Merge branch 'master-IDSv3' into temp-c164-development

config/backup/backup.pl

@@ -159,6 +159,12 @@ restore_backup() {
 		rm -rf "/var/ipfire/snort"
 	fi
 
+	# IDS multiple providers converter.
+	if [ -e "/var/ipfire/suricata/rules-settings" ]; then
+		# Run the converter
+		convert-ids-multiple-providers
+	fi
+
 	# Convert DNS settings
 	convert-dns-settings
 

config/backup/include

@@ -49,7 +49,7 @@
 /var/ipfire/qos/bin/qos.sh
 /var/ipfire/suricata/*.conf
 /var/ipfire/suricata/*.yaml
-/var/ipfire/suricata/rules-settings
+/var/ipfire/suricata/providers-settings
 /var/ipfire/*/settings
 /var/ipfire/time/
 /var/ipfire/urlfilter
@@ -59,4 +59,5 @@
 /var/log/rrd/*
 /var/log/rrd/collectd
 /var/log/vnstat
-/var/tmp/idsrules.tar.gz
+/var/tmp/idsrules-*.tar.gz
+/var/tmp/idsrules-*.rules

config/oinkmaster/oinkmaster.conf

@@ -182,11 +182,8 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 # files from included files. Example to load stuff from "/etc/foo.conf".
 # include /etc/foo.conf
 
-# Include file for enabled sids.
-include /var/ipfire/suricata/oinkmaster-enabled-sids.conf
-
-# Include file for disabled sids.
-include /var/ipfire/suricata/oinkmaster-disabled-sids.conf
+# Include file for provider specific includes.
+include /var/ipfire/suricata/oinkmaster-provider-includes.conf
 
 # Include file which defines the runmode of suricata.
 include /var/ipfire/suricata/oinkmaster-modify-sids.conf

config/rootfiles/common/configroot

@@ -4,6 +4,7 @@ usr/sbin/convert-portfw
 usr/sbin/convert-snort
 usr/sbin/convert-xtaccess
 usr/sbin/convert-ids-modifysids-file
+usr/sbin/convert-ids-multiple-providers
 usr/sbin/firewall-policy
 #var/ipfire
 var/ipfire/addon-lang

