); } +} + # ## Function for checking if at least 300MB of free disk space are available ## on the "/var" partition. 
@@ -534,4 +576,115 @@ sub _cleanup_rulesdir() { return; } +# +## Function to generate the file which contains the home net information. +# +sub generate_home_net_file() { + my %netsettings; + + # Read-in network settings. + &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); + + # Get available network zones. + my @network_zones = &get_available_network_zones(); + + # Temporary array to store network address and prefix of the configured + # networks. + my @networks; + + # Loop through the array of available network zones. + foreach my $zone (@network_zones) { + # Skip the red network - It never can be part to the home_net! + next if($zone eq "red"); + + # Convert current zone name into upper case. + $zone = uc($zone); + + # Generate key to access the required data from the netsettings hash. + my $zone_netaddress = $zone . "_NETADDRESS"; + my $zone_netmask = $zone . "_NETMASK"; + + # Obtain the settings from the netsettings hash. + my $netaddress = $netsettings{$zone_netaddress}; + my $netmask = $netsettings{$zone_netmask}; + + # Convert the subnetmask into prefix notation. + my $prefix = &Network::convert_netmask2prefix($netmask); + + # Generate full network string. + my $network = join("/", $netaddress,$prefix); + + # Check if the network is valid. + if(&Network::check_subnet($network)) { + # Add the generated network to the array of networks. + push(@networks, $network); + } + } + + # Format home net declaration. + my $line = "\"\["; + + # Loop through the array of networks. + foreach my $network (@networks) { + # Add the network to the line. + $line = "$line" . "$network"; + + # Check if the current network was the last in the array. + if ($network eq $networks[-1]) { + # Close the line. + $line = "$line" . "\]\""; + } else { + # Add "," for the next network. + $line = "$line" . "\,"; + } + } + + # Open file to store the addresses of the home net. + open(FILE, ">$homenet_file") or die "Could not open $homenet_file. 
$!\n"; + + # Print yaml header. + print FILE "%YAML 1.1\n"; + print FILE "---\n\n"; + + # Print notice about autogenerated file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Print the generated and required HOME_NET declaration to the file. + print FILE "HOME_NET:\t$line\n"; + + # Close file handle. + close(FILE); +} + +# +## Function to generate and write the file for used rulefiles. +# +sub write_used_rulefiles_file(@) { + my @files = @_; + + # Open file for used rulefiles. + open (FILE, ">$used_rulefiles_file") or die "Could not write to $used_rulefiles_file. $!\n"; + + # Write yaml header to the file. + print FILE "%YAML 1.1\n"; + print FILE "---\n\n"; + + # Write header to file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Allways use the whitelist. + print FILE " - whitelist.rules\n"; + + # Loop through the array of given files. + foreach my $file (@files) { + # Check if the given filename exists and write it to the file of used rulefiles. + if(-f "$rulespath/$file") { + print FILE " - $file\n"; + } + } + + # Close file after writing. + close(FILE); +} + 1; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index e3643f24c..6a5dce802 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -49,44 +49,10 @@ my %ignored=(); # the list of zones in an array. my @network_zones = &IDS::get_available_network_zones(); -# File where the used rulefiles are stored. -my $idsusedrulefilesfile = "$IDS::settingsdir/suricata-used-rulefiles.yaml"; - -# File where the addresses of the homenet are stored. -my $idshomenetfile = "$IDS::settingsdir/suricata-homenet.yaml"; - -# File which contains the enabled sids. -my $enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf"; - -# File which contains the disabled sids. -my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf"; - -# File which contains wheater the rules should be changed. -my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf"; - -# File which stores the configured IPS settings. -my $idssettingsfile = "$IDS::settingsdir/settings"; - -# File which stores the configured rules-settings. -my $rulessettingsfile = "$IDS::settingsdir/rules-settings"; - -# File which stores the configured settings for whitelisted addresses. -my $ignoredfile = "$IDS::settingsdir/ignored"; - -# File which contains the rules to whitelist addresses on suricata. -my $whitelistfile = "$IDS::rulespath/whitelist.rules"; - my $errormessage; # Create files if they does not exist yet. 
-unless (-f "$enabled_sids_file") { &IDS::create_empty_file($enabled_sids_file); } -unless (-f "$disabled_sids_file") { &IDS::create_empty_file($disabled_sids_file); } -unless (-f "$modify_sids_file") { &IDS::create_empty_file($modify_sids_file); } -unless (-f "$idsusedrulefilesfile") { &IDS::create_empty_file($idsusedrulefilesfile); } -unless (-f "$idssettingsfile") { &IDS::create_empty_file($idssettingsfile); } -unless (-f "$rulessettingsfile") { &IDS::create_empty_file($rulessettingsfile); } -unless (-f "$ignoredfile") { &IDS::create_empty_file($ignoredfile); } -unless (-f "$whitelistfile" ) { &IDS::create_empty_file($whitelistfile); } +&IDS::check_and_create_filelayout(); # Hash which contains the colour code of a network zone. my %colourhash = ( @@ -127,7 +93,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'}; # Read-in ignoredfile. - &General::readhasharray($ignoredfile, \%ignored); + &General::readhasharray($IDS::ignored_file, \%ignored); # Check if we should edit an existing entry and got an ID. if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) { @@ -162,7 +128,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"]; # Write the changed ignored hash to the ignored file. - &General::writehasharray($ignoredfile, \%ignored); + &General::writehasharray($IDS::ignored_file, \%ignored); # Regenerate the ignore file. &GenerateIgnoreFile(); @@ -189,7 +155,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq undef($cgiparams{'ID'}); # Read-in ignoredfile. - &General::readhasharray($ignoredfile, \%ignored); + &General::readhasharray($IDS::ignored_file, \%ignored); # Grab the configured status of the corresponding entry. my $status = $ignored{$id}[2]; 
@@ -205,7 +171,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"]; # Write the changed ignored hash to the ignored file. - &General::writehasharray($ignoredfile, \%ignored); + &General::writehasharray($IDS::ignored_file, \%ignored); # Regenerate the ignore file. &GenerateIgnoreFile(); @@ -223,7 +189,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq my %ignored = (); # Read-in ignoredfile. - &General::readhasharray($ignoredfile, \%ignored); + &General::readhasharray($IDS::ignored_file, \%ignored); # Drop entry from the hash. delete($ignored{$cgiparams{'ID'}}); @@ -232,7 +198,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq undef($cgiparams{'ID'}); # Write the changed ignored hash to the ignored file. - &General::writehasharray($ignoredfile, \%ignored); + &General::writehasharray($IDS::ignored_file, \%ignored); # Regenerate the ignore file. &GenerateIgnoreFile(); @@ -292,9 +258,9 @@ closedir(DIR); # Gather used rulefiles. # # Check if the file for activated rulefiles is not empty. -if(-f $idsusedrulefilesfile) { +if(-f $IDS::used_rulefiles_file) { # Open the file for used rulefile and read-in content. - open(FILE, $idsusedrulefilesfile) or die "Could not open $idsusedrulefilesfile. $!\n"; + open(FILE, $IDS::used_rulefiles_file) or die "Could not open $IDS::used_rulefiles_file. $!\n"; # Read-in content. my @lines = ; @@ -333,7 +299,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { my %oldsettings; # Read-in current (old) IDS settings. - &General::readhash("$rulessettingsfile", \%oldsettings); + &General::readhash("$IDS::rules_settings_file", \%oldsettings); # Prevent form name from been stored in conf file. delete $cgiparams{'RULESET'}; 
@@ -349,7 +315,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Go on if there are no error messages. if (!$errormessage) { # Store settings into settings file. - &General::writehash("$rulessettingsfile", \%cgiparams); + &General::writehash("$IDS::rules_settings_file", \%cgiparams); } # Check if the the automatic rule update hass been touched. @@ -382,8 +348,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # This will be done by calling the read_enabled_disabled_sids_file function two times # and merge the returned hashes together into the enabled_disabled_sids hash. %enabled_disabled_sids = ( - &read_enabled_disabled_sids_file($disabled_sids_file), - &read_enabled_disabled_sids_file($enabled_sids_file)); + &read_enabled_disabled_sids_file($IDS::disabled_sids_file), + &read_enabled_disabled_sids_file($IDS::enabled_sids_file)); # Loop through the hash of idsrules. foreach my $rulefile (keys %idsrules) { @@ -422,10 +388,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { } # Open enabled sid's file for writing. - open(ENABLED_FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n"; + open(ENABLED_FILE, ">$IDS::enabled_sids_file") or die "Could not write to $IDS::enabled_sids_file. $!\n"; # Open disabled sid's file for writing. - open(DISABLED_FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n"; + open(DISABLED_FILE, ">$IDS::disabled_sids_file") or die "Could not write to $IDS::disabled_sids_file. $!\n"; # Write header to the files. print ENABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; 
@@ -456,29 +422,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Close file for disabled_sids after writing. close(DISABLED_FILE); - # Open file for used rulefiles. - open (FILE, ">$idsusedrulefilesfile") or die "Could not write to $idsusedrulefilesfile. $!\n"; - - # Write yaml header to the file. - print FILE "%YAML 1.1\n"; - print FILE "---\n\n"; - - # Write header to file. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - - # Allways load the whitelist. - print FILE " - whitelist.rules\n"; - - # Check if the enabled_rulefiles array contains any entries. - if (@enabled_rulefiles) { - # Loop through the array of rulefiles which should be loaded and write them to the file. - foreach my $file (@enabled_rulefiles) { - print FILE " - $file\n"; - } - } - - # Close file after writing. - close(FILE); + # Call function to generate and write the used rulefiles file. + &IDS::write_used_rulefiles_file(@enabled_rulefiles); # Lock the webpage and print message. &working_notice("$Lang::tr{'snort working'}"); @@ -543,7 +488,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { my $monitored_zones = 0; # Read-in current (old) IDS settings. - &General::readhash("$idssettingsfile", \%oldidssettings); + &General::readhash("$IDS::ids_settings_file", \%oldidssettings); # Prevent form name from been stored in conf file. delete $cgiparams{'IDS'}; 
@@ -576,14 +521,14 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Go on if there are no error messages. if (!$errormessage) { # Store settings into settings file. - &General::writehash("$idssettingsfile", \%cgiparams); + &General::writehash("$IDS::ids_settings_file", \%cgiparams); } # Generate file to store the home net. - &generate_home_net_file(); + &IDS::generate_home_net_file(); # Open modify sid's file for writing. - open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; + open(FILE, ">$IDS::modify_sids_file") or die "Could not write to $IDS::modify_sids_file. $!\n"; # Write file header. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; @@ -635,8 +580,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { } # Read-in idssettings and rulesetsettings -&General::readhash("$idssettingsfile", \%idssettings); -&General::readhash("$rulessettingsfile", \%rulessettings); +&General::readhash("$IDS::ids_settings_file", \%idssettings); +&General::readhash("$IDS::rules_settings_file", \%rulessettings); # If no autoupdate intervall has been configured yet, set default value. unless(exists($rulessettings{'AUTOUPDATE_INTERVAL'})) { 
@@ -1265,87 +1210,6 @@ sub get_memory_usage($) { return; } -# -## Function to generate the file which contains the home net information. -# -sub generate_home_net_file() { - my %netsettings; - - # Read-in network settings. - &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - - # Get available network zones. - my @network_zones = &IDS::get_available_network_zones(); - - # Temporary array to store network address and prefix of the configured - # networks. - my @networks; - - # Loop through the array of available network zones. - foreach my $zone (@network_zones) { - # Skip the red network - It never can be part to the home_net! - next if($zone eq "red"); - - # Convert current zone name into upper case. - $zone = uc($zone); - - # Generate key to access the required data from the netsettings hash. - my $zone_netaddress = $zone . "_NETADDRESS"; - my $zone_netmask = $zone . "_NETMASK"; - - # Obtain the settings from the netsettings hash. - my $netaddress = $netsettings{$zone_netaddress}; - my $netmask = $netsettings{$zone_netmask}; - - # Convert the subnetmask into prefix notation. - my $prefix = &Network::convert_netmask2prefix($netmask); - - # Generate full network string. - my $network = join("/", $netaddress,$prefix); - - # Check if the network is valid. - if(&Network::check_subnet($network)) { - # Add the generated network to the array of networks. - push(@networks, $network); - } - } - - # Format home net declaration. - my $line = "\"\["; - - # Loop through the array of networks. - foreach my $network (@networks) { - # Add the network to the line. - $line = "$line" . "$network"; - - # Check if the current network was the last in the array. - if ($network eq $networks[-1]) { - # Close the line. - $line = "$line" . "\]\""; - } else { - # Add "," for the next network. - $line = "$line" . "\,"; - } - } - - # Open file to store the addresses of the home net. - open(FILE, ">$idshomenetfile") or die "Could not open $idshomenetfile. 
$!\n"; - - # Print yaml header. - print FILE "%YAML 1.1\n"; - print FILE "---\n\n"; - - # Print notice about autogenerated file. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - - # Print the generated and required HOME_NET declaration to the file. - print FILE "HOME_NET:\t$line\n"; - - # Close file handle. - close(FILE); - -} - # ## Function to generate the rules file with whitelisted addresses. # @@ -1357,10 +1221,10 @@ sub GenerateIgnoreFile() { my $sid = 1500000; # Read-in ignoredfile. - &General::readhasharray($ignoredfile, \%ignored); + &General::readhasharray($IDS::ignored_file, \%ignored); # Open ignorefile for writing. - open(FILE, ">$whitelistfile") or die "Could not write to $whitelistfile. $!\n"; + open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n"; # Config file header. print FILE "# Autogenerated file.\n"; From 74cc8f5a3ddafb065dffd885222246842fc8304c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 25 Dec 2018 18:40:34 +0100 Subject: [PATCH 149/259] ids-functions.pl: Introduce function write_modify_sids_file() This function is used to write the corresponding file which tells oinkmaster to alter the whole ruleset and finally switches suricata into an IPS or IDS. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 22 ++++++++++++++++++++++ html/cgi-bin/ids.cgi | 19 +++++++++---------- 2 files changed, 31 insertions(+), 10 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 1b445ab24..55786c157 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -687,4 +687,26 @@ sub write_used_rulefiles_file(@) { close(FILE); } +# +## Function to generate and write the file for modify the ruleset. +# +sub write_modify_sids_file($) { + my ($ruleaction) = @_; + + # Open modify sid's file for writing. + open(FILE, ">$IDS::modify_sids_file") or die "Could not write to $IDS::modify_sids_file. $!\n"; + + # Write file header. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Check if the traffic only should be monitored. + unless($ruleaction eq "alert") { + # Tell oinkmaster to switch all rules from alert to drop. + print FILE "modifysid \* \"alert\" \| \"drop\"\n"; + } + + # Close file handle. + close(FILE); +} + 1; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 6a5dce802..c5fa93ce7 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -527,20 +527,19 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &IDS::generate_home_net_file(); - # Open modify sid's file for writing. - open(FILE, ">$IDS::modify_sids_file") or die "Could not write to $IDS::modify_sids_file. $!\n"; - - # Write file header. - print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + # Temporary variable to set the ruleaction. + # Default is "drop" to use suricata as IPS. + my $ruleaction="drop"; # Check if the traffic only should be monitored. - unless($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Tell oinkmaster to switch all rules from alert to drop. - print FILE "modifysid \* \"alert\" \| \"drop\"\n"; + if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { + # Switch the ruleaction to "alert". + # Suricata acts as an IDS only. + $ruleaction="alert"; } - # Close file handle. - close(FILE); + # Write the modify sid's file and pass the taken ruleaction. + &IDS::write_modify_sids_file($ruleaction); # Check if "MONITOR_TRAFFIC_ONLY" has been changed. if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) { 
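Review bot: `unless($ruleaction eq "alert")` means every value other than the exact string "alert" (undef, an empty string, or a typo such as "Alert") silently rewrites the whole ruleset to "drop", i.e. switches suricata into blocking mode; that fail-to-drop behaviour belongs in the header comment, e.g. `## Any $ruleaction other than "alert" results in all rules being rewritten to "drop".`, or unknown values should be rejected with `die` so a caller bug is visible rather than enforced. The bareword handle `FILE` with the two-argument `open(FILE, ">$IDS::modify_sids_file")` follows the other writers in this file, but for new code the lexical three-argument form `open(my $fh, ">", $IDS::modify_sids_file)` is the idiom to prefer and avoids the shared global handle.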
From 2ee510888c4f4a0836ef4afe5b6e30c2b94f7ddb Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 25 Dec 2018 20:19:12 +0100 Subject: [PATCH 150/259] ids-functions.pl: Fix typo Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 55786c157..e44427299 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -694,7 +694,7 @@ sub write_modify_sids_file($) { my ($ruleaction) = @_; # Open modify sid's file for writing. - open(FILE, ">$IDS::modify_sids_file") or die "Could not write to $IDS::modify_sids_file. $!\n"; + open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; # Write file header. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; From 04a0d07c97087c9d66e09155058beacee031d627 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 26 Dec 2018 16:05:46 +0100 Subject: [PATCH 151/259] ids-functions.pl: Add function to get the version of suricata The get_suricata_version() function is used to get the version of the on the system installed version of suricata. You can specify the how detailed the returned result should be "major" will return only the major version, were "minor" will provide the major and minor version (1.2 for example). All other calls will be answered with the full version string (1.2.3). Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 37 +++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index e44427299..7c6b884c5 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -709,4 +709,41 @@ sub write_modify_sids_file($) { close(FILE); } +# +## Function to gather the version of suricata. +# +sub get_suricata_version($) { + my ($format) = @_; + + # Execute piped suricata command and return the version information. + open(SURICATA, "suricata -V |") or die "Couldn't execute program: $!"; + + # Grab and store the output of the piped program. + my $version_string = ; + + # Close pipe. + close(SURICATA); + + # Remove newlines. + chomp($version_string); + + # Grab the version from the version string. + $version_string =~ /([0-9]+([.][0-9]+)+)/; + + # Splitt the version into single chunks. + my ($major_ver, $minor_ver, $patchlevel) = split(/\./, $1); + + # Check and return the requested version sheme. + if ($format eq "major") { + # Return the full version. + return "$major_ver"; + } elsif ($format eq "minor") { + # Return the major and minor part. + return "$major_ver.$minor_ver"; + } else { + # Return the full version string. + return "$major_ver.$minor_ver.$patchlevel"; + } +} + 1; From 6994f00174d222a6e7dd9b812c5bebaad1e3fa3e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 26 Dec 2018 16:33:54 +0100 Subject: [PATCH 152/259] ids-functions.pl: Downloader now also uses upstream proxy for HTTPS Fixes #11953 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 7c6b884c5..c35bed7e5 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -194,7 +194,7 @@ sub downloadruleset { } # Setup proxy settings. - $downloader->proxy('http', $proxy_url); + $downloader->proxy(['http', 'https'], $proxy_url); } # Grab the right url based on the configured vendor. From ed809cf07a5ccacc5817f682fc9103a2f52163d6 Mon Sep 17 00:00:00 2001 
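Review bot: The result of `$version_string =~ /([0-9]+([.][0-9]+)+)/;` is never checked, so when `suricata -V` prints nothing or an unexpected format, `$1` is undef (or stale from an earlier successful match in the caller) and the function returns `..` or foreign numbers instead of failing; guard it as `return unless ($version_string =~ /([0-9]+([.][0-9]+)+)/);` and `chomp` only when a line was actually read. The pipe open `"suricata -V |"` goes through the shell and resolves the binary from the caller's PATH; since this module is also used from root-run scripts, an absolute path in the list form `open(SURICATA, "-|", "/PATH/TO/suricata", "-V")` (placeholder path) avoids both the shell and the lookup. The readline from the pipe appears truncated in this rendering (`my $version_string = ;`), presumably `<SURICATA>` lost in extraction, as is the `my @lines = ;` in the ids.cgi hunk earlier in this series.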
From: Stefan Schantl Date: Fri, 28 Dec 2018 07:36:19 +0100 Subject: [PATCH 153/259] Ship update-ids-ruleset script also on x86_64 and aarch64 Signed-off-by: Stefan Schantl --- config/rootfiles/common/aarch64/stage2 | 1 + config/rootfiles/common/x86_64/stage2 | 1 + 2 files changed, 2 insertions(+)
diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2
index 110114c47..eaba3c8c2 100644
--- a/config/rootfiles/common/aarch64/stage2
+++ b/config/rootfiles/common/aarch64/stage2
@@ -103,6 +103,7 @@ usr/local/bin/scanhd
 usr/local/bin/settime
 usr/local/bin/timecheck
 usr/local/bin/timezone-transition
+usr/local/bin/update-ids-ruleset
 usr/local/bin/update-lang-cache
 usr/local/bin/xt_geoip_build
 usr/local/bin/xt_geoip_update
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
index 110114c47..eaba3c8c2 100644
--- a/config/rootfiles/common/x86_64/stage2
+++ b/config/rootfiles/common/x86_64/stage2
@@ -103,6 +103,7 @@ usr/local/bin/scanhd
 usr/local/bin/settime
 usr/local/bin/timecheck
 usr/local/bin/timezone-transition
+usr/local/bin/update-ids-ruleset
 usr/local/bin/update-lang-cache
 usr/local/bin/xt_geoip_build
 usr/local/bin/xt_geoip_update
From b749416ad71126d6a05eb92b1409f097cc127617 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 6 Jan 2019 14:11:30 +0100 Subject: [PATCH 154/259] ids-functions.pl: Downloader should reads settings from correct file In commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda the taken settings for the ruleset have been stored into an own file. The Downloader now uses this file to read-in which ruleset should be used and downloaded. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index c35bed7e5..87fc76dd0 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -130,21 +130,21 @@ sub checkdiskspace () { } # -## This function is responsible for downloading the configured snort ruleset. +## This function is responsible for downloading the configured IDS ruleset. ## -## * At first it obtains from the stored snortsettings which ruleset should be downloaded. +## * At first it obtains from the stored rules settings which ruleset should be downloaded. ## * The next step is to get the download locations for all available rulesets. ## * After that, the function will check if an upstream proxy should be used and grab the settings. ## * The last step will be to generate the final download url, by obtaining the URL for the desired ## ruleset, add the settings for the upstream proxy and final grab the rules tarball from the server. # sub downloadruleset { - # Get snort settings. - my %snortsettings=(); - &General::readhash("$settingsdir/settings", \%snortsettings); + # Get rules settings. + my %rulessettings=(); + &General::readhash("$rules_settings_file", \%rulessettings); # Check if a ruleset has been configured. - unless($snortsettings{'RULES'}) { + unless($rulessettings{'RULES'}) { # Log that no ruleset has been configured and abort. &_log_to_syslog("No ruleset source has been configured."); @@ -198,10 +198,10 @@ sub downloadruleset { } # Grab the right url based on the configured vendor. - my $url = $rulesetsources{$snortsettings{'RULES'}}; + my $url = $rulesetsources{$rulessettings{'RULES'}}; # Check if the vendor requires an oinkcode and add it if needed. - $url =~ s/\/$snortsettings{'OINKCODE'}/g; + $url =~ s/\/$rulessettings{'OINKCODE'}/g; # Abort if no url could be determined for the vendor. unless ($url) { From 9283e9b9cf8326453086d9777b264d7e50b9660a Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 22 Jan 2019 13:25:13 +0100 Subject: [PATCH 155/259] ids.cgi: Move and rename GenerateIgnoreList() function to ids-functions.pl 
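Review bot: In the second hunk the oinkcode substitution `$url =~ s/...$rulessettings{'OINKCODE'}/g;` runs before `unless ($url)` verifies that a URL was found for the configured vendor, so an unknown `RULES` value first performs a substitution on undef (an uninitialized-value warning) and only then aborts; move the `unless ($url)` check directly after the `$rulesetsources` lookup. After the substitution `$url` embeds the oinkcode, which is a per-user credential, so any log or error message in the rest of downloadruleset that echoes `$url` would write it to syslog — such messages should name the vendor instead. The substitution pattern also looks truncated in this rendering (`s/\/$rulessettings...`), presumably an angle-bracketed placeholder lost in extraction. downloadruleset continues outside the hunk.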
Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 48 +++++++++++++++++++++++++++++ html/cgi-bin/ids.cgi | 54 ++------------------------------- 2 files changed, 51 insertions(+), 51 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 87fc76dd0..2a358b1cc 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -746,4 +746,52 @@ sub get_suricata_version($) { } } +# +## Function to generate the rules file with whitelisted addresses. +# +sub generate_ignore_file() { + my %ignored = (); + + # SID range 1000000-1999999 Reserved for Local Use + # Put your custom rules in this range to avoid conflicts + my $sid = 1500000; + + # Read-in ignoredfile. + &General::readhasharray($IDS::ignored_file, \%ignored); + + # Open ignorefile for writing. + open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n"; + + # Config file header. + print FILE "# Autogenerated file.\n"; + print FILE "# All user modifications will be overwritten.\n\n"; + + # Add all user defined addresses to the whitelist. + # + # Check if the hash contains any elements. + if (keys (%ignored)) { + # Loop through the entire hash and write the host/network + # and remark to the ignore file. + while ( (my $key) = each %ignored) { + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the status of the entry is "enabled". + if ($status eq "enabled") { + # Check if the address/network is valid. + if ((&General::validip($address)) || (&General::validipandmask($address))) { + # Write rule line to the file to pass any traffic from this IP + print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; sid:$sid\;)\n"; + + # Increment sid. + $sid++; + } + } + } + } + + close(FILE); +} + 1; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 0c3664547..6807e9e05 100644 --- a/html/cgi-bin/ids.cgi 
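Review bot: `my $remark = $ignored{$key}[1];` is assigned but never used in the moved generate_ignore_file(); either drop it, or, if it is meant to become a comment line in the rules file, note that the remark is free text from the WUI form and must be restricted to a safe character set before being written into a file that suricata parses. `$address` is validated with validip/validipandmask before it is interpolated into the `pass ip` line, which is what keeps that rule from being injectable, so that check should be kept in front of any future additions to the line. As elsewhere in this series, the bareword `FILE` with two-argument open could become `open(my $fh, ">", $IDS::whitelist_file) or die ...` in the moved copy.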
+++ b/html/cgi-bin/ids.cgi @@ -131,7 +131,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq &General::writehasharray($IDS::ignored_file, \%ignored); # Regenerate the ignore file. - &GenerateIgnoreFile(); + &IDS::generate_ignore_file(); } # Check if the IDS is running. @@ -174,7 +174,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq &General::writehasharray($IDS::ignored_file, \%ignored); # Regenerate the ignore file. - &GenerateIgnoreFile(); + &IDS::generate_ignore_file(); # Check if the IDS is running. if(&IDS::ids_is_running()) { @@ -201,7 +201,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq &General::writehasharray($IDS::ignored_file, \%ignored); # Regenerate the ignore file. - &GenerateIgnoreFile(); + &IDS::generate_ignore_file(); # Check if the IDS is running. if(&IDS::ids_is_running()) { 
@@ -1208,54 +1208,6 @@ sub get_memory_usage($) { return; } -# -## Function to generate the rules file with whitelisted addresses. -# -sub GenerateIgnoreFile() { - my %ignored = (); - - # SID range 1000000-1999999 Reserved for Local Use - # Put your custom rules in this range to avoid conflicts - my $sid = 1500000; - - # Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, \%ignored); - - # Open ignorefile for writing. - open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n"; - - # Config file header. - print FILE "# Autogenerated file.\n"; - print FILE "# All user modifications will be overwritten.\n\n"; - - # Add all user defined addresses to the whitelist. - # - # Check if the hash contains any elements. - if (keys (%ignored)) { - # Loop through the entire hash and write the host/network - # and remark to the ignore file. - while ( (my $key) = each %ignored) { - my $address = $ignored{$key}[0]; - my $remark = $ignored{$key}[1]; - my $status = $ignored{$key}[2]; - - # Check if the status of the entry is "enabled". - if ($status eq "enabled") { - # Check if the address/network is valid. - if ((&General::validip($address)) || (&General::validipandmask($address))) { - # Write rule line to the file to pass any traffic from this IP - print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; sid:$sid\;)\n"; - - # Increment sid. - $sid++; - } - } - } - } - - close(FILE); -} - # ## Function to read-in the given enabled or disables sids file. # From 5b0b4182a8a0f7fa17548983a4e15aeed3aa2234 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 22 Jan 2019 15:36:00 +0100 Subject: [PATCH 156/259] convert-snort: Settings converter from snort to suricata Signed-off-by: Stefan Schantl --- config/suricata/convert-snort | 331 ++++++++++++++++++++++++++++++++++ 1 file changed, 331 insertions(+) create mode 100644 config/suricata/convert-snort 
diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort
new file mode 100644
index 000000000..dfd83a530
--- /dev/null
+++ b/config/suricata/convert-snort
@@ -0,0 +1,331 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2019 IPFire Development Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; + +# Snort settings file, which contains the settings from the WUI. +my $snort_settings_file = "${General::swroot}/snort/settings"; + +# Main snort config file. +my $snort_config_file = "/etc/snort/snort.conf"; + +# Snort rules tarball. +my $snort_rules_tarball = "/var/tmp/snortrules.tar.gz"; + +# Check if a snort settings file exists. +unless( -f "$snort_settings_file") { + print "$snort_settings_file not found - Nothing to do. Exiting!\n"; + exit(0); +} + +# Check if the snort settings file is empty. +if (-z "$snort_settings_file") { + print "$snort_settings_file is empty - Nothing to do. Exiting!\n"; + exit(0); +} + +# +## Step 1: Setup directory and file layout, if not present and set correct +## ownership. The converter runs as a privileged user, but the files +## needs to be full access-able by the WUI user and group (nobody:nobody). +# + +# User and group of the WUI. 
+my $uname = "nobody"; +my $grname = "nobody"; + +# The chown function implemented in perl requies the user and group as nummeric id's. +my $uid = getpwnam($uname); +my $gid = getgrnam($grname); + +# Check if the settings directory exists. +unless (-d $IDS::settingsdir) { + # Create the directory. + mkdir($IDS::settingsdir); +} + +# Check if the rules directory exists. +unless (-d $IDS::rulespath) { + # Create the directory. + mkdir($IDS::rulespath); +} + +# Set correct ownership for the settings and rules folder. +chown($uid, $gid, $IDS::settingsdir); +chown($uid, $gid, $IDS::rulespath); + +# Create file layout, if not exists yet. +&IDS::check_and_create_filelayout(); + +# Set correct ownership for the files - Open settings directory and do a directory listing. +opendir(DIR, $IDS::settingsdir) or die $!; + # Loop through the direcory. + while (my $file = readdir(DIR)) { + + # We only want files. + next unless (-f "$IDS::settingsdir/$file"); + + # Set correct ownership for the files. + chown($uid, $gid, "$IDS::settingsdir/$file"); + } + +closedir(DIR); + +# +## Step 2: Import snort settings and convert to the required format for the new IDS +## (suricata). +# + +# Hash which contains the "old" snort settings. +my %snortsettings; + +# Hash which contains the IDS (suricata) settings. +# +# Add default value for MONITOR_TRAFFIC_ONLY which will be "on" +# when migrating from snort to the new IDS. +my %idssettings = ( + "MONITOR_TRAFFIC_ONLY" => "on", +); + +# Hash which contains the RULES settings. +# +# Set default value for UPDATE_INTERVAL to weekly. +my %rulessettings = ( + "AUTOUPDATE_INTERVAL" => "weekly", +); + +# Get all available network zones. +my @network_zones = &IDS::get_available_network_zones(); + +# Read-in snort settings file. +&General::readhash("$snort_settings_file", \%snortsettings); + +# Loop through the array of network zones. +foreach my $zone (@network_zones) { + # Convert current zone into upper case. 
+ my $zone_upper = uc($zone); + + # Check if the current network zone is "red". + if($zone eq "red") { + # Check if snort was enabled and enabled on red. + if ($snortsettings{"ENABLE_SNORT"} eq "on") { + # Enable the IDS. + $idssettings{"ENABLE_IDS"} = "on"; + + # Enable the IDS on RED. + $idssettings{"ENABLE_IDS_$zone_upper"} = "on"; + } + } else { + # Check if snort was enabled on the current zone. + if ($snortsettings{"ENABLE_SNORT_$zone_upper"} eq "on") { + # Enable the IDS on this zone too. + $idssettings{"ENABLE_IDS_$zone_upper"} = "on"; + } + } +} + +# Grab the choosen ruleset from snort settings hash and store it in the rules +# settings hash. +$rulessettings{"RULES"} = $snortsettings{"RULES"}; + +# Check if an oinkcode has been provided. +if($snortsettings{"OINKCODE"}) { + # Take the oinkcode from snort settings hash and store it in the rules + # settings hash. + $rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"}; +} + +# +## Step 3: Import guardian settings and whitelist if the addon is installed. +# + +# Pakfire meta file for owncloud. +# (File exists when the addon is installed.) +my $guardian_meta = "/opt/pakfire/db/installed/meta-guardian"; + +# Check if the guardian addon is installed. +if (-f $guardian_meta) { + # File which contains the taken setting for guardian. + my $guardian_settings_file = "${General::swroot}/guardian/settings"; + + # File which contains the white-listed hosts. + my $guardian_ignored_file = "${General::swroot}/guardian/ignored"; + + # Hash which will contain the settings of guardian. + my %guardiansettings; + + # Check if the settings file of guardian is empty. + unless (-z $guardian_settings_file) { + # Read-in settings. + &General::readhash("$guardian_settings_file", \%guardiansettings); + } + + # Check if guardian is not configured to take actions on snort events. + if ($guardiansettings{"GUARDIAN_MONITOR_SNORT"} eq "on") { + # Change the IDS into MONITOR_TRAFFIC_ONLY mode. 
+ $idssettings{"MONITOR_TRAFFIC_ONLY"} = "off"; + } + + # Check if guardian has any white-listed hosts configured. + unless (-z $guardian_ignored_file) { + # Temporary hash to store the ignored hosts. + my %ignored_hosts; + + # Read-in white-listed hosts and store them in the hash. + &General::readhasharray($guardian_ignored_file, \%ignored_hosts); + + # Write-out the white-listed hosts for the IDS system. + &General::writehasharray($IDS::ignored_file, \%ignored_hosts); + + # Call subfunction to generate the file for white-listing the hosts. + &IDS::generate_ignored_file(); + } + +} + +# +## Step 4: Save IDS and rules settings. +# + +# Write IDS settings. +&General::writehash("$IDS::ids_settings_file", \%idssettings); + +# Write rules settings. +&General::writehash("$IDS::rules_settings_file", \%rulessettings); + +# +## Step 5: Generate and write the file to modify the ruleset. +# + +# Converters default is to only monitor the traffic, so set the IDS action to +# "alert". +my $IDS_action = "alert"; + +# Check if the traffic only should be monitored. +if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") { + # Swith IDS action to alert only. + $IDS_action = "drop"; +} + +# Call subfunction and pass the desired IDS action. +&IDS::write_modify_sids_file($IDS_action); + +# +## Step 6: Move rulestarball to its new location. +# + +# Check if a rulestarball has been downloaded yet. +if (-f $snort_rules_tarball) { + # Load perl module which contains the move command. + use File::Copy; + + # Move the rulestarball to the new location. + move($snort_rules_tarball, $IDS::rulestarball); + + # Set correct ownership. + chown($uid, $gid, $IDS::rulestarball); +} + +# +## Step 7: Call oinkmaster to extract and setup the rules structures. +# + +# Check if a rulestarball is present. +if (-f $IDS::rulestarball) { + # Launch oinkmaster by calling the subfunction. 
+ &IDS::oinkmaster(); +} + +# +## Step 8: Grab used ruleset files from snort config file and convert +## them into the new format. +# + +# Check if the snort config file exists. +unless (-f $snort_config_file) { + print "$snort_config_file does not exist - Nothing to do. Exiting!\n"; + exit(0); +} + +# Array to store the enabled rules files. +my @enabled_rule_files; + +# Open snort config file. +open(SNORTCONF, $snort_config_file) or die "Could not open $snort_config_file. $!\n"; + +# Loop through the file content. +while (my $line = ) { + # Skip comments. + next if ($line =~ /\#/); + + # Skip blank lines. + next if ($line =~ /^\s*$/); + + # Remove newlines. + chomp($line); + + # Check for a line with .rules + if ($line =~ /\.rules$/) { + # Parse out rule file name + my $rulefile = $line; + $rulefile =~ s/\$RULE_PATH\///i; + $rulefile =~ s/ ?include ?//i; + + # Add the enabled rulefile to the array of enabled rule files. + push(@enabled_rule_files, $rulefile); + } +} + +# Close filehandle. +close(SNORTCONF); + +# Pass the array of enabled rule files to the subfunction and write the file. +&IDS::write_used_rulefiles_file(@enabled_rule_files); + +# +## Step 9: Generate file for the HOME Net. +# + +# Call subfunction to generate the file. +&IDS::generate_home_net_file(); + +# +## Step 10: Setup automatic ruleset updates. +# + +# Check if a ruleset is configured. +if($rulessettings{"RULES"}) { + # Call suricatactrl and setup the periodic update mechanism. + &IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'}); +} + +# +## Step 11: Start the IDS if enabled. +# + +# Check if the IDS should be started. +if($idssettings{"ENABLE_IDS"} eq "on") { + # Call suricatactrl and launch the IDS. + &IDS::call_suricatactrl("start"); +} From 85a62b05237a4087c9b80d0efadc71b2da45abfa Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 29 Jan 2019 08:26:15 +0100 Subject: [PATCH 157/259] IDS: Install snort to suricata converter 
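Review bot: Step 3 calls `&IDS::generate_ignored_file();`, but the function added to ids-functions.pl earlier in this series is `generate_ignore_file()`, so a restore with a guardian whitelist would die with an undefined-subroutine error after `%ignored_hosts` has already been written out; the call should read `&IDS::generate_ignore_file();`. The guards `unless (-z $guardian_settings_file)` and `unless (-z $guardian_ignored_file)` also pass when the file does not exist (`-z` returns undef), handing a missing path to readhasharray; `if (-s $file)` expresses "exists and is non-empty". In step 8, `next if ($line =~ /\#/);` drops every snort.conf line that contains a `#` anywhere, including an include line with a trailing comment, and should be anchored as `/^\s*#/`. Two comments contradict the code under them — "Pakfire meta file for owncloud." above the guardian meta path, and "Swith IDS action to alert only." above `$IDS_action = "drop";`. The `exit(0)` in step 8 when snort.conf is missing also skips steps 9–11, so no home-net file is generated and the IDS is not started even though ENABLE_IDS was already persisted in step 4.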
Signed-off-by: Stefan Schantl --- config/rootfiles/common/configroot | 1 + lfs/configroot | 3 +++ 2 files changed, 4 insertions(+) diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 5115f7e94..4c9f6fb62 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -1,6 +1,7 @@ usr/sbin/convert-dmz usr/sbin/convert-outgoingfw usr/sbin/convert-portfw +usr/sbin/convert-snort usr/sbin/convert-xtaccess usr/sbin/firewall-policy #var/ipfire diff --git a/lfs/configroot b/lfs/configroot index 4c99bded3..6f4dbd459 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -134,6 +134,9 @@ $(TARGET) : echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings + # Install snort to suricata converter. + cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort + # Add conntrack helper default settings for proto in FTP H323 IRC SIP TFTP; do \ echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ From 8c27372438dd267648cba48b86d85a594f14be1c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 29 Jan 2019 08:40:34 +0100 Subject: [PATCH 158/259] backup.pl: Run snort to suricata converter when a backup gets restored. Signed-off-by: Stefan Schantl --- config/backup/backup.pl | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 3accbcfff..5737740e5 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -129,6 +129,15 @@ restore_backup() { # Convert old OpenVPN CCD files (CN change, Core Update 75) convert-ovpn + # Snort to suricata converter. + if [ -d "/var/ipfire/snort" ]; then + # Run converter + convert-snort + + # Remove old configuration directory. + rm -rf "/var/ipfire/snort" + fi + return 0 } From 1fedede6a0982500847ef5d8747b5d3483991a05 Mon Sep 17 00:00:00 2001 
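Review bot: The new `cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort` line in the lfs/configroot hunk relies on the source file in the tree already carrying the execute bit, since plain cp copies the source mode; `install -v -m 755 $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort` states the intended mode explicitly and is the usual idiom for installing a script. The $(TARGET) recipe starts outside the hunk.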
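Review bot: In restore_backup() the added block removes /var/ipfire/snort right after running convert-snort without looking at the converter's exit status, so a conversion that aborts part-way (the converter dies when it cannot read its input files) leaves the restored system with neither the old snort configuration nor a migrated one. Run it as `convert-snort || return 1` (or make the rm conditional on the converter's status) so the old directory survives a failed conversion and the restore reports the failure. restore_backup() starts and ends outside the hunk.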
From: Stefan Schantl Date: Tue, 29 Jan 2019 08:50:16 +0100 Subject: [PATCH 159/259] ids-functions.pl: Add set_ownership() function. This function is used to change the ownership of a given file or directory to the user "nobody" and the group "nobody", which is used by the WUI. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 44 +++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 2a358b1cc..d8044b4e8 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -794,4 +794,48 @@ sub generate_ignore_file() { close(FILE); } +# +## Function to set correct ownership for single files and directories. +# + +sub set_ownership($) { + my ($target) = @_; + + # User and group of the WUI. + my $uname = "nobody"; + my $grname = "nobody"; + + # The chown function implemented in perl requies the user and group as nummeric id's. + my $uid = getpwnam($uname); + my $gid = getgrnam($grname); + + # Check if the given target exists. + unless ($target) { + # Stop the script and print error message. + die "The $target does not exist. Cannot change the ownership!\n"; + } + + # Check weather the target is a file or directory. + if (-f $target) { + # Change ownership ot the single file. + chown($uid, $gid, "$target"); + } elsif (-d $target) { + # Do a directory listing. + opendir(DIR, $target) or die $!; + # Loop through the direcory. + while (my $file = readdir(DIR)) { + + # We only want files. + next unless (-f "$target/$file"); + + # Set correct ownership for the files. + chown($uid, $gid, "$target/$file"); + } + + closedir(DIR); + + # Change ownership of the directory. + chown($uid, $gid, "$target"); + } +} 1; From 3c59b1fab85f76f75e0b6bb89cd9c007b2416b57 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 29 Jan 2019 08:58:08 +0100 Subject: [PATCH 160/259] ids-functions.pl: Set correct ownership for the stored error file. 
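Review bot: The existence check in set_ownership() is `unless ($target)`, which only catches an empty argument: a path that does not exist falls through both the -f and the -d branch silently, and the die message would print an empty name; `unless (-e $target) {` matches the comment above it. In the directory branch `-f "$target/$file"` follows symlinks, so chown() would be applied to whatever a symlink inside the directory points at — `next if (-l "$target/$file");` before the -f test keeps the ownership change confined to the directory itself, which matters once the function is applied to $IDS::rulespath after oinkmaster has unpacked a downloaded tarball (update-ids-ruleset hunk later in this series). The listing is also not recursive, so files in subdirectories keep their previous owner (whether that is intended is not visible here), and none of the chown() return values are checked.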
Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index d8044b4e8..efe89b512 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -387,6 +387,9 @@ sub _store_error_message ($) { # Close file. close (ERRORFILE); + + # Set correct ownership for the file. + &set_ownership("$storederrorfile"); } # From 9f9651e06aac68d650be585a7dd15a8a6c502d5c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 29 Jan 2019 09:00:26 +0100 Subject: [PATCH 161/259] logs.cgi/log.dat: Change search pattern from snort to suricata Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/log.dat | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index 03b845433..136fed77c 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat @@ -67,7 +67,7 @@ my %sections = ( 'openvpn' => '(openvpnserver\[.*\]: |.*n2n\[.*\]: )', 'pakfire' => '(pakfire:)', 'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])', - 'snort' => '(snort\[.*\]: )', + 'suricata' => '(suricata\[.*\]: )', 'squid' => '(squid\[.*\]: |squid: )', 'ssh' => '(sshd(?:\(.*\))?\[.*\]: )', 'unbound' => '(unbound: \[.*:.*\])(.*:.*$)', @@ -95,7 +95,7 @@ my %trsections = ( 'openvpn' => 'OpenVPN', 'pakfire' => 'Pakfire', 'red' => 'RED', - 'snort' => "$Lang::tr{'intrusion detection'}", + 'suricata' => "$Lang::tr{'intrusion detection'}", 'squid' => "$Lang::tr{'web proxy'}", 'ssh' => 'SSH', 'unbound' => 'DNS: Unbound', From 4fbd88bfad631b932973321004af3e26b6ca19d5 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 29 Jan 2019 09:01:20 +0100 Subject: [PATCH 162/259] ruleset-sources: Add Emerging-Threads Pro ruleset 
Signed-off-by: Stefan Schantl --- config/suricata/ruleset-sources | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index 20133ac8c..5c8487395 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources @@ -9,3 +9,7 @@ community = https://www.snort.org/downloads/community/community-rules.tar.gz # Emerging threads community rules. emerging = https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz + +# Emerging threads pro rules. +emerging_pro = https://rules.emergingthreatspro.com//suricata-4.0/etpro.rules.tar.gz + From 36e69d34b1a59258bf17b886db323653dac1a13d Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 29 Jan 2019 09:05:29 +0100 Subject: [PATCH 163/259] convert-snort: Use set_ownership() from ids-functions.pl Signed-off-by: Stefan Schantl --- config/suricata/convert-snort | 28 +++------------------------- 1 file changed, 3 insertions(+), 25 deletions(-) diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index dfd83a530..68d6d3379 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -51,14 +51,6 @@ if (-z "$snort_settings_file") { ## needs to be full access-able by the WUI user and group (nobody:nobody). # -# User and group of the WUI. -my $uname = "nobody"; -my $grname = "nobody"; - -# The chown function implemented in perl requies the user and group as nummeric id's. -my $uid = getpwnam($uname); -my $gid = getgrnam($grname); - # Check if the settings directory exists. unless (-d $IDS::settingsdir) { # Create the directory. 
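Review bot: The emerging_pro URL contains a doubled slash (`rules.emergingthreatspro.com//suricata-4.0/...`); it should read `emerging_pro = https://rules.emergingthreatspro.com/suricata-4.0/etpro.rules.tar.gz`. ET Pro is a subscription ruleset and the later ids.cgi change shows the subscription-code field for this source, yet the entry carries no placeholder for the code — unless the downloader splices it in for this provider, the fetch cannot succeed, so this is worth confirming against downloadruleset(). The hunk also adds a trailing blank line at the end of the file.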
@@ -71,26 +63,12 @@ unless (-d $IDS::rulespath) { mkdir($IDS::rulespath); } -# Set correct ownership for the settings and rules folder. -chown($uid, $gid, $IDS::settingsdir); -chown($uid, $gid, $IDS::rulespath); - # Create file layout, if not exists yet. &IDS::check_and_create_filelayout(); -# Set correct ownership for the files - Open settings directory and do a directory listing. -opendir(DIR, $IDS::settingsdir) or die $!; - # Loop through the direcory. - while (my $file = readdir(DIR)) { - - # We only want files. - next unless (-f "$IDS::settingsdir/$file"); - - # Set correct ownership for the files. - chown($uid, $gid, "$IDS::settingsdir/$file"); - } - -closedir(DIR); +# Set correct ownership for settingsdir and rulespath. +&IDS::set_ownership("$IDS::settingsdir"); +&IDS::set_ownership("$IDS::rulespath"); # ## Step 2: Import snort settings and convert to the required format for the new IDS From ca8c92108af8ed2fce390592d8bd536f9caa2458 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 29 Jan 2019 09:09:11 +0100 Subject: [PATCH 164/259] update-ids-ruleset: Set correct ownership for rulesdir and files Signed-off-by: Stefan Schantl --- src/scripts/update-ids-ruleset | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index fe4f83844..05d2ea61b 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -58,6 +58,9 @@ if(&IDS::downloadruleset()) { # Call oinkmaster to alter the ruleset. &IDS::oinkmaster(); +# Set correct ownership for the rulesdir and files. +&IDS::set_ownership("$IDS::rulespath"); + # Check if the IDS is running. if(&IDS::ids_is_running()) { # Call suricatactrl to perform a reload. From 68699ecffff5e8c0d35883403451bec881bd33ec Mon Sep 17 00:00:00 2001 
From: Stefan Schantl Date: Tue, 29 Jan 2019 11:23:54 +0100 Subject: [PATCH 165/259] Revert "Add DDNS to core 107." This reverts commit 197033fab234d4698b097fdb1b653b8ae39b1aae. --- config/rootfiles/core/107/filelists/ddns | 1 - 1 file changed, 1 deletion(-) delete mode 120000 config/rootfiles/core/107/filelists/ddns diff --git a/config/rootfiles/core/107/filelists/ddns b/config/rootfiles/core/107/filelists/ddns deleted file mode 120000 index 739516420..000000000 --- a/config/rootfiles/core/107/filelists/ddns +++ /dev/null @@ -1 +0,0 @@ -../../../common/ddns \ No newline at end of file From 80592396611f06069a05494da2b228aad29af72a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Wed, 23 Jan 2019 21:22:41 +0100 Subject: [PATCH 166/259] Suricata: drop unused cuda HW acceleration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As stated in https://bugzilla.ipfire.org/show_bug.cgi?id=11808#c5 , Cuda hardware acceleration is unused and so the configuration file section can be removed. This partially addresses #11808. Signed-off-by: Peter Müller Cc: Stefan Schantl Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 35 ----------------------------------- 1 file changed, 35 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 94e13f501..55b6c05cf 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -933,41 +933,6 @@ profiling: filename: pcaplog_stats.log append: yes -## -## Hardware accelaration -## - -# Cuda configuration. -cuda: - # The "mpm" profile. On not specifying any of these parameters, the engine's - # internal default values are used, which are same as the ones specified in - # in the default conf file. - mpm: - # The minimum length required to buffer data to the gpu. - # Anything below this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - # A value of 0 indicates there's no limit. - data-buffer-size-min-limit: 0 - # The maximum length for data that we would buffer to the gpu. - # Anything over this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - data-buffer-size-max-limit: 1500 - # The ring buffer size used by the CudaBuffer API to buffer data. - cudabuffer-buffer-size: 500mb - # The max chunk size that can be sent to the gpu in a single go. - gpu-transfer-size: 50mb - # The timeout limit for batching of packets in microseconds. - batching-timeout: 2000 - # The device to use for the mpm. Currently we don't support load balancing - # on multiple gpus. In case you have multiple devices on your system, you - # can specify the device to use, using this conf. By default we hold 0, to - # specify the first device cuda sees. To find out device-id associated with - # the card(s) on the system run "suricata --list-cuda-cards". - device-id: 0 - # No of Cuda streams used for asynchronous processing. All values > 0 are valid. - # For this option you need a device with Compute Capability > 1.0. - cuda-streams: 2 - ## ## Include other configs ## From 17c2c09bcc50376ef805a194eec8688a3dfcbc29 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 29 Jan 2019 12:03:37 +0000 Subject: [PATCH 167/259] suricata: Scan outgoing traffic, too Connections from the firewall and through the proxy must be filtered, too Signed-off-by: Michael Tremer 
Signed-off-by: Stefan Schantl --- src/initscripts/system/firewall | 1 + 1 file changed, 1 insertion(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9a79cb1aa..a4fcee2ce 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -189,6 +189,7 @@ iptables_init() { iptables -N IPS iptables -A INPUT -j IPS iptables -A FORWARD -j IPS + iptables -A OUTPUT -j IPS # Block non-established IPsec networks iptables -N IPSECBLOCK From bc4a2223cccc4165f213ec3520aee23b2550a4d2 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 09:25:34 +0100 Subject: [PATCH 168/259] ids.cgi: Remove help text for obtaining an oinkcode This information is only valid for sourcefire (snort) rulesets, may confuse users and therefore should be handled in the wiki. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 6807e9e05..fa5bf2399 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -798,10 +798,7 @@ print < - + From 029b8ed2b1e039d216fc974db413cd5f3f718a3d Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 09:27:37 +0100 Subject: [PATCH 169/259] ids.cgi: Show/Hide subscription code area dynamically. Dynamically (Java Script) show/hide the area for entering the subscription code / oinkcode based on the choosen ruleset. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index fa5bf2399..6fbc0b7b7 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -612,6 +612,22 @@ $selected{'AUTOUPDATE_INTERVAL'}{$rulessettings{'AUTOUPDATE_INTERVAL'}} = "selec ### Java Script ### print < + // JQuery function to show/hide the text input field for + // Oinkcode/Subscription code. + \$(function() { + \$('#RULES').change(function(){ + if(\$('#RULES').val() == 'registered') { + \$('#code').show(); + } else if(\$('#RULES').val() == 'subscripted') { + \$('#code').show(); + } else if(\$('#RULES').val() == 'emerging_pro') { + \$('#code').show(); + } else { + \$('#code').hide(); + } + }); + }); + // Tiny java script function to show/hide the rules // of a given category. function showhide(tblname) { @@ -780,7 +796,7 @@ print < - - - + + From 674912fc3abe6283566c4e51a5360dcbf5850f36 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 09:33:47 +0100 Subject: [PATCH 170/259] ids.cgi: Draw daemon status and setting in the same box. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 6fbc0b7b7..1bb193ad9 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -696,7 +696,6 @@ END
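Review bot: The three `else if` branches in the #RULES change handler all do the same show(), so a membership test reads better and is easier to extend when another code-requiring source appears: `var need_code = ['registered', 'subscripted', 'emerging_pro'];` followed by `\$('#code').toggle(need_code.indexOf(\$('#RULES').val()) !== -1);` (keeping the `\$` escapes, since this sits inside a Perl heredoc). The handler only fires on change, so the initial visibility of #code on page load has to come from the server-rendered markup, which is not part of this hunk. Showing or hiding the field is cosmetic only; the save path still has to verify that a code was supplied for those sources.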
\n"; - print "$Lang::tr{$zone}\n"; + print "\n"; + print " $Lang::tr{'enabled on'} $Lang::tr{$zone}\n"; print "\n"; print "\n"; - print " $Lang::tr{'enabled on'} $Lang::tr{$zone}\n"; + print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; print "
-
$Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}
-
$Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'}
-


Oinkcode: 
END } -&Header::closebox(); my $rulesdate; @@ -709,10 +708,10 @@ if ( -f "$IDS::rulestarball"){ $rulesdate = localtime($Info[9]); } -# Draw elements for IDS configuration. -&Header::openbox('100%', 'center', $Lang::tr{'settings'}); - print <

$Lang::tr{'settings'}

+
From d618d67e010e94e1ef26f2570abe9d6748e90416 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 09:39:17 +0100 Subject: [PATCH 171/259] ids.cgi: Only show "update ruleset" button if a ruleset is present Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 1bb193ad9..61993a243 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -826,19 +826,10 @@ print < END ; - # Check if a ruleset source has been configured yet. - unless($rulessettings{'RULES'}) { - # If no ruleset settings have been saved yet, disable the button to download / update the ruleset. - print"\n"; - } else { - # Ruleset setting have been saved. - Check if a ruleset already is downloaded. + # Check if a ruleset has been downloaded yet. if (%idsrules) { - # Allow to press the button and show it as "update ruleset". + # Display button to update the ruleset. print"\n"; - } else { - # Also allow to press the button, but show it as "download new ruleset". - print"\n"; - } } print < From 34a3843865bfcb6c88cb10773570b96cd61363d6 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 09:42:28 +0100 Subject: [PATCH 172/259] ids.cgi: Add dropdown option for Emergingthreats.net Pro rules. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 1 + langs/en/cgi-bin/en.pl | 1 + 2 files changed, 2 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 61993a243..1086ae968 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -797,6 +797,7 @@ print < \n"; print"\n"; print"\n"; print"\n"; diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 5a7d3af03..445473813 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1358,6 +1358,7 @@ 'ids automatic rules update' => 'Automatic rules update', 'ids traffic analyze' => 'Traffic analyzing', 'ids active on' => 'Active on', +'ids hide' => 'Hide', 'ids log viewer' => 'IDS log viewer', 'ids logs' => 'IDS Logs', 'ids monitored interfaces' => 'Monitored interfaces', @@ -1371,6 +1372,7 @@ 'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to', 'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.', 'ids rules update' => 'IDS rules', +'ids show' => 'Show', 'iface' => 'Iface', 'ignore filter' => 'Ignore filter', 'ike encryption' => 'IKE Encryption:', From d6f725e1857b19fefce67fc3bb63f7a379f549d4 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 10:57:31 +0100 Subject: [PATCH 177/259] update-ids-ruleset: Improve error reporting if the system is offline Signed-off-by: Stefan Schantl --- src/scripts/update-ids-ruleset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 05d2ea61b..d988d2556 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -31,7 +31,7 @@ unless (-e "${General::swroot}/red/active") { &IDS::_log_to_syslog("The system is offline."); # Store error message for displaying in the WUI. - &IDS::_store_error_message("$Lang::tr{'could not download latest updates'}"); + &IDS::_store_error_message("$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"); # Exit. exit 0; From 77c3130174cd492f0bae12205cfd3000b9b7798c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 11:57:49 +0100 Subject: [PATCH 178/259] ids-functions.pl: Add get_aliases() This subfunction is used to get all configured and enabled aliases for the RED network zone. They will be returned as an array. 
Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 46 +++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index efe89b512..114d5763d 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -841,4 +841,50 @@ sub set_ownership($) { chown($uid, $gid, "$target"); } } + +# +## Function to read-in the aliases file and returns all configured and enabled aliases. +# +sub get_aliases() { + # Location of the aliases file. + my $aliases_file = "${General::swroot}/ethernet/aliases"; + + # Array to store the aliases. + my @aliases; + + # Check if the file is empty. + if (-z $aliases_file) { + # Abort nothing to do. + return; + } + + # Open the aliases file. + open(ALIASES, $aliases_file) or die "Could not open $aliases_file. $!\n"; + + # Loop through the file content. + while (my $line = ) { + # Remove newlines. + chomp($line); + + # Splitt line content into single chunks. + my ($address, $state, $remark) = split(/\,/, $line); + + # Check if the state of the current processed alias is "on". + if ($state eq "on") { + # Check if the address is valid. + if(&Network::check_ip_address($address)) { + # Add the alias to the array of aliases. + push(@aliases, $address); + } + } + } + + # Close file handle. + close(ALIASES); + + # Return the array. + return @aliases; +} + + 1; From 23c0347ac5d386e215c56ae9fa3af97e66f1c23f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 12:04:54 +0100 Subject: [PATCH 179/259] ids-functions.pl: Add RED address and aliases to the HOME_NET Reference: #11981 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 114d5763d..a7c158522 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
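Review bot: get_aliases() returns early only for an existing-but-empty aliases file (`-z`); when the file is absent, -z is false, open() dies and takes the caller down with it — and the caller added later in this series is generate_home_net_file(), which runs from the web UI. `return unless (-s $aliases_file);` covers both the missing and the empty case with one test. Lines that do not split into three fields leave $state undefined, so `$state eq "on"` emits 'uninitialized value' warnings; `next unless defined $state;` keeps the log clean.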
@@ -597,9 +597,6 @@ sub generate_home_net_file() { # Loop through the array of available network zones. foreach my $zone (@network_zones) { - # Skip the red network - It never can be part to the home_net! - next if($zone eq "red"); - # Convert current zone name into upper case. $zone = uc($zone); @@ -622,6 +619,24 @@ sub generate_home_net_file() { # Add the generated network to the array of networks. push(@networks, $network); } + + # Check if the current processed zone is red. + if($zone eq "RED") { + # Check if the configured RED_TYPE is static. + if ($netsettings{'RED_TYPE'} eq "STATIC") { + # Get configured and enabled aliases. + my @aliases = &get_aliases(); + + # Loop through the array. + foreach my $alias (@aliases) { + # Add "/32" prefix. + my $network = join("/", $alias, "32"); + + # Add the generated network to the array of networks. + push(@networks, $network); + } + } + } } # Format home net declaration. From c9b07d6a0cdb54c71d5aef4a75c40d505585a0fe Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 13:43:38 +0100 Subject: [PATCH 180/259] initscripts/suricata: Generate firewall rules on start and reload Fixes #11978 Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 121 +++++++++++++++++++++----------- 1 file changed, 81 insertions(+), 40 deletions(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 99097a8e3..b406b920a 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -35,52 +35,81 @@ MASK="0x2" # PID file of suricata. PID_FILE="/var/run/suricata.pid" +# Function to get the amount of CPU cores of the system. +function get_cpu_count { + CPUCOUNT=0 + + # Loop through "/proc/cpuinfo" and count the amount of CPU cores. + while read line; do + [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++)) + done /dev/null 2>/dev/null 
@@ -117,6 +152,12 @@ case "$1" in # Send SIGUSR2 to the suricata process to perform a reload # of the ruleset. kill -USR2 $(pidof suricata) + + # Flush the firewall chain. + flush_fw_chain + + # Generate firewall rules. + generate_fw_rules ;; *) From 912d7472a86b1347f3165c1850ed05ba2b7b641f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 31 Jan 2019 08:55:05 +0100 Subject: [PATCH 181/259] ids.cgi: Automatically download ruleset if the ruleset source has been changed. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index ba2136b2f..ae644876c 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -323,8 +323,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'}); } - # Check if a ruleset is present - if not download it. - unless (%idsrules) { + # Check if a ruleset is present - if not or the source has been changed download it. + unless ((%idsrules) || ($oldsettings{'RULES'} eq $cgiparams{'RULES'})) { # Check if the red device is active. unless (-e "${General::swroot}/red/active") { $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; From de8e1e5b6ce6c8d82dc8e67c92af338206252dc2 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 31 Jan 2019 09:41:35 +0100 Subject: [PATCH 182/259] ids-functions.pl: Add function to the the current assigned IP-address of RED. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index a7c158522..1f782b5c1 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
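Review bot: In the reload case the IPS chain is emptied by flush_fw_chain and only afterwards rebuilt by generate_fw_rules, so between the two calls packets traversing the chain are not handed to suricata at all; whether they are then dropped or pass unfiltered depends on the chain's policy, which is not visible here. Building the new rules into a fresh chain and swapping the jump, or inserting the new rules before deleting the old ones, removes that window. The first hunk of this commit, which defines these helpers, is too mangled in this view to review.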
@@ -901,5 +901,36 @@ sub get_aliases() { return @aliases; } +# +## Function to grab the current assigned IP-address on red. +# +sub get_red_address() { + # File, which contains the current IP-address of the red interface. + my $file = "${General::swroot}/red/local-ipaddress"; + + # Check if the file exists. + if (-e $file) { + # Open the given file. + open(FILE, "$file") or die "Could not open $file."; + + # Obtain the address from the first line of the file. + my $address = ; + + # Close filehandle + close(FILE); + + # Remove newlines. + chomp $address; + + # Check if the grabbed address is valid. + if (&General::validip($address)) { + # Return the address. + return $address; + } + } + + # Return nothing. + return; +} 1; From bcbc9897e392a237105fc2e12af2323804bd2a42 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 31 Jan 2019 09:50:47 +0100 Subject: [PATCH 183/259] ids-functions.pl: Grab address for RED by using get_red_address() function. Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 61 ++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 24 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 1f782b5c1..4452b4be3 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
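Review bot: get_red_address() guards with `-e $file`, which is also true for an empty file; the read then yields undef, chomp warns and &General::validip() is called with an undefined value. `if (-s $file) {` (exists and is non-empty) closes that gap, and `die "Could not open $file. $!\n";` would match get_aliases() just above by including the OS error and ending with a newline so Perl does not append the script location. This helper validates with General::validip() while get_aliases() uses Network::check_ip_address(); settling on one keeps the two address sources consistent.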
@@ -597,31 +597,20 @@ sub generate_home_net_file() { # Loop through the array of available network zones. foreach my $zone (@network_zones) { - # Convert current zone name into upper case. - $zone = uc($zone); - - # Generate key to access the required data from the netsettings hash. - my $zone_netaddress = $zone . "_NETADDRESS"; - my $zone_netmask = $zone . "_NETMASK"; - - # Obtain the settings from the netsettings hash. - my $netaddress = $netsettings{$zone_netaddress}; - my $netmask = $netsettings{$zone_netmask}; - - # Convert the subnetmask into prefix notation. - my $prefix = &Network::convert_netmask2prefix($netmask); - - # Generate full network string. - my $network = join("/", $netaddress,$prefix); - - # Check if the network is valid. - if(&Network::check_subnet($network)) { - # Add the generated network to the array of networks. - push(@networks, $network); - } - # Check if the current processed zone is red. - if($zone eq "RED") { + if($zone eq "red") { + # Grab the IP-address of the red interface. + my $red_address = &get_red_address(); + + # Check if an address has been obtained. + if ($red_address) { + # Generate full network string. + my $red_network = join("/", $red_address, "32"); + + # Add the red network to the array of networks. + push(@networks, $red_network); + } + # Check if the configured RED_TYPE is static. if ($netsettings{'RED_TYPE'} eq "STATIC") { # Get configured and enabled aliases. 
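Review bot: With this change generate_home_net_file() bakes the current RED address into the HOME_NET file, so for a dynamically addressed RED (the STATIC case is only special for the aliases) the file goes stale after every reconnect unless it is regenerated from the red-up hooks — nothing in this series shows that hook, so it is worth confirming. A short comment on the red branch would help the next reader, e.g. `# The RED address is volatile on dynamic uplinks; this file must be regenerated whenever RED comes up.`. generate_home_net_file() starts outside the hunk and continues in the next one.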
@@ -636,6 +625,30 @@ sub generate_home_net_file() { push(@networks, $network); } } + # Process remaining network zones. + } else { + # Convert current zone name into upper case. + $zone = uc($zone); + + # Generate key to access the required data from the netsettings hash. + my $zone_netaddress = $zone . "_NETADDRESS"; + my $zone_netmask = $zone . "_NETMASK"; + + # Obtain the settings from the netsettings hash. + my $netaddress = $netsettings{$zone_netaddress}; + my $netmask = $netsettings{$zone_netmask}; + + # Convert the subnetmask into prefix notation. + my $prefix = &Network::convert_netmask2prefix($netmask); + + # Generate full network string. + my $network = join("/", $netaddress,$prefix); + + # Check if the network is valid. + if(&Network::check_subnet($network)) { + # Add the generated network to the array of networks. + push(@networks, $network); + } } } From 067e1847dc1012316b23d7eb8dba8e25a65cd757 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 1 Feb 2019 14:34:25 +0100 Subject: [PATCH 184/259] suricata.yaml: Add port 222 to list of SSH Ports The SSH-server listened on port "222" as default on IPFire in the past. Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 55b6c05cf..48035a67e 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -31,7 +31,7 @@ vars: HTTP_PORTS: "80" SHELLCODE_PORTS: "!80" ORACLE_PORTS: 1521 - SSH_PORTS: 22 + SSH_PORTS: "[22,222]" DNP3_PORTS: 20000 MODBUS_PORTS: 502 FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" From 4924cfdc7312ce8c31101fefebf3f0371e7cd779 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 11:55:37 +0100 Subject: [PATCH 185/259] ids-functions.pl: Fix show HTTP error code and message Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
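Review bot: `$zone = uc($zone);` inside `foreach my $zone (@network_zones)` writes through the loop alias into @network_zones, so after this function runs the array holds upper-case names for every zone except red; if @network_zones is a module-level array shared with callers, anything iterating it afterwards (ids.cgi compares `$zone eq "red"` on the lower-case form) sees the mutated values. This is carried over from the old code, but since the hunk re-indents it anyway the fix is cheap: `my $zone_upper = uc($zone);` and build `$zone_netaddress`/`$zone_netmask` from that, as ids.cgi already does. The enclosing function starts before this hunk.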
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 4452b4be3..98bf5806b 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -222,7 +222,7 @@ sub downloadruleset { # Check if there was any error. unless ($response->is_success) { # Obtain error. - my $error = $response->content; + my $error = $response->status_line(); # Log error message. &_log_to_syslog("Unable to download the ruleset. \($error\)"); @@ -232,7 +232,7 @@ sub downloadruleset { } # Assign the fetched header object. - my $header = $response->headers; + my $header = $response->headers(); # Grab the remote file size from the object and store it in the # variable. From 81592314ebe93ae942f28a1bc9037185f155ccda Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 12:01:43 +0100 Subject: [PATCH 186/259] ids-functions.pl: Use GET method to fetch Header data of a file The sourcfire web servers does not support the HEAD request so we have to do this with a GET here. Fixes #11987 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 98bf5806b..afccf4326 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -211,7 +211,7 @@ sub downloadruleset { } # Pass the requrested url to the downloader. - my $request = HTTP::Request->new(HEAD => $url); + my $request = HTTP::Request->new(GET => $url); # Accept the html header. $request->header('Accept' => 'text/html'); From b7a9b4edc28a678cd9d2b01e0ab6304597409860 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 12:13:28 +0100 Subject: [PATCH 187/259] ids.cgi: Update automatic download texts Update the showed texts in the dropdown box as mentioned in the bug report. Fixes #11985 
Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 6 +++--- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index ae644876c..56d39fd60 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -859,9 +859,9 @@ print < diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 3df9470d2..0912c89ff 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -83,6 +83,8 @@ 'ConnSched time' => 'Zeit:', 'ConnSched up' => 'Herauf', 'ConnSched weekdays' => 'Wochentage:', +'Daily' => 'Täglich', +'Disabled' => 'Deaktiviert', 'Edit an existing route' => 'Eine existierende Route editieren', 'Enter TOS' => 'Aktivieren oder deaktivieren Sie die TOS-Bits
und klicken Sie danach auf Speichern.', 'Existing Files' => 'Dateien in der Datenbank', @@ -121,6 +123,7 @@ 'Utilization on' => 'Auslastung auf', 'Verbose' => 'Verbose', 'WakeOnLan' => 'Wake On LAN', +'Weekly' => 'Wöchentlich', 'a ca certificate with this name already exists' => 'Ein CA-Zertifikat mit diesem Namen existiert bereits.', 'a connection with this common name already exists' => 'Eine Verbindung mit diesem gemeinsamen Namen existiert bereits.', 'a connection with this name already exists' => 'Eine Verbindung mit diesem Namen existiert bereits.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 445473813..781df25cf 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -83,6 +83,8 @@ 'ConnSched time' => 'Time:', 'ConnSched up' => 'Up', 'ConnSched weekdays' => 'Days of the week:', +'Daily' => 'Daily', +'Disabled' => 'Disabled', 'Edit an existing route' => 'Edit an existing route', 'Enter TOS' => 'Activate or deactivate TOS-bits
and then press Save.', 'Existing Files' => 'Files in database', @@ -121,6 +123,7 @@ 'Utilization on' => 'Utilization on', 'Verbose' => 'Verbose:', 'WakeOnLan' => 'Wake On Lan', +'Weekly' => 'Weekly', 'a ca certificate with this name already exists' => 'A CA certificate with this name already exists.', 'a connection with this common name already exists' => 'A connection with this common name already exists.', 'a connection with this name already exists' => 'A connection with this name already exists.', From 5709768b0bab2b860911fcad66da8e0aec5c4eaa Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 12:36:30 +0100 Subject: [PATCH 188/259] ids.cgi: Fix downloading rules if source changed Fix the if statement to detect wheater the ruleset has been changed and automatically download the new one. Fixes #11984. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 56d39fd60..151181fdc 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -324,7 +324,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { } # Check if a ruleset is present - if not or the source has been changed download it. - unless ((%idsrules) || ($oldsettings{'RULES'} eq $cgiparams{'RULES'})) { + if((! %idsrules) || ($oldsettings{'RULES'} ne $cgiparams{'RULES'})) { # Check if the red device is active. unless (-e "${General::swroot}/red/active") { $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; From 97870bf29cd93669beef30b876e21f2fed5d6405 Mon Sep 17 00:00:00 2001 
From: Stefan Schantl Date: Tue, 5 Feb 2019 12:43:49 +0100 Subject: [PATCH 189/259] ids.cgi: Stop suricata when the rulest source has been changed If the ruleset source has been changed, it has to be configured again. This happens because of different rule categories, filenames rule ID's etc. In case suricata currently is running it has to be stopped and after the configuration has been done by the user, it can be launched again. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 151181fdc..1f096aea4 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -352,6 +352,14 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { &IDS::oinkmaster(); } + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to stop the IDS - because of the changed + # ruleset - the use has to configure it before suricata can be + # used again. + &IDS::call_suricatactrl("stop"); + } + # Perform a reload of the page. &reload(); } From 318e7137e79f29574a5cc9677615a48b2a9b3e40 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 13:25:27 +0100 Subject: [PATCH 190/259] IDS: Rename IDS strings to IPS Reference: #11986 Signed-off-by: Stefan Schantl --- langs/de/cgi-bin/de.pl | 18 +++++++++--------- langs/en/cgi-bin/en.pl | 16 ++++++++-------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 0912c89ff..12975a2df 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
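Review bot: Stopping suricata here does not touch the stored `ENABLE_IDS` setting, so the IPS stays down only until the next boot, when the initscript (`if [ "$ENABLE_IDS" == "on" ]` in src/initscripts/system/suricata, later in this series) would start it again against the freshly downloaded but still unconfigured ruleset — the state the commit message says must be avoided. Either clear the enable flag in the settings file alongside the stop, or make the initscript refuse to start while no rule file is enabled, and tell the user on the page that the IPS has been stopped rather than doing it silently. The comment also reads `the use has to configure it`; it should be `the user`. The surrounding save handler starts before this hunk.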
@@ -1330,8 +1330,8 @@ 'ids automatic rules update' => 'Automatische Regeln-Aktualisierung', 'ids traffic analyze' => 'Packet-Analyse', 'ids active on' => 'Aktiv auf', -'ids log viewer' => 'Ansicht IDS-Protokoll', -'ids logs' => 'IDS-Protokolldateien', +'ids log viewer' => 'Ansicht IPS-Protokoll', +'ids logs' => 'IPS-Protokolldateien', 'ids monitored interfaces' => 'Überwachte Netzwerkzonen', 'ids monitor traffic only' => 'Netzwerk-Pakete nur überpfrüfen', 'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!', @@ -1342,7 +1342,7 @@ 'ids rules license1' => ' registrieren.', 'ids rules license2' => 'Bestätigen Sie die Lizenz; aktivieren Sie Ihren Account, indem Sie auf den Link, den Sie per Mail erhalten haben, klicken. Gehen Sie dann zu', 'ids rules license3' => 'klicken Sie den "Generate code"-Knopf und kopieren Sie den 40-Zeichen Oinkcode in das untere Feld.', -'ids rules update' => 'IDS-Regeln', +'ids rules update' => 'IPS-Regeln', 'iface' => 'Iface', 'ignore filter' => '"Ignorieren"-Filter', 'ike encryption' => 'IKE Verschlüsselung:', 
@@ -1375,12 +1375,12 @@ 'interface' => 'Schnittstelle', 'interfaces' => 'Interfaces', 'internet' => 'INTERNET', -'intrusion detection' => 'Einbruchdetektierung', -'intrusion detection system' => 'Einbruchsdetektierung', -'intrusion detection system log viewer' => 'Betrachter der IDS-Protokolldateien', -'intrusion detection system rules' => 'Regeln für die Einbruchsdetektierung', -'intrusion detection system2' => 'Intrusion Detection System', -'intrusion prevention system' => 'Intrusion Prevention System', +'intrusion detection' => 'Intrusion-Prevention', +'intrusion detection system' => 'Intrusion-Prevention-System', +'intrusion detection system log viewer' => 'Betrachter der IPS-Protokolldateien', +'intrusion detection system rules' => 'Regelset', +'intrusion detection system2' => 'Intrusion-Prevention-System', +'intrusion prevention system' => 'Intrusion-Prevention-System', 'invalid broadcast ip' => 'Ungültige Broadcast-IP', 'invalid cache size' => 'Ungültige Cache-Größe.', 'invalid characters found in pre-shared key' => 'Ungültige Zeichen im Pre-Shared Schlüssel gefunden.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 781df25cf..0316683e6 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1362,8 +1362,8 @@ 'ids traffic analyze' => 'Traffic analyzing', 'ids active on' => 'Active on', 'ids hide' => 'Hide', -'ids log viewer' => 'IDS log viewer', -'ids logs' => 'IDS Logs', +'ids log viewer' => 'IPS log viewer', +'ids logs' => 'IPS Logs', 'ids monitored interfaces' => 'Monitored interfaces', 'ids monitor traffic only' => 'Monitor traffic only', 'ids no network zone' => 'At least one network zone has to be monitored!', 
@@ -1374,7 +1374,7 @@ 'ids rules license1' => '.', 'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to', 'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.', -'ids rules update' => 'IDS rules', +'ids rules update' => 'IPS rules', 'ids show' => 'Show', 'iface' => 'Iface', 'ignore filter' => 'Ignore filter', @@ -1409,11 +1409,11 @@ 'interface' => 'Interface', 'interfaces' => 'Interfaces', 'internet' => 'INTERNET', -'intrusion detection' => 'Intrusion Detection', -'intrusion detection system' => 'Intrusion Detection System', -'intrusion detection system log viewer' => 'Intrusion Detection System Log Viewer', -'intrusion detection system rules' => 'intrusion detection system rules', -'intrusion detection system2' => 'Intrusion Detection System', +'intrusion detection' => 'Intrusion Prevention', +'intrusion detection system' => 'Intrusion Prevention System', +'intrusion detection system log viewer' => 'Intrusion Prevention System Log Viewer', +'intrusion detection system rules' => 'Ruleset', +'intrusion detection system2' => 'Intrusion Prevention System', 'intrusion prevention system' => 'Intrusion Prevention System', 'invalid broadcast ip' => 'Invalid broadcast IP', 'invalid cache size' => 'Invalid cache size.', From cc9057c0148cddb231be85caa4c38d4cf721f0c3 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 13:51:08 +0100 Subject: [PATCH 191/259] ids.cgi: Change lang string from "Activate IPS" to "Enable IPS" Reference #11986 Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 2 +- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 1f096aea4..442105356 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -775,7 +775,7 @@ if (%idsrules) {
- - \n"; } -print < -
- $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'} +

$Lang::tr{'settings'}

+ + + + + + + + - - + + + + + + - - - - - - + + + - - - - - + END ; -# Loop through the array of available networks and print config options. -foreach my $zone (@network_zones) { - my $checked_input; - my $checked_forward; + # Loop through the array of available networks and print config options. + foreach my $zone (@network_zones) { + my $checked_input; + my $checked_forward; - # Convert current zone name to upper case. - my $zone_upper = uc($zone); + # Convert current zone name to upper case. + my $zone_upper = uc($zone); - # Set zone name. - my $zone_name = $zone; + # Set zone name. + my $zone_name = $zone; - # Dirty hack to get the correct language string for the red zone. - if ($zone eq "red") { - $zone_name = "red1"; + # Dirty hack to get the correct language string for the red zone. + if ($zone eq "red") { + $zone_name = "red1"; + } + + # Grab checkbox status from settings hash. + if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") { + $checked_input = "checked = 'checked'"; + } + + print "\n"; } - # Grab checkbox status from settings hash. - if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") { - $checked_input = "checked = 'checked'"; - } +print < +
+ $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'} + + $Lang::tr{'ids monitor traffic only'}
- $Lang::tr{'ids monitor traffic only'} -
















$Lang::tr{'ids monitored interfaces'}
$Lang::tr{'ids monitored interfaces'}
\n"; + print "\n"; + print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; + print "
+ +

+ + + + + +
+ +END +; - print "
\n"; - print "\n"; - print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; - print "
- -

- - - - - -
- -END -; - &Header::closebox(); # Draw elements for ruleset configuration. From e0cec9fe99c957a686182f6002185744edd8254d Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 30 Jan 2019 10:53:17 +0100 Subject: [PATCH 176/259] ids.cgi: Dynamically generate SHOW/HIDE for expanding or collapsing a ruleset category Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 18 ++++++++++++++++-- langs/en/cgi-bin/en.pl | 2 ++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 604d216c8..ba2136b2f 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -644,8 +644,13 @@ $selected{'AUTOUPDATE_INTERVAL'}{$rulessettings{'AUTOUPDATE_INTERVAL'}} = "selec &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); ### Java Script ### +print" END @@ -1043,7 +1057,7 @@ if (%idsrules) { print"
$rulefile\n"; - print"SHOW\n"; + print"$Lang::tr{'ids show'}\n"; print"
- $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'} + $Lang::tr{'ids enable'} $Lang::tr{'intrusion detection system'} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 12975a2df..8497ce4c3 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1326,10 +1326,10 @@ 'idle' => 'Leerlauf', 'idle timeout' => 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):', 'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.', -'ids activate' => 'Aktiviere', 'ids automatic rules update' => 'Automatische Regeln-Aktualisierung', 'ids traffic analyze' => 'Packet-Analyse', 'ids active on' => 'Aktiv auf', +'ids enable' => 'Aktiviere', 'ids log viewer' => 'Ansicht IPS-Protokoll', 'ids logs' => 'IPS-Protokolldateien', 'ids monitored interfaces' => 'Überwachte Netzwerkzonen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0316683e6..2ff4cfa49 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1357,10 +1357,10 @@ 'idle' => 'Idle', 'idle timeout' => 'Idle timeout (mins; 0 to disable):', 'idle timeout not set' => 'Idle timeout not set.', -'ids activate' => 'Activate', 'ids automatic rules update' => 'Automatic rules update', 'ids traffic analyze' => 'Traffic analyzing', 'ids active on' => 'Active on', +'ids enable' => 'Enable', 'ids hide' => 'Hide', 'ids log viewer' => 'IPS log viewer', 'ids logs' => 'IPS Logs', From af0065691c6d3fcb14c646d1ec0b9c83bdd3313d Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 13:57:40 +0100 Subject: [PATCH 192/259] suricata: Do not display messages when starting up Fixes #11979. Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index b406b920a..458aed44d 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata 
@@ -112,7 +112,7 @@ case "$1" in if [ "$ENABLE_IDS" == "on" ]; then # Start the IDS. boot_mesg "Starting Intrusion Detection System..." - /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES + /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null evaluate_retval # Allow reading the pidfile. From 9e9b477d7c4fbad483f6307cf63bf475dd79141b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 14:14:11 +0100 Subject: [PATCH 193/259] ids.cgi: Rework "Enable IPS" section Just use one language string for a maximum of flexiblity for the transloators. Fixes #11986 Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 4 ++-- langs/de/cgi-bin/de.pl | 2 +- langs/en/cgi-bin/en.pl | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 442105356..1235d4776 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -775,11 +775,11 @@ if (%idsrules) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 8497ce4c3..e2aa1861d 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1329,7 +1329,7 @@ 'ids automatic rules update' => 'Automatische Regeln-Aktualisierung', 'ids traffic analyze' => 'Packet-Analyse', 'ids active on' => 'Aktiv auf', -'ids enable' => 'Aktiviere', +'ids enable' => 'Intrusion-Prevention-System aktivieren', 'ids log viewer' => 'Ansicht IPS-Protokoll', 'ids logs' => 'IPS-Protokolldateien', 'ids monitored interfaces' => 'Überwachte Netzwerkzonen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2ff4cfa49..5c44ee9b1 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
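Review bot: Redirecting both stdout and stderr to /dev/null hides the reason when suricata refuses to start (config parse error, unreadable rule file, queue setup failure), and `evaluate_retval` only reports the exit status, so a startup failure becomes a bare failure marker with nothing to investigate. If the goal is just a quiet boot console, keep the output somewhere: `/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES 2>&1 | logger -t suricata` or an append to the IPS log file (path to be confirmed against the logging section of suricata.yaml). A daemonised suricata may also return 0 before rule loading has finished, depending on the version, so this exit status alone is not a reliable health check. The `case` block continues outside the hunk.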
@@ -1360,7 +1360,7 @@ 'ids automatic rules update' => 'Automatic rules update', 'ids traffic analyze' => 'Traffic analyzing', 'ids active on' => 'Active on', -'ids enable' => 'Enable', +'ids enable' => 'Enable Intrusion Prevention System', 'ids hide' => 'Hide', 'ids log viewer' => 'IPS log viewer', 'ids logs' => 'IPS Logs', From 422dc4caf97696ac34b65410784f22875f3412c0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 5 Feb 2019 14:34:44 +0100 Subject: [PATCH 194/259] ids.cgi: Fix HTML formated spaces. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 1235d4776..388abf2d7 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -775,11 +775,11 @@ if (%idsrules) {
- $Lang::tr{'ids enable'} $Lang::tr{'intrusion detection system'} +  $Lang::tr{'ids enable'} - $Lang::tr{'ids monitor traffic only'} +  $Lang::tr{'ids monitor traffic only'}
@@ -821,7 +821,7 @@ END print "\n"; } From c17a9778d62d964ac7d8e8da156ba0f08baf8748 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Feb 2019 10:00:17 +0100 Subject: [PATCH 195/259] Revert "ids-functions.pl: Use GET method to fetch Header data of a file" Using the GET method will download the file twice and does not provide the desired mechanism here. This reverts commit 81592314ebe93ae942f28a1bc9037185f155ccda. --- config/cfgroot/ids-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index afccf4326..98bf5806b 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -211,7 +211,7 @@ sub downloadruleset { } # Pass the requrested url to the downloader. - my $request = HTTP::Request->new(GET => $url); + my $request = HTTP::Request->new(HEAD => $url); # Accept the html header. $request->header('Accept' => 'text/html'); From 155b3b56a8e4c8765c473b853445e2957b0b852f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Feb 2019 10:58:59 +0100 Subject: [PATCH 196/259] ids-functions.pl: Do not send HEAD requests to sourcefire (snort.org) servers Using this feature to fetch the size of the requested tarball is not allowed by these servers, so skip this feature for their rulesets. Fixes #11987 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 53 +++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 98bf5806b..45159ffe9 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl 
@@ -210,34 +210,43 @@ sub downloadruleset { return 1; } - # Pass the requrested url to the downloader. - my $request = HTTP::Request->new(HEAD => $url); + # Variable to store the filesize of the remote object. + my $remote_filesize; - # Accept the html header. - $request->header('Accept' => 'text/html'); + # The sourcfire (snort rules) does not allow to send "HEAD" requests, so skip this check + # for this webserver. + # + # Check if the ruleset source contains "snort.org". + unless ($url =~ /\.snort\.org/) { + # Pass the requrested url to the downloader. + my $request = HTTP::Request->new(HEAD => $url); - # Perform the request and fetch the html header. - my $response = $downloader->request($request); + # Accept the html header. + $request->header('Accept' => 'text/html'); - # Check if there was any error. - unless ($response->is_success) { - # Obtain error. - my $error = $response->status_line(); + # Perform the request and fetch the html header. + my $response = $downloader->request($request); - # Log error message. - &_log_to_syslog("Unable to download the ruleset. \($error\)"); + # Check if there was any error. + unless ($response->is_success) { + # Obtain error. + my $error = $response->status_line(); - # Return "1" - false. - return 1; + # Log error message. + &_log_to_syslog("Unable to download the ruleset. \($error\)"); + + # Return "1" - false. + return 1; + } + + # Assign the fetched header object. + my $header = $response->headers(); + + # Grab the remote file size from the object and store it in the + # variable. + $remote_filesize = $header->content_length; } - # Assign the fetched header object. - my $header = $response->headers(); - - # Grab the remote file size from the object and store it in the - # variable. - my $remote_filesize = $header->content_length; - # Load perl module to deal with temporary files. use File::Temp; 
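Review bot: `unless ($url =~ /\.snort\.org/)` is an unanchored substring test, so any URL that merely contains `.snort.org` in its path or query string skips the HEAD probe, while `http://snort.org/...` without a subdomain still receives one. Anchor it on the host part instead: `unless ($url =~ m{^https?://([^/]+\.)?snort\.org(/|$)}i)`. Because the URLs come from the local rulesetsources file this is a robustness rather than an exploitability concern, but the comment should state that the skipped probe also disables the size check further down. The rest of downloadruleset, including the GET and the size comparison, is outside this hunk.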
@@ -273,7 +282,7 @@ sub downloadruleset { my $local_filesize = $stat->size; # Check if both file sizes match. - unless ($remote_filesize eq $local_filesize) { + if (($remote_filesize) && ($remote_filesize ne $local_filesize)) { # Log error message. &_log_to_syslog("Unable to completely download the ruleset. "); &_log_to_syslog("Only got $local_filesize Bytes instead of $remote_filesize Bytes. "); From f644a167ab06e5324c021144e08c00413472b143 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Feb 2019 12:48:08 +0100 Subject: [PATCH 197/259] ids.cgi: Only perform actions when saving ruleset settings, if there are no error messages Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 80 ++++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 388abf2d7..717e49882 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
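Review bot: With `$remote_filesize` left undefined for snort.org sources, the completeness check is skipped entirely, so a truncated or empty tarball from that vendor is accepted and handed on to oinkmaster; a zero-length download should be rejected regardless of whether a remote size is known, e.g. `unless ($local_filesize) { &_log_to_syslog("Downloaded ruleset is empty."); return 1; }` before the comparison. The comparison itself is numeric, so `!=` rather than `ne` avoids a false mismatch if either side ever carries whitespace. downloadruleset continues beyond the hunk.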
@@ -315,53 +315,53 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { if (!$errormessage) { # Store settings into settings file. &General::writehash("$IDS::rules_settings_file", \%cgiparams); - } - # Check if the the automatic rule update hass been touched. - if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldsettings{'AUTOUPDATE_INTERVAL'}) { - # Call suricatactrl to set the new interval. - &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'}); - } - - # Check if a ruleset is present - if not or the source has been changed download it. - if((! %idsrules) || ($oldsettings{'RULES'} ne $cgiparams{'RULES'})) { - # Check if the red device is active. - unless (-e "${General::swroot}/red/active") { - $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; + # Check if the the automatic rule update hass been touched. + if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldsettings{'AUTOUPDATE_INTERVAL'}) { + # Call suricatactrl to set the new interval. + &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'}); } - # Check if enought free disk space is availabe. - if(&IDS::checkdiskspace()) { - $errormessage = "$Lang::tr{'not enough disk space'}"; - } - - # Check if any errors happend. - unless ($errormessage) { - # Lock the webpage and print notice about downloading - # a new ruleset. - &working_notice("$Lang::tr{'snort working'}"); - - # Call subfunction to download the ruleset. - if(&IDS::downloadruleset()) { - $errormessage = $Lang::tr{'could not download latest updates'}; - - # Call function to store the errormessage. - &IDS::_store_error_message($errormessage); - } else { - # Call subfunction to launch oinkmaster. - &IDS::oinkmaster(); + # Check if a ruleset is present - if not or the source has been changed download it. + if((! %idsrules) || ($oldsettings{'RULES'} ne $cgiparams{'RULES'})) { + # Check if the red device is active. 
+ unless (-e "${General::swroot}/red/active") { + $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; } - # Check if the IDS is running. - if(&IDS::ids_is_running()) { - # Call suricatactrl to stop the IDS - because of the changed - # ruleset - the use has to configure it before suricata can be - # used again. - &IDS::call_suricatactrl("stop"); + # Check if enought free disk space is availabe. + if(&IDS::checkdiskspace()) { + $errormessage = "$Lang::tr{'not enough disk space'}"; } - # Perform a reload of the page. - &reload(); + # Check if any errors happend. + unless ($errormessage) { + # Lock the webpage and print notice about downloading + # a new ruleset. + &working_notice("$Lang::tr{'snort working'}"); + + # Call subfunction to download the ruleset. + if(&IDS::downloadruleset()) { + $errormessage = $Lang::tr{'could not download latest updates'}; + + # Call function to store the errormessage. + &IDS::_store_error_message($errormessage); + } else { + # Call subfunction to launch oinkmaster. + &IDS::oinkmaster(); + } + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to stop the IDS - because of the changed + # ruleset - the use has to configure it before suricata can be + # used again. + &IDS::call_suricatactrl("stop"); + } + + # Perform a reload of the page. + &reload(); + } } } From 613f58fbfa9f536d9c84bc76354f7775b3e9b57f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Feb 2019 12:49:01 +0100 Subject: [PATCH 198/259] ids.cgi: Check if the selected ruleset requires an oinkcode Fixes #11983 Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 24 +++++++++++++++++++----- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 717e49882..60e40d7de 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
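Review bot: `&General::writehash(...)` persists the new `RULES` source before the download is attempted, so if the download fails (offline, no disk space, vendor error) the settings file already names the new vendor while the old ruleset stays on disk; on the next save `$oldsettings{'RULES'} ne $cgiparams{'RULES'}` is then false and, unless %idsrules happens to be empty, the download is never retried until the user changes vendors again. Either write the hash only after `&IDS::downloadruleset()` succeeds, or record a pending-download marker that the next save or the cron update acts on. The offline and disk-space checks also overwrite each other in `$errormessage`, so only the last one is shown; appending with a separator would keep both. The handler's error display is outside the hunk.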
@@ -296,18 +296,32 @@ if(-f $IDS::used_rulefiles_file) { # Save ruleset configuration. if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { my %oldsettings; + my %rulesetsources; # Read-in current (old) IDS settings. &General::readhash("$IDS::rules_settings_file", \%oldsettings); + # Get all available ruleset locations. + &General::readhash("$IDS::rulesetsourcesfile", \%rulesetsources); + # Prevent form name from been stored in conf file. delete $cgiparams{'RULESET'}; - # Check if an oinkcode has been provided. - if ($cgiparams{'OINKCODE'}) { - # Check if the oinkcode contains unallowed chars. - unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) { - $errormessage = $Lang::tr{'invalid input for oink code'}; + # Grab the URL based on the choosen vendor. + my $url = $rulesetsources{$cgiparams{'RULES'}}; + + # Check if the choosen vendor (URL) requires an subscription/oinkcode. + if ($url =~ /\/ ) { + # Check if an subscription/oinkcode has been provided. + if ($cgiparams{'OINKCODE'}) { + # Check if the oinkcode contains unallowed chars. + unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) { + $errormessage = $Lang::tr{'invalid input for oink code'}; + } + } else { + # Print an error message, that an subsription/oinkcode is required for this + # vendor. + $errormessage = $Lang::tr{'ids oinkcode required'}; } } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index e2aa1861d..d2924152a 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
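Review bot: `$cgiparams{'RULES'}` is used as a key into %rulesetsources without checking that it exists, so a submitted value that is not in the sources file yields an undefined `$url`, silently bypasses the oinkcode requirement and, unless something downstream rejects it, is stored by writehash; add `unless (exists $rulesetsources{$cgiparams{'RULES'}}) { $errormessage = ...; }` with a suitable lang string before the lookup. The match on the following line is rendered here as `if ($url =~ /\/ )`, presumably a placeholder token lost in extraction — confirm against the real file that it is the intended placeholder and not an empty pattern, which would match every URL. The `^[a-z0-9]+$` whitelist on the oinkcode is the right call since the value is interpolated into the download URL. The rest of the save handler is outside the hunk.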
@@ -1336,6 +1336,7 @@ 'ids monitor traffic only' => 'Netzwerk-Pakete nur überpfrüfen', 'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!', 'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!', +'ids oinkcode required' => 'Für das ausgewählte Regelset wird eine Subscription oder ein Oinkcode benötigt', 'ids ruleset settings' => 'Regelset-Einstellungen', 'ids preprocessor' => 'IDS-Präprozessor', 'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 5c44ee9b1..fa7b7d2f2 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1368,6 +1368,7 @@ 'ids monitor traffic only' => 'Monitor traffic only', 'ids no network zone' => 'At least one network zone has to be monitored!', 'ids no ruleset available' => 'No ruleset available, please download one!', +'ids oinkcode required' => 'The selected ruleset requires a subscription or an oinkcode', 'ids ruleset settings' => 'Ruleset settings', 'ids preprocessor' => 'IDS preprocessor', 'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on', From d8f19ebb5accbf4e850e881fbd0be8fd9d66660c Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Feb 2019 13:12:50 +0100 Subject: [PATCH 199/259] IDS: Edit german translation for "ids oinkcode required". Signed-off-by: Stefan Schantl --- langs/de/cgi-bin/de.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index d2924152a..4c934174f 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -1336,7 +1336,7 @@ 'ids monitor traffic only' => 'Netzwerk-Pakete nur überpfrüfen', 'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!', 'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!', -'ids oinkcode required' => 'Für das ausgewählte Regelset wird eine Subscription oder ein Oinkcode benötigt', +'ids oinkcode required' => 'Für das ausgewählte Regelset wird ein Abonnement oder ein Oinkcode benötigt', 'ids ruleset settings' => 'Regelset-Einstellungen', 'ids preprocessor' => 'IDS-Präprozessor', 'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter', From 8117fff863431671939d5aa1c11c0a84e56298a2 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Feb 2019 15:23:46 +0100 Subject: [PATCH 200/259] IDS: Call helper script when red interface gets up The helper script will be automatically called when the red interface gets up and will re-generate the HOME_NET file, to take care if the IP-address of this interface has changed. Fixes #11989 Signed-off-by: Stefan Schantl --- config/rootfiles/common/aarch64/initscripts | 2 +- config/rootfiles/common/armv5tel/initscripts | 2 +- config/rootfiles/common/i586/initscripts | 2 +- config/rootfiles/common/x86_64/initscripts | 2 +- lfs/initscripts | 2 -- src/initscripts/networking/red.up/23-suricata | 30 +++++++++++++++++++ 6 files changed, 34 insertions(+), 6 deletions(-) create mode 100644 src/initscripts/networking/red.up/23-suricata diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 07216d285..ed4f727d9 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts 
@@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-suricata +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 07216d285..ed4f727d9 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-suricata +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 7037030f9..07a123a48 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-suricata +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 7037030f9..07a123a48 100644 --- a/config/rootfiles/common/x86_64/initscripts 
+++ b/config/rootfiles/common/x86_64/initscripts @@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-suricata +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns diff --git a/lfs/initscripts b/lfs/initscripts index 0bdc1c785..055e106d0 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -188,8 +188,6 @@ $(TARGET) : ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient - ln -sf ../../../../../usr/local/bin/suricatactrl \ - /etc/rc.d/init.d/networking/red.up/23-RS-suricata ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/24-RS-qos ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid diff --git a/src/initscripts/networking/red.up/23-suricata b/src/initscripts/networking/red.up/23-suricata new file mode 100644 index 000000000..d8b7a2b8f --- /dev/null +++ b/src/initscripts/networking/red.up/23-suricata 
@@ -0,0 +1,30 @@ +#!/usr/bin/perl +# +# Helper script to regenerate the file which contains the HOME_NET declaration +# including the assigned IP-address of red and any configured aliases. + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; + +# Hash to store the IDS settings. +my %ids_settings = (); + +# Read-in IDS settings. +&General::readhash("$IDS::ids_settings_file", \%ids_settings); + +# Check if suricata is enabled. +if($ids_settings{'ENABLE_IDS'} eq "on") { + # Regenerate the file with HOME_NET details. + &IDS::generate_home_net_file(); + + # Set correct ownership. + &IDS::set_ownership("$IDS::homenet_file"); + + # Check if suricata is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a restart of suricata. + &IDS::call_suricatactrl("restart"); + } +} From f6eb1a40a00625b7a83984461242e86347e48579 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 6 Feb 2019 15:59:02 +0100 Subject: [PATCH 201/259] aliases.cgi: Handle suricata related actions when dealing with aliases When working with aliases (adding/modifying/removing), the file which contains the HOME_NET declarations needs to be re-generated and suricata requires a restart afterwards. Fixes #11990 Signed-off-by: Stefan Schantl --- html/cgi-bin/aliases.cgi | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/html/cgi-bin/aliases.cgi b/html/cgi-bin/aliases.cgi index 7c3ba91ae..4e61eb65e 100644 --- a/html/cgi-bin/aliases.cgi +++ b/html/cgi-bin/aliases.cgi @@ -33,6 +33,7 @@ use strict; require '/var/ipfire/general-functions.pl'; # replace /var/ipcop with /var/ipcop in case of manual install require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; +require "${General::swroot}/ids-functions.pl"; my $configfwdfw = "${General::swroot}/firewall/config"; my $configinput = "${General::swroot}/firewall/input"; 
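Review bot: The new hook rewrites the HOME_NET file and restarts suricata on every red.up regardless of whether the red address or its aliases actually changed, so a link that reconnects regularly (a forced PPPoE reconnect, for instance) costs a full IPS restart each time and a short window without inspection. Read `$IDS::homenet_file` (or hash it) before `&IDS::generate_home_net_file()`, compare afterwards, and only call `&IDS::call_suricatactrl("restart")` when the content differs; the ownership fix-up can stay unconditional. The script has `use strict;` without `use warnings;`, so a missing `ENABLE_IDS` key in the `eq "on"` comparison is silently treated as disabled; add `use warnings;` after `use strict;` so such problems at least reach the log.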
@@ -105,6 +106,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { # Rebuild configuration file if needed &BuildConfiguration; + + # Handle suricata related actions. + &HandleSuricata(); } ERROR: # Leave the faulty field untouched @@ -139,6 +143,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { # Rebuild configuration file &BuildConfiguration; + + # Handle Suricata related actions. + &HandleSuricata(); } if ($settings{'ACTION'} eq $Lang::tr{'add'}) { @@ -220,6 +227,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) { &SortDataFile; # sort newly added/modified entry &BuildConfiguration; # then re-build conf which use new data + + # Handle Suricata related actions. + &HandleSuricata(); ## ## if entering data line is repetitive, choose here to not erase fields between each addition @@ -251,6 +261,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'remove'}) { &General::log($Lang::tr{'ip alias removed'}); &BuildConfiguration; # then re-build conf which use new data + + # Handle Suricata related actions. + &HandleSuricata(); } @@ -557,3 +570,16 @@ sub BuildConfiguration { system '/usr/local/bin/setaliases'; } +# +## Handle Suricata related actions. +# +sub HandleSuricata() { + # Check if suricata is running. + if(&IDS::ids_is_running()) { + # Re-generate file which contains the HOME_NET declaration. + &IDS::generate_home_net_file(); + + # Call suricatactrl to perform a restart of suricata. + &IDS::call_suricatactrl("restart"); + } +} From 5f2145eb59d3f0f7cbc70cd4f071302fd56213ea Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 07:44:11 +0100 Subject: [PATCH 202/259] ids.cgi: Show "Update Ruleset"-Button only if automatic updates are disabled Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 60e40d7de..5ed3ed9f2 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
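Review bot: `HandleSuricata` in the last hunk (`@@ -557,3 +570,16 @@`) regenerates the HOME_NET file only while suricata is running and, unlike the `23-suricata` red.up helper added in the previous commit, never calls `&IDS::set_ownership("$IDS::homenet_file")` afterwards, so a file written from the CGI may carry different ownership than the one the helper produces, and an alias edited while suricata is stopped is not reflected until the next red.up. Regenerate and fix ownership regardless of the running state and keep only the restart conditional: `&IDS::generate_home_net_file(); &IDS::set_ownership("$IDS::homenet_file"); &IDS::call_suricatactrl("restart") if (&IDS::ids_is_running());` — assuming, as the helper does, that generating the file while the IDS is disabled is harmless. The empty prototype on `sub HandleSuricata()` has no effect for the `&HandleSuricata()` call sites and is best dropped.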
@@ -902,8 +902,8 @@ print < END ; - # Check if a ruleset has been downloaded yet. - if (%idsrules) { + # Show the "Update Ruleset"-Button only if a ruleset has been downloaded yet and automatic updates are disabled. + if ((%idsrules) && ($rulessettings{'AUTOUPDATE_INTERVAL'} eq "off")) { # Display button to update the ruleset. print"\n"; } From 8076deba79f9bbd4e551fdfe1eb49e8a77b2c19e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 07:59:20 +0100 Subject: [PATCH 203/259] ids-functions.pl: Add code to lock/unlock ids page while autoupdating the ruleset Reference #11991 Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 45159ffe9..042a97691 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -58,6 +58,9 @@ our $rulestarball = "/var/tmp/idsrules.tar.gz"; # File to store any errors, which also will be read and displayed by the wui. our $storederrorfile = "/tmp/ids_storederror"; +# File to lock the WUI, while the autoupdate script runs. +our $ids_page_lock_file = "/tmp/ids_page_locked"; + # Location where the rulefiles are stored. our $rulespath = "/var/lib/suricata"; @@ -955,4 +958,21 @@ sub get_red_address() { return; } +# +## Function to write the lock file for locking the WUI, while +## the autoupdate script runs. +# +sub lock_ids_page() { + # Call subfunction to create the file. + &create_empty_file($ids_page_lock_file); +} + +# +## Function to release the lock of the WUI, again. +# +sub unlock_ids_page() { + # Delete lock file. + unlink($ids_page_lock_file); +} + 1; From 5206a3358d18b8ec9b1ceca3e95a56516ae7b4ab Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 08:06:49 +0100 Subject: [PATCH 204/259] update-ids-ruleset: Lock and Unlock the IDS page during runtime Reference #11991 
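Review bot: The lock added in `@@ -955,4 +958,21 @@` is nothing more than the existence of `/tmp/ids_page_locked`, so it has no owner: if the autoupdate script dies between `lock_ids_page` and `unlock_ids_page`, the file survives and the WUI stays locked until someone removes it by hand, and because the path lives in the shared /tmp any local account able to create that file can lock the page the same way. Record the holder and let readers detect staleness, e.g. have `lock_ids_page` write the PID (`open(my $fh, '>', $ids_page_lock_file) or return; print $fh $$; close($fh);`) and have the reader treat the lock as stale when `kill 0, $pid` fails, or switch to `flock` on a file under a directory owned by the IDS components rather than /tmp. `unlock_ids_page` also ignores the return value of `unlink`; at least log when the lock cannot be removed.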
Signed-off-by: Stefan Schantl --- src/scripts/update-ids-ruleset | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index d988d2556..14ea25ec6 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -46,6 +46,9 @@ if(&IDS::checkdiskspace()) { exit 0; } +# Lock the IDS page. +&IDS::lock_ids_page(); + # Call the download function and gather the new ruleset. if(&IDS::downloadruleset()) { # Store error message for displaying in the WUI. @@ -61,6 +64,9 @@ if(&IDS::downloadruleset()) { # Set correct ownership for the rulesdir and files. &IDS::set_ownership("$IDS::rulespath"); +# Unlock the IDS page. +&IDS::unlock_ids_page(); + # Check if the IDS is running. if(&IDS::ids_is_running()) { # Call suricatactrl to perform a reload. From 9074e3d74cc931244892d306b38c298ce8dd0f2b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 08:24:15 +0100 Subject: [PATCH 205/259] ids.cgi: Lock page while autoupdate script is running Fixes #11991 Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 16 ++++++++++++++++ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 18 insertions(+) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 5ed3ed9f2..82d79a369 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
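Review bot: `&IDS::lock_ids_page()` is taken just before `downloadruleset()` but `&IDS::unlock_ids_page()` only follows the ownership fix-up in the second hunk, so every exit between the two — the download-failure branch, whose body lies outside the hunk and presumably stores the error and exits, or a `die` inside the download or extraction — leaves the lock file in place and the IDS page blocked for everyone. Release it on every path by registering the unlock once, `END { &IDS::unlock_ids_page(); }`, which also runs after `die`; `unlink` on a file that was never created is harmless, so the early `exit 0` from the `checkdiskspace()` branch above the first hunk is unaffected. If the script can run twice concurrently (cron plus a manual start), the lock should also refuse to proceed when the file already exists rather than silently re-creating it.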
@@ -210,6 +210,22 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq } } +# Check if the page is locked, in this case, the ids_page_lock_file exists. +if (-e $IDS::ids_page_lock_file) { + # Lock the webpage and print notice about autoupgrade of the ruleset + # is in progess. + &working_notice("$Lang::tr{'ids ruleset autoupdate in progress'}"); + + # Loop and check if the file still exists. + while(-e $IDS::ids_page_lock_file) { + # Sleep for a second and re-check. + sleep 1; + } + + # Page has been unlocked, perform a reload. + &reload(); +} + # Check if any error has been stored. if (-e $IDS::storederrorfile) { # Open file to read in the stored error message. diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 4c934174f..50731f915 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1344,6 +1344,7 @@ 'ids rules license2' => 'Bestätigen Sie die Lizenz; aktivieren Sie Ihren Account, indem Sie auf den Link, den Sie per Mail erhalten haben, klicken. Gehen Sie dann zu', 'ids rules license3' => 'klicken Sie den "Generate code"-Knopf und kopieren Sie den 40-Zeichen Oinkcode in das untere Feld.', 'ids rules update' => 'IPS-Regeln', +'ids ruleset autoupdate in progress' => 'Das Regelset wird gerade aktualisiert ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'iface' => 'Iface', 'ignore filter' => '"Ignorieren"-Filter', 'ike encryption' => 'IKE Verschlüsselung:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index fa7b7d2f2..adfe2350a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
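Review bot: The `while(-e $IDS::ids_page_lock_file) { sleep 1; }` loop has no upper bound, so a stale lock file keeps this CGI process and the user's browser waiting indefinitely, and the only way out is deleting the file on the console; with the update script apparently releasing the lock on its success path only, one failed autoupdate is enough to reach that state. Bound the wait and report instead of reloading when the lock is still there, e.g. `my $waited = 0; while ((-e $IDS::ids_page_lock_file) && ($waited++ < 300)) { sleep 1; }` followed by an error message rather than `&reload()` when the file still exists, or treat a lock older than a plausible update run (`-M`) as stale. A server-side sleep also ties up one web-server worker per waiting visitor, so a short bound plus a client-side refresh of the `working_notice` page would scale better.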
@@ -1376,6 +1376,7 @@ 'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to', 'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.', 'ids rules update' => 'IPS rules', +'ids ruleset autoupdate in progress' => 'Ruleset update in progress ... Please wait until all operations have completed successfully.', 'ids show' => 'Show', 'iface' => 'Iface', 'ignore filter' => 'Ignore filter', From e566e977f7605758df450c6128d1484cc5fb2a35 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 08:28:29 +0100 Subject: [PATCH 206/259] Add german translation for "system is offline" Signed-off-by: Stefan Schantl --- langs/de/cgi-bin/de.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 50731f915..f73c159db 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -2229,6 +2229,7 @@ 'system has hwrng' => 'Dieses System hat einen Hardware-Zufallszahlengenerator.', 'system has rdrand' => 'Dieses System unterstützt Intel(R) RDRAND.', 'system information' => 'Systeminformationen', +'system is offline' => 'Das System ist offline.', 'system log viewer' => 'Betrachter der Systemprotokolldateien', 'system logs' => 'Systemprotokolldateien', 'system status information' => 'System-Statusinformationen', From 5bd8940d68186e1ad2cbbb376c4bae6d512630bb Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 08:51:31 +0100 Subject: [PATCH 207/259] ids.cgi: Improve showed messages while the IDS is working Reference #11993 Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 14 +++++++------- langs/de/cgi-bin/de.pl | 3 +++ langs/en/cgi-bin/en.pl | 3 +++ 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 82d79a369..54db48b7d 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -241,9 +241,9 @@ if (-e $IDS::storederrorfile) { unlink($IDS::storederrorfile); } -## Grab all available snort rules and store them in the idsrules hash. +## Grab all available rules and store them in the idsrules hash. # -# Open snort rules directory and do a directory listing. +# Open rules directory and do a directory listing. opendir(DIR, $IDS::rulespath) or die $!; # Loop through the direcory. while (my $file = readdir(DIR)) { @@ -368,7 +368,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { unless ($errormessage) { # Lock the webpage and print notice about downloading # a new ruleset. - &working_notice("$Lang::tr{'snort working'}"); + &working_notice("$Lang::tr{'ids working'}"); # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { @@ -497,7 +497,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { &IDS::write_used_rulefiles_file(@enabled_rulefiles); # Lock the webpage and print message. - &working_notice("$Lang::tr{'snort working'}"); + &working_notice("$Lang::tr{'ids apply ruleset changes'}"); # Call oinkmaster to alter the ruleset. &IDS::oinkmaster(); @@ -527,7 +527,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { unless ($errormessage) { # Lock the webpage and print notice about downloading # a new ruleset. - &working_notice("$Lang::tr{'snort working'}"); + &working_notice("$Lang::tr{'ids download new ruleset'}"); # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { @@ -552,7 +552,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { &reload(); } } -# Save snort settings. +# Save IDS settings. } elsif ($cgiparams{'IDS'} eq $Lang::tr{'save'}) { my %oldidssettings; my $reload_page; @@ -617,7 +617,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Check if a ruleset exists. if (%idsrules) { # Lock the webpage and print message. - &working_notice("$Lang::tr{'snort working'}"); + &working_notice("$Lang::tr{'ids working'}"); # Call oinkmaster to alter the ruleset. &IDS::oinkmaster(); 
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f73c159db..edf0a078c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1326,10 +1326,12 @@ 'idle' => 'Leerlauf', 'idle timeout' => 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):', 'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.', +'ids apply ruleset changes' => 'Regel-Änderungen werden übernommen ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'ids automatic rules update' => 'Automatische Regeln-Aktualisierung', 'ids traffic analyze' => 'Packet-Analyse', 'ids active on' => 'Aktiv auf', 'ids enable' => 'Intrusion-Prevention-System aktivieren', +'ids download new ruleset' => 'Das neue Regelset wird heruntergeladen und entpackt ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'ids log viewer' => 'Ansicht IPS-Protokoll', 'ids logs' => 'IPS-Protokolldateien', 'ids monitored interfaces' => 'Überwachte Netzwerkzonen', @@ -1345,6 +1347,7 @@ 'ids rules license3' => 'klicken Sie den "Generate code"-Knopf und kopieren Sie den 40-Zeichen Oinkcode in das untere Feld.', 'ids rules update' => 'IPS-Regeln', 'ids ruleset autoupdate in progress' => 'Das Regelset wird gerade aktualisiert ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', +'ids working' => 'Änderungen werden übernommen ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'iface' => 'Iface', 'ignore filter' => '"Ignorieren"-Filter', 'ike encryption' => 'IKE Verschlüsselung:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index adfe2350a..5218bc34e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1357,9 +1357,11 @@ 'idle' => 'Idle', 'idle timeout' => 'Idle timeout (mins; 0 to disable):', 'idle timeout not set' => 'Idle timeout not set.', +'ids apply ruleset changes' => 'The ruleset changes will be applied ... Please wait until all operations have completed successfully.', 'ids automatic rules update' => 'Automatic rules update', 'ids traffic analyze' => 'Traffic analyzing', 'ids active on' => 'Active on', +'ids download new ruleset' => 'Downloading and unpacking new ruleset ... Please wait until all operations have completed successfully.', 'ids enable' => 'Enable Intrusion Prevention System', 'ids hide' => 'Hide', 'ids log viewer' => 'IPS log viewer', @@ -1378,6 +1380,7 @@ 'ids rules update' => 'IPS rules', 'ids ruleset autoupdate in progress' => 'Ruleset update in progress ... Please wait until all operations have completed successfully.', 'ids show' => 'Show', +'ids working' => 'Changes will be applied ... Please wait until all operations have completed successfully.', 'iface' => 'Iface', 'ignore filter' => 'Ignore filter', 'ike encryption' => 'IKE Encryption:', From dd8d6f5ee8c6262b96319b84751a73044be23e39 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 09:00:35 +0100 Subject: [PATCH 208/259] logs.cgi/ids.dat: Do not call the IDS snort again Signed-off-by: Stefan Schantl --- html/cgi-bin/logs.cgi/ids.dat | 4 ++-- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index 21737511f..e374f5711 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat @@ -157,7 +157,7 @@ if ($multifile) { if ($cgiparams{'ACTION'} eq $Lang::tr{'export'}) { print "Content-type: text/plain\n\n"; - print "IPFire IDS snort log\r\n"; + print "IPFire IPS log\r\n"; print "Date: $cgiparams{'DAY'} $longmonths[$cgiparams{'MONTH'}]\r\n"; print "\r\n"; 
@@ -254,7 +254,7 @@ END &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'log'}); -print "

$Lang::tr{'snort hits'} $longmonthstr $daystr: $lines

"; +print "

$Lang::tr{'ids log hits'} $longmonthstr $daystr: $lines

"; if ($start == -1) { $start = $lines - ${Header::viewsize}; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index edf0a078c..54c85a64e 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1333,6 +1333,7 @@ 'ids enable' => 'Intrusion-Prevention-System aktivieren', 'ids download new ruleset' => 'Das neue Regelset wird heruntergeladen und entpackt ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'ids log viewer' => 'Ansicht IPS-Protokoll', +'ids log hits' => 'Gesamtanzahl der aktivierten Regeln für', 'ids logs' => 'IPS-Protokolldateien', 'ids monitored interfaces' => 'Überwachte Netzwerkzonen', 'ids monitor traffic only' => 'Netzwerk-Pakete nur überpfrüfen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 5218bc34e..8ce703620 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1364,6 +1364,7 @@ 'ids download new ruleset' => 'Downloading and unpacking new ruleset ... Please wait until all operations have completed successfully.', 'ids enable' => 'Enable Intrusion Prevention System', 'ids hide' => 'Hide', +'ids log hits' => 'Total of number of activated rules for', 'ids log viewer' => 'IPS log viewer', 'ids logs' => 'IPS Logs', 'ids monitored interfaces' => 'Monitored interfaces', From e8ae413a79a9c5eea8952ca42449128d79682216 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 09:02:32 +0100 Subject: [PATCH 209/259] langs: Remove snort related and unused strings Fixes #11993. Signed-off-by: Stefan Schantl --- langs/de/cgi-bin/de.pl | 8 -------- langs/en/cgi-bin/en.pl | 7 ------- 2 files changed, 15 deletions(-) diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 54c85a64e..8a611103c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -1341,12 +1341,6 @@ 'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!', 'ids oinkcode required' => 'Für das ausgewählte Regelset wird ein Abonnement oder ein Oinkcode benötigt', 'ids ruleset settings' => 'Regelset-Einstellungen', -'ids preprocessor' => 'IDS-Präprozessor', -'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter', -'ids rules license1' => ' registrieren.', -'ids rules license2' => 'Bestätigen Sie die Lizenz; aktivieren Sie Ihren Account, indem Sie auf den Link, den Sie per Mail erhalten haben, klicken. Gehen Sie dann zu', -'ids rules license3' => 'klicken Sie den "Generate code"-Knopf und kopieren Sie den 40-Zeichen Oinkcode in das untere Feld.', -'ids rules update' => 'IPS-Regeln', 'ids ruleset autoupdate in progress' => 'Das Regelset wird gerade aktualisiert ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'ids working' => 'Änderungen werden übernommen ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'iface' => 'Iface', @@ -2143,8 +2137,6 @@ 'smtphost' => 'Smtp Host', 'smtpport' => 'Smtp Port', 'snat new source ip address' => 'Neue Quell-IP-Adresse', -'snort hits' => 'Gesamtanzahl der aktivierten Intrusion-Regeln für', -'snort working' => 'Snort führt gerade eine Aufgabe aus... Bitte warten Sie, bis diese erfolgreich beendet wurde.', 'socket options' => 'Socket Options', 'software version' => 'Software-Version', 'sort ascending' => 'Sortiere aufsteigend', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 8ce703620..e74c2ded1 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1373,11 +1373,6 @@ 'ids no ruleset available' => 'No ruleset available, please download one!', 'ids oinkcode required' => 'The selected ruleset requires a subscription or an oinkcode', 'ids ruleset settings' => 'Ruleset settings', -'ids preprocessor' => 'IDS preprocessor', -'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on', -'ids rules license1' => '.', -'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to', -'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.', 'ids rules update' => 'IPS rules', 'ids ruleset autoupdate in progress' => 'Ruleset update in progress ... Please wait until all operations have completed successfully.', 'ids show' => 'Show', @@ -2184,8 +2179,6 @@ 'smtphost' => 'SMTP host', 'smtpport' => 'SMTP port', 'snat new source ip address' => 'New source IP address', -'snort hits' => 'Total of number of Intrusion rules activated for', -'snort working' => 'Snort is working ... Please wait until all operations have completed successfully.', 'socket options' => 'Socket options', 'software version' => 'Software Version', 'sort ascending' => 'Sort ascending', From ee7fe87ea6341f201bad78910d1055ed17560766 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 09:46:01 +0100 Subject: [PATCH 210/259] ids.cgi: Change name of the button to apply the ruleset changes Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 6 ++---- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 54db48b7d..11b2e69ab 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -396,7 +396,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { } # Save ruleset. -} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) { +} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'ids apply'}) { # Arrays to store which rulefiles have been enabled and will be used. my @enabled_rulefiles; @@ -1164,9 +1164,7 @@ if (%idsrules) { print <
- +
-  $Lang::tr{'ids enable'} +  $Lang::tr{'ids enable'} -  $Lang::tr{'ids monitor traffic only'} +  $Lang::tr{'ids monitor traffic only'}
\n"; print "\n"; - print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; + print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; print "
-   -
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 8a611103c..00862ad2e 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1326,6 +1326,7 @@ 'idle' => 'Leerlauf', 'idle timeout' => 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):', 'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.', +'ids apply' => 'Übernehmen', 'ids apply ruleset changes' => 'Regel-Änderungen werden übernommen ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'ids automatic rules update' => 'Automatische Regeln-Aktualisierung', 'ids traffic analyze' => 'Packet-Analyse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index e74c2ded1..5dc248c5a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1357,6 +1357,7 @@ 'idle' => 'Idle', 'idle timeout' => 'Idle timeout (mins; 0 to disable):', 'idle timeout not set' => 'Idle timeout not set.', +'ids apply' => 'Apply', 'ids apply ruleset changes' => 'The ruleset changes will be applied ... Please wait until all operations have completed successfully.', 'ids automatic rules update' => 'Automatic rules update', 'ids traffic analyze' => 'Traffic analyzing', From 5fbd7b29829caf0bcadcccd6f56ead51e2fb812e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 7 Feb 2019 10:33:29 +0100 Subject: [PATCH 211/259] ids.cgi: Format and show date of the current ruleset again Fixes #11992 Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 11b2e69ab..313714486 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -783,17 +783,6 @@ END END } -my $rulesdate; - -# Check if a ruleset allready has been downloaded. -if ( -f "$IDS::rulestarball"){ - # Call stat on the filename to obtain detailed information. - my @Info = stat("$IDS::rulestarball"); - - # Grab details about the creation time. - $rulesdate = localtime($Info[9]); -} - # Only show this area, if a ruleset is present. if (%idsrules) { @@ -1069,7 +1058,20 @@ END # Only show the section for configuring the ruleset if one is present. if (%idsrules) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); + # Load neccessary perl modules for file stat and to format the timestamp. + use File::stat; + use POSIX qw( strftime ); + + # Call stat on the rulestarball. + my $stat = stat("$IDS::rulestarball"); + + # Get timestamp the file creation. + my $mtime = $stat->mtime; + + # Convert into human read-able format. + my $rulesdate = strftime('%Y-%m-%d %H:%M:%S', localtime($mtime)); + + &Header::openbox('100%', 'LEFT', "$Lang::tr{'intrusion detection system rules'} ($rulesdate)" ); print"
\n"; From 05a635ec04f1ca7ee85a1511757ef3fea28cdb5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Thu, 7 Feb 2019 17:38:00 +0000 Subject: [PATCH 212/259] Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports as, well MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Partially fixes #11808 Signed-off-by: Peter Müller Cc: Stefan Schantl Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 48035a67e..dd7e53584 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: 443 + dp: "[443,465,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow From 8723bb91aeff7dbbc173c6f7b8052a76203cb0a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Thu, 7 Feb 2019 17:41:00 +0000 Subject: [PATCH 213/259] Suricata: enable full detection for missing protocols MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These are IMAP and MSN, which can be safely enabled. Partially fixes #11808 Signed-off-by: Peter Müller Cc: Stefan Schantl Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index dd7e53584..d7302788c 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -182,9 +182,9 @@ app-layer: content-inspect-min-size: 32768 content-inspect-window: 4096 imap: - enabled: detection-only + enabled: yes msn: - enabled: detection-only + enabled: yes smb: enabled: yes detection-ports: From ad99f959e2b83dd9f1275c1d385140271c8926ae Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Thu, 7 Feb 2019 17:47:00 +0000 Subject: [PATCH 214/259] Suricata: detect DNS events on port 853, too MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As DNS over TLS popularity is increasing, port 853 becomes more interesting for an attacker as a bypass method. Enabling this port for DNS monitoring makes sense in order to avoid unusual activity (non-DNS traffic) as well as "normal" DNS attacks. Partially fixes #11808 Signed-off-by: Peter Müller Cc: Stefan Schantl Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index d7302788c..67b9e8a7d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" udp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" http: enabled: yes # memcap: 64mb From 4434236e00a6e5fddbf031ca4777d2c00ad34482 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 8 Feb 2019 09:55:46 +0100 Subject: [PATCH 215/259] ruleset-sources: Update sourcefire rulesets to latest snapshot version Signed-off-by: Stefan Schantl --- config/suricata/ruleset-sources | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index 5c8487395..cf6baa18e 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources 
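Review bot: Port 853 carries DNS over TLS, so adding it to the DNS parser's `detection-ports` in both the tcp and udp sections hands the DNS app-layer parser a TLS stream it cannot decode; the only thing it will see as DNS there is whatever a sender puts on that port in the clear. Since the earlier hunk in this series widened the TLS parser's `detection-ports` to `"[443,465,993,995]"`, 853 belongs in that list as well so the handshake (SNI, certificate) of DoT connections is actually inspected, which is the part of this traffic Suricata can see. Whether the DNS parser tolerates non-DNS bytes on a configured port without raising app-layer events I cannot confirm from this page, so verify on a DoT-using client that the change does not produce spurious alerts.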
@@ -1,11 +1,11 @@ # Ruleset for registered sourcefire users. -registered = https://www.snort.org/downloads/registered/snortrules-snapshot-29111.tar.gz?oinkcode= +registered = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode= # Ruleset for registered sourcefire users with valid subscription. -subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-29111.tar.gz?oinkcode= +subscripted = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode= # Community rules from sourcefire. -community = https://www.snort.org/downloads/community/community-rules.tar.gz +community = https://www.snort.org/rules/community # Emerging threads community rules. emerging = https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz From f3cbcfeff9e8ce263c812a25a24c7f4f14d4a64f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 8 Feb 2019 09:56:36 +0100 Subject: [PATCH 216/259] libhtp: Update to 0.5.29 Signed-off-by: Stefan Schantl --- lfs/libhtp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/libhtp b/lfs/libhtp index c8b8ad113..212514dfb 100644 --- a/lfs/libhtp +++ b/lfs/libhtp @@ -24,7 +24,7 @@ include Config -VER = 0.5.27 +VER = 0.5.29 THISAPP = libhtp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 226def386a394911de75ffe9e038554a +$(DL_FILE)_MD5 = 5feb73647723db5b458d00faddb30954 install : $(TARGET) From 99b2e30636aa404f9fac355fcbbbe0a2e8f84e0a Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 14 Feb 2019 11:43:31 +0100 Subject: [PATCH 217/259] ids-ruleset-sources: Fix rootfile Signed-off-by: Stefan Schantl --- config/rootfiles/common/ids-ruleset-sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/common/ids-ruleset-sources b/config/rootfiles/common/ids-ruleset-sources index 7e15e20f0..698fd1268 100644 --- a/config/rootfiles/common/ids-ruleset-sources 
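Review bot: The `community` entry changed from a URL ending in `community-rules.tar.gz` to `https://www.snort.org/rules/community`, which no longer names an archive; if the downloader derives the local file name or archive type from the URL suffix, this entry now needs special handling, and a comment on that line stating the server returns a tarball would help. The `registered` and `subscripted` lines still end in a bare `?oinkcode=`, so the consuming code presumably appends the user's code — worth stating in the header comment since the file is user-visible.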
+++ b/config/rootfiles/common/ids-ruleset-sources @@ -1 +1 @@ -/var/ipfire/suricata/ruleset-sources +var/ipfire/suricata/ruleset-sources From b09c13f1b6276885cfc457fa04896bfd7ba240e6 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 14 Feb 2019 12:15:41 +0100 Subject: [PATCH 218/259] convert-snort: Call subfunction to change ownership of rulestarball Signed-off-by: Stefan Schantl --- config/suricata/convert-snort | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 68d6d3379..fabf70ee7 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -222,7 +222,7 @@ if (-f $snort_rules_tarball) { move($snort_rules_tarball, $IDS::rulestarball); # Set correct ownership. - chown($uid, $gid, $IDS::rulestarball); + &IDS::set_ownership("$IDS::rulestarball"); } # From 78690361abbff86772850947e1dac97eecfa0648 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 14 Feb 2019 12:37:13 +0100 Subject: [PATCH 219/259] convert-snort: Always create directory and filelayout Signed-off-by: Stefan Schantl --- config/suricata/convert-snort | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index fabf70ee7..0df5a451a 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort 
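Review bot: With `chown($uid, $gid, ...)` replaced by `&IDS::set_ownership(...)`, `$uid` and `$gid` may now be unused in this script; if nothing else reads them their declarations should go too (they are defined outside the hunk, so I cannot confirm). The interpolating string is redundant here — `&IDS::set_ownership($IDS::rulestarball);` passes the same value and matches the other calls' intent more clearly.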
@@ -33,18 +33,6 @@ my $snort_config_file = "/etc/snort/snort.conf"; # Snort rules tarball. my $snort_rules_tarball = "/var/tmp/snortrules.tar.gz"; -# Check if a snort settings file exists. -unless( -f "$snort_settings_file") { - print "$snort_settings_file not found - Nothing to do. Exiting!\n"; - exit(0); -} - -# Check if the snort settings file is empty. -if (-z "$snort_settings_file") { - print "$snort_settings_file is empty - Nothing to do. Exiting!\n"; - exit(0); -} - # ## Step 1: Setup directory and file layout, if not present and set correct ## ownership. The converter runs as a privileged user, but the files @@ -70,6 +58,18 @@ unless (-d $IDS::rulespath) { &IDS::set_ownership("$IDS::settingsdir"); &IDS::set_ownership("$IDS::rulespath"); +# Check if a snort settings file exists. +unless( -f "$snort_settings_file") { + print "$snort_settings_file not found - Nothing to do. Exiting!\n"; + exit(0); +} + +# Check if the snort settings file is empty. +if (-z "$snort_settings_file") { + print "$snort_settings_file is empty - Nothing to do. Exiting!\n"; + exit(0); +} + # ## Step 2: Import snort settings and convert to the required format for the new IDS ## (suricata). From 1ef235f08dab44779d3b97854f25e234b6124cab Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 15 Feb 2019 11:22:14 +0100 Subject: [PATCH 220/259] logrotate: Rotate suricata logs instead of snort ones Signed-off-by: Stefan Schantl --- config/etc/logrotate.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/config/etc/logrotate.conf b/config/etc/logrotate.conf index d38570de5..f15ee92c3 100644 --- a/config/etc/logrotate.conf +++ b/config/etc/logrotate.conf 
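Review bot: After the move, both `exit(0)` guards now run after Step 1 has already created the directory layout and changed ownership, so "Nothing to do. Exiting!" is slightly misleading — at that point the script has done something and is only declining to convert; `print "$snort_settings_file not found - Nothing to convert. Exiting!\n";` (and the same for the empty-file case) would say what actually happened. Alternatively a sentence in the Step 1 header comment stating that the layout is created unconditionally would document the new order. The `unless (-d $IDS::rulespath)` block preceding the second hunk starts outside it.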
@@ -28,16 +28,16 @@ include /etc/logrotate.d endscript } -/var/log/snort/alert { +/var/log/suricata/*.log { weekly copytruncate compress ifempty missingok postrotate - /bin/find /var/log/snort -path '/var/log/snort/[0-9]*' -prune -exec /bin/rm -rf {} \; - /bin/find /var/log/snort -name 'snort.log.*' -mtime +28 -exec /bin/rm -rf {} \; - /etc/init.d/snort restart + /bin/find /var/log/suricata -path '/var/log/suricata/[0-9]*' -prune -exec /bin/rm -rf {} \; + /bin/find /var/log/suricata -name 'fast.log.*' -mtime +28 -exec /bin/rm -rf {} \; + /bin/kill -HUP `cat /var/run/suricata.pid 2> /dev/null` 2> /dev/null || true endscript } From 0d8cc90f4dead04de7181634377fe11115678f34 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 15 Feb 2019 12:18:45 +0100 Subject: [PATCH 221/259] services.cgi: Show status of suricata instead of snort Signed-off-by: Stefan Schantl --- html/cgi-bin/services.cgi | 43 +++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/html/cgi-bin/services.cgi b/html/cgi-bin/services.cgi index 64fdbba05..26ab4f314 100644 --- a/html/cgi-bin/services.cgi +++ b/html/cgi-bin/services.cgi @@ -56,6 +56,7 @@ my %servicenames =( $Lang::tr{'secure shell server'} => 'sshd', $Lang::tr{'vpn'} => 'charon', $Lang::tr{'web proxy'} => 'squid', + $Lang::tr{'intrusion detection system'} => 'suricata', 'OpenVPN' => 'openvpn' ); 
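Review bot: The rotation glob now covers every `/var/log/suricata/*.log`, but the purge line still only removes `fast.log.*` older than 28 days, so rotated copies of any other `.log` file in that directory are kept for as long as the `rotate` count allows and the 28-day policy applies unevenly; `/bin/find /var/log/suricata -name '*.log.*' -mtime +28 -exec /bin/rm -rf {} \;` would treat them alike. The `-path '/var/log/suricata/[0-9]*' -prune -exec /bin/rm -rf` line was carried over from snort's per-host directory layout; if Suricata creates no such directories it is dead and should be dropped. When the PID file is missing, `/bin/kill -HUP` runs with no argument and fails, which `|| true` hides — acceptable here, since `copytruncate` already keeps the open file descriptors valid without a reopen.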
@@ -71,31 +72,16 @@ my %link =( $Lang::tr{'vpn'} => "$Lang::tr{'vpn'}", $Lang::tr{'web proxy'} => "$Lang::tr{'web proxy'}", 'OpenVPN' => "OpenVPN", - "$Lang::tr{'intrusion detection system'} (GREEN)" => "$Lang::tr{'intrusion detection system'} (GREEN)", - "$Lang::tr{'intrusion detection system'} (RED)" => "$Lang::tr{'intrusion detection system'} (RED)", - "$Lang::tr{'intrusion detection system'} (ORANGE)" => "$Lang::tr{'intrusion detection system'} (ORANGE)", - "$Lang::tr{'intrusion detection system'} (BLUE)" => "$Lang::tr{'intrusion detection system'} (BLUE)" + "$Lang::tr{'intrusion detection system'}" => "$Lang::tr{'intrusion detection system'}", +); + +# Hash to overwrite the process name of a process if it differs fromt the launch command. +my %overwrite_exename_hash = ( + "suricata" => "Suricata-Main" ); my $lines=0; # Used to count the outputlines to make different bgcolor -my $iface = ''; -if (open(FILE, "${General::swroot}/red/iface")){ - $iface = ; - close FILE; - chomp $iface; -} - -$servicenames{"$Lang::tr{'intrusion detection system'} (RED)"} = "snort_${iface}"; -$servicenames{"$Lang::tr{'intrusion detection system'} (GREEN)"} = "snort_$netsettings{'GREEN_DEV'}"; - -if ($netsettings{'ORANGE_DEV'} ne ''){ - $servicenames{"$Lang::tr{'intrusion detection system'} (ORANGE)"} = "snort_$netsettings{'ORANGE_DEV'}"; -} -if ($netsettings{'BLUE_DEV'} ne ''){ - $servicenames{"$Lang::tr{'intrusion detection system'} (BLUE)"} = "snort_$netsettings{'BLUE_DEV'}"; -} - my @querry = split(/\?/,$ENV{'QUERY_STRING'}); $querry[0] = '' unless defined $querry[0]; $querry[1] = 'hour' unless defined $querry[1]; 
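Review bot: The comment introducing `%overwrite_exename_hash` has a typo (`fromt`); suggest `# Hash to overwrite the process name of a process if it differs from the launch command.` The hash is a file-scope `my` read later inside `isrunning`, which works only while this declaration stays above that sub — a short comment saying the hash is consumed by `isrunning` would protect against a future reordering. Removing the `red/iface` read looks right since the snort-per-interface entries are gone, but confirm nothing else in the file still references `$iface` (the rest of the file is outside the hunk).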
@@ -258,7 +244,20 @@ sub isrunning{ my $memory; $cmd =~ /(^[a-z]+)/; - $exename = $1; + + # Check if the exename needs to be overwritten. + # This happens if the expected process name string + # differs from the real one. This may happened if + # a service uses multiple processes or threads. + if (exists($overwrite_exename_hash{$1})) { + # Grab the string which will be reported by + # the process from the corresponding hash. + $exename = $overwrite_exename_hash{$1}; + } else { + # Directly expect the launched command as + # process name. + $exename = $1; + } if (open(FILE, "/var/run/${cmd}.pid")){ $pid = ; chomp $pid; From d215f6e9809e3a7e0b7356c985803291067d923e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 15 Feb 2019 12:39:56 +0100 Subject: [PATCH 222/259] collectd: Stop collecting process details for snort Signed-off-by: Stefan Schantl --- config/collectd/collectd.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index aea72fc3f..e336a9d3f 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -71,7 +71,6 @@ include "/etc/collectd.precache" Process "squid" Process "squidguard" Process "charon" - Process "snort" Process "openvpn" Process "qemu" Process "rtorrent" From 77c07352a58a67e88a507feba982fe0f73518f59 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 15 Feb 2019 13:26:55 +0100 Subject: [PATCH 223/259] Suricata: Start service on red.up event if requested Signed-off-by: Stefan Schantl --- src/initscripts/networking/red.up/23-suricata | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/initscripts/networking/red.up/23-suricata b/src/initscripts/networking/red.up/23-suricata index d8b7a2b8f..1514909ee 100644 --- a/src/initscripts/networking/red.up/23-suricata +++ b/src/initscripts/networking/red.up/23-suricata 
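Review bot: `$1` is read on the new `exists($overwrite_exename_hash{$1})` line and in both assignments without checking that `$cmd =~ /(^[a-z]+)/` matched; on a failed match `$1` keeps the value of the previous successful match in scope, so a service name that does not start with a lowercase letter could look up and report the wrong process. Capture into a lexical and test it: `my ($base) = ($cmd =~ /^([a-z]+)/);` then `$exename = (defined $base && exists $overwrite_exename_hash{$base}) ? $overwrite_exename_hash{$base} : $base;`. Also `This may happened` in the new comment should read `This may happen`. `isrunning` starts and ends outside the hunk.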
@@ -26,5 +26,8 @@ if($ids_settings{'ENABLE_IDS'} eq "on") { if(&IDS::ids_is_running()) { # Call suricatactrl to perform a restart of suricata. &IDS::call_suricatactrl("restart"); + } else { + # Call suricatactrl to start suricata. + &IDS::call_suricatactrl("start"); } } From 20b4c4d863d40f4b6cc1fd68eed17d1214a05f9e Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 18 Feb 2019 10:01:47 +0100 Subject: [PATCH 224/259] suricata: Swith to "16" as repeat-mark and repeat-mask. Marks "1-3" are used for marking source-natted packets on the interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec. See commit: f5ad510e3c0f416a1507999f5ad20ab171df9c07 Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 67b9e8a7d..4fbd32b85 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -117,8 +117,8 @@ logging: nfq: mode: repeat - repeat-mark: 2 - repeat-mask: 2 + repeat-mark: 16 + repeat-mask: 16 # bypass-mark: 1 # bypass-mask: 1 # route-queue: 2 diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 458aed44d..d2c758660 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass " network_zones=( red green blue orange ) # Mark and Mask options. -MARK="0x2" -MASK="0x2" +MARK="0x16" +MASK="0x16" # PID file of suricata. PID_FILE="/var/run/suricata.pid" From 7c3b7cdcca852e4f5e5ee46b5291b8ba522535ec Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 18 Feb 2019 10:55:27 +0100 Subject: [PATCH 225/259] ids-functions.pl: Tune rules to always monitor in both directions. This will allow to scan the traffic from an EXTERNAL_NET to the HOME_NET and from the HOME_NET to the EXTERNAL_NET. Reference: 10273 
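Review bot: `MARK="0x16"`/`MASK="0x16"` in the initscript is hexadecimal 0x16 = 22 (bits 0x02, 0x04 and 0x10), whereas `suricata.yaml` in the same commit sets `repeat-mark: 16`/`repeat-mask: 16` in decimal (= 0x10), so the two sides disagree, and 0x16 also overlaps the marks 2 and 4 that the commit message says are reserved for NAT and TOS/QoS. The initscript should read `MARK="0x10"` and `MASK="0x10"`, and both files would benefit from a comment naming the bit in the same notation (`# mark bit 0x10 (decimal 16), see suricata.yaml nfq.repeat-mark`). The lines that hand these values to iptables are outside the hunk, so I cannot see whether they are interpreted as hex or decimal there.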
Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 042a97691..016c0e49d 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -742,6 +742,9 @@ sub write_modify_sids_file($) { # Write file header. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + # Tune rules to monitor in both directions. + print FILE "modifysid \* \"\-\>\" \| \"\<\>\"\n"; + # Check if the traffic only should be monitored. unless($ruleaction eq "alert") { # Tell oinkmaster to switch all rules from alert to drop. From 06f57f72309f268d4f6b3490b33912813fbf1f1e Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 18 Feb 2019 10:28:13 +0000 Subject: [PATCH 226/259] general-functions.pl: Only skip lines with a # at the beginning This accidientially dropped all lines that include #. That resulted in colour codes not being loaded from file any more. Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/cfgroot/general-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 2d3eb73d7..04e36969c 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -151,7 +151,7 @@ sub readhash chop; # Skip comments. - next if ($_ =~ /\#/); + next if ($_ =~ /^#/); ($var, $val) = split /=/, $_, 2; if ($var) From d0f9526beb718ca934de9f8cea749bec4b04f3ad Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 18 Feb 2019 13:29:47 +0100 Subject: [PATCH 227/259] ids.cgi: Add language string for ignored hosts section. Fixes #12002. Signed-off-by: Stefan Schantl --- html/cgi-bin/ids.cgi | 2 +- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) 
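Review bot: `modifysid * "->" | "<>"` rewrites every rule to bidirectional, which changes rule semantics rather than just widening coverage: direction is part of how signature authors scope a rule (`$EXTERNAL_NET -> $HOME_NET` paired with `flow:to_server`), and flipping all of them to `<>` can raise false positives and doubles the candidate rule set per packet. If the behaviour is intended to stay, a comment next to the line should record that trade-off. As a point of style the double-quoted Perl string carries needless backslashes (`\*`, `\-`, `\>`, `\|`, `\<` are just the literal characters); `print FILE 'modifysid * "->" | "<>"' . "\n";` emits the same bytes and is readable. `write_modify_sids_file` starts and ends outside the hunk.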
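Review bot: The new `next if ($_ =~ /^#/);` only skips lines whose very first character is `#`, so a comment indented with spaces or tabs is now parsed as a key/value pair and yields a key beginning with whitespace; `next if ($_ =~ /^\s*#/);` keeps the fix while still ignoring indented comments. The `chop;` above it strips the last character unconditionally, so a file without a trailing newline loses one character of its last value — pre-existing, but worth noting while touching this loop. `readhash` starts and ends outside the hunk.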
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 313714486..98c6f57b4 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -927,7 +927,7 @@ END # # Whitelist / Ignorelist # -&Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'}); +&Header::openbox('100%', 'center', $Lang::tr{'ids ignored hosts'}); print < diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 00862ad2e..3467230d1 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1333,6 +1333,7 @@ 'ids active on' => 'Aktiv auf', 'ids enable' => 'Intrusion-Prevention-System aktivieren', 'ids download new ruleset' => 'Das neue Regelset wird heruntergeladen und entpackt ... Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', +'ids ignored hosts' => 'Ignorierte Hosts', 'ids log viewer' => 'Ansicht IPS-Protokoll', 'ids log hits' => 'Gesamtanzahl der aktivierten Regeln für', 'ids logs' => 'IPS-Protokolldateien', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 5dc248c5a..7e84be392 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1365,6 +1365,7 @@ 'ids download new ruleset' => 'Downloading and unpacking new ruleset ... Please wait until all operations have completed successfully.', 'ids enable' => 'Enable Intrusion Prevention System', 'ids hide' => 'Hide', +'ids ignored hosts' => 'Ignored hosts', 'ids log hits' => 'Total of number of activated rules for', 'ids log viewer' => 'IPS log viewer', 'ids logs' => 'IPS Logs', From 5d7d8749dc005bd883e3b7d53d953f334cdea5b4 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Mon, 18 Feb 2019 13:33:41 +0100 Subject: [PATCH 228/259] convert-snort: Set correct ownership after modify_sids_file has been generated. Signed-off-by: Stefan Schantl --- config/suricata/convert-snort | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 0df5a451a..20ba35310 100644 --- a/config/suricata/convert-snort 
+++ b/config/suricata/convert-snort @@ -209,6 +209,9 @@ if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") { # Call subfunction and pass the desired IDS action. &IDS::write_modify_sids_file($IDS_action); +# Set correct ownership. +&IDS::set_ownership("$IDS::modify_sids_file"); + # ## Step 6: Move rulestarball to its new location. # From cc636c4741e7928276a1a5c7048b4fc0693c7f23 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 22 Feb 2019 10:04:27 +0100 Subject: [PATCH 229/259] convert-snort: Try to download ruleset if none is present. Signed-off-by: Stefan Schantl --- config/suricata/convert-snort | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 20ba35310..ca650b149 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -226,6 +226,14 @@ if (-f $snort_rules_tarball) { # Set correct ownership. &IDS::set_ownership("$IDS::rulestarball"); + +# In case no tarball is present, try to download the ruleset. +} else { + # Check if enought disk space is available. + if(&IDS::checkdiskspace()) { + # Call the download function and grab the new ruleset. + &IDS::downloadruleset(); + } } # @@ -236,6 +244,9 @@ if (-f $snort_rules_tarball) { if (-f $IDS::rulestarball) { # Launch oinkmaster by calling the subfunction. &IDS::oinkmaster(); + + # Set correct ownership for the rulesdir and files. + &IDS::set_ownership("$IDS::rulespath"); } # From 1f3c61b66c77898707791519b837e61b1d2e6ad0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20M=C3=BCller?= Date: Fri, 22 Feb 2019 20:16:00 +0000 Subject: [PATCH 230/259] Suricata: detect TLS traffic on port 444, too MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is the default port for IPFire's administrative web interface and should be monitored by Suricata, too. Signed-off-by: Peter Müller c: Stefan Schantl Acked-by: Michael Tremer 
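Review bot: Setting ownership right after `&IDS::write_modify_sids_file($IDS_action)` fixes this caller, but every other caller of that function would need the same follow-up; unless it is only ever invoked from this privileged converter, putting the `set_ownership` call inside `write_modify_sids_file` itself is the more robust place. The function body lives in ids-functions.pl, outside this hunk, so I cannot see whether it already does so for some paths.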
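Review bot: Both new calls discard their outcome: when `&IDS::checkdiskspace()` returns false nothing is printed, and the result of `&IDS::downloadruleset()` is ignored, so a failed download leaves `$IDS::rulestarball` absent and the later `if (-f $IDS::rulestarball)` silently skips oinkmaster with no message to the operator. Since the converter already prints a reason on its other early exits, an `else { print "Not enough disk space - skipping ruleset download.\n"; }` plus a check of the download function's return value (its contract is in ids-functions.pl, outside the hunk) would make the failure visible. Also `enought` in the new comment should be `enough`.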
Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4fbd32b85..0ff06f4ae 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,465,993,995]" + dp: "[443,444,465,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow From 16446608cbe53bcd0873ed48b907b697441d31d1 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:07 +0000 Subject: [PATCH 231/259] suricata: Set max-pending-packets to 1024 Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 0ff06f4ae..b468c9c14 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -412,11 +412,7 @@ host-mode: auto # Number of packets preallocated per thread. The default is 1024. A higher number # will make sure each CPU will be more easily kept busy, but may negatively # impact caching. -# -# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules -# apply. In that case try something like 60000 or more. This is because the CUDA -# pattern matcher buffers and scans as many packets as possible in parallel. -#max-pending-packets: 1024 +max-pending-packets: 1024 # Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned From 9f726f8f536fb271e00c51ca7d10dac143dd3045 Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:08 +0000 Subject: [PATCH 232/259] suricata: Set default packet size to 1514 We usually use a MTU of 1500 + Ethernet header Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index b468c9c14..c2fd4ebc9 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -434,7 +434,7 @@ max-pending-packets: 1024 # Preallocated size for packet. Default is 1514 which is the classical # size for pcap on ethernet. You should adjust this value to the highest # packet size (MTU + hardware header) on your system. -#default-packet-size: 1514 +default-packet-size: 1514 # Unix command socket can be used to pass commands to suricata. # An external tool can then connect to get information from suricata From 5196d8ddbb097c4485a01a0fee58ade94b7255ac Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:09 +0000 Subject: [PATCH 233/259] suricata: Set detection profile to high This will merge rules more aggressively so that the engine is only processing those that can actually match. Memory is cheap. People with little memory should not run suricata anyways. Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index c2fd4ebc9..86ed44a40 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -745,7 +745,7 @@ decoder: # If the argument specified is 0, the engine uses an internally defined # default limit. On not specifying a value, we use no limits on the recursion. detect: - profile: medium + profile: high custom-values: toclient-groups: 3 toserver-groups: 25 From 75fba6cd248af6925d62452c15d4a21a2a7a204a Mon Sep 17 00:00:00 2001 
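Review bot: `default-packet-size: 1514` fits an untagged Ethernet frame, but the comment directly above says to size it to the largest MTU plus hardware header on the system; VLAN-tagged zones add 4 bytes (1518) and any interface with a larger MTU would exceed it. As far as I know Suricata still processes oversized packets at the cost of a per-packet allocation, so this is a performance rather than a correctness concern, but a comment stating the assumption (`# sized for untagged Ethernet with MTU 1500`) would help whoever later enables VLANs or jumbo frames.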
From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:10 +0000 Subject: [PATCH 234/259] suricata: Drop profiling section from configuration This is not compiled in as it slows down detection and is only really useful for debugging Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 69 ----------------------------------- 1 file changed, 69 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 86ed44a40..ee53ab1a6 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -860,75 +860,6 @@ threading: # detect-thread-ratio: 1.0 -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - # If commented out all the sort options will be used. - #sort: avgticks - - # Limit the number of sids for which stats are shown at exit (per sort). - limit: 10 - - # output to json - json: yes - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - # per rulegroup profiling - rulegroups: - enabled: yes - filename: rule_group_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - - pcap-log: - enabled: no - filename: pcaplog_stats.log - append: yes - ## ## Include other configs ## From bc2cb52953c92ad9209576de316f2076cfdb4caf Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:11 +0000 Subject: [PATCH 235/259] suricata: Drop some commented stuff from configuration The file is really large and we should not carry anything we will never use. Signed-off-by: Michael Tremer 
Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index ee53ab1a6..c0101557f 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -367,29 +367,6 @@ asn1-max-frames: 256 ## ############################################################################## -## -## Run Options -## - -# Run suricata as user and group. -#run-as: -# user: suri -# group: suri - -# Some logging module will use that name in event as identifier. The default -# value is the hostname -#sensor-name: suricata - -# Default location of the pid file. The pid file is only used in -# daemon mode (start Suricata with -D). If not running in daemon mode -# the --pidfile command line option must be used to create a pid file. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On @@ -859,12 +836,3 @@ threading: # thread will always be created. # detect-thread-ratio: 1.0 - -## -## Include other configs -## - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml From fe5bd1862f2dfce5b3123ed2d2bbb5a360f1cd40 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:12 +0000 Subject: [PATCH 236/259] suricata: Drop sections that require Rust Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 9 --------- 1 file changed, 9 deletions(-) 
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index c0101557f..d7b3c94c4 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -192,10 +192,6 @@ app-layer: # smb2 detection is disabled internally inside the engine. #smb2: # enabled: yes - # Note: NFS parser depends on Rust support: pass --enable-rust - # to configure. - nfs: - enabled: no dns: # memcaps. Globally and per flow/state. #global-memcap: 16mb @@ -352,11 +348,6 @@ app-layer: dp: 44818 sp: 44818 - # Note: parser depends on experimental Rust support - # with --enable-rust-experimental passed to configure - ntp: - enabled: no - # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 From cf976e93c419d2c268979397ec87e05a2b8b7636 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:14 +0000 Subject: [PATCH 237/259] suricata: Allow 32MB of RAM for DNS decoding Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index d7b3c94c4..6ecd4e179 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -194,12 +194,12 @@ app-layer: # enabled: yes dns: # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb + global-memcap: 32mb + state-memcap: 512kb # How many unreplied DNS requests are considered a flood. # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 + request-flood: 512 tcp: enabled: yes From 682f1fdaca919284af877894aecd1282595c1430 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:16 +0000 Subject: [PATCH 238/259] suricata: We do not use any IP reputation lists Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 6 ------ 1 file changed, 6 deletions(-) 
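Review bot: `request-flood: 512` changes the DNS flood threshold from the previously commented default of 500, yet the commit message only mentions the memcap; if the new threshold is intentional, say why in the message or in the comment above it, otherwise keep 500 so the `dns.flooded` event fires as before. `state-memcap: 512kb` merely uncomments the existing default, which is fine.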
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 6ecd4e179..44cdd8940 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -433,12 +433,6 @@ legacy: # - reject # - alert -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - # When run with the option --engine-analysis, the engine will read each of # the parameters below, and print reports for each of the enabled sections # and exit. The reports are printed to a file in the default log dir From 0e28ea9f3e72e0f4db9274c3b7021711d0c0c258 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:17 +0000 Subject: [PATCH 239/259] suricata: Log to syslog Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/etc/syslog.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/etc/syslog.conf b/config/etc/syslog.conf index d5f525a0e..b2b548969 100644 --- a/config/etc/syslog.conf +++ b/config/etc/syslog.conf @@ -5,7 +5,7 @@ # Log anything (except mail) of level info or higher. # Don't log private authentication messages! # local0.* any dhcpcd log (even debug) in messages -cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.* -/var/log/messages +cron.none;daemon.*;local0.*;local2.*;local5.*;*.info;mail.none;authpriv.* -/var/log/messages # Log crons #cron.* -/var/log/cron.log From 83b576c892c82652b0b56efc200e52fd1dee30f9 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:18 +0000 Subject: [PATCH 240/259] suricata: Use the correct path for the magic database Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 44cdd8940..1a10613af 100644 --- a/config/suricata/suricata.yaml 
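Review bot: `*.info` in the same selector already routes `local5` messages at info and above into `/var/log/messages`, so the added `local5.*` only adds debug-level output from the engine; if the aim was to get Suricata's engine log into messages, the existing rule already did that, and if the aim is debug output, the log level in suricata.yaml controls that volume. Routing `local5.*` to its own file instead would let IDS engine logs be searched and rotated independently of the system log, which is usually what an incident reviewer wants.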
+++ b/config/suricata/suricata.yaml @@ -414,9 +414,8 @@ unix-command: enabled: no #filename: custom.socket -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -#magic-file: +# Magic file +magic-file: /usr/share/misc/magic.mgc legacy: uricontent: enabled From 7eed864c93d143ef943b9f3f8bdf7b40a440cb71 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:19 +0000 Subject: [PATCH 241/259] suricata: Use 64MB of RAM for defragmentation Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 1a10613af..494d59aad 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -474,27 +474,13 @@ host-os-policy: # Defrag settings: defrag: - memcap: 32mb + memcap: 64mb hash-size: 65536 trackers: 65535 # number of defragmented flows to follow max-frags: 65535 # number of fragments to keep (higher than trackers) prealloc: yes timeout: 60 -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - # Flow settings: # By default, the reserved memory (memcap) for flows is 32MB. This is the limit # for flow allocation inside the engine. You can change this value to allow From 47cb057145c76d5faf7987de9e779bf07a029336 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:20 +0000 Subject: [PATCH 242/259] suricata: Use up to 256MB of RAM for the flow cache Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
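Review bot: The removed comment said that `.mgc` is appended to the configured value, and the new value already ends in `.mgc`; whether the loader then tries `magic.mgc.mgc` first and falls back to the plain name depends on libmagic, so verify with `suricata -T` that the database actually loads rather than file-type detection silently degrading. A comment such as `# libmagic database used for file-type detection; verify with suricata -T after changing` would record the expectation.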
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 494d59aad..255ce1a33 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -502,12 +502,12 @@ defrag: # in bytes. flow: - memcap: 128mb + memcap: 256mb hash-size: 65536 prealloc: 10000 emergency-recovery: 30 - #managers: 1 # default to one flow manager - #recyclers: 1 # default to one flow recycler thread + managers: 1 + recyclers: 1 # This option controls the use of vlan ids in the flow (and defrag) # hashing. Normally this should be enabled, but in some (broken) From ab1444b4f4b9324e96fbb240929334b27611e12f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:21 +0000 Subject: [PATCH 243/259] suricata: Log to syslog like a normal process Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 255ce1a33..7eb8027b2 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -108,7 +108,7 @@ logging: - syslog: enabled: yes facility: local5 - format: "[%i] <%d> -- " + format: "" # type: json ## From 0b340f0938e5f292f74f5f2e60b3d46d473f2096 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:22 +0000 Subject: [PATCH 244/259] suricata: Increase memory size for the stream engine This change also ensures that suricata has a decent number of streams preallocated to be able to handle any bursts in traffic. Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 7eb8027b2..013105910 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
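Review bot: `format: ""` drops the whole `[%i] <%d>` prefix, i.e. both the pid and the timestamp; the timestamp is redundant with syslog's own, but unless the syslog ident carries the pid, `%i` was the only way to tell messages from a restarting or duplicate instance apart during log review. If that distinction matters, `format: "[%i] "` keeps it while still removing the duplicated date.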
@@ -627,7 +627,8 @@ flow-timeouts: # # is used in a rule. # stream: - memcap: 64mb + memcap: 256mb + prealloc-sessions: 4k checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly: @@ -636,10 +637,9 @@ stream: toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #segment-prealloc: 2048 - #check-overlap-different-data: true + raw: yes + segment-prealloc: 2048 + check-overlap-different-data: true # Host table: # From 890f1bf2954328f5e811757754d815dedf6f92c1 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:23 +0000 Subject: [PATCH 245/259] suricata: Disable decoding for Teredo This decoder is not very accurate and Teredo has been disabled in Windows by default. Nobody will use this. Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 013105910..369ed2ab2 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -665,7 +665,7 @@ decoder: # Teredo decoder is known to not be completely accurate # it will sometimes detect non-teredo as teredo. teredo: - enabled: true + enabled: false ## From 99d75ac72e66928f5218c222b0b3fd8fbfba179f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:24 +0000 Subject: [PATCH 246/259] suricata: Start capture first and then load rules Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 369ed2ab2..083fc5411 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
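Review bot: Setting `enabled: false` under `decoder.teredo` means any IPv6 carried inside Teredo is no longer decoded, so such flows are seen only as opaque UDP and none of the IPv6, TCP or app-layer rules apply to them; the commit message's rationale that nobody uses it is an assumption about the deployment rather than a property of the decoder. The comment kept above the option still only explains the false-positive problem, so the trade-off being accepted is not recorded in the file. Suggest extending that comment with `# Disabled: IPv6 tunnelled in Teredo is then not decoded or inspected; the false-positive rate was judged worse than the coverage loss.`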
@@ -698,9 +698,10 @@ detect: toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture # is started. This will limit the downtime in IPS mode. - #delayed-detect: yes + delayed-detect: yes prefilter: # default prefiltering setting. "mpm" only creates MPM/fast_pattern From c9ee3592f00f0edc9467643a27ba1505cc8f879a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 14:28:25 +0000 Subject: [PATCH 247/259] suricata: Fix syntax error Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 083fc5411..9e2221b03 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -628,7 +628,7 @@ flow-timeouts: # stream: memcap: 256mb - prealloc-sessions: 4k + prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically reassembly: From 5d04cfe7d582bc58a4e4f9995fe5f67fcc456456 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 28 Feb 2019 19:37:38 +0000 Subject: [PATCH 248/259] suricata: Use highest bit to mark packets We are using the netfilter MARK in IPsec & QoS and this is causing conflicts. Therefore, we use the highest bit in the IPS chain now and clear it afterwards because we do not really care about this after the packets have been passed through suricata. Then, no other application has to worry about suricata. Fixes: #12010 Signed-off-by: Arne Fitzenreiter Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 4 ++-- src/initscripts/system/suricata | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 9e2221b03..d3ebbcfe4 100644 
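Review bot: `delayed-detect: yes` starts the NFQUEUE capture before the signatures are loaded, so in this IPS setup there is, as far as I can tell, a window at every start and reload during which traffic is passed through without detection. That window is the price of the reduced downtime the comment mentions, and it grows with the size of the rule set, so it should be stated next to the option rather than left implicit. Suggest `# Traffic passed while signatures are still loading is not inspected; accepted to avoid blocking the network at start-up.` on the line above the setting.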
--- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -117,8 +117,8 @@ logging: nfq: mode: repeat - repeat-mark: 16 - repeat-mask: 16 + repeat-mark: 1879048192 + repeat-mask: 1879048192 # bypass-mark: 1 # bypass-mask: 1 # route-queue: 2 diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index d2c758660..e755dfaff 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,8 @@ NFQ_OPTS="--queue-bypass " network_zones=( red green blue orange ) # Mark and Mask options. -MARK="0x16" -MASK="0x16" +MARK="0x70000000" +MASK="0x70000000" # PID file of suricata. PID_FILE="/var/run/suricata.pid" @@ -88,6 +88,9 @@ function generate_fw_rules { iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS fi done + + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" } # Function to flush the firewall chain. From 96495c9aa2a46896ebb5cbbdfa5fd4b961864215 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 2 Mar 2019 17:18:37 +0000 Subject: [PATCH 249/259] Revert "Suricata: detect DNS events on port 853, too" This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae. It does not make any sense to try to decode the TLS connection with the DNS decoder. Therefore should 853 (TCP only) be added to the TLS decoder. Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index d3ebbcfe4..767f84074 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
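Review bot: The new values are not "the highest bit" as the commit message and the `# Clear repeat bit` comment state: 1879048192 is 0x70000000, which sets bits 28–30, so the yaml hunk and the `MARK`/`MASK` hunk in `src/initscripts/system/suricata` reserve three mark bits, not one. Either the intended single bit is `0x80000000` (2147483648) in both files, or the commit message and the comment should say that the upper three bits are reserved; the distinction matters because any other component using those bits (the commit names IPsec and QoS) would collide with the repeat marking. The same constant is now written twice in different bases, and the old pair already disagreed (`0x16` is 22, the yaml had 16), so a comment in the initscript such as `# Must match nfq.repeat-mark/repeat-mask in suricata.yaml` would help keep them in sync. The `generate_fw_rules` function that the clearing rule is appended to starts outside the hunk.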
@@ -140,7 +140,7 @@ app-layer: tls: enabled: yes detection-ports: - dp: "[443,444,465,993,995]" + dp: "[443,444,465,853,993,995]" # Completely stop processing TLS/SSL session after the handshake # completed. If bypass is enabled this will also trigger flow @@ -204,11 +204,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 udp: enabled: yes detection-ports: - dp: "[53,853]" + dp: 53 http: enabled: yes # memcap: 64mb From 8efbd71caad61912817c5cf28974364a34dc6390 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Sat, 2 Mar 2019 17:18:38 +0000 Subject: [PATCH 250/259] suricata: Configure HTTP decoder This will now scan all request and response bodies where possible and use up to 256MB of RAM Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 66 +++-------------------------------- 1 file changed, 5 insertions(+), 61 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 767f84074..84c4aa2a7 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -211,7 +211,7 @@ app-layer: dp: 53 http: enabled: yes - # memcap: 64mb + memcap: 256mb # default-config: Used when no server-config matches # personality: List of personalities used by default 
@@ -225,32 +225,6 @@ app-layer: # Limit to how many layers of compression will be # decompressed. Defaults to 2. # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # # Currently Available Personalities: # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, # IIS_7_0, IIS_7_5, Apache_2 
@@ -260,14 +234,8 @@ app-layer: # Can be specified in kb, mb, gb. Just a number indicates # it's in bytes. - request-body-limit: 100kb - response-body-limit: 100kb - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 40kb - response-body-inspect-window: 16kb + request-body-limit: 0 + response-body-limit: 0 # response body decompression (0 disables) response-body-decompress-layer-limit: 2 @@ -278,41 +246,17 @@ app-layer: # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes + randomize-inspection-sizes: yes # If randomize-inspection-sizes is active, the value of various # inspection size will be choosen in the [1 - range%, 1 + range%] # range # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 + randomize-inspection-range: 10 # decoding double-decode-path: no double-decode-query: no - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field # Only Modbus message length (greater than Modbus header length) # And Protocol ID (equal to 0) are checked in probing parser From 26c758cf4870d834dfe4d20bb2ce76f701befd61 Mon Sep 17 00:00:00 2001 
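Review bot: `request-body-limit: 0` and `response-body-limit: 0` make body reassembly per transaction unbounded, so the only cap left is the 256mb `memcap` set for HTTP earlier in this series; once that is exhausted further bodies are no longer buffered for inspection, and a single peer sending very large bodies can push the engine into that state for all other flows. The removed `request-body-minimal-inspect-size`, `request-body-inspect-window` and their response counterparts also silently fall back to the engine's built-in defaults, which the commit message does not mention. If unlimited reassembly is the intended policy, say so in the comment above the two lines and name the HTTP memcap counter in the stats output (`http.memcap`, if I recall the counter name correctly) as the signal that inspection is being skipped; otherwise a finite but larger limit than the removed 100kb is the safer choice.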
From: Michael Tremer Date: Sat, 2 Mar 2019 17:18:39 +0000 Subject: [PATCH 251/259] suricata: Drop parsers I have never heard of Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 84c4aa2a7..8b4ab8c3b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -257,40 +257,6 @@ app-layer: double-decode-path: no double-decode-query: no - # Note: Modbus probe parser is minimalist due to the poor significant field - # Only Modbus message length (greater than Modbus header length) - # And Protocol ID (equal to 0) are checked in probing parser - # It is important to enable detection port and define Modbus port - # to avoid false positive - modbus: - # How many unreplied Modbus requests are considered a flood. - # If the limit is reached, app-layer-event:modbus.flooded; will match. - #request-flood: 500 - - enabled: no - detection-ports: - dp: 502 - # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it - # is recommended to keep the TCP connection opened with a remote device - # and not to open and close it for each MODBUS/TCP transaction. In that - # case, it is important to set the depth of the stream reassembling as - # unlimited (stream.reassembly.depth: 0) - - # Stream reassembly size for modbus. By default track it completely. - stream-depth: 0 - - # DNP3 - dnp3: - enabled: no - detection-ports: - dp: 20000 - - # SCADA EtherNet/IP and CIP protocol support - enip: - enabled: no - detection-ports: - dp: 44818 - sp: 44818 # Limit for the maximum number of asn1 frames to decode (default 256) asn1-max-frames: 256 From b051eb68b6c12f619b1c3a76009d41ad59550b6b Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 3 Mar 2019 15:10:02 +0100 Subject: [PATCH 252/259] libcap-ng: New package 
Signed-off-by: Stefan Schantl --- config/rootfiles/common/libcap-ng | 44 +++++++++++++++++ lfs/libcap-ng | 80 +++++++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 125 insertions(+) create mode 100644 config/rootfiles/common/libcap-ng create mode 100644 lfs/libcap-ng diff --git a/config/rootfiles/common/libcap-ng b/config/rootfiles/common/libcap-ng new file mode 100644 index 000000000..9c0b5e156 --- /dev/null +++ b/config/rootfiles/common/libcap-ng 
@@ -0,0 +1,44 @@ +#usr/bin/captest +#usr/bin/filecap +#usr/bin/netcap +#usr/bin/pscap +#usr/include/cap-ng.h +#usr/lib/libcap-ng.la +#usr/lib/libcap-ng.so +usr/lib/libcap-ng.so.0 +usr/lib/libcap-ng.so.0.0.0 +#usr/lib/pkgconfig/libcap-ng.pc +#usr/lib/python2.7/site-packages/_capng.la +#usr/lib/python2.7/site-packages/_capng.so +#usr/lib/python2.7/site-packages/capng.py +#usr/lib/python2.7/site-packages/capng.pyc +#usr/lib/python2.7/site-packages/capng.pyo +#usr/lib/python3.6/site-packages/__pycache__/capng.cpython-36.opt-1.pyc +#usr/lib/python3.6/site-packages/__pycache__/capng.cpython-36.pyc +#usr/lib/python3.6/site-packages/_capng.la +#usr/lib/python3.6/site-packages/_capng.so +#usr/lib/python3.6/site-packages/capng.py +#usr/share/aclocal/cap-ng.m4 +#usr/share/man/man3/capng_apply.3 +#usr/share/man/man3/capng_capability_to_name.3 +#usr/share/man/man3/capng_change_id.3 +#usr/share/man/man3/capng_clear.3 +#usr/share/man/man3/capng_fill.3 +#usr/share/man/man3/capng_get_caps_fd.3 +#usr/share/man/man3/capng_get_caps_process.3 +#usr/share/man/man3/capng_have_capabilities.3 +#usr/share/man/man3/capng_have_capability.3 +#usr/share/man/man3/capng_lock.3 +#usr/share/man/man3/capng_name_to_capability.3 +#usr/share/man/man3/capng_print_caps_numeric.3 +#usr/share/man/man3/capng_print_caps_text.3 +#usr/share/man/man3/capng_restore_state.3 +#usr/share/man/man3/capng_save_state.3 +#usr/share/man/man3/capng_set_caps_fd.3 +#usr/share/man/man3/capng_setpid.3 +#usr/share/man/man3/capng_update.3 +#usr/share/man/man3/capng_updatev.3 +#usr/share/man/man8/captest.8 +#usr/share/man/man8/filecap.8 +#usr/share/man/man8/netcap.8 +#usr/share/man/man8/pscap.8 diff --git a/lfs/libcap-ng b/lfs/libcap-ng new file mode 100644 index 000000000..0cbe3e634 --- /dev/null +++ b/lfs/libcap-ng 
@@ -0,0 +1,80 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.7.9 + +THISAPP = libcap-ng-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 2398d695508fab9ce33668c53a89b0e9 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst 
%,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-static + + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 122aeebd0..690922e22 100755 --- a/make.sh +++ b/make.sh @@ -1220,6 +1220,7 @@ buildipfire() { lfsmake2 attr lfsmake2 acl lfsmake2 libcap + lfsmake2 libcap-ng lfsmake2 pciutils lfsmake2 usbutils lfsmake2 libxml2 From 1fbf0788bf66da1b93774a19d4b0db52b0fdfc73 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 10 Mar 2019 13:27:52 +0100 Subject: [PATCH 253/259] Move IDS/IPS menu entry to firewall section Fixes #12011. Signed-off-by: Stefan Schantl --- config/menu/40-services.menu | 5 ----- config/menu/50-firewall.menu | 5 +++++ 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/menu/40-services.menu b/config/menu/40-services.menu index 2f4d96e73..83ce3bc1f 100644 --- a/config/menu/40-services.menu +++ b/config/menu/40-services.menu @@ -25,11 +25,6 @@ 'title' => "Quality of Service", 'enabled' => 1, }; - $subservices->{'60.ids'} = {'caption' => $Lang::tr{'intrusion detection'}, - 'enabled' => 1, - 'uri' => '/cgi-bin/ids.cgi', - 'title' => "$Lang::tr{'intrusion detection system'}", - }; $subservices->{'70.extrahd'} = {'caption' => "ExtraHD", 'enabled' => 1, 'uri' => '/cgi-bin/extrahd.cgi', diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index 7271b3212..77642b0ac 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu 
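Review bot: The configure line in `lfs/libcap-ng` builds the Python bindings (the rootfile in this commit then comments out `_capng.so` and `capng.py` for both Python 2.7 and 3.6), so the build depends on whatever Python happens to be in the build root while none of it is shipped; passing `--without-python` (and the Python 3 counterpart, if this libcap-ng version offers one — please check `./configure --help`) would make the package deterministic and smaller. The `captest`, `filecap`, `netcap` and `pscap` tools are likewise built and dropped, which is fine for a library-only package but worth recording with `# Only the shared library is shipped; tools and bindings are excluded in the rootfile.` above the configure line.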
@@ -40,6 +40,11 @@ 'title' => "Universal Plug and Play", 'enabled' => 0, }; + $subfirewall->{'80.ids'} = {'caption' => $Lang::tr{'intrusion detection'}, + 'uri' => '/cgi-bin/ids.cgi', + 'title' => "$Lang::tr{'intrusion detection system'}", + 'enabled' => 1, + }; $subfirewall->{'90.iptables'} = { 'caption' => $Lang::tr{'ipts'}, 'uri' => '/cgi-bin/iptables.cgi', From 2bec60c34725c759c98f4da276fc8149162b3397 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 10 Mar 2019 17:34:03 +0100 Subject: [PATCH 254/259] suricata: Update to 4.1.3 Signed-off-by: Stefan Schantl --- config/rootfiles/common/suricata | 64 +++++++++++++++++++++----------- config/suricata/suricata.yaml | 13 +++++++ lfs/suricata | 4 +- 3 files changed, 58 insertions(+), 23 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 32aa54dbb..859879db0 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata 
@@ -1,44 +1,66 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata +#usr/bin/suricatactl #usr/bin/suricatasc +#usr/lib/python2.7/site-packages/suricata +#usr/lib/python2.7/site-packages/suricata-4.1.3-py2.7.egg-info +#usr/lib/python2.7/site-packages/suricata/__init__.py +#usr/lib/python2.7/site-packages/suricata/__init__.pyc +#usr/lib/python2.7/site-packages/suricata/config +#usr/lib/python2.7/site-packages/suricata/config/__init__.py +#usr/lib/python2.7/site-packages/suricata/config/__init__.pyc +#usr/lib/python2.7/site-packages/suricata/config/defaults.py +#usr/lib/python2.7/site-packages/suricata/config/defaults.pyc +#usr/lib/python2.7/site-packages/suricata/ctl +#usr/lib/python2.7/site-packages/suricata/ctl/__init__.py +#usr/lib/python2.7/site-packages/suricata/ctl/__init__.pyc +#usr/lib/python2.7/site-packages/suricata/ctl/filestore.py +#usr/lib/python2.7/site-packages/suricata/ctl/filestore.pyc +#usr/lib/python2.7/site-packages/suricata/ctl/loghandler.py +#usr/lib/python2.7/site-packages/suricata/ctl/loghandler.pyc +#usr/lib/python2.7/site-packages/suricata/ctl/main.py +#usr/lib/python2.7/site-packages/suricata/ctl/main.pyc +#usr/lib/python2.7/site-packages/suricata/ctl/test_filestore.py +#usr/lib/python2.7/site-packages/suricata/ctl/test_filestore.pyc +#usr/lib/python2.7/site-packages/suricata/sc +#usr/lib/python2.7/site-packages/suricata/sc/__init__.py +#usr/lib/python2.7/site-packages/suricata/sc/__init__.pyc +#usr/lib/python2.7/site-packages/suricata/sc/suricatasc.py +#usr/lib/python2.7/site-packages/suricata/sc/suricatasc.pyc #usr/lib/python2.7/site-packages/suricatasc -#usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info #usr/lib/python2.7/site-packages/suricatasc/__init__.py #usr/lib/python2.7/site-packages/suricatasc/__init__.pyc -#usr/lib/python2.7/site-packages/suricatasc/suricatasc.py -#usr/lib/python2.7/site-packages/suricatasc/suricatasc.pyc #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS 
#usr/share/doc/suricata/Basic_Setup.txt -#usr/share/doc/suricata/CentOS5.txt -#usr/share/doc/suricata/CentOS_56_Installation.txt -#usr/share/doc/suricata/Debian_Installation.txt -#usr/share/doc/suricata/Fedora_Core.txt -#usr/share/doc/suricata/FreeBSD_8.txt #usr/share/doc/suricata/GITGUIDE -#usr/share/doc/suricata/HTP_library_installation.txt #usr/share/doc/suricata/INSTALL #usr/share/doc/suricata/INSTALL.PF_RING #usr/share/doc/suricata/INSTALL.WINDOWS -#usr/share/doc/suricata/Installation_from_GIT_with_PCRE-JIT.txt -#usr/share/doc/suricata/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt -#usr/share/doc/suricata/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt -#usr/share/doc/suricata/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt -#usr/share/doc/suricata/Installation_with_CUDA_on_Scientific_Linux_6.txt -#usr/share/doc/suricata/Installation_with_CUDA_on_Ubuntu_server_1104.txt -#usr/share/doc/suricata/Installation_with_PF_RING.txt -#usr/share/doc/suricata/Mac_OS_X_106x.txt #usr/share/doc/suricata/NEWS -#usr/share/doc/suricata/OpenBSD_Installation_from_GIT.txt #usr/share/doc/suricata/README #usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt #usr/share/doc/suricata/TODO #usr/share/doc/suricata/Third_Party_Installation_Guides.txt -#usr/share/doc/suricata/Ubuntu_Installation.txt -#usr/share/doc/suricata/Ubuntu_Installation_from_GIT.txt -#usr/share/doc/suricata/Windows.txt #usr/share/man/man1/suricata.1 +#usr/share/suricata +#usr/share/suricata/rules +#usr/share/suricata/rules/app-layer-events.rules +#usr/share/suricata/rules/decoder-events.rules +#usr/share/suricata/rules/dnp3-events.rules +#usr/share/suricata/rules/dns-events.rules +#usr/share/suricata/rules/files.rules +#usr/share/suricata/rules/http-events.rules +#usr/share/suricata/rules/ipsec-events.rules +#usr/share/suricata/rules/kerberos-events.rules +#usr/share/suricata/rules/modbus-events.rules +#usr/share/suricata/rules/nfs-events.rules 
+#usr/share/suricata/rules/ntp-events.rules +#usr/share/suricata/rules/smb-events.rules +#usr/share/suricata/rules/smtp-events.rules +#usr/share/suricata/rules/stream-events.rules +#usr/share/suricata/rules/tls-events.rules var/lib/suricata var/lib/suricata/classification.config var/lib/suricata/reference.config diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 8b4ab8c3b..539ef38dd 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -20,6 +20,7 @@ vars: DNS_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" DNP3_SERVER: "$HOME_NET" DNP3_CLIENT: "$HOME_NET" MODBUS_CLIENT: "$HOME_NET" @@ -62,6 +63,14 @@ stats: # the loggers are invoked. interval: 8 + # Add decode events as stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + # Configure the type of alert (and other) logging you would like. outputs: # a line based alerts log similar to Snort's fast.log @@ -137,6 +146,10 @@ nfq: # "detection-only" enables protocol detection only (parser disabled). app-layer: protocols: + krb5: + enabled: no # Requires rust + ikev2: + enabled: yes tls: enabled: yes detection-ports: diff --git a/lfs/suricata b/lfs/suricata index 2e7a5c5dc..8a1e50240 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 4.0.6 +VER = 4.1.3 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = e8e9a401fef3b3ca1027c268c38c8f4b +$(DL_FILE)_MD5 = 35c4a8e6be3910831649a073950195df install : $(TARGET) From 38081b8be19b56b7298d5a01e7218b774759406c Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Sat, 2 Mar 2019 17:26:34 +0000 Subject: [PATCH 255/259] suricata: Run as non-root user This patch does not have any effect (yet) and is untested because suricata needs to be built against libcap-ng which is currently not being packaged for IPFire. Signed-off-by: Michael Tremer Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 539ef38dd..3b50157bf 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -281,6 +281,15 @@ asn1-max-frames: 256 ## ############################################################################## +## +## Run Options +## + +# Run suricata as user and group. +run-as: + user: suricata + group: suricata + # Suricata core dump configuration. Limits the size of the core dump file to # approximately max-dump. The actual core dump size will be a multiple of the # page size. Core dumps that would be larger than max-dump are truncated. On From fd378b3b08f8458fd7c32e9eb0e2566de53ed02a Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 10 Mar 2019 18:50:37 +0100 Subject: [PATCH 256/259] Rename snort user and group to suricata This only affects new installations. Signed-off-by: Stefan Schantl --- config/etc/group | 2 +- config/etc/passwd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/etc/group b/config/etc/group index 198b68aa3..b9a6c403f 100644 --- a/config/etc/group +++ b/config/etc/group @@ -26,7 +26,7 @@ pcap:x:77: wbpriv:x:88:squid nobody:x:99: users:x:100: -snort:x:101: +suricata:x:101: logwatch:x:102: cron:x:104: syslogd:x:105: diff --git a/config/etc/passwd b/config/etc/passwd index 7eb4718f1..a42a264b8 100644 --- a/config/etc/passwd +++ b/config/etc/passwd 
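Review bot: The `run-as` block is only honoured when suricata is built with libcap-ng, and this series does not change `lfs/suricata` to require it, so whether privileges are actually dropped depends on configure auto-detecting the libcap-ng package added in PATCH 252; the commit message still says libcap-ng is not packaged, which is no longer true within this series. Please verify on a built image that `suricata --build-info` reports libcap-ng support and that the running process is owned by `suricata`, because the failure mode without it differs between versions and a silent fallback to root would defeat the change. Documenting the dependency in the yaml, e.g. `# Only effective when suricata is built against libcap-ng.`, would help future readers.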
@@ -10,7 +10,7 @@ stunnel:x:51:51:stunnel Daemon:/var/lib/stunnel:/bin/false sshd:x:74:74:sshd:/var/empty:/bin/false nobody:x:99:99:Nobody:/home/nobody:/bin/false postfix:x:100:100::/var/spool/postfix:/bin/false -snort:x:101:101:ftp:/var/log/snort:/bin/false +suricata:x:101:101:Suricata:/var/log/suricata:/bin/false logwatch:x:102:102::/var/log/logwatch:/bin/false cron:x:104:104::/:/bin/false syslogd:x:105:105:/var/empty:/bin/false From f717b1dc55595b4353fd7d3b44a057d282d19b62 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Sun, 10 Mar 2019 18:52:40 +0100 Subject: [PATCH 257/259] IDS: Set owner of suricata logging directory to correct user Signed-off-by: Stefan Schantl --- lfs/suricata | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lfs/suricata b/lfs/suricata index 8a1e50240..07dfed25b 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -102,5 +102,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Create logging directory. -mkdir -p /var/log/suricata + # Set correct ownership for /var/log/suricata. + chown suricata:suricata /var/log/suricata + @rm -rf $(DIR_APP) @$(POSTBUILD) From e8b1b397c1dd4b158520b8c7905cd66b864c1051 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Wed, 13 Mar 2019 10:03:48 +0100 Subject: [PATCH 258/259] suricata: Remove unneeded stuff during build Signed-off-by: Stefan Schantl --- config/rootfiles/common/suricata | 47 -------------------------------- lfs/suricata | 7 ++++- 2 files changed, 6 insertions(+), 48 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 859879db0..ac48dbce9 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata 
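Review bot: `chown suricata:suricata /var/log/suricata` in `lfs/suricata` and the `run-as` user both require the `suricata` account, but the passwd rename in this hunk (and the matching `config/etc/group` hunk in the same commit) only affects new installations according to its own message, so an upgraded system keeps the `snort` user with `/var/log/snort` as home and neither the chown nor the privilege drop has anything to map to there. Either an update step that renames the account and re-owns the log directory is needed through whatever mechanism the project uses for upgrades, or the initscript should ensure the user exists before starting; I cannot see from this page which path is intended. A comment on the chown line such as `# Build-time only; upgraded systems must be migrated from the snort user separately.` would at least make the gap visible.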
@@ -1,36 +1,6 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata -#usr/bin/suricatactl -#usr/bin/suricatasc -#usr/lib/python2.7/site-packages/suricata -#usr/lib/python2.7/site-packages/suricata-4.1.3-py2.7.egg-info -#usr/lib/python2.7/site-packages/suricata/__init__.py -#usr/lib/python2.7/site-packages/suricata/__init__.pyc -#usr/lib/python2.7/site-packages/suricata/config -#usr/lib/python2.7/site-packages/suricata/config/__init__.py -#usr/lib/python2.7/site-packages/suricata/config/__init__.pyc -#usr/lib/python2.7/site-packages/suricata/config/defaults.py -#usr/lib/python2.7/site-packages/suricata/config/defaults.pyc -#usr/lib/python2.7/site-packages/suricata/ctl -#usr/lib/python2.7/site-packages/suricata/ctl/__init__.py -#usr/lib/python2.7/site-packages/suricata/ctl/__init__.pyc -#usr/lib/python2.7/site-packages/suricata/ctl/filestore.py -#usr/lib/python2.7/site-packages/suricata/ctl/filestore.pyc -#usr/lib/python2.7/site-packages/suricata/ctl/loghandler.py -#usr/lib/python2.7/site-packages/suricata/ctl/loghandler.pyc -#usr/lib/python2.7/site-packages/suricata/ctl/main.py -#usr/lib/python2.7/site-packages/suricata/ctl/main.pyc -#usr/lib/python2.7/site-packages/suricata/ctl/test_filestore.py -#usr/lib/python2.7/site-packages/suricata/ctl/test_filestore.pyc -#usr/lib/python2.7/site-packages/suricata/sc -#usr/lib/python2.7/site-packages/suricata/sc/__init__.py -#usr/lib/python2.7/site-packages/suricata/sc/__init__.pyc -#usr/lib/python2.7/site-packages/suricata/sc/suricatasc.py -#usr/lib/python2.7/site-packages/suricata/sc/suricatasc.pyc -#usr/lib/python2.7/site-packages/suricatasc -#usr/lib/python2.7/site-packages/suricatasc/__init__.py -#usr/lib/python2.7/site-packages/suricatasc/__init__.pyc #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS #usr/share/doc/suricata/Basic_Setup.txt 
@@ -44,23 +14,6 @@ usr/bin/suricata
 #usr/share/doc/suricata/TODO
 #usr/share/doc/suricata/Third_Party_Installation_Guides.txt
 #usr/share/man/man1/suricata.1
-#usr/share/suricata
-#usr/share/suricata/rules
-#usr/share/suricata/rules/app-layer-events.rules
-#usr/share/suricata/rules/decoder-events.rules
-#usr/share/suricata/rules/dnp3-events.rules
-#usr/share/suricata/rules/dns-events.rules
-#usr/share/suricata/rules/files.rules
-#usr/share/suricata/rules/http-events.rules
-#usr/share/suricata/rules/ipsec-events.rules
-#usr/share/suricata/rules/kerberos-events.rules
-#usr/share/suricata/rules/modbus-events.rules
-#usr/share/suricata/rules/nfs-events.rules
-#usr/share/suricata/rules/ntp-events.rules
-#usr/share/suricata/rules/smb-events.rules
-#usr/share/suricata/rules/smtp-events.rules
-#usr/share/suricata/rules/stream-events.rules
-#usr/share/suricata/rules/tls-events.rules
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
diff --git a/lfs/suricata b/lfs/suricata
index 07dfed25b..0a561ef8b 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -78,7 +78,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	--disable-gccmarch-native \
 	--enable-non-bundled-htp \
 	--enable-nfqueue \
-	--disable-static
+	--disable-static \
+	--disable-python \
+	--disable-suricata-update
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	cd $(DIR_APP) && make install-conf
@@ -89,6 +91,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install IPFire related config file.
 	install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
 
+	# Remove shipped rules.
+	rm -rvf /usr/share/suricata
+
 	# Create emtpy rules directory.
 	-mkdir -p /var/lib/suricata
 
From e776d33c7018a314acfb8909e9581a26d544d7e7 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Wed, 13 Mar 2019 12:14:30 +0100
Subject: [PATCH 259/259] suricata: Fix amount of listened nfqueues
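Review bot: `rm -rvf /usr/share/suricata` removes the engine's own event signature files (decoder-events, stream-events, app-layer-events and the other *-events.rules listed in the rootfiles hunk of this commit), not just a directory of third-party rules; if the installed suricata.yaml does not reference equivalents under /var/lib/suricata, decoder and stream anomaly events will never alert. That is worth confirming against the shipped config, and the comment should say what replaces them, e.g. `# Remove shipped rules; rule sets are managed by IPFire under /var/lib/suricata.`. The `-v` only adds build-log noise, and the bare absolute path is consistent with the other install steps in this recipe. The rest of the `$(TARGET)` recipe is outside the hunk.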
Signed-off-by: Stefan Schantl
---
 src/initscripts/system/suricata | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index e755dfaff..ae434df65 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -107,7 +107,7 @@ case "$1" in
 
 		# Numer of NFQUES.
 		NFQUEUES=
-		for i in $(seq 0 $cpu_count); do
+		for i in $(seq 0 $((cpu_count-1)) ); do
 			NFQUEUES+="-q $i "
 		done
 
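Review bot: `seq 0 $((cpu_count-1))` yields nothing when cpu_count is empty or 0 (`seq 0 -1` prints no numbers), so NFQUEUES stays empty and suricata is started without any `-q` option rather than failing loudly; a guard before the loop, `[ "${cpu_count:-0}" -ge 1 ] || cpu_count=1`, keeps at least one queue. How cpu_count is derived is outside the hunk, so I cannot tell whether that case is already excluded. The queue ids generated here also have to match the NFQUEUE `--queue-balance` range the firewall rules use — packets queued to a number nobody listens on are dropped by default — so that side should be driven from the same variable; it is not visible from here. While touching the loop, the comment typo `# Numer of NFQUES.` could become `# Number of NFQUEUEs, one per CPU.`.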
