The YAML syntax of /var/ipfire/suricata/suricata-dns-servers.yaml was
invalid and caused Suricata to crash after upgrading to Core Update 139.
Due to strange NFQUEUE behaviour, this caused IPsec traffic to be
emitted to the internet directly. While this patch represents a quick
solution for Core Update 139, another one is needed for changing the
IPtables chain order to avoid similar information leaks in future.
Thanks to Michael for his debugging effort.
Fixes#12260
Partially fixes#12257
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This function is used to generate a yaml file which take care of the
current used DNS configuration and should be included in the main
suricata config file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of pass those
details as arguments.
This helps to prevent from doing this stuff at several places again and again.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate. Also add
a script to be run on update to correct existing downloaded rules.
Fixes#12086
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This creates some overhead that we do not need and rules need to
be adjusted to match any direction they are supposed to match.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The output was written to stderr before and landed in apache's
error log where we do not want it.
Fixes: #12004
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will allow to scan the traffic from an EXTERNAL_NET to the HOME_NET and from
the HOME_NET to the EXTERNAL_NET.
Reference: 10273
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Using this feature to fetch the size of the requested tarball is not allowed by these
servers, so skip this feature for their rulesets.
Fixes#11987
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The sourcfire web servers does not support the HEAD request so we have to do
this with a GET here.
Fixes#11987
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This subfunction is used to get all configured and enabled aliases
for the RED network zone. They will be returned as an array.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is used to change the ownership of a given file
or directory to the user "nobody" and the group "nobody", which is
used by the WUI.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
In commit ea5c8eeb83 the taken settings
for the ruleset have been stored into an own file.
The Downloader now uses this file to read-in which ruleset should be used
and downloaded.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The get_suricata_version() function is used to get the version
of the on the system installed version of suricata. You can
specify the how detailed the returned result should be "major" will
return only the major version, were "minor" will provide the major
and minor version (1.2 for example). All other calls will be answered
with the full version string (1.2.3).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is used to write the corresponding file which
tells oinkmaster to alter the whole ruleset and finally
switches suricata into an IPS or IDS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Download the requested rules tarball into a temporay file
and if every thing is fine, replace the old by the
downloaded one.
In addition with the previously implemented file size check,
we are saved now from a corrupt rules tarball on disk.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The downloader now requests the html header for the rulestarball
and obtain the size of the file bevore downloading it.
After success the size of the downloaded file will be compared with
the requested one before. If they do not match, an error will be gained.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
* Use a directory listing and delete the files.
* Keep files with "config" as file extension.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This private function is used to remove any files which are stored in the
IDS rules directory and prevent from any old (unneeded or conflicting) files
after an update or complete change of the ruleset source.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function checks if all files located in /etc/suricata/rules are
writable by the effective user and group (nobody:nobody) and if not
calls suricatactl to fix it.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This generic function can be used to create any kind of emtpy files -
it just requires the full path and filename to work.
If the specified file exists at calltime, the function will abort
to prevent from overwriting existing files and content.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The get_available_network_zones() function uses the /var/ipfire/ethernet/settings
file and translates the configured mode into an array, which contains the names
of the configured network zones.
The array will be returned and easily can be used to loop over this list of
available network zones and perform any kind of actions in other scripts.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The $settingsdir variable is declared in the ids-functions.pl and used to to
store the path where the various files which contains the settings for the IDS and
oinkmaster is located.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