config/suricata/convert-ids-multiple-providers

@@ -0,0 +1,284 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2021 IPFire Development Team <info@ipfire.org>                #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+use strict;
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/ids-functions.pl";
+
+# Old file declarations
+my $old_rules_settings_file = "$IDS::settingsdir/rules-settings";
+my $old_used_rulefiles_file = "$IDS::settingsdir/suricata-used-rulefiles.yaml";
+my $old_enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf";
+my $old_disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf";
+my $old_rules_tarball = "/var/tmp/idsrules.tar.gz";
+
+# Script wide variable to store the used ruleset provider.
+my $ruleset_provider;
+
+# Hashes to store the old and new settings.
+my %old_rules_settings = ();
+my %idssettings = ();
+my %providers_settings = ();
+
+exit unless(-f $IDS::ids_settings_file and -f $old_rules_settings_file);
+
+# Read-in all settings.
+&General::readhash($old_rules_settings_file, \%old_rules_settings);
+&General::readhash($IDS::ids_settings_file, \%idssettings);
+
+#
+## Step 1: Create new file layout
+#
+&IDS::check_and_create_filelayout();
+
+#
+## Step 2: Migrate automatic update interval.
+#
+
+# Get old configured autoupdate interval.
+my $autoupdate_interval = $old_rules_settings{'AUTOUPDATE_INTERVAL'};
+
+# Check for valid intervals.
+if ($autoupdate_interval eq "off" || $autoupdate_interval eq "daily" || $autoupdate_interval eq "weekly") {
+	# Put the setting to the new configuration location.
+	$idssettings{'AUTOUPDATE_INTERVAL'} = $autoupdate_interval;
+} else {
+	# Swith to default which should be weekly.
+	$idssettings{'AUTOUPDATE_INTERVAL'} = "weekly";
+}
+
+# Store the updated idssettings file.
+&General::writehash($IDS::ids_settings_file, \%idssettings);
+
+#
+## Step 3: Migrate the providers settings.
+#
+
+# Try to get the previously configured provider.
+$ruleset_provider = $old_rules_settings{'RULES'};
+
+# Exit the script if no ruleset provider has configured.
+exit unless ($ruleset_provider);
+
+# Defaults.
+my $id = "1";
+my $enabled = "enabled";
+my $autoupdate_status = "enabled";
+
+# Try to get a configured subscription code.
+my $subscription_code = $old_rules_settings{'OINKCODE'};
+
+# Check if the autoupdate should be disabled.
+if ($idssettings{'AUTOUPDATE_INTERVAL'} eq "off") {
+	# Set the autoupdate for the provider to disabled.
+	$autoupdate_status = "disabled";
+}
+
+# Create and assign the provider structure to the providers hash.
+$providers_settings{$id} = [ "$ruleset_provider", "$subscription_code", "$autoupdate_status", "$enabled" ];
+
+# Write the converted provider settings to the new providers-settings file.
+&General::writehasharray($IDS::providers_settings_file, \%providers_settings);
+
+# Set correct ownership.
+&IDS::set_ownership("$IDS::providers_settings_file");
+
+# Remove old rules settings file.
+unlink($old_rules_settings_file);
+
+#
+## Step 4: Rename downloaded rulestarball to new name sheme.
+#
+
+# Check if a rulestarball exists.
+if (-f $old_rules_tarball) {
+	# Load perl module which contains the move command.
+	use File::Copy;
+
+	# Call function to generate the path and filename for the new rules tarball name.
+	my $new_rules_tarball = &IDS::_get_dl_rulesfile($ruleset_provider);
+
+	# Move the rulestarball to the new location.
+	move($old_rules_tarball, $new_rules_tarball);
+
+	# Set correct ownership.
+	&IDS::set_ownership("$new_rules_tarball");
+}
+
+#
+## Step 5: Migrate oinkmaster configuration files for enabled and disabled rules.
+#
+
+# Read-in old enabled / disabled sids files.
+my %enabled_disabled_sids = (
+	&IDS::read_enabled_disabled_sids_file($old_enabled_sids_file),
+	&IDS::read_enabled_disabled_sids_file($old_disabled_sids_file)
+);
+
+# Check if any modifications have been done.
+if (%enabled_disabled_sids) {
+	# Get path and filename for new file.
+	my $oinkmaster_provider_modified_sids_file = &IDS::get_oinkmaster_provider_modified_sids_file($ruleset_provider);
+
+	# Open the new file for writing.
+	open (FILE, ">", $oinkmaster_provider_modified_sids_file) or die "Could not write to $oinkmaster_provider_modified_sids_file. $!\n";
+
+	# Write header to the files.
+	print PROVIDER_MOD_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+	# Loop through the hash.
+	foreach my $sid (keys %enabled_disabled_sids) {
+		# Check if the sid is enabled.
+		if ($enabled_disabled_sids{$sid} eq "enabled") {
+			# Print the sid as enabled to the file.
+			print FILE "enablesid $sid\n";
+		# Check if the sid is disabled.
+		} elsif ($enabled_disabled_sids{$sid} eq "disabled") {
+			# Print the sid as disabled to the file.
+			print FILE "disablesid $sid\n";
+		# Something strange happende - skip the current sid.
+		} else {
+			next;
+		}
+	}
+
+	# Close the file handle.
+	close(FILE);
+
+	# Add the provider modifications file to the oinkmaster provider includes file.
+	&IDS::alter_oinkmaster_provider_includes_file("add", "$ruleset_provider");
+
+	# Set correct ownership for the new generated file.
+	&IDS::set_ownership("$oinkmaster_provider_modified_sids_file");
+}
+
+# Set correct ownership for the main file.
+&IDS::set_ownership("$IDS::oinkmaster_provider_includes_file");
+
+# Remove old files.
+unlink($old_enabled_sids_file);
+unlink($old_disabled_sids_file);
+
+#
+## Step 6: Call oinkmaster and regenerate the ruleset structures.
+#
+&IDS::oinkmaster();
+
+# Set correct ownerships.
+&IDS::set_ownership("$IDS::rulespath");
+
+#
+## Step 7: Migrate used rulefiles into new format.
+#
+
+# Check if the a used rulesfile exists.
+if (-f $old_used_rulefiles_file) {
+	# Array to collect the used rulefiles.
+	my @used_rulefiles = ();
+
+	# Open the file or used rulefiles and read-in content.
+	open(FILE, $old_used_rulefiles_file) or die "Could not open $old_used_rulefiles_file. $!\n";
+
+	while (<FILE>) {
+		# Assign the current line to a nice variable.
+		my $line = $_;
+
+		# Remove newlines.
+		chomp($line);
+
+		# Skip comments.
+		next if ($line =~ /\#/);
+
+		# Skip blank  lines.
+		next if ($line =~ /^\s*$/);
+
+		# Gather the rulefile.
+		if ($line =~ /.*- (.*)/) {
+			my $rulefile = $1;
+
+			# Skip whitelist.rules and local.rules
+			next if ($rulefile eq "whitelist.rules" || $rulefile eq "local.rules");
+
+			# Splitt the filename into chunks.
+			my @filename = split("-", $rulefile);
+
+			# Reverse the array.
+			@filename = reverse(@filename);
+
+			# Get the amount of elements in the array.
+			my $elements = @filename;
+
+			# Remove last element of the hash.
+			# It contains the vendor name, which will be replaced.
+			if ($elements >= 3) {
+				# Remove last element from hash.
+				pop(@filename);
+			}
+
+			# Check if the last element of the filename does not
+			# contain the providers name.
+			if ($filename[-1] ne "$ruleset_provider") {
+				# Add provider name as last element.
+				push(@filename, $ruleset_provider);
+			}
+
+			# Reverse the array back.
+			@filename = reverse(@filename);
+
+			# Generate the name for the rulesfile.
+			$rulefile = join("-", @filename);
+
+			# Add the rulefile to the array of used rulesfiles.
+			push(@used_rulefiles, $rulefile);
+		}
+	}
+
+	# Close the file.
+	close(FILE);
+
+	# Write the new provider exclusive used rulesfiles file.
+	&IDS::write_used_provider_rulefiles_file($ruleset_provider, @used_rulefiles);
+
+	# Write main used rulefiles file.
+	&IDS::write_main_used_rulefiles_file("$ruleset_provider");
+
+	# Get the provider specific used rulefiles file name.
+	my $provider_used_rulefiles_file = &IDS::get_used_provider_rulesfile_file($ruleset_provider);
+
+	# Set correct ownerships.
+	&IDS::set_ownership("$provider_used_rulefiles_file");
+	&IDS::set_ownership("$IDS::suricata_used_providers_file");
+	&IDS::set_ownership("$IDS::suricata_default_rulefiles_file");
+}
+
+# Remove old used rulefiles file.
+unlink($old_used_rulefiles_file);
+
+#
+## Step 8: Reload the IDS ruleset if running.
+#
+
+# Check if the IDS is running.
+if(&IDS::ids_is_running()) {
+	# Call suricatactrl to restart it.
+	&IDS::call_suricatactrl("restart");
+}

config/suricata/convert-snort

@@ -118,14 +118,10 @@ my %snortsettings;
 #
 # Add default value for MONITOR_TRAFFIC_ONLY which will be "on"
 # when migrating from snort to the new IDS.
-my %idssettings = (
-	"MONITOR_TRAFFIC_ONLY" => "on",
-);
-
-# Hash which contains the RULES settings.
 #
 # Set default value for UPDATE_INTERVAL to weekly.
-my %rulessettings = (
+my %idssettings = (
+	"MONITOR_TRAFFIC_ONLY" => "on",
 	"AUTOUPDATE_INTERVAL" => "weekly",
 );
 
@@ -159,17 +155,27 @@ foreach my $zone (@network_zones) {
 	}
 }
 
-# Grab the choosen ruleset from snort settings hash and store it in the rules
-# settings hash.
-$rulessettings{"RULES"} = $snortsettings{"RULES"};
+# Hash to store the provider settings.
+my %providersettings = ();
+
+# Default ID.
+$id = "1";
+
+# Grab the choosen ruleset from snort settings hash.
+my $provider = $snortsettings{"RULES"};
+my $subscription_code;
 
 # Check if an oinkcode has been provided.
 if($snortsettings{"OINKCODE"}) {
-	# Take the oinkcode from snort settings hash and store it in the rules
-	# settings hash.
-	$rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"};
+	# Take the oinkcode from snort settings hash.
+	$subscription_code = $snortsettings{"OINKCODE"};
 }
 
+# Generate providers config line and add it to the provider settings hash.
+#
+# Enabled automatic ruleste updates and the usage of the provider.
+$providersettings{$id} = [ "$provider", "$subscription_code", "enabled", "enabled" ];
+
 #
 ## Step 4: Import guardian settings and whitelist if the addon is installed.
 #
@@ -225,8 +231,8 @@ if (-f $guardian_meta) {
 # Write IDS settings.
 &General::writehash("$IDS::ids_settings_file", \%idssettings);
 
-# Write rules settings.
-&General::writehash("$IDS::rules_settings_file", \%rulessettings);
+# Write provider settings.
+&General::writehash("$IDS::providers_settings_file", \%providersettings);
 
