Now the enabled or disabled sids are stored in a single
hash instead of two arrays, which easily can be modified.
When saving the ruleset, the new read_enabled_disabled_sids() function
will be used to read-in the current (old) saved enabled or disabled sids
and add them to the new hash structure.
After adding or modifiying sids to the hash, the entries will be written
to the corresponding files.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is used to read-in the files for enabled or disabled sid
files and stores the sid and their state into a temporary hash which will
be returned by the function.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This commit adds the required backend code to allow switching
between IDS and IPS mode of suricata.
Technically the behaviour of suricata is specified by the rules -
each of them can contain the action "alert" or "drop" (There are
more actions supported but these two are currently the important one)
When running in IDS mode, the ruleset does not need to be touched,
because the default action is "alert". When switching to IPS mode,
the CGI writes a single line to "oinkmaster-modify-sids.conf" which
is included by oinkmaster and modify the action for each single rule
from alert to drop.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Add the option to select the runmode for suricata, wheater it
should run in intrusion detection mode or intrusion prevention mode.
If the option has not configured yet, it defaults to IPS mode.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
I accidently commited the wrong file in the previous commit.
This is the fixed and working version.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Use the gernerated HOME_NET details from
/var/ipfire/suricata/suricata-homenet.yaml which will be
generated by the WUI.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Introduce generate_home_net_file() which uses the current network
config to obtain the network address and subnetmask for each
available network zone, generate and write these HOME_NET information
into a yaml compatible file which can be included into the suricata
configuration file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The get_available_network_zones() function uses the /var/ipfire/ethernet/settings
file and translates the configured mode into an array, which contains the names
of the configured network zones.
The array will be returned and easily can be used to loop over this list of
available network zones and perform any kind of actions in other scripts.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Add a very basic initscript, which currently allows to start/stop/restart suricata and
check if the daemon is running.
The script will detect when starting suricata how many CPU cores are present on the system and
will launch suricata in inline mode (NFQUEUE) and listen to as much queues as CPU cores are
detected.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Move the file which contains the download URL's for the IDS rulesets
into an own common package. This will allow us in future to easily ship
a changed file with a core update.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Create /var/ipfire/suricata and /var/ipfire/suricata/settings instead of
/var/ipfire/snort and /var/ipfire/snort/settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This config file is mostly based on the example configuration shipped
by the suricata project and needs to be enhanched.
See #11808.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
* Rename filename to suricata-used-rulefiles.yaml
* Adjust file generation as a yaml file to be compatible with suricata
* Adjust code to correctly read-in and parse the changed file
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The $settingsdir variable is declared in the ids-functions.pl and used to to
store the path where the various files which contains the settings for the IDS and
oinkmaster is located.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will help if the path ever changed. Also remove hard coded rulepath
from oinkmaster call.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
