Merge remote-tracking branch 'stevee/next-suricata' into next

html/cgi-bin/aliases.cgi

@@ -33,6 +33,7 @@ use strict;
 require '/var/ipfire/general-functions.pl';	# replace /var/ipcop with /var/ipcop in case of manual install
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
+require "${General::swroot}/ids-functions.pl";
 
 my $configfwdfw		= "${General::swroot}/firewall/config";
 my $configinput		= "${General::swroot}/firewall/input";
@@ -105,6 +106,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 	
 	# Rebuild configuration file if needed
 	&BuildConfiguration;
+
+	# Handle suricata related actions.
+	&HandleSuricata();
     }
 
     ERROR:						# Leave the faulty field untouched
@@ -139,6 +143,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
 	
     # Rebuild configuration file
     &BuildConfiguration;
+
+    # Handle Suricata related actions.
+    &HandleSuricata();
 }
 
 if ($settings{'ACTION'} eq $Lang::tr{'add'}) {
@@ -220,6 +227,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) {
 	&SortDataFile;				# sort newly added/modified entry
 
 	&BuildConfiguration;			# then re-build conf which use new data
+
+	# Handle Suricata related actions.
+	&HandleSuricata();
 	
 ##
 ## if entering data line is repetitive, choose here to not erase fields between each addition
@@ -251,6 +261,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'remove'}) {
     &General::log($Lang::tr{'ip alias removed'});
 
     &BuildConfiguration;				# then re-build conf which use new data
+
+    # Handle Suricata related actions.
+    &HandleSuricata();
 }
 
 
@@ -557,3 +570,16 @@ sub BuildConfiguration {
     system '/usr/local/bin/setaliases';
 }
 
+#
+## Handle Suricata related actions.
+#
+sub HandleSuricata() {
+	# Check if suricata is running.
+	if(&IDS::ids_is_running()) {
+		# Re-generate file which contains the HOME_NET declaration.
+		&IDS::generate_home_net_file();
+
+		# Call suricatactrl to perform a restart of suricata.
+		&IDS::call_suricatactrl("restart");
+	}
+}

html/cgi-bin/logs.cgi/ids.dat

@@ -157,7 +157,7 @@ if ($multifile) {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'export'})
 {
 	print "Content-type: text/plain\n\n";
-	print "IPFire IDS snort log\r\n";
+	print "IPFire IPS log\r\n";
 	print "Date: $cgiparams{'DAY'} $longmonths[$cgiparams{'MONTH'}]\r\n"; 
 	print "\r\n";
 
@@ -167,6 +167,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'export'})
 	{
 		my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
 		$refs =~ s/,$//;
+
+		# Skip event if no datetime and title are available.
+		next unless (($datetime) && ($title));
+
 		print "Date: $datetime\n";
 		print "Name: $title\n";
 		print "Priority: $priority\n";
@@ -250,7 +254,7 @@ END
 &Header::closebox();
 
 &Header::openbox('100%', 'left', $Lang::tr{'log'});
-print "<p><b>$Lang::tr{'snort hits'} $longmonthstr $daystr: $lines</b></p>";
+print "<p><b>$Lang::tr{'ids log hits'} $longmonthstr $daystr: $lines</b></p>";
 
 if ($start == -1) {
         $start = $lines - ${Header::viewsize}; }
@@ -285,6 +289,10 @@ foreach $_ (@slice)
 	else {
 		print "<tr bgcolor='$color{'color22'}'><td>\n"; }
 	my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
+
+	# Only show the current event if at least datetime and title are available.
+	next unless (($datetime) && ($title));
+
 	print <<END
 <table width='100%'>
 <tr>
@@ -351,7 +359,7 @@ END
 	}
 print <<END
 </tr>
-</table>
+</table><br>
 </td></tr>
 END
 	;
@@ -375,11 +383,26 @@ sub processevent
 	our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
 
 	my $filestr='';
+	my $readmode='';
 	if ($datediff==0) {
-		$filestr="/var/log/snort/alert";
+		# If there is no datediff, directly assign the suricata fast.log.
+		$filestr="/var/log/suricata/fast.log";
 	} else {
-		$filestr="/var/log/snort/alert.$datediff";
-		$filestr = "$filestr.gz" if -f "$filestr.gz";
+		# If there is a datediff, assign the datediff to the filestring.
+		$filestr="/var/log/suricata/fast.log.$datediff";
+
+		# The files are compressed add the extension to the filestring.
+		$filestr="$filestr.gz";
+
+		# If the file does not exist, try to fallback to legacy snort alert file.
+		unless (-f $filestr) {
+			# Assign snort alert file, the datediff and extension for compressed file.
+			$filestr = "/var/log/snort/alert.$datediff";
+			$filestr = "$filestr.gz";
+
+			# Assign "snort" as readmode.
+			$readmode="snort";
+		}
 	}
 	if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
 		$errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
@@ -388,15 +411,26 @@ sub processevent
 
 		while(<LOG>) {
 			$line++;
-			if ($_ =~ m/\[\*\*\]/) {
+			if (($_ =~ m/\[\*\*\]/) && ($readmode eq "snort")) {
 				unless ($line == 1 || $date ne "$monthstr/$daystr") {
 					&append;
 					$line = 1;
 				}
-				($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+				($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
 				@refs = ();
 				$_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
 				$title = &Header::cleanhtml($2,"y");
+			} else {
+				&append;
+				$line = 1;
+
+				# Assign default values.
+				($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+				@refs = ();
+
+				# Gather title details from line.
+				$_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
+				$title = &Header::cleanhtml($2,"y");
 			}
 			if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
 				$classification = &Header::cleanhtml($1,"y");
@@ -413,7 +447,7 @@ sub processevent
 				$destport = $10;
 			}
 
