From patchwork Fri Nov 19 17:44:52 2021
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 4843
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 1/7] suricata: Include all default rules
Date: Fri, 19 Nov 2021 17:44:52 +0000
Message-Id: <20211119174458.789486-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

These rules do not drop anything, but only alert when internal parts of
the engine trigger an event. This will allow us more insight on what is
happening.

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/suricata | 22 ++++++++++++++++++++++
 config/suricata/suricata.yaml    | 24 ++++++++++++++++++++++--
 lfs/suricata                     |  3 ---
 3 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 32358483a..21dbeae64 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -19,6 +19,28 @@ usr/bin/suricata #usr/share/man/man1/suricatactl-filestore.1 #usr/share/man/man1/suricatactl.1 #usr/share/man/man1/suricatasc.1 +usr/share/suricata/ +#usr/share/suricata/classification.config +#usr/share/suricata/reference.config +#usr/share/suricata/rules +#usr/share/suricata/rules/app-layer-events.rules +#usr/share/suricata/rules/decoder-events.rules +#usr/share/suricata/rules/dhcp-events.rules +#usr/share/suricata/rules/dnp3-events.rules +#usr/share/suricata/rules/dns-events.rules +#usr/share/suricata/rules/files.rules +#usr/share/suricata/rules/http2-events.rules +#usr/share/suricata/rules/http-events.rules +#usr/share/suricata/rules/ipsec-events.rules +#usr/share/suricata/rules/kerberos-events.rules +#usr/share/suricata/rules/modbus-events.rules +#usr/share/suricata/rules/mqtt-events.rules +#usr/share/suricata/rules/nfs-events.rules +#usr/share/suricata/rules/ntp-events.rules +#usr/share/suricata/rules/smb-events.rules +#usr/share/suricata/rules/smtp-events.rules +#usr/share/suricata/rules/stream-events.rules +#usr/share/suricata/rules/tls-events.rules var/lib/suricata var/lib/suricata/classification.config var/lib/suricata/reference.config diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 6f37671c8..0ad36e705 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml 
@@ -46,8 +46,28 @@ vars: ## default-rule-path: /var/lib/suricata rule-files: - # Include enabled ruleset files from external file. - include: /var/ipfire/suricata/suricata-used-rulefiles.yaml + # Default rules + - /usr/share/suricata/rules/app-layer-events.rules + - /usr/share/suricata/rules/decoder-events.rules + - /usr/share/suricata/rules/dhcp-events.rules + - /usr/share/suricata/rules/dnp3-events.rules + - /usr/share/suricata/rules/dns-events.rules + - /usr/share/suricata/rules/files.rules + - /usr/share/suricata/rules/http2-events.rules + - /usr/share/suricata/rules/http-events.rules + - /usr/share/suricata/rules/ipsec-events.rules + - /usr/share/suricata/rules/kerberos-events.rules + - /usr/share/suricata/rules/modbus-events.rules + - /usr/share/suricata/rules/mqtt-events.rules + - /usr/share/suricata/rules/nfs-events.rules + - /usr/share/suricata/rules/ntp-events.rules + - /usr/share/suricata/rules/smb-events.rules + - /usr/share/suricata/rules/smtp-events.rules + - /usr/share/suricata/rules/stream-events.rules + - /usr/share/suricata/rules/tls-events.rules + + # Include enabled ruleset files from external file + - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml classification-file: /var/lib/suricata/classification.config reference-config-file: /var/lib/suricata/reference.config diff --git a/lfs/suricata b/lfs/suricata index c7f189bf4..bd57b829e 100644 --- a/lfs/suricata +++ b/lfs/suricata 
@@ -96,9 +96,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install IPFire related config file. install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata - # Remove shipped rules. - rm -rvf /usr/share/suricata - # Create emtpy rules directory. -mkdir -p /var/lib/suricata From patchwork Fri Nov 19 17:44:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4845 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Hwkb61Ssvz3wsg for ; Fri, 19 Nov 2021 17:45:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Hwkb20q34z2f6; Fri, 19 Nov 2021 17:45:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Hwkb168jNz30HK; Fri, 19 Nov 2021 17:45:17 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Hwkb06Jlyz2yXQ for ; Fri, 19 Nov 2021 17:45:16 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 2/7] rust: Drop Cargo home directory after build
Date: Fri, 19 Nov 2021 17:44:53 +0000
Message-Id: <20211119174458.789486-2-michael.tremer@ipfire.org>
In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

Signed-off-by: Michael Tremer --- config/rootfiles/common/suricata | 2 -- lfs/Config | 5 ++++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 21dbeae64..7c512b033 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,7 +1,5 @@ etc/suricata etc/suricata/suricata.yaml -#root/.cargo -#root/.cargo/.package-cache usr/bin/suricata #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS diff --git a/lfs/Config b/lfs/Config index a2d3cddc5..8b2e5dabb 100644 --- a/lfs/Config +++ b/lfs/Config @@ -143,6 +143,9 @@ ifeq "$(BUILD_ARCH)" "aarch64" GOARCH = arm64 endif +# Rust +export CARGOPATH = $(HOME)/.cargo + ############################################################################### # Common Macro Definitions ############################################################################### 
@@ -184,7 +187,7 @@ define POSTBUILD @echo "Updating linker cache..." @type -p ldconfig >/dev/null && ldconfig || : @echo "Install done; saving file list to $(TARGET) ..." - @rm -rf $(GOPATH) + @rm -rf $(GOPATH) $(CARGOPATH) @$(FIND_FILES) > $(DIR_SRC)/lsalrnew @diff $(DIR_SRC)/lsalr $(DIR_SRC)/lsalrnew | grep '^> ' | sed 's/^> //' > $(TARGET)_diff @cp -f $(DIR_SRC)/lsalrnew $(DIR_SRC)/lsalr From patchwork Fri Nov 19 17:44:54 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4844 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Hwkb56kk4z3wcw for ; Fri, 19 Nov 2021 17:45:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Hwkb22KzJz34V; Fri, 19 Nov 2021 17:45:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Hwkb16yRrz2yxq; Fri, 19 Nov 2021 17:45:17 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Hwkb06ZyCz2ykC for ; Fri, 19 Nov 2021 17:45:16 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 3/7] suricata: Drop extra rootfiles
Date: Fri, 19 Nov 2021 17:44:54 +0000
Message-Id: <20211119174458.789486-3-michael.tremer@ipfire.org>
In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

These are all the same and not different from what is in
config/rootfiles/common/suricata.

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/aarch64/suricata | 28 ------------------------
 config/rootfiles/common/armv6l/suricata  | 28 ------------------------
 config/rootfiles/common/i586/suricata    | 28 ------------------------
 config/rootfiles/common/x86_64/suricata  | 28 ------------------------
 4 files changed, 112 deletions(-)
 delete mode 100644 config/rootfiles/common/aarch64/suricata
 delete mode 100644 config/rootfiles/common/armv6l/suricata
 delete mode 100644 config/rootfiles/common/i586/suricata
 delete mode 100644 config/rootfiles/common/x86_64/suricata

diff --git a/config/rootfiles/common/aarch64/suricata b/config/rootfiles/common/aarch64/suricata deleted file mode 100644 index 32358483a..000000000 --- a/config/rootfiles/common/aarch64/suricata +++ /dev/null 
@@ -1,28 +0,0 @@ -etc/suricata -etc/suricata/suricata.yaml -#root/.cargo -#root/.cargo/.package-cache -usr/bin/suricata -#usr/share/doc/suricata -#usr/share/doc/suricata/AUTHORS -#usr/share/doc/suricata/Basic_Setup.txt -#usr/share/doc/suricata/GITGUIDE -#usr/share/doc/suricata/INSTALL -#usr/share/doc/suricata/INSTALL.PF_RING -#usr/share/doc/suricata/INSTALL.WINDOWS -#usr/share/doc/suricata/NEWS -#usr/share/doc/suricata/README -#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt -#usr/share/doc/suricata/TODO -#usr/share/doc/suricata/Third_Party_Installation_Guides.txt -#usr/share/man/man1/suricata.1 -#usr/share/man/man1/suricatactl-filestore.1 -#usr/share/man/man1/suricatactl.1 -#usr/share/man/man1/suricatasc.1 -var/lib/suricata -var/lib/suricata/classification.config -var/lib/suricata/reference.config -var/lib/suricata/threshold.config -var/log/suricata -#var/log/suricata/certs -#var/log/suricata/files diff --git a/config/rootfiles/common/armv6l/suricata b/config/rootfiles/common/armv6l/suricata deleted file mode 100644 index 32358483a..000000000 --- a/config/rootfiles/common/armv6l/suricata +++ /dev/null 
@@ -1,28 +0,0 @@ -etc/suricata -etc/suricata/suricata.yaml -#root/.cargo -#root/.cargo/.package-cache -usr/bin/suricata -#usr/share/doc/suricata -#usr/share/doc/suricata/AUTHORS -#usr/share/doc/suricata/Basic_Setup.txt -#usr/share/doc/suricata/GITGUIDE -#usr/share/doc/suricata/INSTALL -#usr/share/doc/suricata/INSTALL.PF_RING -#usr/share/doc/suricata/INSTALL.WINDOWS -#usr/share/doc/suricata/NEWS -#usr/share/doc/suricata/README -#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt -#usr/share/doc/suricata/TODO -#usr/share/doc/suricata/Third_Party_Installation_Guides.txt -#usr/share/man/man1/suricata.1 -#usr/share/man/man1/suricatactl-filestore.1 -#usr/share/man/man1/suricatactl.1 -#usr/share/man/man1/suricatasc.1 -var/lib/suricata -var/lib/suricata/classification.config -var/lib/suricata/reference.config -var/lib/suricata/threshold.config -var/log/suricata -#var/log/suricata/certs -#var/log/suricata/files diff --git a/config/rootfiles/common/i586/suricata b/config/rootfiles/common/i586/suricata deleted file mode 100644 index 32358483a..000000000 --- a/config/rootfiles/common/i586/suricata +++ /dev/null 
@@ -1,28 +0,0 @@ -etc/suricata -etc/suricata/suricata.yaml -#root/.cargo -#root/.cargo/.package-cache -usr/bin/suricata -#usr/share/doc/suricata -#usr/share/doc/suricata/AUTHORS -#usr/share/doc/suricata/Basic_Setup.txt -#usr/share/doc/suricata/GITGUIDE -#usr/share/doc/suricata/INSTALL -#usr/share/doc/suricata/INSTALL.PF_RING -#usr/share/doc/suricata/INSTALL.WINDOWS -#usr/share/doc/suricata/NEWS -#usr/share/doc/suricata/README -#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt -#usr/share/doc/suricata/TODO -#usr/share/doc/suricata/Third_Party_Installation_Guides.txt -#usr/share/man/man1/suricata.1 -#usr/share/man/man1/suricatactl-filestore.1 -#usr/share/man/man1/suricatactl.1 -#usr/share/man/man1/suricatasc.1 -var/lib/suricata -var/lib/suricata/classification.config -var/lib/suricata/reference.config -var/lib/suricata/threshold.config -var/log/suricata -#var/log/suricata/certs -#var/log/suricata/files diff --git a/config/rootfiles/common/x86_64/suricata b/config/rootfiles/common/x86_64/suricata deleted file mode 100644 index 32358483a..000000000 --- a/config/rootfiles/common/x86_64/suricata +++ /dev/null 
@@ -1,28 +0,0 @@ -etc/suricata -etc/suricata/suricata.yaml -#root/.cargo -#root/.cargo/.package-cache -usr/bin/suricata -#usr/share/doc/suricata -#usr/share/doc/suricata/AUTHORS -#usr/share/doc/suricata/Basic_Setup.txt -#usr/share/doc/suricata/GITGUIDE -#usr/share/doc/suricata/INSTALL -#usr/share/doc/suricata/INSTALL.PF_RING -#usr/share/doc/suricata/INSTALL.WINDOWS -#usr/share/doc/suricata/NEWS -#usr/share/doc/suricata/README -#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt -#usr/share/doc/suricata/TODO -#usr/share/doc/suricata/Third_Party_Installation_Guides.txt -#usr/share/man/man1/suricata.1 -#usr/share/man/man1/suricatactl-filestore.1 -#usr/share/man/man1/suricatactl.1 -#usr/share/man/man1/suricatasc.1 -var/lib/suricata -var/lib/suricata/classification.config -var/lib/suricata/reference.config -var/lib/suricata/threshold.config -var/log/suricata -#var/log/suricata/certs -#var/log/suricata/files From patchwork Fri Nov 19 17:44:55 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4846 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Hwkb76rVMz3wcw for ; Fri, 19 Nov 2021 17:45:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Hwkb24PYZz2ll; Fri, 19 Nov 2021 17:45:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 4/7] suricata: This package is supported on all architectures
Date: Fri, 19 Nov 2021 17:44:55 +0000
Message-Id: <20211119174458.789486-4-michael.tremer@ipfire.org>
In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

There is no need to list them specifically.

Signed-off-by: Michael Tremer
---
 lfs/suricata | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lfs/suricata b/lfs/suricata index bd57b829e..0a1dcf2b8 100644 --- a/lfs/suricata +++ b/lfs/suricata 
@@ -31,7 +31,6 @@ DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) -SUP_ARCH = x86_64 i586 aarch64 armv6l ############################################################################### # Top-level Rules From patchwork Fri Nov 19 17:44:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4847 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HwkbB4Dmfz3wcw for ; Fri, 19 Nov 2021 17:45:26 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Hwkb26ZcGz37t; Fri, 19 Nov 2021 17:45:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Hwkb21Mg2z30HS; Fri, 19 Nov 2021 17:45:18 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Hwkb10r3Cz2yXQ for ; Fri, 19 Nov 2021 17:45:17 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 5/7] suricata: Load *.config files from default location
Date: Fri, 19 Nov 2021 17:44:56 +0000
Message-Id: <20211119174458.789486-5-michael.tremer@ipfire.org>
In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

Signed-off-by: Michael Tremer --- config/rootfiles/common/suricata | 3 --- config/suricata/suricata.yaml | 7 +++---- lfs/suricata | 5 +---- 3 files changed, 4 insertions(+), 11 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 7c512b033..091245023 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -40,9 +40,6 @@ usr/share/suricata/ #usr/share/suricata/rules/stream-events.rules #usr/share/suricata/rules/tls-events.rules var/lib/suricata -var/lib/suricata/classification.config -var/lib/suricata/reference.config -var/lib/suricata/threshold.config var/log/suricata #var/log/suricata/certs #var/log/suricata/files diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 0ad36e705..ba56c6a75 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -69,10 +69,9 @@ rule-files: # Include enabled ruleset files from external file - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml -classification-file: /var/lib/suricata/classification.config -reference-config-file: /var/lib/suricata/reference.config -threshold-file: /var/lib/suricata/threshold.config - +classification-file: /usr/share/suricata/classification.config +reference-config-file: /usr/share/suricata/reference.config +threshold-file: /usr/share/suricata/threshold.config ## ## Logging options. diff --git a/lfs/suricata b/lfs/suricata index 0a1dcf2b8..38289962f 100644 --- a/lfs/suricata +++ b/lfs/suricata 
@@ -100,10 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Move config files for references, threshold and classification # to the rules directory. - mv /etc/suricata/*.config /var/lib/suricata - - # Set correct permissions for the files. - chmod 644 /var/lib/suricata/*.config + rm -rfv /etc/suricata/*.config # Set correct ownership for /var/lib/suricata and the # contained files From patchwork Fri Nov 19 17:44:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4848
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 6/7] IPS: Do not try to show rules when stat on rules tarball fails Date: Fri, 19 Nov 2021 17:44:57 +0000 Message-Id: <20211119174458.789486-6-michael.tremer@ipfire.org> In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org> References: <20211119174458.789486-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- html/cgi-bin/ids.cgi | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 85c5ddd86..4e8b28fd8 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -1091,13 +1091,14 @@ if (%idsrules) { # Call stat on the rulestarball. my $stat = stat("$IDS::rulestarball"); - # Get timestamp the file creation. - my $mtime = $stat->mtime; + if (defined $stat) { + # Get timestamp the file creation. + my $mtime = $stat->mtime; - # Convert into human read-able format. - my $rulesdate = strftime('%Y-%m-%d %H:%M:%S', localtime($mtime)); + # Convert into human read-able format. + my $rulesdate = strftime('%Y-%m-%d %H:%M:%S', localtime($mtime)); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'intrusion detection system rules'} ($rulesdate)" ); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'intrusion detection system rules'} ($rulesdate)" ); print"
\n"; @@ -1189,7 +1190,7 @@ if (%idsrules) { # Close display table print ""; -print < 
@@ -1198,7 +1199,8 @@ print < END ; - &Header::closebox(); + &Header::closebox(); + } } &Header::closebigbox(); From patchwork Fri Nov 19 17:44:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 4849
From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 7/7] suricata: Handle retransmitted SYN with TSval Date: Fri, 19 Nov 2021 17:44:58 +0000 Message-Id: <20211119174458.789486-7-michael.tremer@ipfire.org> In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org> References: <20211119174458.789486-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Read more in the patch. 
Signed-off-by: Michael Tremer --- lfs/suricata | 1 + ...-Handle-retransmitted-SYN-with-TSval.patch | 55 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch diff --git a/lfs/suricata b/lfs/suricata index 38289962f..b54a038c3 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ --prefix=/usr \ --sysconfdir=/etc \ diff --git a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch new file mode 100644 index 000000000..fcea77cfa --- /dev/null +++ b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch 
@@ -0,0 +1,55 @@ +From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001 +From: Michael Tremer +Date: Fri, 19 Nov 2021 17:17:47 +0000 +Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval + +For connections that use TCP timestamps for which the first SYN packet +does not reach the server, any replies to retransmitted SYNs will be +tropped. + +This is happening in StateSynSentValidateTimestamp, where the timestamp +value in a SYN-ACK packet must match the one from the SYN packet. +However, since the server never received the first SYN packet, it will +respond with an updated timestamp from any of the following SYN packets. + +The timestamp value inside suricata is not being updated at any time +which should happen. This patch fixes that problem. + +This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318. + +Signed-off-by: Michael Tremer +--- + src/stream-tcp.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/src/stream-tcp.c b/src/stream-tcp.c +index 1cff19fa5..af681760b 100644 +--- a/src/stream-tcp.c ++++ b/src/stream-tcp.c +@@ -1643,6 +1643,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, + "ssn->client.last_ack %"PRIu32"", ssn, + ssn->client.isn, ssn->client.next_seq, + ssn->client.last_ack); ++ } else if (PKT_IS_TOSERVER(p)) { ++ /* ++ * On retransmitted SYN packets, the timestamp value must be updated, ++ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN ++ * with an updated timestamp in StateSynSentValidateTimestamp. ++ */ ++ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) { ++ uint32_t ts_val = TCP_GET_TSVAL(p); ++ ++ // Check whether packets have been received in the correct order (only ever update) ++ if (ssn->client.last_ts < ts_val) { ++ ssn->client.last_ts = ts_val; ++ ssn->client.last_pkt_ts = p->ts.tv_sec; ++ } ++ ++ SCLogDebug("ssn %p: Retransmitted SYN. 
Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt); ++ } + } + + /** \todo check if it's correct or set event */ +-- +2.30.2 +
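Review bot: in the config/rootfiles/common/suricata hunk of the patch that moves the *.config files, the three var/lib/suricata/*.config entries are dropped without matching usr/share/suricata/classification.config, usr/share/suricata/reference.config and usr/share/suricata/threshold.config entries being added. The visible context only shows the usr/share/suricata/ directory and commented-out rules files, so please confirm the three files are already listed elsewhere in the rootfile; otherwise the files that suricata.yaml now points to will not be packaged.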
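Review bot: the three new paths in the config/suricata/suricata.yaml hunk assume that classification.config, reference.config and threshold.config exist under /usr/share/suricata, but nothing visible in this patch puts them there; the lfs/suricata hunk only deletes the copies in /etc/suricata. Please say in the commit message which build step installs them, threshold.config in particular, and what happens to systems that still have the files in /var/lib/suricata. The hunk also drops the blank line before the "## Logging options" banner, which is worth keeping as a separator.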
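Review bot: the comment left above the new rm line in the lfs/suricata hunk of the same patch still reads "Move config files for references, threshold and classification to the rules directory", which no longer describes what the step does. Update it to say that the /etc/suricata copies are removed and why. Since the glob only matches regular files, rm -fv /etc/suricata/*.config would be the narrower command than rm -rfv.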
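Review bot: the new if (defined $stat) in the first html/cgi-bin/ids.cgi hunk of patch 6/7 has no else branch, so when stat on $IDS::rulestarball fails the whole rules box disappears with no message to the user and nothing logged. Consider an else that either opens the box without the date or prints an error, so a missing tarball is distinguishable from an empty ruleset. While the line is being re-indented, the comment "Get timestamp the file creation" could be corrected too, since mtime is the modification time.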
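Review bot: the ordering check ssn->client.last_ts < ts_val in the src/stream-tcp.c hunk of patch 7/7 is a plain unsigned comparison, so it stops updating once the client's 32-bit TSval wraps around. A wrap-safe form such as (int32_t)(ts_val - ssn->client.last_ts) > 0 would cover that case. The SCLogDebug "Retransmitted SYN. Updated timestamp" line also runs when the inner if did not update anything, so move it inside the if or reword it. The // comment on the ordering check differs from the /* */ style used a few lines above it.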