[PATCH 1/5] ids-functions.pl: Introduce generate_dns_servers_file()

[PATCH 1/5] ids-functions.pl: Introduce generate_dns_servers_file()

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 3242 bytes --]

This function is used to generate a yaml file which take care of the
current used DNS configuration and should be included in the main
suricata config file.

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 config/cfgroot/ids-functions.pl | 62 +++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 94de1373c..54d86f70f 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -34,6 +34,9 @@ our $used_rulefiles_file = "$settingsdir/suricata-used-rulefiles.yaml";
 # File where the addresses of the homenet are stored.
 our $homenet_file = "$settingsdir/suricata-homenet.yaml";
 
+# File where the addresses of the used DNS servers are stored.
+our $dns_servers_file = "$settingsdir/suricata-dns-servers.yaml";
+
 # File which contains the enabled sids.
 our $enabled_sids_file = "$settingsdir/oinkmaster-enabled-sids.conf";
 
@@ -695,6 +698,65 @@ sub generate_home_net_file() {
 	close(FILE);
 }
 
+#
+# Function to generate and write the file which contains the configured and used DNS servers.
+#
+sub generate_dns_servers_file() {
+	# Open file which contains the current used DNS configuration.
+	open (FILE, "${General::swroot}/red/dns") or die "Could not read DNS configuration from ${General::swroot}/red/dns. $!\n";
+
+	# Read-in whole file content and store it in a temporary array.
+	my @file_content = <FILE>;
+
+	# Close file handle.
+	close(FILE);
+
+	# Format dns servers declaration.
+	my $line = "\"\[";
+
+	# Loop through the array which contains the file content.
+	foreach my $server (@file_content) {
+		# Remove newlines.
+		chomp($server);
+
+		# Check if the current DNS configuration is using the local recursor mode.
+		if ($server eq "local recursor") {
+			# The responsible DNS servers on red are directly used, and because we are not able
+			# to specify each single DNS server address here, we currently have to thread each
+			# address which is not part of the HOME_NET as possible DNS server.
+			$line = "$line" . "!\$HOME_NET";
+		} else {
+			# Add the DNS server to the line.
+			$line = "$line" . "$server";
+		}
+
+                # Check if the current DNS server was the last in the array.
+                if ($server eq $file_content[-1]) {
+                        # Close the line.
+                        $line = "$line" . "\]\"";
+                } else {
+                        # Add "," for the next DNS server.
+                        $line = "$line" . "\,";
+                }
+        }
+
+	# Open file to store the used DNS server addresses.
+	open(FILE, ">$dns_servers_file") or die "Could not open $dns_servers_file. $!\n";
+
+	# Print yaml header.
+	print FILE "%YAML 1.1\n";
+	print FILE "---\n\n";
+
+	# Print notice about autogenerated file.
+	print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+	# Print the generated DNS declaration to the file.
+	print FILE "DNS_SERVERS:\t$line\n";
+
+	# Close file handle.
+	close(FILE);
+}
+
 #
 ## Function to generate and write the file for used rulefiles.
 #
-- 
2.20.1

[PATCH 2/5] ids.cgi: Generate and store the DNS server configuration.

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 719 bytes --]

This will be done by the recently added generate_dns_servers_file()
function from ids-functions.pl.

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 html/cgi-bin/ids.cgi | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 74f5ca223..da009f891 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -601,6 +601,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 	# Generate file to store the home net.
 	&IDS::generate_home_net_file();
 
+	# Generate file to the store the DNS servers.
+	&IDS::generate_dns_servers_file();
+
 	# Write the modify sid's file and pass the taken ruleaction.
 	&IDS::write_modify_sids_file();
 
-- 
2.20.1

[PATCH 3/5] convert-snort: Generate DNS servers file.

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 1294 bytes --]

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 config/suricata/convert-snort | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort
index 5ed36954f..64b6e8b6a 100644
--- a/config/suricata/convert-snort
+++ b/config/suricata/convert-snort
@@ -253,7 +253,17 @@ if (-f $IDS::rulestarball) {
 &IDS::set_ownership("$IDS::homenet_file");
 
 #
-## Step 9: Setup automatic ruleset updates.
+## Step 9: Generate file for the DNS servers.
+#
+
+# Call subfunction to generate the file.
+&IDS::generate_dns_servers_file();
+
+# Set correct ownership for the dns_servers_file.
+&IDS::set_ownership("$IDS::dns_servers_file");
+
+#
+## Step 10: Setup automatic ruleset updates.
 #
 