 #
 ## Step 6: Generate and write the file to modify the ruleset.
@@ -242,16 +248,19 @@ if (-f $guardian_meta) {
 ## Step 7: Move rulestarball to its new location.
 #
 
+# Grab file and path to store the provider rules tarball.
+my $rulestarball = &IDS::_get_dl_rulesfile($provider);
+
 # Check if a rulestarball has been downloaded yet.
 if (-f $snort_rules_tarball) {
 	# Load perl module which contains the move command.
 	use File::Copy;
 
 	# Move the rulestarball to the new location.
-	move($snort_rules_tarball, $IDS::rulestarball);
+	move($snort_rules_tarball, $rulestarball);
 
 	# Set correct ownership.
-	&IDS::set_ownership("$IDS::rulestarball");
+	&IDS::set_ownership("$rulestarball");
 
 # In case no tarball is present, try to download the ruleset.
 } else {
@@ -270,7 +279,7 @@ if (-f $snort_rules_tarball) {
 #
 
 # Check if a rulestarball is present.
-if (-f $IDS::rulestarball) {
+if (-f $rulestarball) {
 	# Launch oinkmaster by calling the subfunction.
 	&IDS::oinkmaster();
 
@@ -312,10 +321,10 @@ if (-f $IDS::rulestarball) {
 ## Step 12: Setup automatic ruleset updates.
 #
 
-# Check if a ruleset is configured.
-if($rulessettings{"RULES"}) {
+# Check if a provider is configured.
+if(%providersettings) {
 	# Call suricatactrl and setup the periodic update mechanism.
-	&IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
+	&IDS::call_suricatactrl("cron", $idssettings{'AUTOUPDATE_INTERVAL'});
 }
 
 #
@@ -362,7 +371,16 @@ while (my $line = <SNORTCONF>) {
 close(SNORTCONF);
 
 # Pass the array of enabled rule files to the subfunction and write the file.
-&IDS::write_used_rulefiles_file(@enabled_rule_files);
+&IDS::write_used_provider_rulefiles_file("$provider", @enabled_rule_files);
+&IDS::write_main_used_rulefiles_file("$provider");
+
+# Grab the used provider rulesfile file path and name.
+my $used_provider_rulesfile_file = &IDS::get_used_provider_rulesfile_file("$provider");
+
+# Set correct ownership for new files.
+&IDS::set_ownership("$suricata_used_providers_file");
+&IDS::set_ownership("$suricata_static_rulefiles_file");
+&IDS::set_ownership("$used_provider_rulesfile_file");
 
 #
 ## Step 14: Start the IDS if enabled.

config/suricata/ruleset-sources

@@ -1,15 +1,169 @@
-# Ruleset for registered sourcefire users.
-registered = https://www.snort.org/rules/snortrules-snapshot-29161.tar.gz?oinkcode=<oinkcode>
+package IDS::Ruleset;
 
-# Ruleset for registered sourcefire users with valid subscription.
-subscripted = https://www.snort.org/rules/snortrules-snapshot-29161.tar.gz?oinkcode=<oinkcode>
+# This file contains the supported ruleset providers.
+#
+# Each one is defined as a hash in the main hash.
+# It's name acts as handle/key and the key/value pair acts as data part.
+# So the structure is like the following:
+#
+# handle => {
+# 	summary => A short summary of the service. This also will be shown if no translation string is available for the WUI.
+# 	website => The website of the ruleset provider.
+# 	tr_string => The translation string which is used by the WUI and part of the language files.
+# 	requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset.
+# 	dl_url => The download URL to grab the ruleset.
+# 	dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file.
+# },
 
-# Community rules from sourcefire.
-community = https://www.snort.org/rules/community
+# Hash which contains the supported ruleset providers.
+our %Providers = (
+	# Ruleset for registered sourcefire users.
+	registered => {
+		summary => "Talos VRT rules for registered users",
+		website => "https://www.snort.org",
+		tr_string => "registered user rules",
+		requires_subscription => "True",
+		dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>",
+		dl_type => "archive",
+	},
 
-# Emerging threads community rules.
-emerging = https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz
+	# Ruleset for registered sourcefire users with a valid subsription.
+	subscripted => {
+		summary => "Talos VRT rules with subscription",
+		website => "https://www.snort.org",
+		tr_string => "subscripted user rules",
+		requires_subscription => "True",
+		dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>",
+		dl_type => "archive",
+	},
 
