This function is used to generate a YAML file which takes care of the currently used DNS configuration and should be included in the main suricata config file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/cfgroot/ids-functions.pl | 62 +++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+)
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 94de1373c..54d86f70f 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -34,6 +34,9 @@ our $used_rulefiles_file = "$settingsdir/suricata-used-rulefiles.yaml"; # File where the addresses of the homenet are stored. our $homenet_file = "$settingsdir/suricata-homenet.yaml";
+# File where the addresses of the used DNS servers are stored. +our $dns_servers_file = "$settingsdir/suricata-dns-servers.yaml"; + # File which contains the enabled sids. our $enabled_sids_file = "$settingsdir/oinkmaster-enabled-sids.conf";
@@ -695,6 +698,65 @@ sub generate_home_net_file() { close(FILE); }
+# +# Function to generate and write the file which contains the configured and used DNS servers. +# +sub generate_dns_servers_file() { + # Open file which contains the current used DNS configuration. + open (FILE, "${General::swroot}/red/dns") or die "Could not read DNS configuration from ${General::swroot}/red/dns. $!\n"; + + # Read-in whole file content and store it in a temporary array. + my @file_content = <FILE>; + + # Close file handle. + close(FILE); + + # Format dns servers declaration. + my $line = ""["; + + # Loop through the array which contains the file content. + foreach my $server (@file_content) { + # Remove newlines. + chomp($server); + + # Check if the current DNS configuration is using the local recursor mode. + if ($server eq "local recursor") { + # The responsible DNS servers on red are directly used, and because we are not able + # to specify each single DNS server address here, we currently have to thread each + # address which is not part of the HOME_NET as possible DNS server. + $line = "$line" . "!$HOME_NET"; + } else { + # Add the DNS server to the line. + $line = "$line" . "$server"; + } + + # Check if the current DNS server was the last in the array. + if ($server eq $file_content[-1]) { + # Close the line. + $line = "$line" . "]""; + } else { + # Add "," for the next DNS server. + $line = "$line" . ","; + } + } + + # Open file to store the used DNS server addresses. + open(FILE, ">$dns_servers_file") or die "Could not open $dns_servers_file. $!\n"; + + # Print yaml header. + print FILE "%YAML 1.1\n"; + print FILE "---\n\n"; + + # Print notice about autogenerated file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Print the generated DNS declaration to the file. + print FILE "DNS_SERVERS:\t$line\n"; + + # Close file handle. + close(FILE); +} + # ## Function to generate and write the file for used rulefiles. #
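Review bot: the end-of-list test `if ($server eq $file_content[-1])` compares the value of the current entry with the value of the last entry, not its position, so a resolver listed twice (or any entry equal to the last one) closes the bracket early and leaves the remaining servers dangling after it; an empty file, or one whose last line is blank, likewise leaves the opening bracket unterminated and the include invalid. Collect the entries with `push`, skip blank lines, and emit `"[" . join(",", @servers) . "]"` once after the loop, with a fallback (the previous `$HOME_NET` default, for instance) when nothing usable was read. Two smaller points: the comment should say "treat each address", not "thread", and `open (FILE, "${General::swroot}/red/dns") or die ...` uses a global bareword handle with a two-arg open inside a library routine that ids.cgi and the initscripts call; a lexical handle (`open(my $fh, '<', ...)`) avoids clobbering a caller's FILE, and the `die` will abort the calling CGI or initscript rather than leaving the previous include in place.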
This will be done by the recently added generate_dns_servers_file() function from ids-functions.pl.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- html/cgi-bin/ids.cgi | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 74f5ca223..da009f891 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -601,6 +601,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &IDS::generate_home_net_file();
+ # Generate file to the store the DNS servers. + &IDS::generate_dns_servers_file(); + # Write the modify sid's file and pass the taken ruleaction. &IDS::write_modify_sids_file();
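Review bot: in the other callers of this series (convert-snort Step 9 and red.up/23-suricata) the call to &IDS::generate_dns_servers_file() is followed by &IDS::set_ownership("$IDS::dns_servers_file"), but here it is not; unless the CGI already runs as the user Suricata reads the file as, add the same call after the generation so the new include is readable by the IDS. The new comment also reads "file to the store the DNS servers"; drop the first "the".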
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/suricata/convert-snort | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 5ed36954f..64b6e8b6a 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -253,7 +253,17 @@ if (-f $IDS::rulestarball) { &IDS::set_ownership("$IDS::homenet_file");
# -## Step 9: Setup automatic ruleset updates. +## Step 9: Generate file for the DNS servers. +# + +# Call subfunction to generate the file. +&IDS::generate_dns_servers_file(); + +# Set correct ownership for the dns_servers_file. +&IDS::set_ownership("$IDS::dns_servers_file"); + +# +## Step 10: Setup automatic ruleset updates. #
# Check if a ruleset is configured. @@ -263,7 +273,7 @@ if($rulessettings{"RULES"}) { }
# -## Step 10: Grab used ruleset files from snort config file and convert +## Step 11: Grab used ruleset files from snort config file and convert ## them into the new format. #
@@ -309,7 +319,7 @@ close(SNORTCONF); &IDS::write_used_rulefiles_file(@enabled_rule_files);
# -## Step 11: Start the IDS if enabled. +## Step 12: Start the IDS if enabled. #
# Check if the IDS should be started.
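Review bot: Step 9 calls &IDS::generate_dns_servers_file() unconditionally, and that function dies when ${General::swroot}/red/dns cannot be opened, so on an installation where red has never come up the converter aborts here and Steps 10 to 12 (automatic updates, rulefile conversion, starting the IDS) never run. Guard the call with a file test on the DNS file, or wrap it in eval and log the failure, so a missing file is reported instead of stopping the conversion halfway. The renumbering of Steps 10 to 12 is consistent.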
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- src/initscripts/networking/red.up/23-suricata | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/initscripts/networking/red.up/23-suricata b/src/initscripts/networking/red.up/23-suricata index 1514909ee..c0628e9f9 100644 --- a/src/initscripts/networking/red.up/23-suricata +++ b/src/initscripts/networking/red.up/23-suricata @@ -19,8 +19,12 @@ if($ids_settings{'ENABLE_IDS'} eq "on") { # Regenerate the file with HOME_NET details. &IDS::generate_home_net_file();
- # Set correct ownership. + # Regenerate the file with DNS_SERVERS details. + &IDS::generate_dns_servers_file(); + + # Set correct ownerships. &IDS::set_ownership("$IDS::homenet_file"); + &IDS::set_ownership("$IDS::dns_servers_file");
# Check if suricata is running. if(&IDS::ids_is_running()) {
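Review bot: the same `die` inside generate_dns_servers_file() applies here: if /var/ipfire/red/dns is unreadable when red comes up, the script dies before the `ids_is_running()` check below and Suricata is neither reloaded nor restarted. Also worth checking that every place the resolver list can change regenerates the file: the callers in this series are the ruleset save in ids.cgi, convert-snort and this red.up hook, so a DNS server edit that does not bring red down would leave suricata-dns-servers.yaml stale until the next red.up.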
These settings now will be read from /var/ipfire/suricata/suricata-dns-servers.yaml, which will be generated by the generate_dns_servers_file() function, located in ids-functions.pl and called by various scripts.
Fixes #12166.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/suricata/suricata.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index e921781cf..af9cb75a9 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -11,12 +11,14 @@ vars: # Include HOME_NET declaration from external file. include: /var/ipfire/suricata/suricata-homenet.yaml
+ # Include DNS_SERVERS declaration from external file. + include: /var/ipfire/suricata/suricata-dns-servers.yaml + EXTERNAL_NET: "any"
HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" SQL_SERVERS: "$HOME_NET" - DNS_SERVERS: "$HOME_NET" TELNET_SERVERS: "$HOME_NET" AIM_SERVERS: "$EXTERNAL_NET" DC_SERVERS: "$HOME_NET"
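Review bot: dropping `DNS_SERVERS: "$HOME_NET"` in favour of the generated include removes internal resolvers from the variable entirely: with configured upstream servers the group contains only those addresses, and in recursor mode it becomes `!$HOME_NET`, which explicitly excludes a DNS server hosted in the LAN, so rules written against `$DNS_SERVERS` no longer inspect queries from the Internet to such a server (the regression Michael raises below). Have the generator emit `$HOME_NET` alongside the resolvers, e.g. `"[$HOME_NET,<resolver>]"`, or `any` in recursor mode. Separately, this adds a second `include:` key inside the same `vars:` mapping; Suricata's own loader handles repeated `include` keys, but duplicate keys are not valid generic YAML, so any external tool that parses suricata.yaml with a standard library will keep only one of the two includes.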
Hi,
Shouldn’t HOME_NET still be in DNS_SERVERS for users who are running a DNS server behind their firewall?
Hello Michael,
> Hi,
> Shouldn’t HOME_NET still be in DNS_SERVERS for users who are running a DNS server behind their firewall?
Setting HOME_NET here would result in DNS-related intrusion rules which only match if DNS requests are sent to an internal DNS server, which was the default in the past.
The current approach is to set this value to the used DNS servers, or, if unbound is used in recursor mode, to every external address (!HOME_NET).
Best regards,
-Stefan
Hello,
On 5 Nov 2019, at 12:45, Stefan Schantl stefan.schantl@ipfire.org wrote:
> Hello Michael,
>
> > Hi,
> > Shouldn’t HOME_NET still be in DNS_SERVERS for users who are running a DNS server behind their firewall?
>
> Setting HOME_NET here would result in DNS-related intrusion rules which only match if DNS requests are sent to an internal DNS server, which was the default in the past.
> The current approach is to set this value to the used DNS servers, or, if unbound is used in recursor mode, to every external address (!HOME_NET).
Yes, I know what the patch does.
I was just asking because this patch removes the scanning of DNS traffic coming from the Internet to a local DNS server in a local subnet.
That worked before and I think it should continue to work.
HOME_NET should be in DNS_SERVERS, *as well as* the resolvers that unbound is using.
-Michael
> Best regards,
> -Stefan
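As an added example that is not part of the thread or of IPFire's code, the following Perl builds the DNS_SERVERS group the way the discussion ends up asking for: the upstream resolvers from the red/dns file (one address per line, or the literal "local recursor", which is the format the patch's loop implies), de-duplicated, with an optional switch to keep $HOME_NET in the group as Michael requests, and with the empty-file and recursor cases handled explicitly instead of emitting an unterminated bracket. The function names, the $include_home switch and the sample inputs are assumptions made here.

```perl
#!/usr/bin/perl
# Added example, not IPFire code: build the DNS_SERVERS address group for
# Suricata from the contents of an IPFire-style red/dns file. The function
# names, the $include_home switch and the samples are assumptions.
use strict;
use warnings;

# Turn the raw text of the DNS configuration file into a Suricata address
# group. Input is one resolver per line, or the literal "local recursor".
# When $include_home is true, $HOME_NET stays in the group as well, so
# rules keyed on $DNS_SERVERS still cover a resolver inside the LAN.
sub build_dns_servers_group {
    my ($dns_content, $include_home) = @_;
    my (%seen, @members);
    my $recursor = 0;

    foreach my $line (split /\n/, $dns_content) {
        (my $server = $line) =~ s/^\s+|\s+$//g;    # trim whitespace
        next if $server eq "" or $server =~ /^#/;  # blank lines, comments
        if ($server eq "local recursor") {
            $recursor = 1;
            next;
        }
        # Accept only address-like tokens so a stray word cannot break the YAML.
        next unless $server =~ /^[0-9A-Fa-f.:\/]+$/;
        push @members, $server unless $seen{$server}++;   # de-duplicate
    }

    # Recursor mode: the upstream resolvers are whatever lies outside
    # HOME_NET. Adding HOME_NET on top covers every address, so say "any"
    # rather than emitting the contradictory "[$HOME_NET,!$HOME_NET]".
    if ($recursor) {
        return "any" if $include_home;
        return "!\$HOME_NET";
    }

    unshift @members, "\$HOME_NET" if $include_home;

    # Nothing usable in the file: fall back to the old default instead of
    # writing an unterminated "[" into the include file.
    return "\$HOME_NET" unless @members;

    return "[" . join(",", @members) . "]";
}

# Render the include file that suricata.yaml pulls in via "include:".
sub render_dns_servers_yaml {
    my ($dns_content, $include_home) = @_;
    my $group = build_dns_servers_group($dns_content, $include_home);
    return "%YAML 1.1\n---\n\n"
         . "#Autogenerated file. Any custom changes will be overwritten!\n"
         . "DNS_SERVERS:\t\"$group\"\n";
}

# Constructed sample inputs so the script runs stand-alone.
my %samples = (
    "two resolvers, one duplicated" => "1.1.1.1\n9.9.9.9\n1.1.1.1\n",
    "recursor mode"                 => "local recursor\n",
    "empty file"                    => "",
);

for my $name (sort keys %samples) {
    for my $include_home (0, 1) {
        printf "%-30s include_home=%d -> %s\n", $name, $include_home,
            build_dns_servers_group($samples{$name}, $include_home);
    }
}
print render_dns_servers_yaml($samples{"two resolvers, one duplicated"}, 1);
```

Running it prints the group for each constructed sample with and without HOME_NET, then the complete include file. The value is built once after the loop with join, so the position-versus-value confusion of the patch's last-element check cannot occur, and in recursor mode with HOME_NET included the result is simply "any", because !$HOME_NET together with $HOME_NET already covers every address.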