 # Check if a ruleset is configured.
@@ -263,7 +273,7 @@ if($rulessettings{"RULES"}) {
 }
 
 #
-## Step 10: Grab used ruleset files from snort config file and convert
+## Step 11: Grab used ruleset files from snort config file and convert
 ##         them into the new format.
 #
 
@@ -309,7 +319,7 @@ close(SNORTCONF);
 &IDS::write_used_rulefiles_file(@enabled_rule_files);
 
 #
-## Step 11: Start the IDS if enabled.
+## Step 12: Start the IDS if enabled.
 #
 
 # Check if the IDS should be started.
-- 
2.20.1

[PATCH 4/5] red.up: Generate Suricata DNS servers file on reconnect.

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 903 bytes --]

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 src/initscripts/networking/red.up/23-suricata | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/networking/red.up/23-suricata b/src/initscripts/networking/red.up/23-suricata
index 1514909ee..c0628e9f9 100644
--- a/src/initscripts/networking/red.up/23-suricata
+++ b/src/initscripts/networking/red.up/23-suricata
@@ -19,8 +19,12 @@ if($ids_settings{'ENABLE_IDS'} eq "on") {
 	# Regenerate the file with HOME_NET details.
 	&IDS::generate_home_net_file();
 
-	# Set correct ownership.
+	# Regenerate the file with DNS_SERVERS details.
+	&IDS::generate_dns_servers_file();
+
+	# Set correct ownerships.
 	&IDS::set_ownership("$IDS::homenet_file");
+	&IDS::set_ownership("$IDS::dns_servers_file");
 
 	# Check if suricata is running.
 	if(&IDS::ids_is_running()) {
-- 
2.20.1

[PATCH 5/5] suricata: Use DNS_SERVERS declaration from external file.

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 1083 bytes --]

These settings now will be read from
/var/ipfire/suricata/suricata-dns-servers.yaml, which will be
generated by the generate_dns_servers_file() function, located in
ids-functions.pl and called by various scripts.

Fixes #12166.

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 config/suricata/suricata.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index e921781cf..af9cb75a9 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -11,12 +11,14 @@ vars:
     # Include HOME_NET declaration from external file.
     include: /var/ipfire/suricata/suricata-homenet.yaml
 
+    # Include DNS_SERVERS declaration from external file.
+    include: /var/ipfire/suricata/suricata-dns-servers.yaml
+
     EXTERNAL_NET: "any"
 
     HTTP_SERVERS: "$HOME_NET"
     SMTP_SERVERS: "$HOME_NET"
     SQL_SERVERS: "$HOME_NET"
-    DNS_SERVERS: "$HOME_NET"
     TELNET_SERVERS: "$HOME_NET"
     AIM_SERVERS: "$EXTERNAL_NET"
     DC_SERVERS: "$HOME_NET"
-- 
2.20.1

Re: [PATCH 5/5] suricata: Use DNS_SERVERS declaration from external file.

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1378 bytes --]

Hi,

Shouldn’t HOME_NET still be in DNS_SERVERS for users who are running a DNS server behind their firewall?

> On 5 Nov 2019, at 09:32, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> 
> These settings now will be read from
> /var/ipfire/suricata/suricata-dns-servers.yaml, which will be
> generated by the generate_dns_servers_file() function, located in
> ids-functions.pl and called by various scripts.
> 
> Fixes #12166.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/suricata/suricata.yaml | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
> index e921781cf..af9cb75a9 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -11,12 +11,14 @@ vars:
>     # Include HOME_NET declaration from external file.
>     include: /var/ipfire/suricata/suricata-homenet.yaml
> 
> +    # Include DNS_SERVERS declaration from external file.
> +    include: /var/ipfire/suricata/suricata-dns-servers.yaml
> +
>     EXTERNAL_NET: "any"
> 
>     HTTP_SERVERS: "$HOME_NET"
>     SMTP_SERVERS: "$HOME_NET"
>     SQL_SERVERS: "$HOME_NET"
> -    DNS_SERVERS: "$HOME_NET"
>     TELNET_SERVERS: "$HOME_NET"
>     AIM_SERVERS: "$EXTERNAL_NET"
>     DC_SERVERS: "$HOME_NET"
> -- 
> 2.20.1
> 

Re: [PATCH 5/5] suricata: Use DNS_SERVERS declaration from external file.

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 1788 bytes --]

Hello Michael,
> Hi,
> 
> Shouldn’t HOME_NET still be in DNS_SERVERS for users who are running
> a DNS server behind their firewall?

set HOME_NET here would result in DNS related intrusion rules which
will only match if DNS requests will be sent to a internal DNS server,
which was the default in the past.