-# Emerging threads pro rules.
-emerging_pro = https://rules.emergingthreatspro.com/<oinkcode>/suricata-5.0/etpro.rules.tar.gz
+	# Community rules from sourcefire.
+	community => {
+		summary => "Snort/VRT GPLv2 Community Rules",
+		website => "https://www.snort.org",
+		tr_string => "community rules",
+		requires_subscription => "False",
+		dl_url => "https://www.snort.org/rules/community",
+		dl_type => "archive",
+	},
 
+	# Emerging threads community rules.
+	emerging => {
+		summary => "Emergingthreats.net Community Rules",
+		website => "https://emergingthreats.net/",
+		tr_string => "emerging rules",
+		requires_subscription => "False",
+		dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz",
+		dl_type => "archive",
+	},
+
+	# Emerging threads Pro rules.
+	emerging_pro => {
+		summary => "Emergingthreats.net Pro Rules",
+		website => "https://emergingthreats.net/",
+		tr_string => "emerging pro rules",
+		requires_subscription => "True",
+		dl_url => "https://rules.emergingthreatspro.com/<subscription_code>/suricata-5.0/etpro.rules.tar.gz",
+		dl_type => "archive",
+	},
+
+	# Abuse.ch SSLBL JA3 fingerprint rules.
+	sslbl_ja3 => {
+		summary => "Abuse.ch SSLBL JA3 Rules",
+		website => "https://sslbl.abuse.ch/",
+		tr_string => "sslbl ja3 fingerprint rules",
+		requires_subscription => "False",
+		dl_url => "https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules",
+		dl_type => "plain",
+	},
+
+	# Abuse.ch SSLBL Blacklist rules.
+	sslbl_blacklist => {
+		summary => "Abuse.ch SSLBL Blacklist Rules",
+		website => "https://sslbl.abuse.ch/",
+		tr_string => "sslbl blacklist rules",
+		requires_subscription => "False",
+		dl_url => "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
+		dl_type => "plain",
+	},
+
+	# Abuse.ch URLhaus Blacklist rules.
+	urlhaus => {
+		summary => "Abuse.ch URLhaus Blacklist Rules",
+		website => "https://urlhaus.abuse.ch/",
+		tr_string => "urlhaus blacklist rules",
+		requires_subscription => "False",
+		dl_url => "https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz",
+		dl_type => "archive",
+	},
+
+	# Etnetera Aggressive Blacklist.
+	etnetera_aggresive => {
+		summary => "Etnetera Aggressive Blacklist Rules",
+		website => "https://security.etnetera.cz/",
+		tr_string => "etnetera aggressive blacklist rules",
+		requires_subscription => "False",
+		dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules",
+		dl_type => "plain",
+	},
+
+	# OISF Traffic ID rules.
+	oisf_trafficid => {
+		summary => "OISF Traffic ID Rules",
+		website => "https://www.openinfosecfoundation.org/",
+		tr_string => "oisf traffic id rules",
+		requires_subscription => "False",
+		dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules",
+		dl_type => "plain",
+	},
+
+	# Positive Technologies Attack Detection Team rules.
+	attack_detection => {
+		summary => "PT Attack Detection Team Rules",
+		website => "https://github.com/ptresearch/AttackDetection",
+		tr_string => "attack detection team rules",
+		requires_subscription => "False",
+		dl_url => "https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz",
+		dl_type => "archive",
+	},
+
+	# Secureworks Security rules.
+	secureworks_security => {
+		summary => "Secureworks Security Ruleset",
+		website => "https://www.secureworks.com",
+		tr_string => "secureworks security ruleset",
+		requires_subscription => "True",
+		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-security_latest.tgz",
+		dl_type => "archive",
+	},
+
+	# Secureworks Malware rules.
+	secureworks_malware => {
+		summary => "Secureworks Malware Ruleset",
+		website => "https://www.secureworks.com",
+		tr_string => "secureworks malware ruleset",
+		requires_subscription => "True",
+		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-malware_latest.tgz",
+		dl_type => "archive",
+	},
+
+	# Secureworks Enhanced rules.
+	secureworks_enhanced => {
+		summary => "Secureworks Enhanced Ruleset",
+		website => "https://www.secureworks.com",
+		tr_string => "secureworks enhanced ruleset",
+		requires_subscription => "True",
+		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-enhanced_latest.tgz",
+		dl_type => "archive",
+	},
+
+	# Travis B. Green hunting rules.
+	tgreen => {
+		summary => "Travis Green - Hunting rules",
+		website => "https://github.com/travisbgreen/hunting-rules",
+		tr_string => "travis green hunting rules",
+		requires_subscription => "False",
+		dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
+		dl_type => "plain",
+	},
+);

config/suricata/suricata.yaml

@@ -46,16 +46,15 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Include enabled ruleset files from external file
-    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    # Include enabled ruleset files from external file.
+    include: /var/ipfire/suricata/suricata-used-providers.yaml
 