-			if ($_  =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
+			if ($_  =~ m/^([0-9\/]{3,10})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
 				($date,$time) = ($1,$2);
 			}
 			if ($_ =~ m/\[Xref \=\>.*\]/) {

html/cgi-bin/logs.cgi/log.dat

@@ -63,10 +63,11 @@ my %sections = (
         'ipsec' => '(ipsec_[\w_]+: |pluto\[.*\]: |charon: |vpnwatch: )',
         'kernel' => '(kernel: (?!DROP_))',
         'ntp' => '(ntpd(?:ate)?\[.*\]: )',
+	'oinkmaster' => '(oinkmaster\[.*\]: )',
         'openvpn' => '(openvpnserver\[.*\]: |.*n2n\[.*\]: )',
         'pakfire' => '(pakfire:)',
         'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])',
-        'snort' => '(snort\[.*\]: )',
+        'suricata' => '(suricata\[.*\]: )',
         'squid' => '(squid\[.*\]: |squid: )',
         'ssh' => '(sshd(?:\(.*\))?\[.*\]: )',
         'unbound' => '(unbound: \[.*:.*\])(.*:.*$)',
@@ -90,10 +91,11 @@ my %trsections = (
         'ipsec' => 'IPSec',
         'kernel' => "$Lang::tr{'kernel'}",
         'ntp' => 'NTP',
+	'oinkmaster' => 'Oinkmaster',
         'openvpn' => 'OpenVPN',
         'pakfire' => 'Pakfire',
         'red' => 'RED',
-        'snort' => "$Lang::tr{'intrusion detection'}",
+        'suricata' => "$Lang::tr{'intrusion detection'}",
         'squid' => "$Lang::tr{'web proxy'}",
         'ssh' => 'SSH',
         'unbound' => 'DNS: Unbound',

html/cgi-bin/services.cgi

@@ -56,6 +56,7 @@ my %servicenames =(
 	$Lang::tr{'secure shell server'} => 'sshd',
 	$Lang::tr{'vpn'} => 'charon',
 	$Lang::tr{'web proxy'} => 'squid',
+	$Lang::tr{'intrusion detection system'} => 'suricata',
 	'OpenVPN' => 'openvpn'
 );
 
@@ -71,31 +72,16 @@ my %link =(
 	$Lang::tr{'vpn'} => "<a href=\'vpnmain.cgi\'>$Lang::tr{'vpn'}</a>",
 	$Lang::tr{'web proxy'} => "<a href=\'proxy.cgi\'>$Lang::tr{'web proxy'}</a>",
 	'OpenVPN' => "<a href=\'ovpnmain.cgi\'>OpenVPN</a>",
-	"$Lang::tr{'intrusion detection system'} (GREEN)" => "<a href=\'ids.cgi\'>$Lang::tr{'intrusion detection system'} (GREEN)</a>",
-	"$Lang::tr{'intrusion detection system'} (RED)" => "<a href=\'ids.cgi\'>$Lang::tr{'intrusion detection system'} (RED)</a>",
-	"$Lang::tr{'intrusion detection system'} (ORANGE)" => "<a href=\'ids.cgi\'>$Lang::tr{'intrusion detection system'} (ORANGE)</a>",
-	"$Lang::tr{'intrusion detection system'} (BLUE)" => "<a href=\'ids.cgi\'>$Lang::tr{'intrusion detection system'} (BLUE)</a>"
+	"$Lang::tr{'intrusion detection system'}" => "<a href=\'ids.cgi\'>$Lang::tr{'intrusion detection system'}</a>",
+);
+
+# Hash to overwrite the process name of a process if it differs fromt the launch command.
+my %overwrite_exename_hash = (
+	"suricata" => "Suricata-Main"
 );
 
 my $lines=0; # Used to count the outputlines to make different bgcolor
 
-my $iface = '';
-if (open(FILE, "${General::swroot}/red/iface")){
-	$iface = <FILE>;
-	close FILE;
-	chomp $iface;
-}
-
-$servicenames{"$Lang::tr{'intrusion detection system'} (RED)"}   = "snort_${iface}";
-$servicenames{"$Lang::tr{'intrusion detection system'} (GREEN)"} = "snort_$netsettings{'GREEN_DEV'}";
-
-if ($netsettings{'ORANGE_DEV'} ne ''){
-	$servicenames{"$Lang::tr{'intrusion detection system'} (ORANGE)"} = "snort_$netsettings{'ORANGE_DEV'}";
-}
-if ($netsettings{'BLUE_DEV'} ne ''){
-	$servicenames{"$Lang::tr{'intrusion detection system'} (BLUE)"} = "snort_$netsettings{'BLUE_DEV'}";
-}
-
 my @querry = split(/\?/,$ENV{'QUERY_STRING'});
 $querry[0] = '' unless defined $querry[0];
 $querry[1] = 'hour' unless defined $querry[1];
@@ -258,7 +244,20 @@ sub isrunning{
 	my $memory;
 
 	$cmd =~ /(^[a-z]+)/;
-	$exename = $1;
+
+	# Check if the exename needs to be overwritten.
+	# This happens if the expected process name string
+	# differs from the real one. This may happened if
+	# a service uses multiple processes or threads.
+	if (exists($overwrite_exename_hash{$1})) {
+		# Grab the string which will be reported by
+		# the process from the corresponding hash.
+		$exename = $overwrite_exename_hash{$1};
+	} else {
+		# Directly expect the launched command as
+		# process name.
+		$exename = $1;
+	}
 
 	if (open(FILE, "/var/run/${cmd}.pid")){
 		$pid = <FILE>; chomp $pid;