The current approach is to set this value to the used DNS servers, or
if unbound is used in recursor mode to every external address
(!HOME_NET).

Best regards,

-Stefan
> 
> > On 5 Nov 2019, at 09:32, Stefan Schantl <stefan.schantl(a)ipfire.org>
> > wrote:
> > 
> > These settings now will be read from
> > /var/ipfire/suricata/suricata-dns-servers.yaml, which will be
> > generated by the generate_dns_servers_file() function, located in
> > ids-functions.pl and called by various scripts.
> > 
> > Fixes #12166.
> > 
> > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > ---
> > config/suricata/suricata.yaml | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/config/suricata/suricata.yaml
> > b/config/suricata/suricata.yaml
> > index e921781cf..af9cb75a9 100644
> > --- a/config/suricata/suricata.yaml
> > +++ b/config/suricata/suricata.yaml
> > @@ -11,12 +11,14 @@ vars:
> >     # Include HOME_NET declaration from external file.
> >     include: /var/ipfire/suricata/suricata-homenet.yaml
> > 
> > +    # Include DNS_SERVERS declaration from external file.
> > +    include: /var/ipfire/suricata/suricata-dns-servers.yaml
> > +
> >     EXTERNAL_NET: "any"
> > 
> >     HTTP_SERVERS: "$HOME_NET"
> >     SMTP_SERVERS: "$HOME_NET"
> >     SQL_SERVERS: "$HOME_NET"
> > -    DNS_SERVERS: "$HOME_NET"
> >     TELNET_SERVERS: "$HOME_NET"
> >     AIM_SERVERS: "$EXTERNAL_NET"
> >     DC_SERVERS: "$HOME_NET"
> > -- 
> > 2.20.1
> > 

Re: [PATCH 5/5] suricata: Use DNS_SERVERS declaration from external file.

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2327 bytes --]

Hello,

> On 5 Nov 2019, at 12:45, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> 
> Hello Michael,
>> Hi,
>> 
>> Shouldn’t HOME_NET still be in DNS_SERVERS for users who are running
>> a DNS server behind their firewall?
> 
> set HOME_NET here would result in DNS related intrusion rules which
> will only match if DNS requests will be sent to a internal DNS server,
> which was the default in the past.
> 
> The current approach is to set this value to the used DNS servers, or
> if unbound is used in recursor mode to every external address
> (!HOME_NET).

Yes, I know what the patch does.

I was just asking about that this patch removes that DNS traffic will be scanned when it is coming from the Internet to a local DNS server in a local subnet.

That worked before and I think it should continue to work.

HOME_NET should be in DNS_SERVERS, *as well as* the resolvers that unbound is using.

-Michael

> 
> Best regards,
> 
> -Stefan
>> 
>>> On 5 Nov 2019, at 09:32, Stefan Schantl <stefan.schantl(a)ipfire.org>
>>> wrote:
>>> 
>>> These settings now will be read from
>>> /var/ipfire/suricata/suricata-dns-servers.yaml, which will be
>>> generated by the generate_dns_servers_file() function, located in
>>> ids-functions.pl and called by various scripts.
>>> 
>>> Fixes #12166.
>>> 
>>> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
>>> ---
>>> config/suricata/suricata.yaml | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/config/suricata/suricata.yaml
>>> b/config/suricata/suricata.yaml
>>> index e921781cf..af9cb75a9 100644
>>> --- a/config/suricata/suricata.yaml
>>> +++ b/config/suricata/suricata.yaml
>>> @@ -11,12 +11,14 @@ vars:
>>>    # Include HOME_NET declaration from external file.
>>>    include: /var/ipfire/suricata/suricata-homenet.yaml
>>> 
>>> +    # Include DNS_SERVERS declaration from external file.
>>> +    include: /var/ipfire/suricata/suricata-dns-servers.yaml
>>> +
>>>    EXTERNAL_NET: "any"
>>> 
>>>    HTTP_SERVERS: "$HOME_NET"
>>>    SMTP_SERVERS: "$HOME_NET"
>>>    SQL_SERVERS: "$HOME_NET"
>>> -    DNS_SERVERS: "$HOME_NET"
>>>    TELNET_SERVERS: "$HOME_NET"
>>>    AIM_SERVERS: "$EXTERNAL_NET"
>>>    DC_SERVERS: "$HOME_NET"
>>> -- 
>>> 2.20.1
>>> 
>