     # Include default rules.
     include: /var/ipfire/suricata/suricata-default-rules.yaml
 
-classification-file: /var/lib/suricata/classification.config
-reference-config-file: /var/lib/suricata/reference.config
-threshold-file: /var/lib/suricata/threshold.config
-
+classification-file: /usr/share/suricata/classification.config
+reference-config-file: /usr/share/suricata/reference.config
+threshold-file: /usr/share/suricata/threshold.config
 
 ##
 ## Logging options.
@@ -64,7 +63,7 @@ default-log-dir: /var/log/suricata/
 
 # global stats configuration
 stats:
-  enabled: yes
+  enabled: no
   # The interval field (in seconds) controls at what interval
   # the loggers are invoked.
   interval: 8
@@ -318,7 +317,7 @@ logging:
   # compiled with the --enable-debug configure option.
   #
   # This value is overriden by the SC_LOG_LEVEL env var.
-  default-log-level: notice
+  default-log-level: Info
 
   # A regex to filter output.  Can be overridden in an output section.
   # Defaults to empty (no filter).
@@ -522,6 +521,41 @@ app-layer:
            double-decode-path: no
            double-decode-query: no
 
+    # Note: Modbus probe parser is minimalist due to the poor significant field
+    # Only Modbus message length (greater than Modbus header length)
+    # And Protocol ID (equal to 0) are checked in probing parser
+    # It is important to enable detection port and define Modbus port
+    # to avoid false positive
+    modbus:
+      # How many unreplied Modbus requests are considered a flood.
+      # If the limit is reached, app-layer-event:modbus.flooded; will match.
+      #request-flood: 500
+
+      enabled: no
+      detection-ports:
+        dp: 502
+      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+      # is recommended to keep the TCP connection opened with a remote device
+      # and not to open and close it for each MODBUS/TCP transaction. In that
+      # case, it is important to set the depth of the stream reassembling as
+      # unlimited (stream.reassembly.depth: 0)
+
+      # Stream reassembly size for modbus. By default track it completely.
+      stream-depth: 0
+
+    # DNP3
+    dnp3:
+      enabled: no
+      detection-ports:
+        dp: 20000
+
+    # SCADA EtherNet/IP and CIP protocol support
+    enip:
+      enabled: no
+      detection-ports:
+        dp: 44818
+        sp: 44818
+
     ntp:
       enabled: yes
     dhcp:

langs/de/cgi-bin/de.pl

@@ -1372,11 +1372,17 @@
 'idle' => 'Leerlauf',
 'idle timeout' => 'Leerlaufwartezeit in Minuten (0 zum Deaktivieren):',
 'idle timeout not set' => 'Leerlaufwartezeit nicht angegeben.',
+'ids add provider' => 'Provider hinzufügen',
 'ids apply' => 'Übernehmen',
 'ids apply ruleset changes' => 'Regeländerungen werden übernommen. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
+'ids autoupdates' => 'Automatische Updates',
 'ids automatic rules update' => 'Automatische Regelaktualisierung',
-'ids download new ruleset' => 'Das neue Regelsatz wird heruntergeladen und entpackt. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
+'ids could not add provider' => 'Provider konnte nicht hinzugefügt werden',
+'ids customize ruleset' => 'Regelset anpassen',
+'ids download new ruleset' => 'Das neue Regelset wird heruntergeladen und entpackt. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
 'ids enable' => 'Einbruchsverhinderungssystem aktivieren',
+'ids enable automatic updates' => 'Automatische Updates aktivieren',
+'ids force ruleset update' => 'Regelset jetzt aktualisieren',
 'ids hide' => 'Verstecken',
 'ids ignored hosts' => 'Ausnahmeliste',
 'ids log hits' => 'Gesamtanzahl der Regeltreffer für',
@@ -1385,12 +1391,18 @@
 'ids monitor traffic only' => 'Netzwerkpakete nur überprüfen (nicht verwerfen)',
 'ids monitored interfaces' => 'Überwachte Netzwerkzonen',
 'ids no network zone' => 'Bitte wählen Sie mindestens eine zu überwachende Netzwerkzone aus',
-'ids no ruleset available' => 'Es ist kein Regelsatz verfügbar. Bitte laden Sie einen Regelsatz herunter.',
+'ids no enabled ruleset provider' => 'Es ist kein aktivierter Provider verfügbar. Bitte aktivieren Sie einen oder fügen Sie einen Provider hinzu.',
 'ids oinkcode required' => 'Für den ausgewählten Regelsatz wird ein Abonnement oder ein Oinkcode benötigt',
+'ids provider' => 'Regelset-Anbieter',
+'ids provider settings' => 'Regelset-Anbieter-Einstellungen',
+'ids reset provider' => 'Providereinstellungen zurücksetzen',
 'ids rules update' => 'Regelsatz',
 'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
 'ids ruleset settings' => 'Regelsatzeinstellungen',
 'ids show' => 'Anzeigen',
+'ids the choosen provider is already in use' => 'Der gewhählte Provider wird bereits verwendet.',
+'ids unable to download the ruleset' => 'Das Regelset konnte nicht heruntergeladen werden.',
+'ids visit provider website' => 'Anbieter-Webseite besuchen',
 'ids working' => 'Änderungen werden übernommen. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.',
 'iface' => 'Iface',
 'ignore filter' => '"Ignorieren"-Filter',

