In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate. Also add
a script to be run on update to correct existing downloaded rules.
Fixes#12086
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Just cosmetics:
Removed all trailing spaces - there were a few...
Activated 'monit' start delay:
I activated this option to avoid running into a race condition while started through
'/etc/init.d/monit start'.
As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."
This happened here during testing with (e.g.) Clamav.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.
If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.
This a more natural flow that is expected by almost all users of this
feature.
Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since we have now one cache for each architecture, we do not
need to make it too large.
The largest build (i586 because of the two kernels) uses around
2.5GB after one build. So 4G will give us some space.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It does not make much sense to mix architectures into a single
ccache:
* There is never going to be a match
* The cache gets bigger and therefore slower
* If both architectures are being compiled one after the other and
the cache hits its maximum size, cached but still needed content
will be dropped
* Only both can be deleted together
This small change splits this into multiple caches. One per
architecture. Therefore we should be more efficient on builders
that build for multiple architectures.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html .
- Disabled geoip support since libmaxminddb is not presant.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " .
- Added CMAKE build type
- Removed profile examples and htmls completly from ROOTFILE.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package is only compiled on x86_64 and i586 and cannot
be packaged in any of the other architectures.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
