This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  171512b7a76f61669b61d234965570e40f585fee (commit)
       via  21a838238378b531551f42e2c582f0c5f82ca26f (commit)
       via  3c91ee80925f175cd5c599a2d46b78f31d726a35 (commit)
       via  e1f8f870ea975c6c47afe8fd907ffb75980fe7db (commit)
       via  f1add9a8dd5271af669ee0831f30b207b33d158d (commit)
       via  81bae51f6102a555ba50a5d42ed433288ddcfe54 (commit)
       via  a40bcbb02cf1012405c4a0507d4b54d4d8a45064 (commit)
       via  a5ba473c15c73a2e88d3333c73c1f13a332010b6 (commit)
       via  9734a58faf9832a708057e44092b96976401a8eb (commit)
       via  72ab71969fd88fc1bf78ddd77f066f86b15731c7 (commit)
      from  dc9ac30c8dfb157c8ac7af5849d166f42462b08d (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 171512b7a76f61669b61d234965570e40f585fee Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 5 12:46:37 2019 +0100
Update contributors
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 21a838238378b531551f42e2c582f0c5f82ca26f Author: Erik Kapfer ummeegge@ipfire.org Date: Tue Jun 4 15:00:24 2019 +0200
suricata: Enable EVE logging
The EVE output facility outputs alerts, metadata, file info and protocol-specific records through JSON. For further information please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Acked-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3c91ee80925f175cd5c599a2d46b78f31d726a35 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 5 20:56:35 2019 +0200
convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e1f8f870ea975c6c47afe8fd907ffb75980fe7db Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 5 12:42:53 2019 +0100
core133: Ship snort configuration converter
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f1add9a8dd5271af669ee0831f30b207b33d158d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 5 20:56:34 2019 +0200
convert-snort: Adjust code to use changed modify_sids_file function.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 81bae51f6102a555ba50a5d42ed433288ddcfe54 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 5 20:56:33 2019 +0200
ids-functions.pl: Rework function write_modify_sids_file().
Directly implement the logic to determine the used ruleset and whether IDS or IPS mode should be used into the function instead of passing those details as arguments.
This helps to avoid doing this at several places again and again.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a40bcbb02cf1012405c4a0507d4b54d4d8a45064 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 5 12:41:37 2019 +0100
core133: Ship IPS changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a5ba473c15c73a2e88d3333c73c1f13a332010b6 Author: Tim FitzGeorge ipfr@tfitzgeorge.me.uk Date: Wed Jun 5 20:56:32 2019 +0200
suricata: correct rule actions in IPS mode
In IPS mode rule actions need to have the action 'drop' for the protection to work, however this is not appropriate for all rules. Modify the generator for oinkmaster-modify-sids.conf to leave rules with the action 'alert' where this is appropriate. Also add a script to be run on update to correct existing downloaded rules.
Fixes #12086
Signed-off-by: Tim FitzGeorge ipfr@tfitzgeorge.me.uk Tested-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9734a58faf9832a708057e44092b96976401a8eb Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 5 12:34:44 2019 +0100
core133: Ship IDS ruleset updater
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 72ab71969fd88fc1bf78ddd77f066f86b15731c7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 5 18:27:10 2019 +0200
update-ids-ruleset: Run as unprivileged user.
Check if the script has been launched as privileged user (root) and drop all permissions by switching to the "nobody" user and group.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 .mailmap                                   |  1 +
 config/cfgroot/ids-functions.pl            | 53 +++++++++++++++++++---
 config/rootfiles/common/configroot         |  1 +
 config/rootfiles/core/133/filelists/files  |  5 ++
 config/rootfiles/core/133/update.sh        |  3 ++
 .../suricata/convert-ids-modifysids-file   | 53 ++++++++++++++--------
 config/suricata/convert-snort              | 12 +----
 html/cgi-bin/credits.cgi                   |  6 +--
 html/cgi-bin/ids.cgi                       | 18 ++------
 lfs/configroot                             |  1 +
 lfs/suricata                               |  2 +
 src/scripts/update-ids-ruleset             | 14 ++++++
 12 files changed, 116 insertions(+), 53 deletions(-)
 copy src/initscripts/helper/getdnsfromdhcpc.pl => config/suricata/convert-ids-modifysids-file (62%)
Difference in files: diff --git a/.mailmap b/.mailmap index f920b448f..08653c701 100644 --- a/.mailmap +++ b/.mailmap @@ -33,3 +33,4 @@ Rene Zingel linuxadmin@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8 Ronald Wiesinger rowie@ipfire.org Stéphane Pautrel steph78630@gmail.com Erik Kapfer ummeegge@ipfire.org +Stephan Feddersen sfeddersen@ipfire.org diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 88734a3ca..94de1373c 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -243,7 +243,7 @@ sub downloadruleset { # Load perl module to deal with temporary files. use File::Temp;
- # Generate temporay file name, located in "/var/tmp" and with a suffix of ".tar.gz". + # Generate temporary file name, located in "/var/tmp" and with a suffix of ".tar.gz". my $tmp = File::Temp->new( SUFFIX => ".tar.gz", DIR => "/var/tmp/", UNLINK => 0 ); my $tmpfile = $tmp->filename();
@@ -293,6 +293,9 @@ sub downloadruleset { # Overwrite existing rules tarball with the new downloaded one. move("$tmpfile", "$rulestarball");
+ # Set correct ownership for the rulesdir and files. + set_ownership("$rulestarball"); + # If we got here, everything worked fine. Return nothing. return; } @@ -726,8 +729,15 @@ sub write_used_rulefiles_file(@) { # ## Function to generate and write the file for modify the ruleset. # -sub write_modify_sids_file($) { - my ($ruleaction) = @_; +sub write_modify_sids_file() { + # Get configured settings. + my %idssettings=(); + my %rulessettings=(); + &General::readhash("$ids_settings_file", %idssettings); + &General::readhash("$rules_settings_file", %rulessettings); + + # Gather the configured ruleset. + my $ruleset = $rulessettings{'RULES'};
# Open modify sid's file for writing. open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; @@ -736,9 +746,40 @@ sub write_modify_sids_file($) { print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
# Check if the traffic only should be monitored. - unless($ruleaction eq "alert") { - # Tell oinkmaster to switch all rules from alert to drop. - print FILE "modifysid * "alert" | "drop"\n"; + unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { + # Suricata is in IPS mode, which means that the rule actions have to be changed + # from 'alert' to 'drop', however not all rules should be changed. Some rules + # exist purely to set a flowbit which is used to convey other information, such + # as a specific type of file being downloaded, to other rulewhich then check for + # malware in that file. Rules which fall into the first category should stay as + # alert since not all flows of that type contain malware. + + if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') { + # These types of rulesfiles contain meta-data which gives the action that should + # be used when in IPS mode. Do the following: + # + # 1. Disable all rules and set the action to 'drop' + # 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;' + # This should give rules not in the policy a reasonable default if the user + # manually enables them. + # 3. Enable rules and set actions according to the meta-data strings. + + my $policy = 'balanced'; # Placeholder to allow policy to be changed. + + print FILE <<END; +modifysid * "^#?(?:alert|drop)" | "#drop" +modifysid * "^#drop(.+flowbits:noalert;)" | "#alert${1}" +modifysid * "^#(?:alert|drop)(.+policy $policy-ips alert)" | "alert${1}" +modifysid * "^#(?:alert|drop)(.+policy $policy-ips drop)" | "drop${1}" +END + } else { + # These rulefiles don't have the metadata, so set rules to 'drop' unless they + # contain the string 'flowbits:noalert;'. + print FILE <<END; +modifysid * "^(#?)(?:alert|drop)" | "${1}drop" +modifysid * "^(#?)drop(.+flowbits:noalert;)" | "${1}alert${2}" +END + } }
# Close file handle. diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index a7f27fe55..56b0257bc 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -3,6 +3,7 @@ usr/sbin/convert-outgoingfw usr/sbin/convert-portfw usr/sbin/convert-snort usr/sbin/convert-xtaccess +usr/sbin/convert-ids-modifysids-file usr/sbin/firewall-policy #var/ipfire var/ipfire/addon-lang diff --git a/config/rootfiles/core/133/filelists/files b/config/rootfiles/core/133/filelists/files index 97a603ad8..7998df231 100644 --- a/config/rootfiles/core/133/filelists/files +++ b/config/rootfiles/core/133/filelists/files @@ -3,6 +3,11 @@ etc/issue etc/rc.d/init.d/smt srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dhcp.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi srv/web/ipfire/cgi-bin/vulnerabilities.cgi +usr/local/bin/update-ids-ruleset +usr/sbin/convert-ids-modifysids-file +usr/sbin/convert-snort +var/ipfire/ids-functions.pl diff --git a/config/rootfiles/core/133/update.sh b/config/rootfiles/core/133/update.sh index 9d708f092..a05ad0741 100644 --- a/config/rootfiles/core/133/update.sh +++ b/config/rootfiles/core/133/update.sh @@ -62,6 +62,9 @@ telinit u # Regenerate /etc/ipsec.conf sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
+# Modify suricata modify-sids file +/usr/sbin/convert-ids-modifysids-file + # Start services /usr/local/bin/ipsecctrl S /etc/init.d/suricata restart diff --git a/config/suricata/convert-ids-modifysids-file b/config/suricata/convert-ids-modifysids-file new file mode 100644 index 000000000..adcc10577 --- /dev/null +++ b/config/suricata/convert-ids-modifysids-file 
@@ -0,0 +1,60 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2019 IPFire Development Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; + +exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file); + +# +## Step 1: Re-generate and write the file to modify the ruleset. +# + +# Call subfunction and pass the desired IDS action. +&IDS::write_modify_sids_file(); + +# Set correct ownership. +&IDS::set_ownership("$IDS::modify_sids_file"); + +# +## Step 2: Call oinkmaster to extract and setup the rules structures. +# + +# Check if a rulestarball is present. +if (-f $IDS::rulestarball) { + # Launch oinkmaster by calling the subfunction. + &IDS::oinkmaster(); + + # Set correct ownership for the rulesdir and files. + &IDS::set_ownership("$IDS::rulespath"); +} + +# +## Step 3: Reload the IDS ruleset if running. +# + +# Check if the IDS should be started. +if($idssettings{"ENABLE_IDS"} eq "on") { + # Call suricatactrl and reload the rules. + &IDS::call_suricatactrl("reload"); +} 
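Review bot: the new convert-ids-modifysids-file does not compile under `use strict`: Step 3 reads `$idssettings{"ENABLE_IDS"}`, but `%idssettings` is neither declared nor read anywhere in the script, so Perl aborts with "Global symbol "%idssettings" requires explicit package name" before Step 1 even runs, and update.sh invokes the script unconditionally during the core133 update. Add, after the `exit unless(...)` guard, something like `my %idssettings = ();` followed by `&General::readhash("$IDS::ids_settings_file", \%idssettings);`. Also, the comment "Call subfunction and pass the desired IDS action." is stale now that `write_modify_sids_file()` takes no arguments.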
diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 83931fa5b..5ed36954f 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -196,18 +196,8 @@ if (-f $guardian_meta) { ## Step 5: Generate and write the file to modify the ruleset. #
-# Converters default is to only monitor the traffic, so set the IDS action to -# "alert". -my $IDS_action = "alert"; - -# Check if the traffic only should be monitored. -if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") { - # Swith IDS action to alert only. - $IDS_action = "drop"; -} - # Call subfunction and pass the desired IDS action. -&IDS::write_modify_sids_file($IDS_action); +&IDS::write_modify_sids_file();
# Set correct ownership. &IDS::set_ownership("$IDS::modify_sids_file"); diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi index 7119a4628..6ce9542b2 100644 --- a/html/cgi-bin/credits.cgi +++ b/html/cgi-bin/credits.cgi @@ -92,11 +92,11 @@ Sascha Kilian, Ronald Wiesinger, Stephan Feddersen, Stéphane Pautrel, +Florian Bührle, +Bernhard Bitsch, Justin Luth, Michael Eitelwein, -Bernhard Bitsch, Dominik Hassler, -Florian Bührle, Larsen, Gabriel Rolland, Anton D. Seliverstov, @@ -107,6 +107,7 @@ Jakub Ratajczak, Jorrit de Jonge, Jörn-Ingo Weigert, Przemek Zdroik, +Tim FitzGeorge, Alexander Rudolf Gruber, Andrew Bellows, Axel Gembe, @@ -134,7 +135,6 @@ Robert Möker, Stefan Ernst, Stefan Ferstl, Thomas Ebert, -Tim FitzGeorge, Timmothy Wilson, Umberto Parma <!-- END --> diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 00db6a0c3..74f5ca223 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -359,7 +359,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; }
- # Check if enought free disk space is availabe. + # Check if enough free disk space is availabe. if(&IDS::checkdiskspace()) { $errormessage = "$Lang::tr{'not enough disk space'}"; } @@ -370,6 +370,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # a new ruleset. &working_notice("$Lang::tr{'ids working'}");
+ # Write the modify sid's file and pass the taken ruleaction. + &IDS::write_modify_sids_file(); + # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { $errormessage = $Lang::tr{'could not download latest updates'}; @@ -598,19 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &IDS::generate_home_net_file();
- # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction="drop"; - - # Check if the traffic only should be monitored. - if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction="alert"; - } - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction); + &IDS::write_modify_sids_file();
# Check if "MONITOR_TRAFFIC_ONLY" has been changed. if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) { diff --git a/lfs/configroot b/lfs/configroot index d4eb545f0..227d09239 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -135,6 +135,7 @@ $(TARGET) :
# Install snort to suricata converter. cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort + cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file
# Add conntrack helper default settings for proto in FTP H323 IRC SIP TFTP; do \ diff --git a/lfs/suricata b/lfs/suricata index 310920606..6f779d875 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-nfqueue \ --disable-static \ --disable-python \ + --with-libjansson-libraries=/usr/lib \ + --with-libjansson-includes=/usr/include \ --disable-suricata-update cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 956c3a1f5..dbe5b6849 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -20,11 +20,25 @@ ###############################################################################
use strict; +use POSIX;
require '/var/ipfire/general-functions.pl'; require "${General::swroot}/ids-functions.pl"; require "${General::swroot}/lang.pl";
+# The user and group name as which this script should be run. +my $run_as = 'nobody'; + +# Get user and group id of the user. +my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ]; + +# Check if the script currently runs as root. +if ( $> == 0 ) { + # Drop privileges and switch to the specified user and group. + POSIX::setgid( $gid ); + POSIX::setuid( $uid ); +} + # Check if the red device is active. unless (-e "${General::swroot}/red/active") { # Store notice in the syslog.
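Review bot: in the write_modify_sids_file() hunk, the `${1}` and `${2}` back-references inside both `print FILE <<END;` blocks sit in an unquoted, interpolating heredoc, so Perl substitutes its own `$1`/`$2` (the capture groups of the last successful match, normally empty) at print time instead of emitting the literal `${1}` that the modifysid replacement is meant to carry; the generated line would come out as, for example, `modifysid * "^#drop(.+flowbits:noalert;)" | "#alert"`, dropping the rest of the rule. Escape them as `\${1}` / `\${2}` (keeping `$policy` interpolated) and check the written file contains the literal `${1}`. Minor: "to other rulewhich then check" is missing a space, and the `$policy = 'balanced'` placeholder should carry a TODO or be read from the settings file so it does not stay hard-coded.

Review bot: in the ids.cgi settings-save hunk, write_modify_sids_file() now takes MONITOR_TRAFFIC_ONLY from $ids_settings_file rather than from $cgiparams, so the call is only correct if the new settings have already been written to that file at this point; the hunk shows the call between generate_home_net_file() and the comparison against %oldidssettings but not the write itself, so please confirm the ordering, otherwise the first save after toggling the mode generates the file for the previous mode. Both ids.cgi hunks also keep the comment "Write the modify sid's file and pass the taken ruleaction." although nothing is passed anymore; drop the "pass ..." part.

Review bot: the privilege drop in update-ids-ruleset never checks its results, so a failure silently leaves the script running as root: if `getpwnam $run_as` returns an empty list (user missing), $uid and $gid are undef and POSIX::setuid(undef) becomes setuid(0), which succeeds for root; likewise POSIX::setgid() and POSIX::setuid() return undef on failure and execution just continues. Suggest `die "Unknown user $run_as"` unless defined $uid, then `POSIX::setgid($gid) or die "setgid: $!";` and `POSIX::setuid($uid) or die "setuid: $!";`, keeping setgid before setuid as it is now. Supplementary groups inherited from root are not cleared either; assigning `$) = "$gid $gid";` before the setuid does that. Note too that downloadruleset() now calls set_ownership() on the tarball, and after this change that call runs as nobody; confirm set_ownership() tolerates an unprivileged caller instead of dying on a failed chown.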
hooks/post-receive -- IPFire 2.x development tree