Merge remote-tracking branch 'stevee/next-suricata' into next

src/initscripts/networking/red.up/23-suricata

@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+#
+# Helper script to regenerate the file which contains the HOME_NET declaration
+# including the assigned IP-address of red and any configured aliases.
+
+use strict;
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/ids-functions.pl";
+
+# Hash to store the IDS settings.
+my %ids_settings = ();
+
+# Read-in IDS settings.
+&General::readhash("$IDS::ids_settings_file", \%ids_settings);
+
+# Check if suricata is enabled.
+if($ids_settings{'ENABLE_IDS'} eq "on") {
+	# Regenerate the file with HOME_NET details.
+	&IDS::generate_home_net_file();
+
+	# Set correct ownership.
+	&IDS::set_ownership("$IDS::homenet_file");
+
+	# Check if suricata is running.
+	if(&IDS::ids_is_running()) {
+		# Call suricatactrl to perform a restart of suricata.
+		&IDS::call_suricatactrl("restart");
+	} else {
+		# Call suricatactrl to start suricata.
+		&IDS::call_suricatactrl("start");
+	}
+}

src/initscripts/system/firewall

@@ -185,6 +185,12 @@ iptables_init() {
 	iptables -A INPUT -j GUARDIAN
 	iptables -A FORWARD -j GUARDIAN
 
+	# IPS (suricata) chains
+	iptables -N IPS
+	iptables -A INPUT -j IPS
+	iptables -A FORWARD -j IPS
+	iptables -A OUTPUT -j IPS
+
 	# Block non-established IPsec networks
 	iptables -N IPSECBLOCK
 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK

src/initscripts/system/snort

@@ -1,146 +0,0 @@
-#!/bin/sh
-########################################################################
-# Begin $rc_base/init.d/snort
-#
-# Description : Snort Initscript
-#
-# Authors     : Michael Tremer for ipfire.org - mitch@ipfire.org
-#
-# Version     : 01.00
-#
-# Notes       :
-#
-########################################################################
-
-. /etc/sysconfig/rc
-. ${rc_functions}
-
-PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
-
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
-
-ALIASFILE="/var/ipfire/ethernet/aliases"
-
-case "$1" in
-        start)
-		if [ "$BLUE_NETADDRESS" ]; then
-			BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK,"
-			BLUE_IP="$BLUE_ADDRESS,"
-		fi
-
-		if [ "$ORANGE_NETADDRESS" ]; then
-			ORANGE_NET="$ORANGE_NETADDRESS/$ORANGE_NETMASK,"
-			ORANGE_IP="$ORANGE_ADDRESS,"
-		fi
-
-		if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then
-			DEVICES+="$ORANGE_DEV "
-			HOMENET+="$ORANGE_IP"
-		else
-			HOMENET+="$ORANGE_NET"
-		fi
-
-		if [ "$ENABLE_SNORT_BLUE" == "on" ]; then
-			DEVICES+="$BLUE_DEV "
-			HOMENET+="$BLUE_IP"
-		else
-			HOMENET+="$BLUE_NET"
-		fi
-
-		if [ "$ENABLE_SNORT_GREEN" == "on" ]; then
-			DEVICES+="$GREEN_DEV "
-			HOMENET+="$GREEN_ADDRESS,"
-		else
-			HOMENET+="$GREEN_NETADDRESS/$GREEN_NETMASK,"
-		fi
-
-		if [ "$ENABLE_SNORT" == "on" ]; then
-			DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
-			LOCAL_IP=`cat /var/ipfire/red/local-ipaddress 2>/dev/null`
-			if [ "$LOCAL_IP" ]; then
-				HOMENET+="$LOCAL_IP,"
-			fi
-
-			# Check if the red device is set to static and
-			# any aliases have been configured.
-			if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then
-				# Read in aliases file.
-				while IFS="," read -r address mode remark; do
-					# Check if the alias is enabled.
-					[ "${mode}" = "on" ] || continue
-
-					# Add alias to the list of HOMENET addresses.
-					HOMENET+="${address},"
-				done < "${ALIASFILE}"
-			fi
-		fi
-		HOMENET+="127.0.0.1"
-		echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars
-
-		DNS1=`cat /var/ipfire/red/dns1 2>/dev/null`
-		DNS2=`cat /var/ipfire/red/dns2 2>/dev/null`
-
-		if [ "$DNS2" ]; then
-			echo "ipvar DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars
-		else
-			echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars
-		fi
-
-                for DEVICE in $DEVICES; do
-                        boot_mesg "Starting Intrusion Detection System on $DEVICE..."
-                        /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
-                        evaluate_retval
-			sleep 1
-                        chmod 644 /var/run/snort_$DEVICE.pid
-                done
-	;;
-
-        stop)
-               DEVICES=""
-               if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
-                 DEVICES+="$BLUE_DEV "
-               fi
-               
-               if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
-                 DEVICES+="$GREEN_DEV "
-              fi
-             
-              if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
-                 DEVICES+="$ORANGE_DEV "
-              fi
-      
-              RED=`cat /var/ipfire/red/iface 2>/dev/null`
-              if [ -r /var/run/snort_$RED.pid ]; then
-                 DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
-              fi
-       
-              for DEVICE in $DEVICES; do
-                 boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
-                 killproc -p /var/run/snort_$DEVICE.pid /var/run
-              done
-              
-              rm /var/run/snort_* >/dev/null 2>/dev/null
-
-		# Don't report returncode of rm if snort was not started
-		exit 0
-        ;;
-                
-        status)
-                statusproc /usr/sbin/snort
-                ;;
-                
-        restart)
-                $0 stop
-                $0 start
-                ;;
-                
-        *)
-                echo "Usage: $0 {start|stop|restart|status}"
-                exit 1
-                ;;
-esac
-
-chmod 644 /var/log/snort/* 2>/dev/null
-
-# End $rc_base/init.d/snort

