This parameter was passed to some shell commands without any
sanitisation which allowed an attacker who was authenticated to
the web UI to download arbitrary files from some directories
and delete any file from the filesystem.
References: #11830
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Only set the state of a used rulefile to "on" if it is present in
the %idsrules hash. This happens if it contains at least one rule.
This prevents from showing a rulefile in the ruleset section if, it
does not exist anymore or does not contains any rules at all.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
If an IP-address has been added to the whitelist, any traffic from
this host will not longer inspected by suricata.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Embed the IPFire background image into the redirect template
directly via CSS instead of loading it from somewhere else.
This is necessary because of Content Security Policy (CSP).
This patch inserts the base64 encoded image during build so
nothing needs to be updated twice in case background image
changes.
It supersedes first to fourth version of this patch and has
been successfully tested during a clean build.
Fixes#11650
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
As default show the events generated by suricata and if
for a certain selected date no suricata log is available
try to fall-back to read the events from the old snort
alert files (if available).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Create this file on first execution of the script if it does not exist yet.
This will allow suricata to imediately be started. Otherwise the ruleset has
to be downloaded and configured before this file has been created and suricata
could be launched.
Fixes#11833.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Change the get_memory_usage() function to grab and return the
memory usage of the entire process, containing all sub-processes and
threads.
Fixes#11821
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The concept has been retired a very log time ago
and the web service only responds with 200 what ever
it is being sent.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is not really necessary because pakfire will automatically
failover to the next mirror anyways and that a mirror responds
to an ICMP echo request doesn't necessarily mean that it can
deliver the requested file.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Code only changed field 6 of hash (target group) and not field 4 (source group).
Also if using geoip it was only field 4 of hash (source group) and not field 6 of hash (target group)
Added new code that changes both fields to reflect the change in the firewallrules immediately.
fixes: #11825
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
With this commit, the CGI file will create the oinkmaster related
files during first run if they does not exist.
Fixes#11822.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Now its possible to create a rule with orange source and target orange interface of the firewall.
Fixes: #11805
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Now the enabled or disabled sids are stored in a single
hash instead of two arrays, which easily can be modified.
When saving the ruleset, the new read_enabled_disabled_sids() function
will be used to read-in the current (old) saved enabled or disabled sids
and add them to the new hash structure.
After adding or modifiying sids to the hash, the entries will be written
to the corresponding files.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is used to read-in the files for enabled or disabled sid
files and stores the sid and their state into a temporary hash which will
be returned by the function.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This commit adds the required backend code to allow switching
between IDS and IPS mode of suricata.
Technically the behaviour of suricata is specified by the rules -
each of them can contain the action "alert" or "drop" (There are
more actions supported but these two are currently the important one)
When running in IDS mode, the ruleset does not need to be touched,
because the default action is "alert". When switching to IPS mode,
the CGI writes a single line to "oinkmaster-modify-sids.conf" which
is included by oinkmaster and modify the action for each single rule
from alert to drop.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Add the option to select the runmode for suricata, wheater it
should run in intrusion detection mode or intrusion prevention mode.
If the option has not configured yet, it defaults to IPS mode.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The Emerging Threats ruleset server supports HTTPS. It should
be used for downloading the ruleset in IPFire, too.
This also needs to be applied on the upcoming ids.cgi file for Suricata
which I will do in a second patch.
The third version of this patch superseds the first and
second one which were broken due to bugs in the MUAs GPG
implementation.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Check if the sid of a rule belongs to sourcefire and link to the
changed URL for gathering more details. If the sid of the rule belongs
to emergingthreads now link to the emergingthreads documentation.
Fixes#11806.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Introduce generate_home_net_file() which uses the current network
config to obtain the network address and subnetmask for each
available network zone, generate and write these HOME_NET information
into a yaml compatible file which can be included into the suricata
configuration file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
* Rename filename to suricata-used-rulefiles.yaml
* Adjust file generation as a yaml file to be compatible with suricata
* Adjust code to correctly read-in and parse the changed file
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The $settingsdir variable is declared in the ids-functions.pl and used to to
store the path where the various files which contains the settings for the IDS and
oinkmaster is located.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will help if the path ever changed. Also remove hard coded rulepath
from oinkmaster call.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
* Drop function to show a notice about snort is working.
* Introduce the log_error function which is responsible for log any
error messages. Currently it writes it to a tempory file, which will
be read by the WUI, the message will be displayed and the temporary file
will be released again.
* Introduce a tiny function to easily perform a reload of the generated
webpage.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Directly use the value from the ids-functions.pl for the
location and filename of the tarball which includes the snort ruleset.
This will save to declare this information twice and prevents from any
failures if the location of filname every changes.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