langs/en/cgi-bin/en.pl

@@ -1401,11 +1401,17 @@
 'idle' => 'Idle',
 'idle timeout' => 'Idle timeout (mins; 0 to disable):',
 'idle timeout not set' => 'Idle timeout not set.',
+'ids add provider' => 'Add provider',
 'ids apply' => 'Apply',
 'ids apply ruleset changes' => 'The ruleset changes are being applied. Please wait until all operations have completed successfully...',
+'ids autoupdates' => 'Automatic updates',
 'ids automatic rules update' => 'Automatic Rule Update',
+'ids could not add provider' => 'Could not add provider',
+'ids customize ruleset' => 'Customize ruleset',
 'ids download new ruleset' => 'Downloading and unpacking new ruleset. Please wait until all operations have completed successfully...',
 'ids enable' => 'Enable Intrusion Prevention System',
+'ids enable automatic updates' => 'Enable automatic updates',
+'ids force ruleset update' => 'Force ruleset update',
 'ids hide' => 'Hide',
 'ids ignored hosts' => 'Whitelisted Hosts',
 'ids log hits' => 'Total of number of activated rules for',
@@ -1414,12 +1420,18 @@
 'ids monitor traffic only' => 'Monitor traffic only',
 'ids monitored interfaces' => 'Monitored Interfaces',
 'ids no network zone' => 'Please select at least one network zone to be monitored',
-'ids no ruleset available' => 'No ruleset is available. Please download one first',
-'ids oinkcode required' => 'The selected ruleset requires a subscription or an Oinkcode',
+'ids no enabled ruleset provider' => 'No enabled ruleset is available. Please activate or add one first.',
+'ids subscription code required' => 'The selected ruleset requires a subscription code',
+'ids provider' => 'Provider',
+'ids provider settings' => 'Provider settings',
+'ids reset provider' => 'Reset provider',
 'ids rules update' => 'Ruleset',
 'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...',
 'ids ruleset settings' => 'Ruleset Settings',
 'ids show' => 'Show',
+'ids the choosen provider is already in use' => 'The choosen provider is already in use.',
+'ids unable to download the ruleset' => 'Unable to download the ruleset',
+'ids visit provider website' => 'Visit provider website',
 'ids working' => 'Changes are being applied. Please wait until all operations have completed successfully...',
 'iface' => 'Iface',
 'ignore filter' => 'Ignore filter',
@@ -1497,7 +1509,7 @@
 'invalid input for max clients' => 'Invalid input for Max Clients. The maximum of 1024 clients has been exceeded',
 'invalid input for mode' => 'Invalid input for mode',
 'invalid input for name' => 'Invalid input for user\'s full name or system hostname',
-'invalid input for oink code' => 'Invalid input for Oink code',
+'invalid input for subscription code' => 'Invalid input for subscription code',
 'invalid input for organization' => 'Invalid input for organization',
 'invalid input for remote host/ip' => 'Invalid input for remote host/ip.',
 'invalid input for state or province' => 'Invalid input for state or province.',
@@ -2371,6 +2383,7 @@
 'subnet is invalid' => 'Netmask is invalid',
 'subnet mask' => 'Subnet Mask',
 'subscripted user rules' => 'Talos VRT rules with subscription',
+'subscription code' => 'Subscription code',
 'successfully refreshed updates list' => 'Successfully refreshed updates list.',
 'summaries kept' => 'Keep summaries for',
 'sunday' => 'Sunday',