src/initscripts/system/suricata

@@ -0,0 +1,174 @@
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/suricata
+#
+# Description : Suricata Initscript
+#
+# Author      : Stefan Schantl <stefan.schantl@ipfire.org>
+#
+# Version     : 01.00
+#
+# Notes       :
+#
+########################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
+
+eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
+
+# Name of the firewall chain.
+FW_CHAIN="IPS"
+
+# Optional options for the Netfilter queue.
+NFQ_OPTS="--queue-bypass "
+
+# Array containing the 4 possible network zones.
+network_zones=( red green blue orange )
+
+# Mark and Mask options.
+MARK="0x70000000"
+MASK="0x70000000"
+
+# PID file of suricata.
+PID_FILE="/var/run/suricata.pid"
+
+# Function to get the amount of CPU cores of the system.
+function get_cpu_count {
+	CPUCOUNT=0
+
+	# Loop through "/proc/cpuinfo" and count the amount of CPU cores.
+	while read line; do
+		[ "$line" ] && [ -z "${line%processor*}" ]  && ((CPUCOUNT++))
+	done </proc/cpuinfo
+
+	echo $CPUCOUNT
+}
+
+# Function to create the firewall rules to pass the traffic to suricata.
+function generate_fw_rules {
+	cpu_count=$(get_cpu_count)
+
+	# Flush the firewall chain.
+	iptables -F "$FW_CHAIN"
+
+	# Loop through the array of network zones.
+	for zone in "${network_zones[@]}"; do
+		# Convert zone into upper case.
+		zone_upper=${zone^^}
+
+		# Generate variable name for checking if the IDS is
+		# enabled on the zone.
+		enable_ids_zone="ENABLE_IDS_$zone_upper"
+
+		# Check if the IDS is enabled for this network zone.
+		if [ "${!enable_ids_zone}" == "on" ]; then
+			# Generate name of the network interface.
+			network_device=$zone
+			network_device+="0"
+
+			# Assign NFQ_OPTS
+			NFQ_OPTIONS=$NFQ_OPTS
+
+			# Check if there are multiple cpu cores available.
+			if [ "$cpu_count" -gt "1" ]; then
+				# Balance beetween all queues.
+				NFQ_OPTIONS+="--queue-balance 0:"
+				NFQ_OPTIONS+=$(($cpu_count-1))
+			else
+				# Send all packets to queue 0.
+				NFQ_OPTIONS+="--queue-num 0"
+			fi
+
+			# Create firewall rules to queue the traffic and pass to
+			# the IDS.
+			iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+			iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+		fi
+	done
+
+	# Clear repeat bit, so that it does not confuse IPsec or QoS
+	iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}"
+}
+
+# Function to flush the firewall chain.
+function flush_fw_chain {
+	# Call iptables and flush the chain
+	iptables -F "$FW_CHAIN"
+}
+
+case "$1" in
+        start)
+		# Get amount of CPU cores.
+		cpu_count=$(get_cpu_count)
+
+		# Numer of NFQUES.
+		NFQUEUES=
+
+		for i in $(seq 0 $((cpu_count-1)) ); do
+			NFQUEUES+="-q $i "
+		done
+
+		# Check if the IDS should be started.
+		if [ "$ENABLE_IDS" == "on" ]; then
+			# Start the IDS.
+			boot_mesg "Starting Intrusion Detection System..."
+			/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
+			evaluate_retval
+
+			# Allow reading the pidfile.
+			chmod 644 $PID_FILE
+
+			# Flush the firewall chain
+			flush_fw_chain
+
+			# Generate firewall rules
+			generate_fw_rules
+		fi
+	;;
+
+        stop)
+		boot_mesg "Stopping Intrusion Detection System..."
+		killproc -p $PID_FILE /var/run
+
+		# Flush firewall chain.
+		flush_fw_chain
+
+		# Remove suricata control socket.              
+		rm /var/run/suricata/* >/dev/null 2>/dev/null
+
+		# Don't report returncode of rm if suricata was not started
+		exit 0
+        ;;
+                
+        status)
+                statusproc /usr/bin/suricata
+                ;;
+                
+        restart)
+                $0 stop
+                $0 start
+                ;;
+	reload)
+		# Send SIGUSR2 to the suricata process to perform a reload
+		# of the ruleset.
+		kill -USR2 $(pidof suricata)
+
+		# Flush the firewall chain.
+		flush_fw_chain
+
+		# Generate firewall rules.
+		generate_fw_rules
+		;;
+                
+        *)
+                echo "Usage: $0 {start|stop|restart|reload|status}"
+                exit 1
+                ;;
+esac
+
+chmod 644 /var/log/suricata/* 2>/dev/null
+
+# End $rc_base/init.d/suricata