Fixes#11904
Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation.
OpenVPN delivered an error message but IPSec did crashed within the first attempt.
This problem persists also after X509 deletion and new generation.
index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This function is used to write the corresponding file which
tells oinkmaster to alter the whole ruleset and finally
switches suricata into an IPS or IDS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This hack is needed because "red" is used as "internet" in the language files
and "red1" contains the correct "red" translations.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Now each of both have their own corresponding configuration areas.
The taken settings will be saved in "/var/ipfire/suricata/settings" for
all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for
ruleset related settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
I do not know why I forgot this. Now it is how it was intended
in the first place.
This commit removes all email addresses because people keep
emailing me for private support. Use the forum guys!
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Currently, the wget call only uses proxy information for HTTP.
Since rulesets are downloaded via HTTPS now, the same information
also needs to be applied for HTTPS.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this may violate regulatory rules because 40Mhz channels should disabled
if there are other networks but nearly every commercial router ignore this.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This parameter was passed to some shell commands without any
sanitisation which allowed an attacker who was authenticated to
the web UI to download arbitrary files from some directories
and delete any file from the filesystem.
References: #11830
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Only set the state of a used rulefile to "on" if it is present in
the %idsrules hash. This happens if it contains at least one rule.
This prevents from showing a rulefile in the ruleset section if, it
does not exist anymore or does not contains any rules at all.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
If an IP-address has been added to the whitelist, any traffic from
this host will not longer inspected by suricata.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
As default show the events generated by suricata and if
for a certain selected date no suricata log is available
try to fall-back to read the events from the old snort
alert files (if available).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Create this file on first execution of the script if it does not exist yet.
This will allow suricata to imediately be started. Otherwise the ruleset has
to be downloaded and configured before this file has been created and suricata
could be launched.
Fixes#11833.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Change the get_memory_usage() function to grab and return the
memory usage of the entire process, containing all sub-processes and
threads.
Fixes#11821
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The concept has been retired a very log time ago
and the web service only responds with 200 what ever
it is being sent.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is not really necessary because pakfire will automatically
failover to the next mirror anyways and that a mirror responds
to an ICMP echo request doesn't necessarily mean that it can
deliver the requested file.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Code only changed field 6 of hash (target group) and not field 4 (source group).
Also if using geoip it was only field 4 of hash (source group) and not field 6 of hash (target group)
Added new code that changes both fields to reflect the change in the firewallrules immediately.
fixes: #11825
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
With this commit, the CGI file will create the oinkmaster related
files during first run if they does not exist.
Fixes#11822.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Now its possible to create a rule with orange source and target orange interface of the firewall.
Fixes: #11805
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Now the enabled or disabled sids are stored in a single
hash instead of two arrays, which easily can be modified.
When saving the ruleset, the new read_enabled_disabled_sids() function
will be used to read-in the current (old) saved enabled or disabled sids
and add them to the new hash structure.
After adding or modifiying sids to the hash, the entries will be written
to the corresponding files.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is used to read-in the files for enabled or disabled sid
files and stores the sid and their state into a temporary hash which will
be returned by the function.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