lfs/configroot

@@ -138,6 +138,7 @@ $(TARGET) :
 	# Install snort to suricata converter.
 	cp $(DIR_SRC)/config/suricata/convert-snort	/usr/sbin/convert-snort
 	cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file   /usr/sbin/convert-ids-modifysids-file
+	cp $(DIR_SRC)/config/suricata/convert-ids-multiple-providers /usr/sbin/convert-ids-multiple-providers
 
 	# set converters executable
 	chmod 755 /usr/sbin/convert-*

lfs/suricata

@@ -100,15 +100,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install yaml file for loading default rules.
 	install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
 
+	# Set correct ownership for the default rules file.
+	chown nobody:nobody /var/ipfire/suricata/suricata-default-rules.yaml
+
 	# Create emtpy rules directory.
 	-mkdir -p /var/lib/suricata
 
 	# Move config files for references, threshold and classification
 	# to the rules directory.
-	mv /etc/suricata/*.config /var/lib/suricata
+	rm -rfv /etc/suricata/*.config
 
-	# Set correct permissions for the files.
-	chmod 644 /var/lib/suricata/*.config
+	# Set correct ownership for the classifiction config file.
+	# (File has to be writeable for the nobody user)
+	chown nobody:nobody /usr/share/suricata/classification.config
 
 	# Set correct ownership for /var/lib/suricata and the
 	# contained files

src/scripts/update-ids-ruleset

@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2018 IPFire Team  <info@ipfire.org>                           #
+# Copyright (C) 2018-2021 IPFire Team  <info@ipfire.org>                      #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,6 +26,9 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/ids-functions.pl";
 require "${General::swroot}/lang.pl";
 
+# Hash to store the configured providers.
+my %providers = ();
+
 # The user and group name as which this script should be run.
 my $run_as = 'nobody';
 
@@ -39,6 +42,17 @@ if ( $> == 0 ) {
 	POSIX::setuid( $uid );
 }
 
+# Check if the IDS lock file exists.
+# In this case the WUI or another instance currently is altering the
+# ruleset.
+if (-f "$IDS::ids_page_lock_file") {
+	# Store notice to the syslog.
+	&IDS::_log_to_syslog("Another process currently is altering the IDS ruleset.");
+
+	# Exit.
+	exit 0;
+}
+
 # Check if the red device is active.
 unless (-e "${General::swroot}/red/active") {
 	# Store notice in the syslog.
@@ -63,21 +77,37 @@ if(&IDS::checkdiskspace()) {
 # Lock the IDS page.
 &IDS::lock_ids_page();
 
-# Call the download function and gather the new ruleset.
-if(&IDS::downloadruleset()) {
-	# Store error message for displaying in the WUI.
-	&IDS::_store_error_message("$Lang::tr{'could not download latest updates'}");
+# Grab the configured providers.
+&General::readhasharray("$IDS::providers_settings_file", \%providers);
 
-	# Unlock the IDS page.
-	&IDS::unlock_ids_page();
+# Loop through the array of available providers.
+foreach my $id (keys %providers) {
+	# Assign some nice variabled.
+	my $provider = $providers{$id}[0];
+	my $autoupdate_status = $providers{$id}[3];
 
-	# Exit.
-	exit 0;
+	# Skip the provider if autoupdate is not enabled.
+	next unless($autoupdate_status eq "enabled");
+
+	# Call the download function and gather the new ruleset for the current processed provider.
+	if(&IDS::downloadruleset($provider)) {
+		# Store error message for displaying in the WUI.
+		&IDS::_store_error_message("$provider: $Lang::tr{'could not download latest updates'}");
+
+		# Unlock the IDS page.
+		&IDS::unlock_ids_page();
+
+		# Exit.
+		exit 0;
+	}
+
+	# Get path and name of the stored rules file or archive.
+	my $stored_file = &IDS::_get_dl_rulesfile($provider);
+
+	# Set correct ownership for the downloaded tarball.
+	&IDS::set_ownership("$stored_file");
 }
 
-# Set correct ownership for the downloaded tarball.
-&IDS::set_ownership("$IDS::rulestarball");
-
 # Call oinkmaster to alter the ruleset.
 &IDS::oinkmaster();