From patchwork Thu Jun 6 04:56:32 2019
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 2284
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 1/5] suricata: correct rule actions in IPS mode
Date: Wed, 5 Jun 2019 20:56:32 +0200
Message-Id: <20190605185636.9952-1-stefan.schantl@ipfire.org>
X-Mailer: git-send-email 2.20.1
List-Id: IPFire development talk

From: Tim FitzGeorge

In IPS mode rule actions need to have the action 'drop' for the protection to work; however, this is not appropriate for all rules. Modify the generator for oinkmaster-modify-sids.conf to leave rules with the action 'alert' where this is appropriate. Also add a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge
Tested-by: Peter Müller
Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 44 +++++++++--
 config/rootfiles/common/configroot | 1 +
 config/rootfiles/core/133/update.sh | 3 +
 config/suricata/convert-ids-modifysids-file | 84 +++++++++++++++++++++
 html/cgi-bin/ids.cgi | 22 +++++-
 lfs/configroot | 1 +
 6 files changed, 148 insertions(+), 7 deletions(-)
 create mode 100644 config/suricata/convert-ids-modifysids-file

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 88734a3ca..e1caa6e58 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -243,7 +243,7 @@ sub downloadruleset { # Load perl module to deal with temporary files. use File::Temp; - # Generate temporay file name, located in "/var/tmp" and with a suffix of ".tar.gz". + # Generate temporary file name, located in "/var/tmp" and with a suffix of ".tar.gz". my $tmp = File::Temp->new( SUFFIX => ".tar.gz", DIR => "/var/tmp/", UNLINK => 0 ); my $tmpfile = $tmp->filename(); @@ -293,6 +293,9 @@ sub downloadruleset { # Overwrite existing rules tarball with the new downloaded one. move("$tmpfile", "$rulestarball"); + # Set correct ownership for the rulesdir and files. + set_ownership("$rulestarball"); + # If we got here, everything worked fine. Return nothing. return; } @@ -726,8 +729,8 @@ sub write_used_rulefiles_file(@) { # ## Function to generate and write the file for modify the ruleset. # -sub write_modify_sids_file($) { - my ($ruleaction) = @_; +sub write_modify_sids_file($$) { + my ($ruleaction,$rulefile) = @_; # Open modify sid's file for writing. open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; 
@@ -737,8 +740,39 @@ sub write_modify_sids_file($) { # Check if the traffic only should be monitored. unless($ruleaction eq "alert") { - # Tell oinkmaster to switch all rules from alert to drop. - print FILE "modifysid \* \"alert\" \| \"drop\"\n"; + # Suricata is in IPS mode, which means that the rule actions have to be changed + # from 'alert' to 'drop', however not all rules should be changed. Some rules + # exist purely to set a flowbit which is used to convey other information, such + # as a specific type of file being downloaded, to other rulewhich then check for + # malware in that file. Rules which fall into the first category should stay as + # alert since not all flows of that type contain malware. + + if($rulefile eq 'registered' or $rulefile eq 'subscripted' or $rulefile eq 'community') { + # These types of rulesfiles contain meta-data which gives the action that should + # be used when in IPS mode. Do the following: + # + # 1. Disable all rules and set the action to 'drop' + # 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;' + # This should give rules not in the policy a reasonable default if the user + # manually enables them. + # 3. Enable rules and set actions according to the meta-data strings. + + my $policy = 'balanced'; # Placeholder to allow policy to be changed. + + print FILE < # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . 
# +# # +############################################################################### + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; + +# Hash which contains the IDS (suricata) settings. +my %idssettings; + +# Hash which contains the RULES settings. +my %rulessettings; + +# +## Step 1: Read IDS and rules settings. +# + +exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file); + +# Read IDS settings. +&General::readhash("$IDS::ids_settings_file", \%idssettings); + +# Read rules settings. +&General::readhash("$IDS::rules_settings_file", \%rulessettings); + +# +## Step 2: Generate and write the file to modify the ruleset. +# + +my $IDS_action = "drop"; + +# Check if the traffic only should be monitored. +if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "on") { + # Switch IDS action to alert only. + $IDS_action = "alert"; +} + +# Call subfunction and pass the desired IDS action. +&IDS::write_modify_sids_file($IDS_action, $rulessettings{RULES}); + +# Set correct ownership. +&IDS::set_ownership("$IDS::modify_sids_file"); + +# +## Step 3: Call oinkmaster to extract and setup the rules structures. +# + +# Check if a rulestarball is present. +if (-f $IDS::rulestarball) { + # Launch oinkmaster by calling the subfunction. + &IDS::oinkmaster(); + + # Set correct ownership for the rulesdir and files. + &IDS::set_ownership("$IDS::rulespath"); +} + +# +## Step 4: Start the IDS if enabled. +# + +# Check if the IDS should be started. +if($idssettings{"ENABLE_IDS"} eq "on") { + # Call suricatactrl and reload the rules. + &IDS::call_suricatactrl("reload"); +} diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 00db6a0c3..1791e9beb 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -359,7 +359,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; } - # Check if enought free disk space is availabe. + # Check if enough free disk space is availabe. if(&IDS::checkdiskspace()) { $errormessage = "$Lang::tr{'not enough disk space'}"; } @@ -370,6 +370,22 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # a new ruleset. &working_notice("$Lang::tr{'ids working'}"); + &General::readhash("$IDS::ids_settings_file", \%idssettings); + + # Temporary variable to set the ruleaction. + # Default is "drop" to use suricata as IPS. + my $ruleaction="drop"; + + # Check if the traffic only should be monitored. + if($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { + # Switch the ruleaction to "alert". + # Suricata acts as an IDS only. + $ruleaction="alert"; + } + + # Write the modify sid's file and pass the taken ruleaction. + &IDS::write_modify_sids_file($ruleaction, $cgiparams{'RULES'}); + # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { $errormessage = $Lang::tr{'could not download latest updates'}; @@ -609,8 +625,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { $ruleaction="alert"; } + &General::readhash("$IDS::rules_settings_file", \%rulessettings); + # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction); + &IDS::write_modify_sids_file($ruleaction, $rulessettings{'RULES'}); # Check if "MONITOR_TRAFFIC_ONLY" has been changed. if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) { diff --git a/lfs/configroot b/lfs/configroot index d4eb545f0..227d09239 100644 --- a/lfs/configroot +++ b/lfs/configroot 
@@ -135,6 +135,7 @@ $(TARGET) : # Install snort to suricata converter. cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort + cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file # Add conntrack helper default settings for proto in FTP H323 IRC SIP TFTP; do \
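Review bot: in the downloadruleset hunk (@@ -293) the new `set_ownership("$rulestarball")` runs unconditionally after `move("$tmpfile", "$rulestarball")`, whose return value is never checked. File::Copy's move returns false on failure, so after a failed move the function still returns nothing (which ids.cgi treats as success in `if(&IDS::downloadruleset())`) and merely re-owns whatever old tarball is already in place. Test the result before the chown, e.g. `move("$tmpfile", "$rulestarball") or return 1;`, so the caller gets its error message.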
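Review bot: in the write_modify_sids_file hunk (@@ -737) `my $policy = 'balanced'; # Placeholder to allow policy to be changed.` hard-codes the policy with nothing in the settings to change it; either wire it to a setting now or state in the comment that only 'balanced' is currently supported. Two smaller points in the same hunk: the comment `to other rulewhich then check for` is missing a word (`to other rules which then check for`), and because every caller uses the `&IDS::write_modify_sids_file(...)` form the new `($$)` prototype is not enforced, so the one-argument call that convert-snort keeps until patch 3 (`&IDS::write_modify_sids_file($IDS_action)`) passes an undefined `$rulefile`, fails the `if($rulefile eq 'registered' or ...)` test and produces the old all-rules mapping without any error.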
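Review bot: in the new convert-ids-modifysids-file the heading `## Step 4: Start the IDS if enabled.` and the comment `# Check if the IDS should be started.` do not describe the code, which only calls `&IDS::call_suricatactrl("reload")`; say 'reload' there. Also `exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file);` exits with status 0, so an update hook running this script cannot tell 'nothing to convert' from 'converted'; log a line before the bare exit, or return a distinct status, so the update can report it.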
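Review bot: in the ids.cgi @@ -370 hunk the modify-sids file is written with the submitted `$cgiparams{'RULES'}` before `&IDS::downloadruleset()` has succeeded. If the download fails (the `$errormessage = $Lang::tr{'could not download latest updates'}` path), the on-disk modify file already describes the newly chosen ruleset while the old tarball remains, so the next oinkmaster run applies the wrong action mapping to the old rules. Write the file after a successful download, or regenerate it from the saved settings on failure. Note also that the second call site (@@ -609) takes the ruleset from `$rulessettings{'RULES'}` read from disk rather than from the request, so the two sites can disagree about which ruleset is meant.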
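Review bot: the lfs/configroot hunk installs the new script with a plain `cp`, but the diffstat shows it is added as `create mode 100644 config/suricata/convert-ids-modifysids-file`, so unless something else sets the bit, /usr/sbin/convert-ids-modifysids-file lands without execute permission and the update hook cannot run it directly. Commit the file with mode 100755 or use `install -m 755` here.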

From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 2/5] ids-functions.pl: Rework function write_modify_sids_file().
Date: Wed, 5 Jun 2019 20:56:33 +0200
Message-Id: <20190605185636.9952-2-stefan.schantl@ipfire.org>
In-Reply-To: <20190605185636.9952-1-stefan.schantl@ipfire.org>

Directly implement the logic to determine the used ruleset and whether IDS or IPS mode should be used in the function itself, instead of passing those details as arguments. This helps to avoid doing this at several places again and again.

Signed-off-by: Stefan Schantl
---
 config/cfgroot/ids-functions.pl | 15 +++++++++++----
 html/cgi-bin/ids.cgi | 30 ++----------------------------
 2 files changed, 13 insertions(+), 32 deletions(-)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index e1caa6e58..94de1373c 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -729,8 +729,15 @@ sub write_used_rulefiles_file(@) { # ## Function to generate and write the file for modify the ruleset. # -sub write_modify_sids_file($$) { - my ($ruleaction,$rulefile) = @_; +sub write_modify_sids_file() { + # Get configured settings. + my %idssettings=(); + my %rulessettings=(); + &General::readhash("$ids_settings_file", \%idssettings); + &General::readhash("$rules_settings_file", \%rulessettings); + + # Gather the configured ruleset. + my $ruleset = $rulessettings{'RULES'}; # Open modify sid's file for writing. open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; @@ -739,7 +746,7 @@ sub write_modify_sids_file($$) { print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; # Check if the traffic only should be monitored. - unless($ruleaction eq "alert") { + unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { # Suricata is in IPS mode, which means that the rule actions have to be changed # from 'alert' to 'drop', however not all rules should be changed. Some rules # exist purely to set a flowbit which is used to convey other information, such @@ -747,7 +754,7 @@ sub write_modify_sids_file($$) { # malware in that file. Rules which fall into the first category should stay as # alert since not all flows of that type contain malware. - if($rulefile eq 'registered' or $rulefile eq 'subscripted' or $rulefile eq 'community') { + if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') { # These types of rulesfiles contain meta-data which gives the action that should # be used when in IPS mode. Do the following: # diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 1791e9beb..74f5ca223 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -370,21 +370,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # a new ruleset. &working_notice("$Lang::tr{'ids working'}"); - &General::readhash("$IDS::ids_settings_file", \%idssettings); - - # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction="drop"; - - # Check if the traffic only should be monitored. - if($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction="alert"; - } - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction, $cgiparams{'RULES'}); + &IDS::write_modify_sids_file(); # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { 
@@ -614,21 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &IDS::generate_home_net_file(); - # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction="drop"; - - # Check if the traffic only should be monitored. - if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction="alert"; - } - - &General::readhash("$IDS::rules_settings_file", \%rulessettings); - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction, $rulessettings{'RULES'}); + &IDS::write_modify_sids_file(); # Check if "MONITOR_TRAFFIC_ONLY" has been changed. if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
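Review bot: in the write_modify_sids_file() hunk the function now reads `$ids_settings_file` and `$rules_settings_file` itself, but the code removed at the ids.cgi @@ -370 call site used `$cgiparams{'RULES'}` (the value just submitted) and the code removed at @@ -614 used `$cgiparams{'MONITOR_TRAFFIC_ONLY'}`. The rework is only equivalent if both settings files have already been rewritten with the new values before these calls; please confirm that ordering in the 'save' handler, since the context line `if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'})` right after the call shows old and new settings are still being compared there. Also the two `&General::readhash` calls have no `-f` existence check, unlike the converter script that calls this function.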

From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 3/5] convert-snort: Adjust code to use changed modify_sids_file function.
Date: Wed, 5 Jun 2019 20:56:34 +0200
Message-Id: <20190605185636.9952-3-stefan.schantl@ipfire.org>
In-Reply-To: <20190605185636.9952-1-stefan.schantl@ipfire.org>

Signed-off-by: Stefan Schantl
---
 config/suricata/convert-snort | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort
index 83931fa5b..5ed36954f 100644
--- a/config/suricata/convert-snort
+++ b/config/suricata/convert-snort
@@ -196,18 +196,8 @@ if (-f $guardian_meta) { ## Step 5: Generate and write the file to modify the ruleset. # -# Converters default is to only monitor the traffic, so set the IDS action to -# "alert". -my $IDS_action = "alert"; - -# Check if the traffic only should be monitored. -if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") { - # Swith IDS action to alert only. - $IDS_action = "drop"; -} - # Call subfunction and pass the desired IDS action. -&IDS::write_modify_sids_file($IDS_action); +&IDS::write_modify_sids_file(); # Set correct ownership. &IDS::set_ownership("$IDS::modify_sids_file");
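Review bot: the convert-snort hunk changes the converter's default for a missing setting, which the commit message does not mention. The removed code started from `my $IDS_action = "alert";` and only switched to "drop" when `MONITOR_TRAFFIC_ONLY` was exactly `"off"`, whereas the reworked function (patch 2) uses `unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on')`, so a converted configuration without that key now gets drop actions (IPS) instead of alert-only; decide whether that is intended for upgrades and say so. Two comment fixes in the same hunk: the surviving context line `# Call subfunction and pass the desired IDS action.` sits above `&IDS::write_modify_sids_file();`, which no longer takes an argument, and the removed `# Swith IDS action to alert only.` described the opposite of the assignment it preceded.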

From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 4/5] convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function
Date: Wed, 5 Jun 2019 20:56:35 +0200
Message-Id: <20190605185636.9952-4-stefan.schantl@ipfire.org>
In-Reply-To: <20190605185636.9952-1-stefan.schantl@ipfire.org>

Signed-off-by: Stefan Schantl
---
 config/suricata/convert-ids-modifysids-file | 32 +++------------------
 1 file changed, 4 insertions(+), 28 deletions(-)

diff --git a/config/suricata/convert-ids-modifysids-file b/config/suricata/convert-ids-modifysids-file
index 8b70aa0fc..adcc10577 100644
--- a/config/suricata/convert-ids-modifysids-file
+++ b/config/suricata/convert-ids-modifysids-file @@ -24,44 +24,20 @@ use strict; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/ids-functions.pl"; -# Hash which contains the IDS (suricata) settings. -my %idssettings; - -# Hash which contains the RULES settings. -my %rulessettings; - -# -## Step 1: Read IDS and rules settings. -# - exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file); -# Read IDS settings. -&General::readhash("$IDS::ids_settings_file", \%idssettings); - -# Read rules settings. -&General::readhash("$IDS::rules_settings_file", \%rulessettings); - # -## Step 2: Generate and write the file to modify the ruleset. +## Step 1: Re-generate and write the file to modify the ruleset. # -my $IDS_action = "drop"; - -# Check if the traffic only should be monitored. -if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "on") { - # Switch IDS action to alert only. - $IDS_action = "alert"; -} - # Call subfunction and pass the desired IDS action. -&IDS::write_modify_sids_file($IDS_action, $rulessettings{RULES}); +&IDS::write_modify_sids_file(); # Set correct ownership. &IDS::set_ownership("$IDS::modify_sids_file"); # -## Step 3: Call oinkmaster to extract and setup the rules structures. +## Step 2: Call oinkmaster to extract and setup the rules structures. # # Check if a rulestarball is present. 
@@ -74,7 +50,7 @@ if (-f $IDS::rulestarball) { } # -## Step 4: Start the IDS if enabled. +## Step 3: Reload the IDS ruleset if running. # # Check if the IDS should be started.
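Review bot: in the first convert-ids-modifysids-file hunk the comment `# Call subfunction and pass the desired IDS action.` is kept above the now argument-less `&IDS::write_modify_sids_file();`; drop the "and pass the desired IDS action" part. With the settings reads moved into that function, the `exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file);` line is now the only guard against reading a missing settings file, so it must stay ahead of the call.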
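Review bot: in the second hunk the heading becomes `## Step 3: Reload the IDS ruleset if running.`, but the code below it (unchanged from patch 1) still tests `$idssettings{"ENABLE_IDS"} eq "on"` and the context comment still reads `# Check if the IDS should be started.`; "enabled" and "running" are not the same thing during an update. Either check the process state before calling `&IDS::call_suricatactrl("reload")` or word the heading and comment as "if enabled".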

From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 5/5] Core 133: Add suricata related converters to the update.
Date: Wed, 5 Jun 2019 20:56:36 +0200
Message-Id: <20190605185636.9952-5-stefan.schantl@ipfire.org>
In-Reply-To: <20190605185636.9952-1-stefan.schantl@ipfire.org>

Signed-off-by: Stefan Schantl
---
 config/rootfiles/core/133/filelists/files | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/rootfiles/core/133/filelists/files b/config/rootfiles/core/133/filelists/files
index 97a603ad8..46ee37a2c 100644
--- a/config/rootfiles/core/133/filelists/files
+++ b/config/rootfiles/core/133/filelists/files
@@ -1,6 +1,8 @@ etc/system-release etc/issue etc/rc.d/init.d/smt +usr/sbin/convert-snort +usr/sbin/convert-ids-modifysids-file srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi