webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-05-11 09:48:24 +02:00
Code Issues Packages Projects Releases Wiki Activity
14,063 Commits 2 Branches 1 Tag
3bf804e83400c87398950526170b3d77bf38b8a6
Commit Graph

7074 Commits

Author SHA1 Message Date
Michael Tremer
0b340f0938 suricata: Increase memory size for the stream engine 
This change also ensures that suricata has a decent number
of streams preallocated to be able to handle any bursts in traffic.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:47 +01:00
Michael Tremer
ab1444b4f4 suricata: Log to syslog like a normal process 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:47 +01:00
Michael Tremer
47cb057145 suricata: Use up to 256MB of RAM for the flow cache 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:47 +01:00
Michael Tremer
7eed864c93 suricata: Use 64MB of RAM for defragmentation 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:46 +01:00
Michael Tremer
83b576c892 suricata: Use the correct path for the magic database 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:46 +01:00
Michael Tremer
0e28ea9f3e suricata: Log to syslog 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:46 +01:00
Michael Tremer
682f1fdaca suricata: We do not use any IP reputation lists 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:46 +01:00
Michael Tremer
cf976e93c4 suricata: Allow 32MB of RAM for DNS decoding 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:56:29 +01:00
Michael Tremer
fe5bd1862f suricata: Drop sections that require Rust 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:55:26 +01:00
Michael Tremer
bc2cb52953 suricata: Drop some commented stuff from configuration 
The file is really large and we should not carry anything we will
never use.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:55:26 +01:00
Michael Tremer
75fba6cd24 suricata: Drop profiling section from configuration 
This is not compiled in as it slows down detection and is
only really useful for debugging

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:55:26 +01:00
Michael Tremer
5196d8ddbb suricata: Set detection profile to high 
This will merge rules more aggressively so that the engine
is only processing those that can actually match.

Memory is cheap. People with little memory should not run
suricata anyways.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:55:25 +01:00
Michael Tremer
9f726f8f53 suricata: Set default packet size to 1514 
We usually use a MTU of 1500 + Ethernet header

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:55:25 +01:00
Michael Tremer
16446608cb suricata: Set max-pending-packets to 1024 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:55:25 +01:00
Peter Müller
1f3c61b66c Suricata: detect TLS traffic on port 444, too 
This is the default port for IPFire's administrative web interface
and should be monitored by Suricata, too.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
c: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-03-01 17:53:04 +01:00
Michael Tremer
e37e796206 sysctl.conf: Revert enabling busy loop waiting on sockets 
This causes the firmware in my ath10k module to crash.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-28 18:53:22 +00:00
Michael Tremer
ebda3cb93b Update openssl rootfile 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-27 03:52:26 +00:00
Michael Tremer
f907865389 core129: Ship updated OpenSSL 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-26 17:25:11 +00:00
Michael Tremer
2f7e8b59a6 core129: Ship updated credits.cgi 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 02:31:23 +00:00
Michael Tremer
97499aa8a3 core129: Ship updated OpenVPN 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 02:29:29 +00:00
Michael Tremer
cc0104dce3 core129: Ship updated libgcrypt 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 00:58:04 +00:00
Peter Müller
b66c2faac2 libgcrypt: update to 1.8.4 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 00:57:18 +00:00
Michael Tremer
07b73b195c core129: Ship updated unbound 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 00:56:49 +00:00
Matthias Fischer
97a238f4bf unbound: Update to 1.9.0 
For details see:
https://nlnetlabs.nl/svn/unbound/tags/release-1.9.0/doc/Changelog

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 00:56:05 +00:00
Michael Tremer
59db01c753 core129: Ship changes from ipsec branch 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 00:55:31 +00:00
Michael Tremer
50d1bbf0f5 Merge branch 'ipsec' into next 2019-02-25 00:48:08 +00:00
Michael Tremer
b5ef99df2c Start Core Update 129 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-25 00:47:28 +00:00
Michael Tremer
232c42e14d core128: Drop old openssl engines 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-24 04:06:52 +00:00
Arne Fitzenreiter
1e1273df1d core128: add openldap to update 
openldap was linked against old openssl lib

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-24 20:50:16 +01:00
Arne Fitzenreiter
ed971af3a4 core128: add sse2 openssl libs 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-24 17:04:44 +01:00
Arne Fitzenreiter
42e48984ad core128: apply local sshd config 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-24 10:55:49 +01:00
Arne Fitzenreiter
186402fbe8 core128: stop apache before replacing files 
apache will not restart without stopped before
the files was replaced.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-22 19:26:08 +01:00
Stefan Schantl
cc636c4741 convert-snort: Try to download ruleset if none is present. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-22 10:04:27 +01:00
Arne Fitzenreiter
4a25ada199 core128: add kernel to updater 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-21 19:23:05 +01:00
Stefan Schantl
5d7d8749dc convert-snort: Set correct ownership after modify_sids_file has been generated. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-18 13:33:41 +01:00
Michael Tremer
06f57f7230 general-functions.pl: Only skip lines with a # at the beginning 
This accidientially dropped all lines that include #. That resulted
in colour codes not being loaded from file any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-18 11:36:37 +01:00
Stefan Schantl
7c3b7cdcca ids-functions.pl: Tune rules to always monitor in both directions. 
This will allow to scan the traffic from an EXTERNAL_NET to the HOME_NET and from
the HOME_NET to the EXTERNAL_NET.

Reference: 10273

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-18 10:55:27 +01:00
Stefan Schantl
20b4c4d863 suricata: Swith to "16" as repeat-mark and repeat-mask. 
Marks "1-3" are used for marking source-natted packets on the
interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.

See commit: f5ad510e3c

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-18 10:02:29 +01:00
Michael Tremer
9bc1760052 unbound: Drop certificates for local control connection 
These are a cause of worry because they are sometimes generated with
an invalid timestamp and therefore render unbound being unusable.

There is no strong reason to use self-signed certificates for extra
security here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-17 13:46:51 +00:00
Matthias Fischer
256070e92f Added 'CONFIG_X86_MSR=y for 'powertop' to i586 and x86_64 builds for fixing #11997 
Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274

This - probably - fixes Bug #11997.

Needs testing on 64bit installations!

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-17 13:03:56 +00:00
Arne Fitzenreiter
56ec56a819 borgbackup: fix build on armv5tel 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-16 22:49:47 +01:00
Arne Fitzenreiter
2caca41217 kernel: enable PCA953X GPIO extender for ClearFog boards 
fixes: #12000

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-16 21:44:52 +01:00
Stefan Schantl
d215f6e980 collectd: Stop collecting process details for snort 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-15 12:39:56 +01:00
Stefan Schantl
1ef235f08d logrotate: Rotate suricata logs instead of snort ones 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-15 11:22:14 +01:00
Stefan Schantl
78690361ab convert-snort: Always create directory and filelayout 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-14 12:37:13 +01:00
Stefan Schantl
b09c13f1b6 convert-snort: Call subfunction to change ownership of rulestarball 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-14 12:15:41 +01:00
Stefan Schantl
99b2e30636 ids-ruleset-sources: Fix rootfile 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
 2019-02-14 11:43:31 +01:00
Stefan Schantl
c980ac7f2a Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata 2019-02-13 19:46:45 +01:00
Michael Tremer
5368ccb0fc core128: Ship kdig 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-13 11:32:00 +00:00
Erik Kapfer
2397e51335 knot: Reduced version of knot with kdig only 
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-13 11:31:37 +00:00