This commit adds the required backend code to allow switching
between IDS and IPS mode of suricata.
Technically the behaviour of suricata is specified by the rules -
each of them can contain the action "alert" or "drop" (There are
more actions supported but these two are currently the important one)
When running in IDS mode, the ruleset does not need to be touched,
because the default action is "alert". When switching to IPS mode,
the CGI writes a single line to "oinkmaster-modify-sids.conf" which
is included by oinkmaster and modify the action for each single rule
from alert to drop.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Add the option to select the runmode for suricata, wheater it
should run in intrusion detection mode or intrusion prevention mode.
If the option has not configured yet, it defaults to IPS mode.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The Emerging Threats ruleset server supports HTTPS. It should
be used for downloading the ruleset in IPFire, too.
This also needs to be applied on the upcoming ids.cgi file for Suricata
which I will do in a second patch.
The third version of this patch superseds the first and
second one which were broken due to bugs in the MUAs GPG
implementation.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Check if the sid of a rule belongs to sourcefire and link to the
changed URL for gathering more details. If the sid of the rule belongs
to emergingthreads now link to the emergingthreads documentation.
Fixes#11806.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Introduce generate_home_net_file() which uses the current network
config to obtain the network address and subnetmask for each
available network zone, generate and write these HOME_NET information
into a yaml compatible file which can be included into the suricata
configuration file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
* Rename filename to suricata-used-rulefiles.yaml
* Adjust file generation as a yaml file to be compatible with suricata
* Adjust code to correctly read-in and parse the changed file
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The $settingsdir variable is declared in the ids-functions.pl and used to to
store the path where the various files which contains the settings for the IDS and
oinkmaster is located.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will help if the path ever changed. Also remove hard coded rulepath
from oinkmaster call.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
* Drop function to show a notice about snort is working.
* Introduce the log_error function which is responsible for log any
error messages. Currently it writes it to a tempory file, which will
be read by the WUI, the message will be displayed and the temporary file
will be released again.
* Introduce a tiny function to easily perform a reload of the generated
webpage.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Directly use the value from the ids-functions.pl for the
location and filename of the tarball which includes the snort ruleset.
This will save to declare this information twice and prevents from any
failures if the location of filname every changes.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This library will contain a set of functions used by the IDS CGI script
and the planned update script for auto-updating the snort ruleset.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will allow anybody, to access the log of oinkmaster and
get detailed information about any changes which have been done
on the ruleset.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The control file are not longer required, because the
initscript uses the settings file to determine if snort
should be started and binded to which interfaches.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This new file will contain the vendor information and url
for downloading their ruleset. In future if the download location
or filename changes, we only need to adjust this one file and ship
it via a core update.
Also extend the downloadrulesfile to be able to directly call the
subfunction.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Move the code for displaying a notice that snort currently is working
into an own subfunction which will be called if oinkmaster currently
is started.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
If a single sid has been activated and then disabled without doing
any other ruleset modifications only one of the oinkmaster files
for enabled / disabled rules has been modified.
In this case it was possible, that the same sid, was part of the
file for enabled rules and part of the file for disabled rules at the
same time.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The enabled rulefiles (rule categories) now will be added
to an own file, which will be included by the snort main config
file.
This will allow us to update snort and push the new main config file
without loosing the activated rulesets anymore.
* Introducing snort-used-rulefiles.conf
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
* Drop a lot of unused variables and code.
* Re-ordering some code parts.
* Add a lot of comments.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The manually enabled or disabled rules by the user now will be written
to own config files, which will be used by oinkmaster to keep these rules
in the same state after a rules update has been performed.
In short words, if you adjust your ruleset, the changes will not be lost
again if you perform an update of your ruleset.
* Grabbing and storing the cgi values now in an own hash (%cgiparams)
* Introducing oinkmaster config files for enabled and disabled rules.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The complete ruleset will be grouped as categories by it's
corresponding rulefile and printed in hidden tables.
They easiely can be displayed by klicking on the show link and
vice-versa.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
