This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated.
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit e7a52c52d109e044bcce0ca52eb0b5a94c2ec03a Merge: 08639bc2a 9e65aa9ed Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Apr 20 17:35:54 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 08639bc2a90ca945e710f5ca13556a50458f0056 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Apr 20 17:21:03 2019 +0200
kernel: update 4.14.113
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 5fa063f8590dcd85867935fd6d1a6bd570ac61c6 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Apr 17 22:30:19 2019 +0200
kernel: update to 4.14.112
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 26dc79a6fe16c83c5b57f4b6c7c3f73281a03d6c Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 17 21:24:25 2019 +0100
suricata: Do not let oinkmaster be too verbose
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e96adc77972108de9cb8b4b6c0f7fbad07b76035 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 17 20:59:55 2019 +0100
suricata: Redirect oinkmaster output to perl function
The output was written to stderr before and landed in apache's error log where we do not want it.
Fixes: #12004 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9e65aa9ed6d7a3a489c58a6f966eac34972c68f8 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 17 19:15:44 2019 +0100
Revert "hostapd: Always enable 80 MHz channel width for 802.11ac"
This reverts commit c31c8078cffcf3f933f567cb02a366ceedd6d5da.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c25a386523c305615641a1810bcc3b009bc3cf07 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 17 07:38:27 2019 +0100
unbound: Drop unused function
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 64aed99df6ba3b057c35ebb6b9278a13ae5e575d Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 17 05:16:05 2019 +0100
suricata: Change runmode to workers
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e91c83490be8d248796d50b0c9bca3976199551c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Apr 16 18:05:18 2019 +0200
wireless-regdb: update to 2019.03.01
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit fea27a56f7ef299fa2793971ef6e49f3a423fdc3 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Apr 16 13:23:17 2019 +0100
haproxy: Backup certificates, too
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 175f5c060ea8b967bc3020b376385d5b71116e92 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Apr 16 13:22:10 2019 +0100
backup: Allow passing name of tarball for creation/restore
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 820b2909825479b52696886d1f9054c0f709d3f0 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 23:32:57 2019 +0100
Move IPS to a higher position in the Firewall menu
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0851afba33bf8f1a4562a7e755bec5af23d4d03e Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 23:24:28 2019 +0100
remote.cgi: Move SSH Agent Forwarding to the top
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5e39f3c08a4a6e9f402b18c267fe82595cb0596b Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 23:22:14 2019 +0100
sshctrl: Fix syntax of generated sed command
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e8b389e0f0a88f064c192305e8bbbc366300af24 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 23:02:57 2019 +0100
core131: Ship PTR changes in hosts.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 316d14c43ad3b0b27cfa6984d8253e8f9255a87c Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 23:00:25 2019 +0100
Update list of contributors
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6874a5765b887b51e324e1afbddc4516d66a710f Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 8 18:04:00 2019 +0000
Unbound: do not generate PTR if the user requested not to do so
Partially fixes #12030
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5b2ec053c25b80843958864d4305b3108b55dd3c Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 22:58:35 2019 +0100
Update translations
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c3c2ae4475a0e99a6163027405a45a1e2b4fa8b6 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 8 18:04:00 2019 +0000
add option for selective PTR generation on hosts.cgi
In some cases, it might be useful to create an additional host (i.e. for round robin loadbalancing) without assigning another PTR to the IP address specified.
This patch introduces the ability to check or uncheck PTR generation for each host individually.
Partially fixes #12030
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 32e7b93c284fe02450e28f431453621537214a03 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 21:59:41 2019 +0100
udev: Rename interfaces when MACs are uppercase
The script relied on the configuration being in lowercase.
If people manually edited their configuration file they might not have paid attention to this and therefore this script now also accepts uppercase MAC addresses.
Fixes: #12047 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dccbdf5b97130f72b4d0bb26d962ffcda8121a51 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Apr 12 17:59:21 2019 +0100
suricata: Take as much off of the CPU as possible
https://suricata.readthedocs.io/en/suricata-4.1.3/performance/high-performan...
This will compile the ruleset as efficiently as possible and allows the IPS to run faster on smaller systems.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2c44da1382dfffb311b15250b9e02784b826dff2 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 10:29:56 2019 +0100
core131: Ship updated setup
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0d34a479c878cd775e541601b2a72238eb3f7546 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 12 18:21:01 2019 +0200
ids.cgi: Display oinkcode section after page load when necessary.
Fixes #12048.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d51d3c5b93886a66b75388d029e35eb07d9b06eb Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Apr 12 17:36:54 2019 +0100
IPS logging: Fix date comparison for last entry
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2eb0c326da2196c56f6f955bf5371e5d8c7ca9db Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Apr 12 17:33:39 2019 +0100
IPS logging: There is no distinction between suricata & snort required
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 19c066b602a12fcce601cfa2350b0d83b231717c Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Apr 12 17:32:02 2019 +0100
IPS logging: Fix reading date
The CGI script only compares mm/dd and does not care about the year.
Suricata, however, logs the year as well which has to be ignored here.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a32c219fa4642127a97050bf5af60a03e4e5c2f8 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 11 07:55:36 2019 +0100
zabbix_agentd: Bump package version
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 41b7369f8078d5dc4998483fa005b2f8e3b89624 Author: Alexander Koch ipfire@starkstromkonsument.de Date: Wed Apr 10 20:33:31 2019 +0200
zabbix_agentd: Bugfix for /etc/sudoers.d/zabbix.user
Files containing a '~' or '.' are ignored by sudo when placed in the includedir /etc/sudoers.d. This makes the file useless. The file is renamed to "zabbix" instead of "zabbix.user" to fix this.
See: https://www.sudo.ws/man/1.8.13/sudoers.man.html#Including_other_files_from_w...
Signed-off-by: Alexander Koch ipfire@starkstromkonsument.de Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 854b63c42af8f82106b587dc43945ad848f8994e Author: Alexander Koch ipfire@starkstromkonsument.de Date: Wed Apr 10 20:33:30 2019 +0200
zabbix_agentd: update to 4.2.0
Release Notes: https://www.zabbix.com/rn/rn4.2.0
Signed-off-by: Alexander Koch ipfire@starkstromkonsument.de Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a45bfbf1c5a8a7c10ad4bdcb5ed559ed38a796c5 Author: Stéphane Pautrel stephane.pautrel@gmail.com Date: Thu Apr 11 03:47:44 2019 +0100
installer+setup: Update French translation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3e11f8257dfe003aaad20d7ca73e3bc831131a96 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Apr 11 07:34:14 2019 +0200
make.sh: fix syntax error
I have merged master>next and not deleted this line.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit d27675b08175ed7969d842fdc64f157797911faa Merge: a2907cdd9 ee82349a0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Apr 11 07:31:11 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit a2907cdd9fba3a6ce6af8cc75c656daf1fa43dc0 Merge: 4f30ce49b d01d68913 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Apr 11 07:30:26 2019 +0200
Merge remote-tracking branch 'origin/master' into next
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ee82349a0ea00866d731936e769fab9441690932 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 8 20:20:18 2019 +0200
convert-snort: Re-order steps at end of script
This will ensure that the whole IDS is configured properly, if no or an empty snort config file is present.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e4bc9b8b6fa0cc0d67d2f698e2bdd5d41af49f05 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 8 20:02:53 2019 +0200
convert-snort: Fix logic for detecting enough free disk space.
The subfunction will only return something if the check fails - so the logic of the if statement was set wrongly and the downloader was only called if this check failed and too little disk space would be available.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ee53381ab167b195d2d4d94da3d2a3d4a024288d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 8 20:53:47 2019 +0100
core130: Ship SSH Agent Forwarding changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f9de28e6f0ca455aacca3b0fc30722b88d542630 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 8 16:35:00 2019 +0000
change AllowAgentForwarding in SSHD configuration if necessary
Fixes #11931
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e918b62ae223b31f459ca5843d291532f5188faf Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 8 16:35:00 2019 +0000
allow SSH agent forwarding to be configured via WebUI
Fixes #11931
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e1f6dfcbbc3c34130027ffe113488f5f3d9c9557 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 8 16:34:00 2019 +0000
add language strings for SSH agent forwarding settings
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4f30ce49b3c2375d52e7358d12a6235c3e35997d Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Apr 8 21:49:20 2019 +0200
rename core130 -> core131
we need to insert a core update to fix urgent bugs
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f2afd5e70dc1c95c13aa75b0acf3da072d714af8 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Apr 8 21:47:23 2019 +0200
kernel: update to 4.14.111
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 47204d12f1387502612e8a66b4a1a8a853e33ebf Merge: 5f9bf17d7 918ee4a4c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Apr 8 21:47:12 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 918ee4a4cf5bb8d2a3ade16aac0dd643215c47e2 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 8 16:41:24 2019 +0100
strongswan: Manually install all routes for non-routed VPNs
This is a regression from disabling charon.install_routes.
VPNs are routing fine as long as traffic is passing through the firewall. Traps are not properly used as long as these routes are not present and therefore we won't trigger any tunnels when traffic originates from the firewall.
Fixes: #12045 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5f9bf17d76e43b1ee0bb4b880a9aa001844e4d4a Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Apr 8 16:18:00 2019 +0200
core130: update pakfire database after version change
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c557356ea4878f7f6d0d9431246bfc8e75018672 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 8 11:56:58 2019 +0100
core130: Ship perl-Net-SSLeay
This was still using the old version of OpenSSL.
Instead of linking the module (which we should have found earlier) the module uses dlopen :(
Fixes: #12044 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0265f51e9f5b2635e9df6243f913d6043cde0af6 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Apr 7 18:19:50 2019 +0200
core130: remove lm_sensors config
The sensor search has to be redone after booting the new kernel.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ca7af382032b3542584fb07b3fabe3976063e551 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Apr 7 17:24:46 2019 +0200
core130: ship setup binary
The setup contains an IPFire version string.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 44b0afe0298941eaeca862ad14c0f965103e158c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Apr 7 17:13:43 2019 +0200
core130: ship pakfire version update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 83c956c3c8d0bc60c2c6fa23f53bd68f6ac6d3ff Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Apr 7 17:01:08 2019 +0200
core130: add kernel to updater
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f40cd26de2a0353fca1fdee407cfce153b16c76d Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 6 06:04:00 2019 +0000
Postfix: update to 3.4.5
See http://www.postfix.org/announcements/postfix-3.4.5.html for release notes.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ee44d509b61eea858e38e8a4f1f57db6f9940cf3 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Apr 5 21:55:12 2019 +0200
wget: Update to 1.20.3
For details see: https://fossies.org/linux/wget/ChangeLog
Excerpt from "NEWS":
"2019-04-05 Tim Ruehsen tim.ruehsen@gmx.de
Fix a buffer overflow vulnerability * src/iri.c(do_conversion): Reallocate the output buffer to a larger size if it is already full"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f903d3a6f0c4a3f2e5251fda7ea2d1b788606294 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 22:01:54 2019 +0100
suricata: Disable CPU affinity
Benchmarks have shown that this is making the IPS slower across various hardware
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit aa20f1b27727e8ed3d3d164eb3a66faa4ea0d4a4 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Apr 5 07:46:34 2019 +0200
kernel: update to 4.14.110
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit aab33d48450aedf20409fe187f573d74eb60f95d Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 09:05:25 2019 +0100
core130: Do not search for sensors on AWS
This causes some i2c drivers to load and tons of error messages being created in syslog. So we skip searching for any sensors that do not exist.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ab79dc43bf66f66b0c34a10158d46e4727d4df6a Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 11:52:30 2019 +0100
vpnmain.cgi: Set MTU to a default when editing an old connection
This field is required and therefore we need to initialize it for old connections. Right now, the CGI throws an error message when editing an existing connection without the MTU being filled in.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit aeecc7ae1025f93bae421c13cf05c612bd3e6241 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 02:07:16 2019 +0100
core130: Ship updated wget
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7dd81936843944f0bd6fa35b95532bc0039b578f Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Apr 4 09:43:50 2019 +0200
wget: Update to 1.20.2
For details see: https://fossies.org/linux/wget/ChangeLog
Excerpt from "NEWS":
"* Changes in Wget 1.20.2
** NTLM authentication will retry under certain cases
** Fixed a buffer overflow vulnerability"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0ce95859da727188019a95d855a3053ce2bf8985 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 02:06:41 2019 +0100
core130: Ship updated nettle
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a4cc65bc4866583be8c625c33f20d7429a25a400 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Apr 4 09:37:25 2019 +0200
nettle: Update to 3.4.1
For details see: https://fossies.org/linux/nettle/ChangeLog
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c95ba2bbcc0b6c0b037f058a4395027f93dc093a Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 02:05:52 2019 +0100
core130: Ship updated GnuTLS
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 34bbcff61f2de1fa76e4be20371d276f304277da Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Apr 4 09:31:00 2019 +0200
gnutls: Update to 3.6.7.1
For details see: https://lists.gnupg.org/pipermail/gnutls-help/2019-March/004497.html
Please note: A few days after the "3.6.7" release, "3.6.7.1" came out.
See: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/
But the compressed directory version is still versioned 3.6.7.
Because of this, the fourth (sub)-version number required some lfs adjustments.
And: This version requires "nettle 3.4.1", which is sent in another commit.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ef1cb80375ca736b2aca12f2bbba2b5ffe7216de Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 02:04:28 2019 +0100
core130: Ship updated apache
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5f2e713ec888dfbbcdb609ee61e846c060ded96c Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Apr 4 09:15:00 2019 +0200
apache: Update to 2.4.39
For details see: http://mirror.checkdomain.de/apache//httpd/CHANGES_2.4.39
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 72995596119e76e1c41395f21c097643bff44be6 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 4 02:00:29 2019 +0100
freeradius: Fix extra whitespace
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit df95c62f3a26a71c41610df0ad49a590dc3abbb8 Merge: 94f89b821 0e54ca260 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Apr 3 21:53:22 2019 +0000
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 94f89b821e0307f69bd99b19ca895219d779fabc Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 3 21:52:04 2019 +0000
freeradius: handle special LDFLAGS to configure
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0e54ca260288079e008393a1d2fc5cc8b9cdb7e7 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 3 00:42:19 2019 +0100
pcengines-apu-firmware: New package
This package ships the latest BIOS for PC Engines APU boards.
With help of the firmware-update package, this can be very easily updated when running IPFire.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2aca6aa061c2f680b46aea2dbeb36e4678ed57a3 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 3 00:33:44 2019 +0100
firmware-update: New package
This is a script that can update firmware on PC Engines APU systems
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 82d176d33bc2839ea31028b9f7dfb6d60f3860af Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Apr 3 00:26:13 2019 +0100
flashrom: New package
This is required to flash firmware
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 48d3cde9cec7add38fb3c62dd66079c5b2fec5aa Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 1 21:58:23 2019 +0100
kernel: Disable some debugging in expectation to increase performance
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 474a6a59785123b7cdd645447f43c52307a6f6ba Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 1 21:55:03 2019 +0100
kernel: Enable strict checks for /dev/mem
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4038d70b768910c5dc5b2ce2c09e3e5b687064dd Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 1 21:35:56 2019 +0100
freeradius: Fix build on armv5tel
Reported-by: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 84fca55b3373f5acc3821b6a8e050bce89b679e8 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 1 16:53:50 2019 +0100
Update translations
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d38f3eed08d71343cc16de61373860e5aa7efcfd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 1 17:32:34 2019 +0200
IDS: Rename sourcefire VRT rulesets to Talos VRT rulesets
Fixes #12019
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 78c8fe06a5841101c04c7a8e9f1117501f5fd6fc Merge: d00d788be 56f4ba9b0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Mar 31 18:36:44 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 56f4ba9b017008584c132fdcca41557002a1d8f3 Author: Jonatan Schlag jonatan.schlag@ipfire.org Date: Sun Mar 31 13:29:45 2019 +0100
Update borgbackup to version 1.1.9
Fixes: #12016
Signed-off-by: Jonatan Schlag jonatan.schlag@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d00d788be47b9c17bc792be2c90d4c81a3ced544 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Mar 31 11:46:34 2019 +0200
kernel: update to 4.14.109
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3005eb2234e5875389011d247785909d5f044c74 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Mar 30 16:56:56 2019 +0100
kernel: update user regd patch from openwrt
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c955ae653ae8421621c49092fd3057ed99e0a4b1 Merge: 9f52e3506 c31c8078c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Mar 30 16:55:35 2019 +0100
Merge remote-tracking branch 'ms/dfs' into next
commit 9f52e35066b3fa8603e85784b7ede0532afc66e6 Author: Erik Kapfer ummeegge@ipfire.org Date: Fri Mar 29 10:44:43 2019 +0100
freeradius: Update to version 3.0.18
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 10945e38f36893cba8f6c28c8756fa8741c08118 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Wed Mar 27 20:54:10 2019 +0100
clamav: Update to 0.101.2
For details see: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
"ClamAV 0.101.2 is a patch release to address a handful of security related bugs."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b666975ec292fec239aa6023dc79abf5538c9d95 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 28 12:51:06 2019 +0000
unbound-dhcp-leases-bridge: Replace leases file atomically
When there is a large number of leases, writing the file may take a long time. When unbound is re-reading its configuration in that time, the file might be syntactically incorrect.
This change writes the file first and then moves it to the right place in one transaction.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 35cdc506b06ed2e5fc8f7ad7fe57239eaadbda58 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 26 21:58:01 2019 +0000
suricata: Enable CPU affinity
This will tie the detection threads to a certain CPU and slightly increases throughput on my system.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4d093b810552339a6a7df774412c8e144f799331 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 26 21:18:45 2019 +0000
suricata: Tie queues to a CPU core
This should improve performance by a small margin
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit effa44650ebc227d99a3781ba962e015a3430d3a Author: Erik Kapfer ummeegge@ipfire.org Date: Tue Mar 26 07:15:16 2019 +0100
nginx: Update to 1.15.9
Fixes #12023. Added support for http2.
Signed-off-by: Erik Kapfer ummeegge@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2547e73e6b1c2e24e631140f328eeb49deddb6f9 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 22 07:28:23 2019 +0000
freeradius: Bump version because package is linked against old version of OpenSSL
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3657df4ea3b74b9aa7bc631106b2e3684a0bfe72 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 22 03:28:23 2019 +0000
DHCP: Remove double colon
In some languages, there were double colons in the DNS Update section
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit abe21498524bce327404febe644b1361267d0957 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 22 02:58:57 2019 +0000
GeoIP: Do not crash when locations database does not exist
Fixes: #12021 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d4767896cb27880c2e042ffd49bdbcf7b99a2c64 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 21 20:50:30 2019 +0000
make.sh: Build libedit very early
Many packages can make use of this
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3210e92212b70ab886fe31847c6397a273e784e6 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 21 20:48:39 2019 +0000
core130: Ship updated lua
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6bc94afa0d36ecaa4691eaa4dbefa4322861893f Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 24 18:34:37 2019 +0100
lua: Update to 5.3.5
For details see:
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 67b943c18a36aa9801684ca85ac3390292651e87 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 21 20:39:51 2019 +0000
core130: Ship rrdtool and collectd
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b3a7120c1556bd060caf894fa0b4a5084fc7436a Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 24 18:21:20 2019 +0100
rrdtool: Update to 1.7.1
Disabled 'lua' because otherwise building failed.
I didn't find any place or reason where 'lua' was used by 'rrdtool', so it was deactivated.
Disabling had no noticeable effects by now. Running.
Please note: '/usr/lib/collectd/rrdcached.so' and '/usr/lib/collectd/rrdtool.so' have to be updated, too.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b6c60092db15360cd51091b9f5bcff637ee2ea7c Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 22 15:22:43 2019 +0000
openvpn: Remove subnet check for static pools
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fd0b2742bf217cbacacd4725a2bd9ad4ec1b6aaf Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 18 04:38:41 2019 +0000
dnsdist: Update to 1.3.3
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit aac6015042e28730982d643425f768f46dc9c603 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 18 02:54:37 2019 +0000
dnsdist: Install some symlinks to start the service
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5b8ff1ccb6506942485ff221e13d163691109a6c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 18 02:54:15 2019 +0000
dnsdist: Add backup include
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit af2dc11c921062608c4537368885eb195f54c177 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 16 23:09:11 2019 +0000
Rootfile update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b60fd7a3e2640d7da41a3bdb875669c302849acc Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Mar 18 20:33:28 2019 +0100
Core 130: Remove files after convert-snort has been launched
The converter requires /etc/snort/snort.conf to grab the used rule files (categories). After all settings have been converted, we are fine to delete all snort related files, because none of them is needed anymore.
Also the /var/ipfire/snort directory needs to be deleted. If it will be left on the system and at any later time a backup will get restored, the converter will be started by the backup script, because it detects that a snort settings dir exists and would restore the old snort settings and replace all current IPS settings.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ceaf0ef0087abb09e9cca1677c67776cf76ce417 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 18 17:26:16 2019 +0000
dnsforward.cgi: Add DNSSEC option to legend
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 08ded6035f61ed97e3a122dc1832703084b72f86 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 18 15:35:29 2019 +0000
dnsforward.cgi: Check DISABLE_DNSSEC checkbox when editing
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3b521c724f09a45e09ac9228d8b65df0d8bd13a7 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 18 15:24:56 2019 +0000
ipsec-interfaces: Apply static routes (again) after creating IPsec interfaces
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c31c8078cffcf3f933f567cb02a366ceedd6d5da Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Mar 13 18:37:28 2019 +0100
hostapd: Always enable 80 MHz channel width for 802.11ac
This is mandatory to support by all hardware and works well.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 70a7c454af4a6a9ef7245def2f77119520de85af Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Mar 13 18:24:01 2019 +0100
hostapd: Automatically disassociate any clients with high error rates
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 30c33cb318cc399b32c9c06d99e88c52ba957ea9 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 13:07:11 2019 +0000
kernel: Enable debugging for Atheros drivers
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 62bf7bd2b2cba74cd7838014cdf3380611690d60 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 8 11:05:26 2019 +0000
kernel: Enable DFS support for ath*k drivers
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 57521504a89e792336f55e893564a000bfe4b1d7 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 16 12:34:19 2019 +0000
hostapd: Bump package version
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5b4464a94478059ceebf266bc31dee4a4ba18fac Author: Peter Müller peter.mueller@ipfire.org Date: Sat Mar 16 14:20:00 2019 +0000
hostapd: make client isolation configurable via WebUI
hostapd supports client-isolation, but this feature could not be configured via the WebUI so far. Since it might be desired in public wireless networks, or even private ones, it makes sense to provide a radio button to let the user decide on.
Fixes #11974.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a10b0e5b448bf7e4a9bcc334e177ddae09806dc7 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Mar 15 17:00:00 2019 +0000
ensure Tor daemon files have correct permissions
Set permissions for /var/lib/tor and /var/ipfire/tor to tor:tor, regardless whether Tor user has been created before or not.
This ensures Tor starts properly on existing systems after reinstallation of the add-on. Thanks to Michael for the hint.
Further, a comment for new Tor user in /etc/passwd has been added.
Fixes #11779.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a46903cce3863923838c5cc0721f4932adf2175d Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 16 12:32:10 2019 +0000
core130: Ship updated unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6f8b156bf0dcda4a1bb8ccdc8db83a54b2d7d1d0 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Mar 15 19:15:19 2019 +0100
unbound: Update to 1.9.1
For details see: https://nlnetlabs.nl/pipermail/unbound-users/2019-March/011415.html
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2c703afc04448f15f9ad6b9c90be216bad256532 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 16 12:30:22 2019 +0000
core130: Ship updated ntp
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f81c2225198b894c180cf36b6ee2cd6c0ea3849d Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Mar 15 19:10:11 2019 +0100
ntp: Update to 4.2.8p13
For details see: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 728f3d2e8f3d26e80154236c6d67e303e1f7f3b9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 16 13:04:18 2019 +0100
suricata: Fix ownership and file permissions of files inside /var/lib/suricata.
These files need to have nobody.nobody as owner but require read access from everyone to allow the suricata user to read in these files during startup.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7bf5b0f22194fcb617f3e678c4a1c492b0faf01d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 16 12:57:25 2019 +0100
logs.cgi/ids.dat: Fixup processing dates from logfiles which contain a year
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e1d9148b61bc973ac1fef063b58500de4d881d7e Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 16 10:00:19 2019 +0000
Fix python3-yaml rootfile
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9c4477d0f394af12f51d74e52d1a1c85cd13b289 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Mar 15 15:33:29 2019 +0100
core130: Fix another error in rootfile
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 03f68cbca90d9c1bc0b55c2f5aa4698a5d9d3eab Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 15 13:20:23 2019 +0000
core130: Fix errors in rootfile
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 710afa00c6e1441ba45f3fdda2feaf613ffd0033 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 16:52:38 2019 +0000
Update IPS translation
* Fix typos
* Fix compound nouns (especially in German)
* Remove unused strings
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit acb718b0bbfdf2b15bcc95abce2f4a7c23392362 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 14:01:45 2019 +0000
nut: Disable parallel build
nut just fails to build when running in parallel
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f9219b91a1f4648f6c2db9e3699169bb797e79c1 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 13:48:25 2019 +0000
core130: Ship suricata
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3bc001dbf976a89dcf4fc15912b472073c9e45db Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 13:20:56 2019 +0000
Update contributors
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cdfbdd1ada37183769c0b245218faff2cd300ac6 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 13:20:22 2019 +0000
Update translations
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 01604708c386da93713cffadb3d5d40665f62ec9 Merge: c578cbd35 e776d33c7 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 13:19:35 2019 +0000
Merge remote-tracking branch 'stevee/next-suricata' into next
commit c578cbd35f8af09f452326ce643d13e92ddaed99 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 13:16:33 2019 +0000
core130: Ship updated firewall script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5fc5f703470b37b43e18be66da0fb181696428a7 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Mar 11 20:07:00 2019 +0000
add IPtables chain for outgoing Tor traffic
If Tor is operating in relay mode, it has to open a lot of outgoing TCP connections. These should be separated from any other outgoing connections, as allowing _all_ outgoing traffic will be unwanted and risky in most cases.
Thereof, Tor will be running as a dedicated user (see second patch), allowing usage of user-based IPtables rulesets.
Partially fixes #11779.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4680d554fc52813b9e2a1bae3888d0b34dfbb5ad Author: Peter Müller peter.mueller@ipfire.org Date: Mon Mar 11 20:07:00 2019 +0000
run Tor under dedicated user
This allows more fine-granular firewall rules (see first patch for further information). Further, it prevents other services running as "nobody" (Apache, ...) from reading Tor relay keys.
Fixes #11779.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b450e7e3e6f47734e7282bf37953912b9ef6c740 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 14 13:15:03 2019 +0000
Start Core Update 130
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e776d33c7018a314acfb8909e9581a26d544d7e7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Mar 13 12:14:30 2019 +0100
suricata: Fix amount of listened nfqueues
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e8b1b397c1dd4b158520b8c7905cd66b864c1051 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Mar 13 10:03:48 2019 +0100
suricata: Remove unneeded stuff during build
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f717b1dc55595b4353fd7d3b44a057d282d19b62 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 10 18:52:40 2019 +0100
IDS: Set owner of suricata logging directory to correct user
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit fd378b3b08f8458fd7c32e9eb0e2566de53ed02a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 10 18:50:37 2019 +0100
Rename snort user and group to suricata
This only affects new installations.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 38081b8be19b56b7298d5a01e7218b774759406c Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 17:26:34 2019 +0000
suricata: Run as non-root user
This patch does not have any effect (yet) and is untested because suricata needs to be built against libcap-ng which is currently not being packaged for IPFire.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2bec60c34725c759c98f4da276fc8149162b3397 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 10 17:34:03 2019 +0100
suricata: Update to 4.1.3
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1fbf0788bf66da1b93774a19d4b0db52b0fdfc73 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 10 13:27:52 2019 +0100
Move IDS/IPS menu entry to firewall section
Fixes #12011.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b051eb68b6c12f619b1c3a76009d41ad59550b6b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 3 15:10:02 2019 +0100
libcap-ng: New package
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 26c758cf4870d834dfe4d20bb2ce76f701befd61 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 17:18:39 2019 +0000
suricata: Drop parsers I have never heard of
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8efbd71caad61912817c5cf28974364a34dc6390 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 17:18:38 2019 +0000
suricata: Configure HTTP decoder
This will now scan all request and response bodies where possible and use up to 256MB of RAM
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 96495c9aa2a46896ebb5cbbdfa5fd4b961864215 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 2 17:18:37 2019 +0000
Revert "Suricata: detect DNS events on port 853, too"
This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.
It does not make any sense to try to decode the TLS connection with the DNS decoder.
Therefore, 853 (TCP only) should be added to the TLS decoder.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5d04cfe7d582bc58a4e4f9995fe5f67fcc456456 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 19:37:38 2019 +0000
suricata: Use highest bit to mark packets
We are using the netfilter MARK in IPsec & QoS and this is causing conflicts.
Therefore, we use the highest bit in the IPS chain now and clear it afterwards because we do not really care about this after the packets have been passed through suricata.
Then, no other application has to worry about suricata.
Fixes: #12010 Signed-off-by: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c9ee3592f00f0edc9467643a27ba1505cc8f879a Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:25 2019 +0000
suricata: Fix syntax error
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 99d75ac72e66928f5218c222b0b3fd8fbfba179f Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:24 2019 +0000
suricata: Start capture first and then load rules
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 890f1bf2954328f5e811757754d815dedf6f92c1 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:23 2019 +0000
suricata: Disable decoding for Teredo
This decoder is not very accurate and Teredo has been disabled in Windows by default. Nobody will use this.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0b340f0938e5f292f74f5f2e60b3d46d473f2096 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:22 2019 +0000
suricata: Increase memory size for the stream engine
This change also ensures that suricata has a decent number of streams preallocated to be able to handle any bursts in traffic.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ab1444b4f4b9324e96fbb240929334b27611e12f Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:21 2019 +0000
suricata: Log to syslog like a normal process
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 47cb057145c76d5faf7987de9e779bf07a029336 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:20 2019 +0000
suricata: Use up to 256MB of RAM for the flow cache
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7eed864c93d143ef943b9f3f8bdf7b40a440cb71 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:19 2019 +0000
suricata: Use 64MB of RAM for defragmentation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 83b576c892c82652b0b56efc200e52fd1dee30f9 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:18 2019 +0000
suricata: Use the correct path for the magic database
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0e28ea9f3e72e0f4db9274c3b7021711d0c0c258 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:17 2019 +0000
suricata: Log to syslog
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 682f1fdaca919284af877894aecd1282595c1430 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:16 2019 +0000
suricata: We do not use any IP reputation lists
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit cf976e93c419d2c268979397ec87e05a2b8b7636 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:14 2019 +0000
suricata: Allow 32MB of RAM for DNS decoding
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit fe5bd1862f2dfce5b3123ed2d2bbb5a360f1cd40 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:12 2019 +0000
suricata: Drop sections that require Rust
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit bc2cb52953c92ad9209576de316f2076cfdb4caf Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:11 2019 +0000
suricata: Drop some commented stuff from configuration
The file is really large and we should not carry anything we will never use.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 75fba6cd248af6925d62452c15d4a21a2a7a204a Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:10 2019 +0000
suricata: Drop profiling section from configuration
This is not compiled in as it slows down detection and is only really useful for debugging
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5196d8ddbb097c4485a01a0fee58ade94b7255ac Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:09 2019 +0000
suricata: Set detection profile to high
This will merge rules more aggressively so that the engine is only processing those that can actually match.
Memory is cheap. People with little memory should not run suricata anyways.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9f726f8f536fb271e00c51ca7d10dac143dd3045 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:08 2019 +0000
suricata: Set default packet size to 1514
We usually use an MTU of 1500 + Ethernet header
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 16446608cbe53bcd0873ed48b907b697441d31d1 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 28 14:28:07 2019 +0000
suricata: Set max-pending-packets to 1024
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1f3c61b66c77898707791519b837e61b1d2e6ad0 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Feb 22 20:16:00 2019 +0000
Suricata: detect TLS traffic on port 444, too
This is the default port for IPFire's administrative web interface and should be monitored by Suricata, too.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit cc636c4741e7928276a1a5c7048b4fc0693c7f23 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 22 10:04:27 2019 +0100
convert-snort: Try to download ruleset if none is present.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5d7d8749dc005bd883e3b7d53d953f334cdea5b4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 18 13:33:41 2019 +0100
convert-snort: Set correct ownership after modify_sids_file has been generated.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d0f9526beb718ca934de9f8cea749bec4b04f3ad Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 18 13:29:47 2019 +0100
ids.cgi: Add language string for ignored hosts section.
Fixes #12002.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 06f57f72309f268d4f6b3490b33912813fbf1f1e Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 18 10:28:13 2019 +0000
general-functions.pl: Only skip lines with a # at the beginning
This accidentally dropped all lines that include #. That resulted in colour codes not being loaded from file any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7c3b7cdcca852e4f5e5ee46b5291b8ba522535ec Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 18 10:55:27 2019 +0100
ids-functions.pl: Tune rules to always monitor in both directions.
This will allow scanning the traffic from an EXTERNAL_NET to the HOME_NET and from the HOME_NET to the EXTERNAL_NET.
Reference: 10273
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 20b4c4d863d40f4b6cc1fd68eed17d1214a05f9e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 18 10:01:47 2019 +0100
suricata: Switch to "16" as repeat-mark and repeat-mask.
Marks "1-3" are used for marking source-natted packets on the interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.
See commit: f5ad510e3c0f416a1507999f5ad20ab171df9c07
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 77c07352a58a67e88a507feba982fe0f73518f59 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 15 13:26:55 2019 +0100
Suricata: Start service on red.up event if requested
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d215f6e9809e3a7e0b7356c985803291067d923e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 15 12:39:56 2019 +0100
collectd: Stop collecting process details for snort
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0d8cc90f4dead04de7181634377fe11115678f34 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 15 12:18:45 2019 +0100
services.cgi: Show status of suricata instead of snort
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1ef235f08dab44779d3b97854f25e234b6124cab Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 15 11:22:14 2019 +0100
logrotate: Rotate suricata logs instead of snort ones
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 78690361abbff86772850947e1dac97eecfa0648 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 14 12:37:13 2019 +0100
convert-snort: Always create directory and filelayout
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b09c13f1b6276885cfc457fa04896bfd7ba240e6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 14 12:15:41 2019 +0100
convert-snort: Call subfunction to change ownership of rulestarball
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 99b2e30636aa404f9fac355fcbbbe0a2e8f84e0a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 14 11:43:31 2019 +0100
ids-ruleset-sources: Fix rootfile
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c980ac7f2a0ba8ea08797005445328055993e31e Merge: c1c754a12 5368ccb0f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 13 19:46:45 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit c1c754a1211fbe50b7ba5b7a25444bd34b090957 Merge: f3cbcfeff 02a8a241b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 8 09:59:31 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit f3cbcfeff9e8ce263c812a25a24c7f4f14d4a64f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 8 09:56:36 2019 +0100
libhtp: Update to 0.5.29
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4434236e00a6e5fddbf031ca4777d2c00ad34482 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 8 09:55:46 2019 +0100
ruleset-sources: Update sourcefire rulesets to latest snapshot version
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ad99f959e2b83dd9f1275c1d385140271c8926ae Author: Peter Müller peter.mueller@ipfire.org Date: Thu Feb 7 17:47:00 2019 +0000
Suricata: detect DNS events on port 853, too
As DNS over TLS popularity is increasing, port 853 becomes more interesting for an attacker as a bypass method. Enabling this port for DNS monitoring makes sense in order to avoid unusual activity (non-DNS traffic) as well as "normal" DNS attacks.
Partially fixes #11808
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8723bb91aeff7dbbc173c6f7b8052a76203cb0a5 Author: Peter Müller peter.mueller@ipfire.org Date: Thu Feb 7 17:41:00 2019 +0000
Suricata: enable full detection for missing protocols
These are IMAP and MSN, which can be safely enabled.
Partially fixes #11808
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 05a635ec04f1ca7ee85a1511757ef3fea28cdb5c Author: Peter Müller peter.mueller@ipfire.org Date: Thu Feb 7 17:38:00 2019 +0000
Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports as well
Partially fixes #11808
Signed-off-by: Peter Müller peter.mueller@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5fbd7b29829caf0bcadcccd6f56ead51e2fb812e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 10:33:29 2019 +0100
ids.cgi: Format and show date of the current ruleset again
Fixes #11992
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ee7fe87ea6341f201bad78910d1055ed17560766 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 09:46:01 2019 +0100
ids.cgi: Change name of the button to apply the ruleset changes
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e8ae413a79a9c5eea8952ca42449128d79682216 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 09:02:32 2019 +0100
langs: Remove snort related and unused strings
Fixes #11993.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit dd8d6f5ee8c6262b96319b84751a73044be23e39 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 09:00:35 2019 +0100
logs.cgi/ids.dat: Do not call the IDS snort again
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5bd8940d68186e1ad2cbbb376c4bae6d512630bb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 08:51:31 2019 +0100
ids.cgi: Improve shown messages while the IDS is working
Reference #11993
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e566e977f7605758df450c6128d1484cc5fb2a35 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 08:28:29 2019 +0100
Add german translation for "system is offline"
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9074e3d74cc931244892d306b38c298ce8dd0f2b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 08:24:15 2019 +0100
ids.cgi: Lock page while autoupdate script is running
Fixes #11991
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5206a3358d18b8ec9b1ceca3e95a56516ae7b4ab Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 08:06:49 2019 +0100
update-ids-ruleset: Lock and Unlock the IDS page during runtime
Reference #11991
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8076deba79f9bbd4e551fdfe1eb49e8a77b2c19e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 07:59:20 2019 +0100
ids-functions.pl: Add code to lock/unlock ids page while autoupdating the ruleset
Reference #11991
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5f2145eb59d3f0f7cbc70cd4f071302fd56213ea Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Feb 7 07:44:11 2019 +0100
ids.cgi: Show "Update Ruleset"-Button only if automatic updates are disabled
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f6eb1a40a00625b7a83984461242e86347e48579 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 6 15:59:02 2019 +0100
aliases.cgi: Handle suricata related actions when dealing with aliases
When working with aliases (adding/modifying/removing), the file which contains the HOME_NET declarations needs to be re-generated and suricata requires a restart afterwards.
Fixes #11990
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8117fff863431671939d5aa1c11c0a84e56298a2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 6 15:23:46 2019 +0100
IDS: Call helper script when red interface gets up
The helper script will be automatically called when the red interface gets up and will re-generate the HOME_NET file, to take care if the IP-address of this interface has changed.
Fixes #11989
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d8f19ebb5accbf4e850e881fbd0be8fd9d66660c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 6 13:12:50 2019 +0100
IDS: Edit german translation for "ids oinkcode required".
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 613f58fbfa9f536d9c84bc76354f7775b3e9b57f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 6 12:49:01 2019 +0100
ids.cgi: Check if the selected ruleset requires an oinkcode
Fixes #11983
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f644a167ab06e5324c021144e08c00413472b143 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 6 12:48:08 2019 +0100
ids.cgi: Only perform actions when saving ruleset settings, if there are no error messages
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 155b3b56a8e4c8765c473b853445e2957b0b852f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 6 10:58:59 2019 +0100
ids-functions.pl: Do not send HEAD requests to sourcefire (snort.org) servers
Using this feature to fetch the size of the requested tarball is not allowed by these servers, so skip this feature for their rulesets.
Fixes #11987
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c17a9778d62d964ac7d8e8da156ba0f08baf8748 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 6 10:00:17 2019 +0100
Revert "ids-functions.pl: Use GET method to fetch Header data of a file"
Using the GET method will download the file twice and does not provide the desired mechanism here.
This reverts commit 81592314ebe93ae942f28a1bc9037185f155ccda.
commit 422dc4caf97696ac34b65410784f22875f3412c0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 14:34:44 2019 +0100
ids.cgi: Fix HTML formatted spaces.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9e9b477d7c4fbad483f6307cf63bf475dd79141b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 14:14:11 2019 +0100
ids.cgi: Rework "Enable IPS" section
Just use one language string for a maximum of flexibility for the translators.
Fixes #11986
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit af0065691c6d3fcb14c646d1ec0b9c83bdd3313d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 13:57:40 2019 +0100
suricata: Do not display messages when starting up
Fixes #11979.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit cc9057c0148cddb231be85caa4c38d4cf721f0c3 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 13:51:08 2019 +0100
ids.cgi: Change lang string from "Activate IPS" to "Enable IPS"
Reference #11986
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 318e7137e79f29574a5cc9677615a48b2a9b3e40 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 13:25:27 2019 +0100
IDS: Rename IDS strings to IPS
Reference: #11986
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 97870bf29cd93669beef30b876e21f2fed5d6405 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 12:43:49 2019 +0100
ids.cgi: Stop suricata when the ruleset source has been changed
If the ruleset source has been changed, it has to be configured again. This happens because of different rule categories, filenames, rule IDs, etc.
In case suricata currently is running it has to be stopped and after the configuration has been done by the user, it can be launched again.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5709768b0bab2b860911fcad66da8e0aec5c4eaa Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 12:36:30 2019 +0100
ids.cgi: Fix downloading rules if source changed
Fix the if statement to detect whether the ruleset has been changed and automatically download the new one.
Fixes #11984.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b7a9b4edc28a678cd9d2b01e0ab6304597409860 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 12:13:28 2019 +0100
ids.cgi: Update automatic download texts
Update the shown texts in the dropdown box as mentioned in the bug report.
Fixes #11985
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 81592314ebe93ae942f28a1bc9037185f155ccda Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 12:01:43 2019 +0100
ids-functions.pl: Use GET method to fetch Header data of a file
The sourcefire web servers do not support the HEAD request so we have to do this with a GET here.
Fixes #11987
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4924cfdc7312ce8c31101fefebf3f0371e7cd779 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Feb 5 11:55:37 2019 +0100
ids-functions.pl: Fix show HTTP error code and message
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 067e1847dc1012316b23d7eb8dba8e25a65cd757 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 1 14:34:25 2019 +0100
suricata.yaml: Add port 222 to list of SSH Ports
The SSH-server listened on port "222" as default on IPFire in the past.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit bcbc9897e392a237105fc2e12af2323804bd2a42 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jan 31 09:50:47 2019 +0100
ids-functions.pl: Grab address for RED by using get_red_address() function.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit de8e1e5b6ce6c8d82dc8e67c92af338206252dc2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jan 31 09:41:35 2019 +0100
ids-functions.pl: Add function to get the current assigned IP-address of RED.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 912d7472a86b1347f3165c1850ed05ba2b7b641f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jan 31 08:55:05 2019 +0100
ids.cgi: Automatically download ruleset if the ruleset source has been changed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c9b07d6a0cdb54c71d5aef4a75c40d505585a0fe Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 13:43:38 2019 +0100
initscripts/suricata: Generate firewall rules on start and reload
Fixes #11978
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 23c0347ac5d386e215c56ae9fa3af97e66f1c23f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 12:04:54 2019 +0100
ids-functions.pl: Add RED address and aliases to the HOME_NET
Reference: #11981
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 77c3130174cd492f0bae12205cfd3000b9b7798c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 11:57:49 2019 +0100
ids-functions.pl: Add get_aliases()
This subfunction is used to get all configured and enabled aliases for the RED network zone. They will be returned as an array.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d6f725e1857b19fefce67fc3bb63f7a379f549d4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 10:57:31 2019 +0100
update-ids-ruleset: Improve error reporting if the system is offline
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e0cec9fe99c957a686182f6002185744edd8254d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 10:53:17 2019 +0100
ids.cgi: Dynamically generate SHOW/HIDE for expanding or collapsing a ruleset category
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit cf02bf2f7d23f9755a6e08383dd46fa9033d924b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 10:12:11 2019 +0100
ids.cgi: Show IDS setting area only if a ruleset is present.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 013274d7d88653e5eaf22156754f0bb8c2e3ebaa Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 10:05:14 2019 +0100
ids.cgi: Display reason why a ruleset could not be downloaded, if the system is offline.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5fd2e9d64ac8363ac56bf0431ec3607e099b3f46 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 09:57:49 2019 +0100
ids.cgi: Also download the ruleset when saving the ruleset settings
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 34a3843865bfcb6c88cb10773570b96cd61363d6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 09:42:28 2019 +0100
ids.cgi: Add dropdown option for Emergingthreats.net Pro rules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d618d67e010e94e1ef26f2570abe9d6748e90416 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 09:39:17 2019 +0100
ids.cgi: Only show "update ruleset" button if a ruleset is present
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 674912fc3abe6283566c4e51a5360dcbf5850f36 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 09:33:47 2019 +0100
ids.cgi: Draw daemon status and setting in the same box.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 029b8ed2b1e039d216fc974db413cd5f3f718a3d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 09:27:37 2019 +0100
ids.cgi: Show/Hide subscription code area dynamically.
Dynamically (JavaScript) show/hide the area for entering the subscription code / oinkcode based on the chosen ruleset.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit bc4a2223cccc4165f213ec3520aee23b2550a4d2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jan 30 09:25:34 2019 +0100
ids.cgi: Remove help text for obtaining an oinkcode
This information is only valid for sourcefire (snort) rulesets, may confuse users and therefore should be handled in the wiki.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 17c2c09bcc50376ef805a194eec8688a3dfcbc29 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jan 29 12:03:37 2019 +0000
suricata: Scan outgoing traffic, too
Connections from the firewall and through the proxy must be filtered, too
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 80592396611f06069a05494da2b228aad29af72a Author: Peter Müller peter.mueller@link38.eu Date: Wed Jan 23 21:22:41 2019 +0100
Suricata: drop unused cuda HW acceleration
As stated in https://bugzilla.ipfire.org/show_bug.cgi?id=11808#c5, Cuda hardware acceleration is unused and so the configuration file section can be removed.
This partially addresses #11808.
Signed-off-by: Peter Müller peter.mueller@link38.eu Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 68699ecffff5e8c0d35883403451bec881bd33ec Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 11:23:54 2019 +0100
Revert "Add DDNS to core 107."
This reverts commit 197033fab234d4698b097fdb1b653b8ae39b1aae.
commit ca8c92108af8ed2fce390592d8bd536f9caa2458 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 09:09:11 2019 +0100
update-ids-ruleset: Set correct ownership for rulesdir and files
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 36e69d34b1a59258bf17b886db323653dac1a13d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 09:05:29 2019 +0100
convert-snort: Use set_ownership() from ids-functions.pl
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4fbd88bfad631b932973321004af3e26b6ca19d5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 09:01:20 2019 +0100
ruleset-sources: Add Emerging-Threats Pro ruleset
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9f9651e06aac68d650be585a7dd15a8a6c502d5c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 09:00:26 2019 +0100
logs.cgi/log.dat: Change search pattern from snort to suricata
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 3c59b1fab85f76f75e0b6bb89cd9c007b2416b57 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 08:58:08 2019 +0100
ids-functions.pl: Set correct ownership for the stored error file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1fedede6a0982500847ef5d8747b5d3483991a05 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 08:50:16 2019 +0100
ids-functions.pl: Add set_ownership() function.
This function is used to change the ownership of a given file or directory to the user "nobody" and the group "nobody", which is used by the WUI.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8c27372438dd267648cba48b86d85a594f14be1c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 08:40:34 2019 +0100
backup.pl: Run snort to suricata converter when a backup gets restored.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 85a62b05237a4087c9b80d0efadc71b2da45abfa Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 29 08:26:15 2019 +0100
IDS: Install snort to suricata converter
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e4840020ed9962e3fac83c7a52670ed2cfd56672 Merge: 39155be80 61ee84291 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jan 28 17:29:21 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit 39155be80547e808e859f8f4dcd93763876bff5f Merge: 5b0b4182a d03916e55 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jan 26 12:40:04 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit 5b0b4182a8a0f7fa17548983a4e15aeed3aa2234 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 22 15:36:00 2019 +0100
convert-snort: Settings converter from snort to suricata
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9283e9b9cf8326453086d9777b264d7e50b9660a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Jan 22 13:25:13 2019 +0100
ids.cgi: Move and rename GenerateIgnoreList() function to ids-functions.pl
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c1a34012352f9eee339f78c00130807e275b05c2 Merge: b749416ad f6326e4f7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jan 21 13:04:13 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit b749416ad71126d6a05eb92b1409f097cc127617 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Jan 6 14:11:30 2019 +0100
ids-functions.pl: Downloader should read settings from correct file
In commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda the settings taken for the ruleset have been stored in their own file.
The Downloader now uses this file to read-in which ruleset should be used and downloaded.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7b6f8596edd5591a1bde21b34a7665170e5d4353 Merge: ed809cf07 f1f40274a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Dec 28 07:36:59 2018 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit ed809cf07a5ccacc5817f682fc9103a2f52163d6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Dec 28 07:36:19 2018 +0100
Ship update-ids-ruleset script also on x86_64 and aarch64
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6994f00174d222a6e7dd9b812c5bebaad1e3fa3e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 26 16:33:54 2018 +0100
ids-functions.pl: Downloader now also uses upstream proxy for HTTPS
Fixes #11953
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 04a0d07c97087c9d66e09155058beacee031d627 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 26 16:05:46 2018 +0100
ids-functions.pl: Add function to get the version of suricata
The get_suricata_version() function is used to get the version of suricata installed on the system. You can specify how detailed the returned result should be: "major" will return only the major version, whereas "minor" will provide the major and minor version (1.2 for example). All other calls will be answered with the full version string (1.2.3).
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2ee510888c4f4a0836ef4afe5b6e30c2b94f7ddb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 25 20:19:12 2018 +0100
ids-functions.pl: Fix typo
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 74cc8f5a3ddafb065dffd885222246842fc8304c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 25 18:40:34 2018 +0100
ids-functions.pl: Introduce function write_modify_sids_file()
This function is used to write the corresponding file which tells oinkmaster to alter the whole ruleset and finally switches suricata into an IPS or IDS.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b02e30fd81e3e095ea3cd74cb8f0b056d68e10e7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 25 18:26:21 2018 +0100
ids.cgi: Move variable declaration to ids-functions.pl
Also move some functions from the cgi file to the library file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 53817b89c0eb5f03830777982c86c58e4c097fa6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 24 13:19:06 2018 +0100
ids.cgi: Hack to use the correct language string for red network zone.
This hack is needed because "red" is used as "internet" in the language files and "red1" contains the correct "red" translations.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 99b372b51d01e7c35ac6b24bea72ec9c739681c9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 24 13:18:14 2018 +0100
ids.cgi: Colourize network zones
Colourize the network with the proper colour.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 01d02eb63bbb2142b5f154f75f028448bdd47ca5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 24 10:03:18 2018 +0100
ids.cgi: Change RUN_MODE to MONITOR_TRAFFIC_ONLY
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Dec 23 21:06:14 2018 +0100
ids.cgi: Separate IPS and ruleset settings
Now each of both have their own corresponding configuration areas. The taken settings will be saved in "/var/ipfire/suricata/settings" for all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for ruleset related settings.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit aac8e30831b037034e932044b0ca941105f40d70 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Dec 23 21:05:37 2018 +0100
langs/en.pl: Fix typo
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ebdd0f9a90da800cc6173f6f30fb0621dddc354b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Dec 20 13:18:48 2018 +0100
ids.cgi: Prevent from starting suricata without ruleset or selected network zone
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0a1bba1a1d3ec8995f482b291d25c84374d11085 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Dec 20 11:55:13 2018 +0100
ids.cgi: Access ruleset by its own name
This improves accessing the single rules of a rule category.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8353c3fd36c3e56861b9996c489836e4554c1ebd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 18 15:19:30 2018 +0100
ids.cgi: Always use the whitelist
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 25b6545a6e5523d67484e15c5d8bafd941c8c9ae Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 18 15:14:08 2018 +0100
ids-functions.pl: Use temporary file in downloader.
Download the requested rules tarball into a temporary file and if everything is fine, replace the old by the downloaded one.
In addition with the previously implemented file size check, we are saved now from a corrupt rules tarball on disk.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 96da5803a77ac8cae85fc8bc37e2153a19b5ab26 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 18 14:16:13 2018 +0100
ids-functions.pl: Introduce filesize check for downloader
The downloader now requests the html header for the rules tarball and obtains the size of the file before downloading it.
After success the size of the downloaded file will be compared with the requested one before. If they do not match, an error will be gained.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1201c1e74695fffeae36ba8a8a6adfe422a53ddd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 18 14:12:52 2018 +0100
ids-functions.pl: Fix sub _cleanup_rulesdir() function
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f5ad510e3c0f416a1507999f5ad20ab171df9c07 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 17 15:04:48 2018 +0100
suricata: Use "2" as repeat-mark and repeat-mask.
The previously used "1" was already used to mark source-natted packets.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 208cb3363fc13bc9b918aeacb26e4c98d1d963d3 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 17 15:03:10 2018 +0100
suricata: Update to 4.0.6
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a13ddf04d9b58ee469b5da6bc0dd5efb64d6ebad Merge: 8cf04a165 58e840bd9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 12 09:27:59 2018 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8cf04a165696c512c8c2cb1f3d282c1f0cc88787 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Oct 12 15:43:16 2018 +0200
ids-functions.pl: Rework &_cleanup_rulesdir() function
* Use a directory listing and delete the files.
* Keep files with "config" as file extension.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4ce424884914e6ee5a721124eaec89b634c19f48 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Oct 12 15:18:38 2018 +0200
ids-functions.pl: Fix typo
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 883820bdcb24414e965bd92844bb0b9c438b312b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Oct 12 15:16:32 2018 +0200
ids-functions.pl: Call &_cleanup_rulesdir() function before calling oinkmaster.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b59cdbeea5eb2a83ac5c0be51541c471bd1cd809 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Oct 12 15:12:10 2018 +0200
ids-functions.pl: Add private function to cleanup the rules directory.
This private function is used to remove any files which are stored in the IDS rules directory and prevent from any old (unneeded or conflicting) files after an update or complete change of the ruleset source.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5d3b16c6df1a83d6eacb69a32176941a1e09a157 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Oct 12 13:08:35 2018 +0200
suricata: Rootfile update
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8d087d0391b8ab441a974b4cbc84980bb6055774 Merge: 89a12b384 e3ab1962e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Oct 2 07:35:13 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit 89a12b3843d22a355adf1989e9bd823e170a2387 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Oct 1 20:14:00 2018 +0200
suricata: Set correct ownership for /var/lib/suricata
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2d475a3c6c8e37295f97a07dcca9a6eed2dbb21f Merge: eadad5fda 0a5823db0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 14:49:34 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit eadad5fda6e7a798ad63261da4629673bd88cf76 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 14:43:09 2018 +0200
ids.cgi: Add support for autoupdate of the IDS ruleset
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6c9458342b72d5eef122e4e146872ded98751d05 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 14:42:47 2018 +0200
IDS: Update language files
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 3aadbbca38882cf6e8af2370c26234de0940a099 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 14:38:46 2018 +0200
stage2: Rootfile update for update-ids-ruleset script
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 82979dec3655138b5c8467a63fc423b30961ef9c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 14:11:31 2018 +0200
IDS: Introduce update-ids-ruleset
This script will be called periodically by fcron and is responsible for downloading and altering the ruleset, if autoupdate of the configured ruleset is enabled.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ed06bc811ffe055e2dadd226d27332892f4725db Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 14:09:53 2018 +0200
ids-functions.pl: Add backend code to handle the "cron" function of suricatactrl
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6ce504a2f2c405c7a7baab6f74be779f903d89de Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 13:54:14 2018 +0200
suricatactrl: Add "cron" command
This command allows to enable the automatic update of the used IDS ruleset and to specify the update interval.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit dae534f2ca7172a1171d77fe6acd034591233d58 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Sep 26 13:02:28 2018 +0200
ids.cgi: Only write oinkmaster-modify-sids.conf if necessary.
Only write to the file if the runmode of the IDS has been changed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5508f18c012c5be264c9562b9327a41a2bebb2f8 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Sep 11 12:28:28 2018 +0200
logs.cgi/log.dat: Fix pattern to display oinkmaster related messages
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 43ab7d9c30fb24bebd716e264530d7db3e84a007 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Sep 11 12:00:31 2018 +0200
ids.cgi: Set state of used rulefile to on if it contains rules
Only set the state of a used rulefile to "on" if it is present in the %idsrules hash. This happens if it contains at least one rule.
This prevents from showing a rulefile in the ruleset section if it does not exist anymore or does not contain any rules at all.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b7e29743944953c973e3f858c10ab627949f898d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Sep 11 10:21:00 2018 +0200
ids.cgi: Introduce whitelisting of IP-addresses
If an IP-address has been added to the whitelist, any traffic from this host will no longer be inspected by suricata.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6f3b3cd089cea0f308c0b67e17ed864f6aa50b83 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Sep 6 13:28:20 2018 +0200
logs.cgi/ids.dat: Don't display/export empty events.
Check if the current processed event has at least datetime and a title. Otherwise skip it.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 63d911cdc5d3e8a706f222e2094f2f7350c5fa02 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Sep 6 13:22:18 2018 +0200
logs.cgi/ids.dat: Ease list of reported events
Just ease the strict layout by adding a simple line break.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f5ddcad1cc38cfcc3b01f819bc4c4f01e6d1c189 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Sep 6 12:09:34 2018 +0200
logs.cgi/ids.dat: Adjust code to show suricata events
As default show the events generated by suricata and if for a certain selected date no suricata log is available try to fall-back to read the events from the old snort alert files (if available).
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 80bcd4dd1a424e1353aa0839e873ce9292cea3db Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 30 18:18:26 2018 +0200
ids.cgi: Hide rules config section if no rules are present
Do not show the rules config section anymore if there is no ruleset available.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit fd72c85eb8bb11978957dc39da8a5822715a5453 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 30 15:12:29 2018 +0200
Enable threshold file in suricata.yaml
Enable and specify the path to the threshold-file in the suricata.yaml, otherwise the program is trying to read it from a built-in default location and prints the following error message:
Error opening file: "/etc/suricata//threshold.config": No such file or directory
Fixes #11837.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 762a33f17ca8d86b979e22ddd538e76d32287d94 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 30 14:13:37 2018 +0200
suricata: Add files to be backed up
Now all oinkmaster related config files and suricata related yaml files in "/var/ipfire/suricata/" will be included into the backups.
Also the entire ruleset is part of the backup, so after a backup has been restored, the IDS can be used in the same way as before.
Fixes #11835.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 21cab141ec018b885abf2849b82acb22684f0c80 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Aug 29 12:34:08 2018 +0200
suricata: Rule files are now located in /var/lib/suricata
Place the rulefiles from now in "/var/lib/suricata".
Fixes #11834
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d2e6bf6e5f0a3867664c68cd85dff686a08b696c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Aug 29 12:27:12 2018 +0200
suricata: Do not ship an example configuration file
Stop shipping a full example configuration file for suricata.
Fixes #11836.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 00512a5ac800205a9f46cd0936909d5c921e6643 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Aug 29 11:50:59 2018 +0200
ids.cgi: Create file for used rulefiles on first execution if not present
Create this file on first execution of the script if it does not exist yet. This will allow suricata to immediately be started. Otherwise the ruleset has to be downloaded and configured before this file has been created and suricata could be launched.
Fixes #11833.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 004b13b7e801c18d399740c4e9b7866c9685637c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Aug 29 10:55:32 2018 +0200
ids.cgi: Fix get_memory_usage()
Change the get_memory_usage() function to grab and return the memory usage of the entire process, containing all sub-processes and threads.
Fixes #11821
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit be52c68a2db2455f8118190a6bb37594891480a1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Aug 27 15:11:28 2018 +0200
ids-functions.pl: Early abort downloadruleset() if no ruleset is configured
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e568796bb0a0fc2072c2494936ec678f4c7fe17f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 25 15:48:58 2018 +0200
ids-functions.pl: Also check and fix the permissions of rulespath
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4892f82ca19ad29b2213825a9fc2200d9b801252 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 25 15:22:53 2018 +0200
suricata: Fix rootfile
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit baeae346589a793b2d9dca39017e1eb7c00d5bf1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 15:15:09 2018 +0200
lfs/suricata: Move classification and reference config to /etc/suricata/rules
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 330759d88a4adfbf5fc23cb575607b8b99b1b62b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 14:55:40 2018 +0200
ids-functions.pl: Add private function _check_rulesdir_permissions()
This function checks if all files located in /etc/suricata/rules are writable by the effective user and group (nobody:nobody) and if not calls suricatactl to fix it.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 68123effb80c3509cb4855c46d3ff378ba7f13a0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 14:54:34 2018 +0200
suricatactrl: Add fix-rules-dir command
This command is used to set the ownership and permissions back to nobody:nobody which is used by the WUI to write the ruleset.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9074853d8df16e729d7e3fe3fb6c465877614f2e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 14:26:24 2018 +0200
suricatactrl: Add reload command
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 335114b207971fa88bc768c7dea49747b15b4fae Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 11:11:15 2018 +0200
suricata.yaml: Start moving to IPFire specific configuration
Remove a lot of stuff and options which are deactivated during compiling, unsupported by the platform or not used in IPFire.
Add an advice to the fully documented suricata-example.yaml file which also is shipped by IPFire.
More work needs to be done.
See #11808
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit af5e823247876c313f516a98efe38ad38db5a01f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 10:54:07 2018 +0200
suricata.yaml: Adjust classification and reference config location
Both files are included in the various rulesets, therefore use them from the rules folder.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 13d077fdf2093a2e468b5cda1e9e44fa99ee03cc Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 10:28:42 2018 +0200
suricata.yaml: Fix include statement for homenet file
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5f630673850f01e4e1284d163a80772b2f7a46af Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 10:04:33 2018 +0200
suricata: Fix initscript when using a single core machine
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 01ba4be48d1687d621b1d7242085aa077552cacd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 07:39:04 2018 +0200
ids.cgi: Create oinkmaster related files at first call
With this commit, the CGI file will create the oinkmaster related files during first run if they do not exist.
Fixes #11822.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 308ba5e74c27e50e9fda4278749256d3ff541d5e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 24 07:37:10 2018 +0200
ids-functions.pl: Add function to create empty files
This generic function can be used to create any kind of empty files - it just requires the full path and filename to work.
If the specified file exists at calltime, the function will abort to prevent from overwriting existing files and content.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit cb52183c6a311d7413c286f73895b52a8e2e3a57 Merge: 7fe5bc826 c5486ccb9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 23 10:34:17 2018 +0200
Fix merge conflicts during merge of next and the suricata branch
commit 7fe5bc8261d639753ee7a5a005ce06325231769b Merge: f7d76eecc 702f0ba83 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 23 10:32:21 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit c5486ccb9793029e58f0e6156d7d2f4d21de6cd0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Aug 22 10:37:44 2018 +0200
oinkmaster: Ship IPFire specific config file
Ship an IPFire specific configuration file for oinkmaster.
This allows oinkmaster to do all the great rule modifications which have been introduced by the new ids.cgi file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d2212836226ee8212eef3226acf3a4e6fa65643a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Aug 22 08:39:57 2018 +0200
ids.cgi: Rework handling of enabled/disabled sids
Now the enabled or disabled sids are stored in a single hash instead of two arrays, which easily can be modified.
When saving the ruleset, the new read_enabled_disabled_sids() function will be used to read-in the current (old) saved enabled or disabled sids and add them to the new hash structure.
After adding or modifying sids to the hash, the entries will be written to the corresponding files.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a5d617520b144e22fd2b31795d2b04c8170f93ef Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Aug 22 08:38:16 2018 +0200
ids.cgi: Add function to read the enabled/disabled sid files
This function is used to read-in the files for enabled or disabled sid files and stores the sid and their state into a temporary hash which will be returned by the function.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5a28e721e08104e35c0e7f23a1aee4dff3fbae45 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Aug 21 19:18:01 2018 +0200
ids.cgi: Fix check if the IDS is running
The correct function name is ids_is_running()!
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit bbb6efae56957c1ec70d5ee7668c4cc68b4dd2b2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 18 14:48:30 2018 +0200
ids.cgi: Add backend code to handle switch between IDS and IPS mode
This commit adds the required backend code to allow switching between IDS and IPS mode of suricata.
Technically the behaviour of suricata is specified by the rules - each of them can contain the action "alert" or "drop" (There are more actions supported but these two are currently the important ones).
When running in IDS mode, the ruleset does not need to be touched, because the default action is "alert". When switching to IPS mode, the CGI writes a single line to "oinkmaster-modify-sids.conf" which is included by oinkmaster and modifies the action for each single rule from alert to drop.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a4ccfcbbc6073684768d951006232d410df091a1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 18 10:16:12 2018 +0200
ids.cgi: Allow to switch between IDS/IPS mode
Add the option to select the runmode for suricata, whether it should run in intrusion detection mode or intrusion prevention mode.
If the option has not been configured yet, it defaults to IPS mode.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d9711d91ef57f846eb09fd77ec9e7a58d745dc6d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 18 10:01:14 2018 +0200
ids-functions.pl: Display error if oinkmaster cannot be executed
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 88daf7eb3a9ba5ceb3df9f8197ea3cb5cfd4f30b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 17 08:49:06 2018 +0200
ids-functions.pl: Log correct error message if download fails
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 55658ee381aeeac19c63a0da8822fc3f727b135b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 17 08:45:47 2018 +0200
suricata: Fix detection of enabled IDS on zone in initscript
I accidentally committed the wrong file in the previous commit. This is the fixed and working version.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 00a031145e32d31a08037dda3c8a3cc7cc6c815e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 17 08:24:19 2018 +0200
suricata: Give 644 permissions to the suricata pidfile
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 04b5c77a450ceb8fd83898a90f096175580a058f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 17 07:36:54 2018 +0200
ruleset-sources: Move to suricata optimized ruleset when using emergingthreats.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 3c2c54831fd7a5f1813376ceb45c22774631a5e7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 16 18:51:13 2018 +0200
suricata: Add code to create iptables rules to the initscript
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7c82ee6165d04597c371944490b085c240482424 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 16 18:50:39 2018 +0200
firewall: Add chains for IPS (suricata)
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit cc60d3dfd3cd6ae9d38470d40edd646691e422ac Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Aug 12 18:40:31 2018 +0200
suricata: Fix include of used rulefiles yaml
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 423030555835840a1821b56408b5a19e6dcfe7e0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Aug 12 07:05:24 2018 +0200
suricata: Use HOME_NET declaration from external file
Use the generated HOME_NET details from /var/ipfire/suricata/suricata-homenet.yaml which will be generated by the WUI.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6187da5055dac1a10402d3c6eeaf1f9bed7f3890 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 11 22:28:07 2018 +0200
IDS: Add reload option to initscript
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e2e7880dc73fc98aa7409b2de2384e5c9e436f29 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 11 22:11:18 2018 +0200
ids.cgi: Add code to start/stop/reload the IDS when necessary
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5240a80987920b1b807e6609a6c10fb666235e21 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 11 22:10:29 2018 +0200
ids-functions.pl: Add function to call suricatactrl binary
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f7d76eecc6660bd2d59951a6aa138cd0f96a2e9d Merge: ca745a297 98ce89752 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 11 19:50:20 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 8d2f6b0b59c3448dfa0fcab683fafc9604873a57 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 9 15:33:25 2018 +0200
ids.cgi: Dynamically generate the HOME_NET details for suricata.
Introduce generate_home_net_file() which uses the current network config to obtain the network address and subnetmask for each available network zone, generate and write these HOME_NET information into a yaml compatible file which can be included into the suricata configuration file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e0bfd338ee5c847b16ea534acf84fba645974ec7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Aug 5 19:42:33 2018 +0200
ids.cgi: Rename form name from SNORT to IDS
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8766096429b7d19a78d632e96a84b32f058f8e80 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Aug 5 14:24:20 2018 +0200
ids.cgi: Display if the IDS is running
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 796eea2154ae581aeae68be92bd04f105d0a939b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Aug 5 14:23:45 2018 +0200
ids-functions.pl: Add function to check if the IDS is running
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1286e0d41e75dd691a54ac130ae6d70bfc284e14 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Aug 5 12:57:44 2018 +0200
ids.cgi: Rework section to configure the IDS
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1cae702c22ed31784393980968634626af8fe653 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Aug 4 16:48:27 2018 +0200
ids-functions.pl: Add function to get the available network zones
The get_available_network_zones() function uses the /var/ipfire/ethernet/settings file and translates the configured mode into an array, which contains the names of the configured network zones.
The array will be returned and easily can be used to loop over this list of available network zones and perform any kind of actions in other scripts.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ab114c276b0d719b9a9c43dea05870e4ceedbdbc Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 3 13:51:59 2018 +0200
ids.cgi: Call suricatactrl for restarting the IDS
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 06b569a4429eb5641343fdf4c3472825dc327f09 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 3 13:48:46 2018 +0200
oinkmaster: Install config file to /var/ipfire/suricata
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d33874f4969f48d5dd880b212900220ba932d8f0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 3 10:20:18 2018 +0200
daq: Drop package
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 843a8c570c6784ef6c66d214fbbbc2e67e4505c2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 3 10:19:35 2018 +0200
snort: Drop package
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 914cca3d8e834c6ab051126f628daeef073b7106 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 3 10:02:34 2018 +0200
initscripts: Link against suricata initscript in runlevels and red.up hook
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 74b7d695c630c971fb4774e93c39b4954d7bb5fe Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Aug 3 09:50:31 2018 +0200
misc-progs: Rename snortctrl to suricatactrl
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ef640882ab4ff5f26fb7b4bf9a5f00ca4f94d172 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 19:58:41 2018 +0200
make.sh: Add ids-ruleset-source
I accidentally forgot to commit this file in 1d9b87914053e54550c6f2a76377a8001bbf1da6
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d72b3e64c2515546b78a7cf099157799481da130 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 19:54:22 2018 +0200
suricata: Introduce basic initscript
Add a very basic initscript, which currently allows to start/stop/restart suricata and check if the daemon is running.
The script will detect when starting suricata how many CPU cores are present on the system and will launch suricata in inline mode (NFQUEUE) and listen to as many queues as CPU cores are detected.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 101d3ece24c99a9696bb2dfe0add1cdfdebbbf91 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 19:33:37 2018 +0200
ids-ruleset-sources: Update download URL for snort rules
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit bce84f3975eb04ac94ffe2e14039c1a6a8ac8030 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 19:31:52 2018 +0200
ids-functions.pl: Rename ruleset-sources.list to ruleset-sources
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1d9b87914053e54550c6f2a76377a8001bbf1da6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 19:29:36 2018 +0200
ids-ruleset-sources: New package
Move the file which contains the download URLs for the IDS rulesets into an own common package. This will allow us in future to easily ship a changed file with a core update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 72b2109c726c1ab78918648a6aa540cf137692b0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 15:47:31 2018 +0200
configroot: Move from snort to suricata
Create /var/ipfire/suricata and /var/ipfire/suricata/settings instead of /var/ipfire/snort and /var/ipfire/snort/settings.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4c6d6c1ee3308e8143b95867376f29876739a149 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 09:10:25 2018 +0200
suricata: Install very basic config file
This config file is mostly based on the example configuration shipped by the suricata project and needs to be enhanced.
See #11808.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 101c888174285f4d4e599902c7645d2e834ea027 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Aug 2 09:07:12 2018 +0200
ids.cgi: Generate suricata compatible used-rulefiles file
* Rename filename to suricata-used-rulefiles.yaml
* Adjust file generation as a yaml file to be compatible with suricata
* Adjust code to correctly read-in and parse the changed file
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 164eab662756366023016c88c27f1432f243832f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jul 30 21:36:07 2018 +0200
ids-functions.pl: Move path details from snort to suricata
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a8b8c9e5b2a2d993d06b774aefe7b6ff49adc739 Merge: 67752a951 434001d0a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jul 30 21:33:25 2018 +0200
Merge branch 'next-new-ids.cgi' into next-suricata-and-cgi
commit 67752a9510d9db653ca8aee9355e8fa63d0f9316 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jul 23 20:21:38 2018 +0200
suricata: New package
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 3498300d87ec69f5676d33e54dca4f3c6897d20f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jul 23 20:20:29 2018 +0200
libhtp: New package
This is a build and runtime dependency for suricata.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 91cc908f84a44ba9dc6493938c00aa982eafed81 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Jul 23 20:19:19 2018 +0200
yaml: New package
This is a build and runtime dependency for suricata.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 434001d0a0eb05946fccded7090e1e1fa6e2c64d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jul 28 16:34:50 2018 +0200
IDS: Rework error and log handling in ids-functions.pl
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 02844177afb86e070564ee776c5ca679d7cf374b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Jul 27 07:58:23 2018 +0200
IDS: Introduce settingsdir variable
The $settingsdir variable is declared in the ids-functions.pl and used to store the path where the various files which contain the settings for the IDS and oinkmaster are located.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 298ef5bafa8242fedf8b95ba8d8ad23e0c4c05b1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jul 26 15:56:47 2018 +0200
IDS: Move rulepath declaration to ids-functions.pl
This will help if the path ever changed. Also remove hard coded rulepath from oinkmaster call.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9d18656ba7dd1bf98d5cd41423c8e44d355f1c25 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jul 26 15:51:15 2018 +0200
ids.cgi: Rename snortrules hash to idsrules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit fdfd8913ab5da218c9c5303f67bb5b707da8ee30 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 14:08:29 2018 +0100
ids.cgi: Drop code which is detecting if oinkmaster is running
This code is no longer required and therefore can be dropped.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 27760092c0a4973a92e1dcea8544866ae29d37da Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 14:03:08 2018 +0100
ids.cgi: Reimplement function to lock page and show working notice
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit eb5592c1ce15d579072689a7121ffbd87b3f22be Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 14:01:50 2018 +0100
ids-functions.pl: Also log errors to syslog
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0e40e1e772b2f29e71df807f9cb07098b0d23034 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 14:00:57 2018 +0100
ids-functions.pl: Use pure perl to log oinkmaster result to syslog
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 77910792754776c740ddd415d4737340052a4d91 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 12:14:06 2018 +0100
ids-functions.pl: Make variables globally accessible
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 3983aebdec7489ca0ce36956307a822ecdc820fd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 10:20:23 2018 +0100
ids.cgi: Rework CGI logic to download a new ruleset
* Drop function to show a notice about snort is working.
* Introduce the log_error function which is responsible for log any error messages. Currently it writes it to a temporary file, which will be read by the WUI, the message will be displayed and the temporary file will be released again.
* Introduce a tiny function to easily perform a reload of the generated webpage.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a69b96d2002c14d3fe65dcf90f9731a9c631b624 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 10:15:39 2018 +0100
ids.cgi: Use tarball information from ids-functions.pl
Directly use the value from the ids-functions.pl for the location and filename of the tarball which includes the snort ruleset.
This will save to declare this information twice and prevents from any failures if the location of filename ever changes.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ad1d8a8accc454e0bf36e93fa9b6c5890ccc5024 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 09:00:03 2018 +0100
ids.cgi: Drop dirty hook for updating the ruleset
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 25f5cb0d4b4a6c2418c219d975eb95e393b4e9af Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 08:58:18 2018 +0100
ids.cgi: Move function to call oinkmaster to ids-functions.pl
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit eea2670b39ee6ba804d534e95b03d27059e45468 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 08:52:21 2018 +0100
ids.cgi: Move downloader code to ids-functions.pl
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 59052432f4cc108631a9b264f2f48aaf6ea76873 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 08:20:50 2018 +0100
ids.cgi: Use ids-functions.pl for checking available disk space
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8dcebe5342c261eac9f7436ff382ac71d4890eca Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Feb 14 08:18:15 2018 +0100
IDS: Introduce ids-functions.pl.
This library will contain a set of functions used by the IDS CGI script and the planned update script for auto-updating the snort ruleset.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c724524e2e9a0a5498ca7e29db8d1ec80a2a73af Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Feb 12 15:38:25 2018 +0100
ids.cgi: Drop loading of File::Copy module.
This is not required at any time by the script.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c77bd4923503e58fc2429ffed5e377132394e7a4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 19 11:57:19 2017 +0100
logs.cgi/log.dat: Add support for oinkmaster
This will allow to display the logged output of oinkmaster via the webinterface.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1504a375179cecc182dd40b8a5324eb2c1320ada Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 19 11:56:04 2017 +0100
ids.cgi: Rework snort configuration area
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a6edfcbd9b762832939209e538e31e79c0d32b65 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Dec 17 19:10:21 2017 +0100
ids.cgi: Pipe the oinkmaster output to the logger binary
This will allow anybody to access the log of oinkmaster and get detailed information about any changes which have been done on the ruleset.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 43263ea68ecbd2bddfc84b3cee64ffc0aa9911e5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Dec 17 19:08:25 2017 +0100
ids.cgi: Rework downloader for rulesets
Doing the rules download in pure perl instead of using the external wget.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e524290c9cd90a6d95475f2738bcb65d990cfbd0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Dec 14 08:31:41 2017 +0100
ids.cgi: Drop old control code
The control files are no longer required, because the initscript uses the settings file to determine if snort should be started and bound to which interfaces.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c6bcdda1af86f803e980947aa66490f277b791d9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 15:06:42 2017 +0100
snort: Introduce ruleset-sources.list
This file contains the ruleset vendors and download urls and will be used by the ids.cgi.
If an url or filename changes, we easily can adjust this file. In most cases this will be needed when performing a snort update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9f5247f60cc66716de0b5b8bd14e0de118763fb5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 14:53:51 2017 +0100
general-functions.pl: readhash() Add code to handle optional comments in files
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ef5171ab7175d381a11f196de4e18b7e8af769e2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 14:50:12 2017 +0100
ids.cgi: Call oinkmaster without a log target
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit afe26a0586678f59e25a2a4ae1877737da064bfd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 14:45:27 2017 +0100
ids.cgi: Introduce ruleset-source.list
This new file will contain the vendor information and url for downloading their ruleset. In future if the download location or filename changes, we only need to adjust this one file and ship it via a core update.
Also extend the downloadrulesfile to be able to directly call the subfunction.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a232b58ca78648f60f19b2464395c93cfc046b78 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 14:40:47 2017 +0100
ids.cgi: Adjust code for saving snort settings
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8f22237bebe2d3880b27c671c173ffcf79040ed2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 11:53:44 2017 +0100
ids.cgi: Remove logfile after wget has successfully downloaded the ruleset
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 500c5c55d0db331fe9b16afcdaedd9c5d218b327 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 11:51:08 2017 +0100
ids.cgi: Rework code which shows if oinkmaster is working
Move the code for displaying a notice that snort currently is working into an own subfunction which will be called if oinkmaster currently is started.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit aa12410222aef6afa63a03a7eb74512bf92daad4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 11:50:01 2017 +0100
ids.cgi: Drop old code for debugging purposes
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c51a044a2a93042605fc599eaccf69f49fa7bc87 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 13 11:46:40 2017 +0100
ids.cgi: Add check when altering the ruleset
Add a check if the currently processing sid is numeric, otherwise skip it.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 525998650ab51df74317f362ccb1382870af4bbb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 12 20:24:50 2017 +0100
ids.cgi: Rework code for downloading/updating the ruleset
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 56dacb580e16210837ba55648ddfc9e18b860f02 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 12 20:24:11 2017 +0100
ids.cgi: Move call of oinkmaster to an own subfunction
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 376595057ba05eea8d9c6337d390374dec7749e0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 12 20:16:26 2017 +0100
ids.cgi: Always write config files for enabled/disabled rule files
If a single sid has been activated and then disabled without doing any other ruleset modifications only one of the oinkmaster files for enabled / disabled rules has been modified.
In this case it was possible, that the same sid, was part of the file for enabled rules and part of the file for disabled rules at the same time.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 466c67794b207f327a4b7478ce6f2c9c194df45f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 12 20:15:00 2017 +0100
ids.cgi: Process enabled rulefiles in an own loop
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 603334734a0199f6d4558e70ef859fe86fe243d6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 12 20:12:38 2017 +0100
ids.cgi: Drop enabled/disabled rules from cgiparams hash
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b65b5ef3775cc724da41a47b5285b7057a2250fd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Dec 12 20:10:17 2017 +0100
ids.cgi: Drop enabled rulefile from cgiparams hash after processing
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e573807983b0acf911dc688ae06bb5d7b2b7714b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 11 14:22:07 2017 +0100
ids.cgi: Re-add code for enable/disable rulefiles
The enabled rulefiles (rule categories) now will be added to an own file, which will be included by the snort main config file.
This will allow us to update snort and push the new main config file without losing the activated rulesets anymore.
* Introducing snort-used-rulefiles.conf
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0b89daee931885a9c34548009a556299d8adc62a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 11 08:46:18 2017 +0100
ids.cgi: Code cleanup
* Drop a lot of unused variables and code.
* Re-ordering some code parts.
* Add a lot of comments.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 298723b9db481a07056377278a501d4a643c7a93 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Dec 11 08:33:36 2017 +0100
ids.cgi: Re-add code to save the ruleset.
The manually enabled or disabled rules by the user now will be written to own config files, which will be used by oinkmaster to keep these rules in the same state after a rules update has been performed.
In short words, if you adjust your ruleset, the changes will not be lost again if you perform an update of your ruleset.
* Grabbing and storing the cgi values now in an own hash (%cgiparams)
* Introducing oinkmaster config files for enabled and disabled rules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0b568bb9650bfe9200d45d7a57b500747e37a73f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Dec 10 10:36:07 2017 +0100
ids.cgi: Drop unused css code
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 177266446a3c9a9c63dbd4bd1af032339003ab3d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Dec 10 10:07:41 2017 +0100
ids.cgi: Rework code for displaying the single rules
The complete ruleset will be grouped as categories by its corresponding rulefile and printed in hidden tables.
They easily can be displayed by clicking on the show link and vice-versa.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f7fcd1c020f0eaaacf9068182e9f64750ccf7ea7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 6 11:44:30 2017 +0100
ids.cgi: Always display ruleset
Display the rule categories any time and do not hide them if no instance of snort is running.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e3ab140634f8769399b258b8391ec58ec9035c1b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 6 11:19:42 2017 +0100
ids.cgi: Remove comment lines for snort rules control
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 3da6e01bcf1aefd1e495f64d251d0e39a94a4fdc Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Dec 6 09:51:46 2017 +0100
ids.cgi: Refactor reading-in rule files.
Move the code for reading and parsing the snort rule files into an own subfunction.
* Drop code for reading in and modifying the snort main config file.
* Rework code for parsing and adding the snort rules to the snortrules hash.
* Drop code for gathering a description for the rule files, which does not because of a file layout change and sadly there is no suitable description shipped anymore by the snort team.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a70d269a9ad8ed8ee14f0d1de6426bf936750a3f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Dec 2 15:31:19 2017 +0100
ids.cgi: Move function to end of file
Move the function for doing the page refresh stuff to the end of the file and do some layout changes for better reading the code.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 422204ff08af8f1932e57bace8125baa149329a7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Dec 2 15:24:12 2017 +0100
ids.cgi: Use pure perl for directory listing
Use pure perl for getting the filelist of available rule files instead of using a sub-shell and unix commands.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit fbd430172f49cb746975f5543c4e184748537b4e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Dec 2 15:17:49 2017 +0100
ids.cgi: Drop old code for uploading a ruleset
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ca745a2978aadad52a487a7c6a1a8dcb8464aab3 Merge: b5ea63f85 4e4c122c5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Jul 21 14:14:53 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit b5ea63f85c7d2ff107cd5f1cf985e98e75a84efe Merge: fb22c9ffd 6a7e6b449 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jul 19 18:10:23 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit fb22c9ffd990eebee3249a3cbc2a6c8695b811b7 Merge: b56b67330 9aefd1ed0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Jul 8 08:34:37 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit b56b67330ce0927af61c38e1d02284154f912dda Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 27 19:38:41 2018 +0200
guardian: Update to 2.0.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6d1ebd1d4323984108c2682d84fe07e54f647061 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 27 19:36:28 2018 +0200
guardian.cgi: Remove support for owncloud
Owncloud as an addon has been dropped for IPFire. As a result of this, we do not need this code anymore.
Fixes #11572.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 74c193f266e9660c822bfc5e86d050d35539bab6 Merge: 5776b677d bc91a6628 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Jun 27 19:33:43 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 5776b677db10ad18aa9972b49900addaa8bf44ba Merge: 6600eeac4 f574f9ea0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Nov 14 19:17:23 2017 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 6600eeac49362964f6813c8c106aa68d6afe3d0e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jun 8 14:13:24 2017 +0200
guardian: Bump package version.
During commit d68ead3decfdcc4ca4a1413e33f3c47270799836 the guardian.cgi has been changed, and therefore the package version of guardian needs to be bumped to ship the changed files.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 31313db780f894cdadd74dc4973e0fd6a22a4659 Merge: 5f9fb7a8f 357b8c141 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jun 8 14:03:56 2017 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 5f9fb7a8f6fb4109a6bc451aaf5b8aea74c12892 Merge: f707295a8 c6bc0fb03 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Nov 11 07:44:38 2016 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit f707295a85f820405a21a25a25c86c00e030ddb4 Merge: 197033fab f95b8b9f7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Nov 2 10:00:00 2016 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 197033fab234d4698b097fdb1b653b8ae39b1aae Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Oct 28 15:35:53 2016 +0200
Add DDNS to core 107.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f2956cf42f04c7d6dcd5379b00ee779434a27d44 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Sep 30 10:34:22 2016 +0200
ddns: Import patches for schokokeks.org support.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/backup/backup.pl | 33 +- config/backup/include | 3 + config/backup/includes/dnsdist | 1 + config/backup/includes/haproxy | 1 + config/backup/includes/zabbix_agentd | 2 +- config/cfgroot/general-functions.pl | 4 + config/cfgroot/geoip-functions.pl | 4 +- config/cfgroot/ids-functions.pl | 981 +++++++++++ config/collectd/collectd.conf | 1 - config/etc/group | 2 +- config/etc/logrotate.conf | 8 +- config/etc/passwd | 2 +- config/etc/syslog.conf | 2 +- config/kernel/kernel.config.aarch64-ipfire | 25 +- .../kernel/kernel.config.armv5tel-ipfire-kirkwood | 27 +- config/kernel/kernel.config.armv5tel-ipfire-multi | 26 +- config/kernel/kernel.config.i586-ipfire | 26 +- config/kernel/kernel.config.i586-ipfire-pae | 26 +- config/kernel/kernel.config.x86_64-ipfire | 36 +- config/menu/40-services.menu | 5 - config/menu/50-firewall.menu | 13 +- config/oinkmaster/oinkmaster.conf | 432 +++++ config/rootfiles/common/aarch64/initscripts | 8 +- config/rootfiles/common/aarch64/linux | 1 - config/rootfiles/common/aarch64/stage2 | 1 + config/rootfiles/common/armv5tel/initscripts | 8 +- config/rootfiles/common/armv5tel/linux-multi | 1 - config/rootfiles/common/configroot | 6 +- config/rootfiles/common/daq | 33 - config/rootfiles/common/gnutls | 101 +- config/rootfiles/common/i586/initscripts | 8 +- config/rootfiles/common/i586/linux | 1 - config/rootfiles/common/ids-ruleset-sources | 1 + config/rootfiles/common/libcap-ng | 44 + config/rootfiles/common/libhtp | 22 + config/rootfiles/common/misc-progs | 2 +- config/rootfiles/common/nettle | 8 +- config/rootfiles/common/oinkmaster | 2 +- config/rootfiles/common/rrdtool | 205 +-- config/rootfiles/common/snort | 235 --- config/rootfiles/common/stage2 | 1 + config/rootfiles/common/suricata | 23 + config/rootfiles/common/unbound | 2 +- config/rootfiles/common/wireless-regdb | 5 +- config/rootfiles/common/x86_64/initscripts | 8 +- config/rootfiles/common/x86_64/linux | 1 - config/rootfiles/common/x86_64/stage2 | 1 + 
config/rootfiles/common/yaml | 6 + config/rootfiles/core/{129 => 131}/exclude | 0 .../core/{130 => 131}/filelists/Net_SSLeay | 0 .../124 => core/131}/filelists/aarch64/linux | 0 .../131}/filelists/aarch64/linux-initrd | 0 .../rootfiles/core/{130 => 131}/filelists/apache2 | 0 .../131}/filelists/armv5tel/linux-initrd-kirkwood | 0 .../131}/filelists/armv5tel/linux-initrd-multi | 0 .../131}/filelists/armv5tel/linux-kirkwood | 0 .../131}/filelists/armv5tel/linux-multi | 0 .../{oldcore/125 => core/131}/filelists/collectd | 0 config/rootfiles/core/131/filelists/files | 37 + .../{oldcore/110 => core/131}/filelists/gnutls | 0 .../{oldcore/100 => core/131}/filelists/i586/linux | 0 .../100 => core/131}/filelists/i586/linux-initrd | 0 .../core/131/filelists/ids-ruleset-sources | 1 + config/rootfiles/core/131/filelists/libcap-ng | 1 + config/rootfiles/core/131/filelists/libhtp | 1 + .../{oldcore/100 => core/131}/filelists/lua | 0 .../{oldcore/101 => core/131}/filelists/nettle | 0 .../{oldcore/100 => core/131}/filelists/ntp | 0 .../{oldcore/71 => core/131}/filelists/oinkmaster | 0 .../{oldcore/111 => core/131}/filelists/rrdtool | 0 .../{oldcore/119 => core/131}/filelists/setup | 0 config/rootfiles/core/131/filelists/suricata | 1 + .../rootfiles/core/{129 => 131}/filelists/unbound | 0 config/rootfiles/core/{130 => 131}/filelists/wget | 0 .../51 => core/131}/filelists/wireless-regdb | 0 .../100 => core/131}/filelists/x86_64/linux | 0 .../100 => core/131}/filelists/x86_64/linux-initrd | 0 config/rootfiles/core/131/filelists/yaml | 1 + config/rootfiles/core/131/update.sh | 188 +++ config/rootfiles/{core/130 => oldcore/129}/exclude | 0 .../{core => oldcore}/129/filelists/aarch64/u-boot | 0 .../129/filelists/armv5tel/u-boot | 0 .../rootfiles/{core => oldcore}/129/filelists/bind | 0 .../{core => oldcore}/129/filelists/files | 0 .../{core => oldcore}/129/filelists/groff | 0 .../129/filelists/i586/openssl-sse2 | 0 .../{core => oldcore}/129/filelists/ipset | 0 .../rootfiles/{core => 
oldcore}/129/filelists/knot | 0 .../rootfiles/{core => oldcore}/129/filelists/less | 0 .../{core => oldcore}/129/filelists/libgcrypt | 0 .../{core => oldcore}/129/filelists/openssl | 0 .../{core => oldcore}/129/filelists/openvpn | 0 .../{core => oldcore}/129/filelists/squid | 0 .../{core => oldcore}/129/filelists/strongswan | 0 .../rootfiles/{core => oldcore}/129/filelists/tar | 0 .../{core => oldcore}/129/filelists/unbound | 0 .../{core => oldcore}/129/filelists/wpa_supplicant | 0 config/rootfiles/{core => oldcore}/129/update.sh | 0 config/rootfiles/{core/129 => oldcore/130}/exclude | 0 .../{core => oldcore}/130/filelists/Net_SSLeay | 0 .../{core => oldcore}/130/filelists/apache2 | 0 .../{core => oldcore}/130/filelists/files | 0 .../{core => oldcore}/130/filelists/strongswan | 0 .../rootfiles/{core => oldcore}/130/filelists/wget | 0 config/rootfiles/{core => oldcore}/130/update.sh | 0 config/rootfiles/packages/armv5tel/borgbackup | 95 +- .../rootfiles/packages/{ => armv5tel}/python3-yaml | 1 + config/rootfiles/packages/borgbackup | 95 +- config/rootfiles/packages/dnsdist | 3 +- config/rootfiles/packages/firmware-update | 1 + config/rootfiles/packages/flashrom | 2 + config/rootfiles/packages/freeradius | 22 +- config/rootfiles/packages/i586/borgbackup | 95 +- config/rootfiles/packages/{ => i586}/python3-yaml | 1 + config/rootfiles/packages/linux-pae | 1 - config/rootfiles/packages/nginx | 6 +- config/rootfiles/packages/pcengines-apu-firmware | 7 + config/rootfiles/packages/python3-yaml | 1 + config/rootfiles/packages/zabbix_agentd | 2 +- config/snort/snort.conf | 524 ------ config/suricata/convert-snort | 326 ++++ config/suricata/ruleset-sources | 15 + config/suricata/suricata.yaml | 738 +++++++++ config/udev/network-hotplug-rename | 2 +- config/unbound/unbound-dhcp-leases-bridge | 8 +- doc/language_issues.de | 11 +- doc/language_issues.en | 59 +- doc/language_issues.es | 43 +- doc/language_issues.fr | 37 +- doc/language_issues.it | 43 +- doc/language_issues.nl | 
43 +- doc/language_issues.pl | 43 +- doc/language_issues.ru | 43 +- doc/language_issues.tr | 37 +- doc/language_missings | 207 +++ html/cgi-bin/aliases.cgi | 26 + html/cgi-bin/credits.cgi | 8 +- html/cgi-bin/dnsforward.cgi | 6 +- html/cgi-bin/hosts.cgi | 52 +- html/cgi-bin/ids.cgi | 1728 ++++++++++++++------ html/cgi-bin/logs.cgi/ids.dat | 43 +- html/cgi-bin/logs.cgi/log.dat | 6 +- html/cgi-bin/ovpnmain.cgi | 5 +- html/cgi-bin/remote.cgi | 11 +- html/cgi-bin/services.cgi | 43 +- html/cgi-bin/vpnmain.cgi | 4 + html/cgi-bin/wlanap.cgi | 15 + langs/de/cgi-bin/de.pl | 52 +- langs/en/cgi-bin/en.pl | 62 +- langs/es/cgi-bin/es.pl | 4 +- langs/fr/cgi-bin/fr.pl | 4 +- langs/it/cgi-bin/it.pl | 4 +- langs/nl/cgi-bin/nl.pl | 4 +- langs/pl/cgi-bin/pl.pl | 4 +- langs/ru/cgi-bin/ru.pl | 4 +- langs/tr/cgi-bin/tr.pl | 6 +- lfs/borgbackup | 6 +- lfs/configroot | 8 +- lfs/dnsdist | 20 +- lfs/{daq => firmware-update} | 20 +- lfs/{nettle => flashrom} | 24 +- lfs/freeradius | 19 +- lfs/gnutls | 9 +- lfs/haproxy | 2 +- lfs/hostapd | 2 +- lfs/{wireless-regdb => ids-ruleset-sources} | 45 +- lfs/initscripts | 6 +- lfs/{daq => libcap-ng} | 13 +- lfs/{daq => libhtp} | 15 +- lfs/linux | 12 +- lfs/lua | 11 +- lfs/nettle | 6 +- lfs/nginx | 10 +- lfs/ntp | 6 +- lfs/nut | 2 +- lfs/oinkmaster | 5 +- lfs/{dnsdist => pcengines-apu-firmware} | 49 +- lfs/postfix | 6 +- lfs/rrdtool | 7 +- lfs/snort | 105 -- lfs/{rrdtool => suricata} | 55 +- lfs/tor | 6 +- lfs/unbound | 6 +- lfs/wireless-regdb | 6 +- lfs/{daq => yaml} | 12 +- lfs/zabbix_agentd | 8 +- make.sh | 16 +- src/initscripts/networking/red.up/23-suricata | 33 + src/initscripts/packages/dnsdist | 3 +- src/initscripts/packages/tor | 4 + src/initscripts/system/collectd | 5 + src/initscripts/system/firewall | 10 +- src/initscripts/system/snort | 146 -- src/initscripts/system/suricata | 174 ++ src/initscripts/system/unbound | 31 +- src/installer/po/fr.po | 95 +- src/misc-progs/Makefile | 2 +- src/misc-progs/snortctrl.c | 38 - src/misc-progs/sshctrl.c | 
9 +- src/misc-progs/suricatactrl.c | 54 + src/pakfire/pakfire.conf | 2 +- src/paks/{tor => dnsdist}/install.sh | 12 +- .../update.sh => dnsdist/uninstall.sh} | 12 +- src/paks/{apcupsd => dnsdist}/update.sh | 0 src/paks/tor/install.sh | 15 +- src/paks/zabbix_agentd/update.sh | 5 + src/patches/linux/linux-4.14_ath_user_regd.patch | 71 + .../linux/linux-4.9.8-ath_ignore_eeprom_regd.patch | 39 - .../lua-5.3.5-autotoolize.patch} | 2 +- src/patches/lua/lua-5.3.5-shared_library-1.patch | 61 + .../pakfire.conf => scripts/update-ids-ruleset} | 64 +- src/setup/po/fr.po | 164 +- 212 files changed, 6344 insertions(+), 2450 deletions(-) create mode 100644 config/backup/includes/dnsdist create mode 100644 config/cfgroot/ids-functions.pl create mode 100644 config/oinkmaster/oinkmaster.conf delete mode 100644 config/rootfiles/common/daq create mode 100644 config/rootfiles/common/ids-ruleset-sources create mode 100644 config/rootfiles/common/libcap-ng create mode 100644 config/rootfiles/common/libhtp delete mode 100644 config/rootfiles/common/snort create mode 100644 config/rootfiles/common/suricata create mode 100644 config/rootfiles/common/yaml copy config/rootfiles/core/{129 => 131}/exclude (100%) copy config/rootfiles/core/{130 => 131}/filelists/Net_SSLeay (100%) copy config/rootfiles/{oldcore/124 => core/131}/filelists/aarch64/linux (100%) copy config/rootfiles/{oldcore/124 => core/131}/filelists/aarch64/linux-initrd (100%) copy config/rootfiles/core/{130 => 131}/filelists/apache2 (100%) copy config/rootfiles/{oldcore/121 => core/131}/filelists/armv5tel/linux-initrd-kirkwood (100%) copy config/rootfiles/{oldcore/121 => core/131}/filelists/armv5tel/linux-initrd-multi (100%) copy config/rootfiles/{oldcore/100 => core/131}/filelists/armv5tel/linux-kirkwood (100%) copy config/rootfiles/{oldcore/100 => core/131}/filelists/armv5tel/linux-multi (100%) copy config/rootfiles/{oldcore/125 => core/131}/filelists/collectd (100%) create mode 100644 config/rootfiles/core/131/filelists/files 
copy config/rootfiles/{oldcore/110 => core/131}/filelists/gnutls (100%) copy config/rootfiles/{oldcore/100 => core/131}/filelists/i586/linux (100%) copy config/rootfiles/{oldcore/100 => core/131}/filelists/i586/linux-initrd (100%) create mode 120000 config/rootfiles/core/131/filelists/ids-ruleset-sources create mode 120000 config/rootfiles/core/131/filelists/libcap-ng create mode 120000 config/rootfiles/core/131/filelists/libhtp copy config/rootfiles/{oldcore/100 => core/131}/filelists/lua (100%) copy config/rootfiles/{oldcore/101 => core/131}/filelists/nettle (100%) copy config/rootfiles/{oldcore/100 => core/131}/filelists/ntp (100%) copy config/rootfiles/{oldcore/71 => core/131}/filelists/oinkmaster (100%) copy config/rootfiles/{oldcore/111 => core/131}/filelists/rrdtool (100%) copy config/rootfiles/{oldcore/119 => core/131}/filelists/setup (100%) create mode 120000 config/rootfiles/core/131/filelists/suricata copy config/rootfiles/core/{129 => 131}/filelists/unbound (100%) copy config/rootfiles/core/{130 => 131}/filelists/wget (100%) copy config/rootfiles/{oldcore/51 => core/131}/filelists/wireless-regdb (100%) copy config/rootfiles/{oldcore/100 => core/131}/filelists/x86_64/linux (100%) copy config/rootfiles/{oldcore/100 => core/131}/filelists/x86_64/linux-initrd (100%) create mode 120000 config/rootfiles/core/131/filelists/yaml create mode 100644 config/rootfiles/core/131/update.sh rename config/rootfiles/{core/130 => oldcore/129}/exclude (100%) rename config/rootfiles/{core => oldcore}/129/filelists/aarch64/u-boot (100%) rename config/rootfiles/{core => oldcore}/129/filelists/armv5tel/u-boot (100%) rename config/rootfiles/{core => oldcore}/129/filelists/bind (100%) rename config/rootfiles/{core => oldcore}/129/filelists/files (100%) rename config/rootfiles/{core => oldcore}/129/filelists/groff (100%) rename config/rootfiles/{core => oldcore}/129/filelists/i586/openssl-sse2 (100%) rename config/rootfiles/{core => oldcore}/129/filelists/ipset (100%) rename 
config/rootfiles/{core => oldcore}/129/filelists/knot (100%) rename config/rootfiles/{core => oldcore}/129/filelists/less (100%) rename config/rootfiles/{core => oldcore}/129/filelists/libgcrypt (100%) rename config/rootfiles/{core => oldcore}/129/filelists/openssl (100%) rename config/rootfiles/{core => oldcore}/129/filelists/openvpn (100%) rename config/rootfiles/{core => oldcore}/129/filelists/squid (100%) rename config/rootfiles/{core => oldcore}/129/filelists/strongswan (100%) rename config/rootfiles/{core => oldcore}/129/filelists/tar (100%) rename config/rootfiles/{core => oldcore}/129/filelists/unbound (100%) rename config/rootfiles/{core => oldcore}/129/filelists/wpa_supplicant (100%) rename config/rootfiles/{core => oldcore}/129/update.sh (100%) rename config/rootfiles/{core/129 => oldcore/130}/exclude (100%) rename config/rootfiles/{core => oldcore}/130/filelists/Net_SSLeay (100%) rename config/rootfiles/{core => oldcore}/130/filelists/apache2 (100%) rename config/rootfiles/{core => oldcore}/130/filelists/files (100%) rename config/rootfiles/{core => oldcore}/130/filelists/strongswan (100%) rename config/rootfiles/{core => oldcore}/130/filelists/wget (100%) rename config/rootfiles/{core => oldcore}/130/update.sh (100%) copy config/rootfiles/packages/{ => armv5tel}/python3-yaml (96%) create mode 100644 config/rootfiles/packages/firmware-update create mode 100644 config/rootfiles/packages/flashrom copy config/rootfiles/packages/{ => i586}/python3-yaml (97%) create mode 100644 config/rootfiles/packages/pcengines-apu-firmware delete mode 100644 config/snort/snort.conf create mode 100644 config/suricata/convert-snort create mode 100644 config/suricata/ruleset-sources create mode 100644 config/suricata/suricata.yaml copy lfs/{daq => firmware-update} (87%) copy lfs/{nettle => flashrom} (88%) copy lfs/{wireless-regdb => ids-ruleset-sources} (67%) copy lfs/{daq => libcap-ng} (93%) copy lfs/{daq => libhtp} (90%) copy lfs/{dnsdist => pcengines-apu-firmware} (73%) 
delete mode 100644 lfs/snort copy lfs/{rrdtool => suricata} (72%) rename lfs/{daq => yaml} (93%) create mode 100644 src/initscripts/networking/red.up/23-suricata delete mode 100644 src/initscripts/system/snort create mode 100644 src/initscripts/system/suricata delete mode 100644 src/misc-progs/snortctrl.c create mode 100644 src/misc-progs/suricatactrl.c copy src/paks/{tor => dnsdist}/install.sh (87%) copy src/paks/{zabbix_agentd/update.sh => dnsdist/uninstall.sh} (93%) copy src/paks/{apcupsd => dnsdist}/update.sh (100%) create mode 100644 src/patches/linux/linux-4.14_ath_user_regd.patch delete mode 100644 src/patches/linux/linux-4.9.8-ath_ignore_eeprom_regd.patch rename src/patches/{lua-5.3.0-autotoolize.patch => lua/lua-5.3.5-autotoolize.patch} (99%) create mode 100644 src/patches/lua/lua-5.3.5-shared_library-1.patch copy src/{pakfire/pakfire.conf => scripts/update-ids-ruleset} (51%)
Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 3accbcfff..6ac4e4967 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -129,6 +129,15 @@ restore_backup() { # Convert old OpenVPN CCD files (CN change, Core Update 75) convert-ovpn
+ # Snort to suricata converter. + if [ -d "/var/ipfire/snort" ]; then + # Run converter + convert-snort + + # Remove old configuration directory. + rm -rf "/var/ipfire/snort" + fi + return 0 }
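Review bot: in restore_backup(), the `rm -rf "/var/ipfire/snort"` runs whether or not convert-snort succeeded, so a failed conversion still deletes the old Snort settings that were just restored. Gate the removal on the converter's exit status, for example `if convert-snort; then rm -rf "/var/ipfire/snort"; fi`, and report the failure instead of falling through to `return 0`.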
@@ -167,19 +176,34 @@ main() { local command="${1}" shift
- # Desired backup filename - local filename="/var/ipfire/backup/${NOW}.ipf" - case "${command}" in include) + local filename="${1}" + + if [ -z "${filename}" ]; then + filename="/var/ipfire/backup/${NOW}.ipf" + fi + make_backup "${filename}" $(find_logfiles) ;;
exclude) + local filename="${1}" + + if [ -z "${filename}" ]; then + filename="/var/ipfire/backup/${NOW}.ipf" + fi + make_backup "${filename}" ;;
restore) + local filename="${1}" + + if [ -z "${filename}" ]; then + filename="/tmp/restore.ipf" + fi + restore_backup "/tmp/restore.ipf" ;;
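Review bot: the restore) branch computes `filename` from `${1}` with a fallback, but the call that follows is still `restore_backup "/tmp/restore.ipf"`, so a path given on the command line is ignored and the new variable is dead code. Pass `"${filename}"` to restore_backup. The same five-line default block is now repeated in include), exclude) and restore); a small helper taking the default path as an argument would keep the three branches in step, and since these branches now accept a caller-supplied path it is worth checking that the path is what the caller is allowed to read or write before using it.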
@@ -192,6 +216,9 @@ main() { ;;
iso) + # Desired backup filename + local filename="/var/ipfire/backup/${NOW}.ipf" + if make_backup "${filename}"; then /usr/local/bin/backupiso "${NOW}" & fi diff --git a/config/backup/include b/config/backup/include index 6c7affa20..1190eda81 100644 --- a/config/backup/include +++ b/config/backup/include @@ -46,10 +46,13 @@ /var/ipfire/proxy /var/ipfire/qos/* /var/ipfire/qos/bin/qos.sh +/var/ipfire/suricata/*.conf +/var/ipfire/suricata/*.yaml /var/ipfire/*/settings /var/ipfire/time/ /var/ipfire/urlfilter /var/ipfire/vpn +/var/lib/suricata /var/log/ip-acct/* /var/log/rrd/* /var/log/rrd/collectd diff --git a/config/backup/includes/dnsdist b/config/backup/includes/dnsdist new file mode 100644 index 000000000..8d9b82584 --- /dev/null +++ b/config/backup/includes/dnsdist @@ -0,0 +1 @@ +/etc/dnsdist.conf diff --git a/config/backup/includes/haproxy b/config/backup/includes/haproxy index 4516e18ac..483746808 100644 --- a/config/backup/includes/haproxy +++ b/config/backup/includes/haproxy @@ -1 +1,2 @@ +/etc/haproxy/certs /etc/haproxy/haproxy.cfg diff --git a/config/backup/includes/zabbix_agentd b/config/backup/includes/zabbix_agentd index b410dbe16..cba18d772 100644 --- a/config/backup/includes/zabbix_agentd +++ b/config/backup/includes/zabbix_agentd @@ -1,2 +1,2 @@ -/etc/sudoers.d/zabbix.user +/etc/sudoers.d/zabbix /etc/zabbix_agentd/* diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index e8495e885..04e36969c 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -149,6 +149,10 @@ sub readhash while (<FILE>) { chop; + + # Skip comments. + next if ($_ =~ /^#/); + ($var, $val) = split /=/, $_, 2; if ($var) { diff --git a/config/cfgroot/geoip-functions.pl b/config/cfgroot/geoip-functions.pl index d03503a3f..b2319daaa 100644 --- a/config/cfgroot/geoip-functions.pl +++ b/config/cfgroot/geoip-functions.pl @@ -122,10 +122,10 @@ sub get_full_country_name($) {
# Function to get all available GeoIP locations. sub get_geoip_locations() { - my @locations; + my @locations = ();
# Open the location database. - open(LOCATION, "$geoip_database_dir/$location_database") or die "Could not open $geoip_database_dir/$location_database. $!\n"; + open(LOCATION, "$geoip_database_dir/$location_database") or return @locations;
# Loop through the file. while(my $line = <LOCATION>) { diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl new file mode 100644 index 000000000..5496df1a9 --- /dev/null +++ b/config/cfgroot/ids-functions.pl 
@@ -0,0 +1,981 @@ +#!/usr/bin/perl -w +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2018 IPFire Team info@ipfire.org. # +# # +############################################################################ + +package IDS; + +require '/var/ipfire/general-functions.pl'; + +# Location where all config and settings files are stored. +our $settingsdir = "${General::swroot}/suricata"; + +# File where the used rulefiles are stored. +our $used_rulefiles_file = "$settingsdir/suricata-used-rulefiles.yaml"; + +# File where the addresses of the homenet are stored. +our $homenet_file = "$settingsdir/suricata-homenet.yaml"; + +# File which contains the enabled sids. +our $enabled_sids_file = "$settingsdir/oinkmaster-enabled-sids.conf"; + +# File which contains the disabled sids. +our $disabled_sids_file = "$settingsdir/oinkmaster-disabled-sids.conf"; + +# File which contains wheater the rules should be changed. +our $modify_sids_file = "$settingsdir/oinkmaster-modify-sids.conf"; + +# File which stores the configured IPS settings. +our $ids_settings_file = "$settingsdir/settings"; + +# File which stores the configured rules-settings. 
+our $rules_settings_file = "$settingsdir/rules-settings"; + +# File which stores the configured settings for whitelisted addresses. +our $ignored_file = "$settingsdir/ignored"; + +# Location and name of the tarball which contains the ruleset. +our $rulestarball = "/var/tmp/idsrules.tar.gz"; + +# File to store any errors, which also will be read and displayed by the wui. +our $storederrorfile = "/tmp/ids_storederror"; + +# File to lock the WUI, while the autoupdate script runs. +our $ids_page_lock_file = "/tmp/ids_page_locked"; + +# Location where the rulefiles are stored. +our $rulespath = "/var/lib/suricata"; + +# File which contains the rules to whitelist addresses on suricata. +our $whitelist_file = "$rulespath/whitelist.rules"; + +# File which contains a list of all supported ruleset sources. +# (Sourcefire, Emergingthreads, etc..) +our $rulesetsourcesfile = "$settingsdir/ruleset-sources"; + +# The pidfile of the IDS. +our $idspidfile = "/var/run/suricata.pid"; + +# Location of suricatactrl. +my $suricatactrl = "/usr/local/bin/suricatactrl"; + +# Array with allowed commands of suricatactrl. +my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload', 'fix-rules-dir', 'cron' ); + +# Array with supported cron intervals. +my @cron_intervals = ('off', 'daily', 'weekly' ); + +# +## Function to check and create all IDS related files, if the does not exist. +# +sub check_and_create_filelayout() { + # Check if the files exist and if not, create them. 
+ unless (-f "$enabled_sids_file") { &create_empty_file($enabled_sids_file); } + unless (-f "$disabled_sids_file") { &create_empty_file($disabled_sids_file); } + unless (-f "$modify_sids_file") { &create_empty_file($modify_sids_file); } + unless (-f "$used_rulefiles_file") { &create_empty_file($used_rulefiles_file); } + unless (-f "$ids_settings_file") { &create_empty_file($ids_settings_file); } + unless (-f "$rules_settings_file") { &create_empty_file($rules_settings_file); } + unless (-f "$ignored_file") { &create_empty_file($ignored_file); } + unless (-f "$whitelist_file" ) { &create_empty_file($whitelist_file); } +} + +# +## Function for checking if at least 300MB of free disk space are available +## on the "/var" partition. +# +sub checkdiskspace () { + # Call diskfree to gather the free disk space of /var. + my @df = `/bin/df -B M /var`; + + # Loop through the output. + foreach my $line (@df) { + # Ignore header line. + next if $line =~ m/^Filesystem/; + + # Search for a line with the device information. + if ($line =~ m/dev/ ) { + # Split the line into single pieces. + my @values = split(' ', $line); + my ($filesystem, $blocks, $used, $available, $used_perenctage, $mounted_on) = @values; + + # Check if the available disk space is more than 300MB. + if ($available < 300) { + # Log error to syslog. + &_log_to_syslog("Not enough free disk space on /var. Only $available MB from 300 MB available."); + + # Exit function and return "1" - False. + return 1; + } + } + } + + # Everything okay, return nothing. + return; +} + +# +## This function is responsible for downloading the configured IDS ruleset. +## +## * At first it obtains from the stored rules settings which ruleset should be downloaded. +## * The next step is to get the download locations for all available rulesets. +## * After that, the function will check if an upstream proxy should be used and grab the settings. 
+## * The last step will be to generate the final download url, by obtaining the URL for the desired +## ruleset, add the settings for the upstream proxy and final grab the rules tarball from the server. +# +sub downloadruleset { + # Get rules settings. + my %rulessettings=(); + &General::readhash("$rules_settings_file", %rulessettings); + + # Check if a ruleset has been configured. + unless($rulessettings{'RULES'}) { + # Log that no ruleset has been configured and abort. + &_log_to_syslog("No ruleset source has been configured."); + + # Return "1". + return 1; + } + + # Get all available ruleset locations. + my %rulesetsources=(); + &General::readhash($rulesetsourcesfile, %rulesetsources); + + # Read proxysettings. + my %proxysettings=(); + &General::readhash("${General::swroot}/proxy/settings", %proxysettings); + + # Load required perl module to handle the download. + use LWP::UserAgent; + + # Init the download module. + my $downloader = LWP::UserAgent->new; + + # Set timeout to 10 seconds. + $downloader->timeout(10); + + # Check if an upstream proxy is configured. + if ($proxysettings{'UPSTREAM_PROXY'}) { + my ($peer, $peerport) = (/^(?:[a-zA-Z ]+://)?(?:[A-Za-z0-9_.-]*?(?::[A-Za-z0-9_.-]*?)?@)?([a-zA-Z0-9._-]*?)(?::([0-9]{1,5}))?(?:/.*?)?$/); + my $proxy_url; + + # Check if we got a peer. + if ($peer) { + $proxy_url = "http://"; + + # Check if the proxy requires authentication. + if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { + $proxy_url .= "$proxysettings{'UPSTREAM_USER'}:$proxysettings{'UPSTREAM_PASSWORD'}@"; + } + + # Add proxy server address and port. + $proxy_url .= "$peer:$peerport"; + } else { + # Log error message and break. + &_log_to_syslog("Could not proper configure the proxy server access."); + + # Return "1" - false. + return 1; + } + + # Setup proxy settings. + $downloader->proxy(['http', 'https'], $proxy_url); + } + + # Grab the right url based on the configured vendor. 
+ my $url = $rulesetsources{$rulessettings{'RULES'}}; + + # Check if the vendor requires an oinkcode and add it if needed. + $url =~ s/<oinkcode>/$rulessettings{'OINKCODE'}/g; + + # Abort if no url could be determined for the vendor. + unless ($url) { + # Log error and abort. + &_log_to_syslog("Unable to gather a download URL for the selected ruleset."); + return 1; + } + + # Variable to store the filesize of the remote object. + my $remote_filesize; + + # The sourcfire (snort rules) does not allow to send "HEAD" requests, so skip this check + # for this webserver. + # + # Check if the ruleset source contains "snort.org". + unless ($url =~ /.snort.org/) { + # Pass the requrested url to the downloader. + my $request = HTTP::Request->new(HEAD => $url); + + # Accept the html header. + $request->header('Accept' => 'text/html'); + + # Perform the request and fetch the html header. + my $response = $downloader->request($request); + + # Check if there was any error. + unless ($response->is_success) { + # Obtain error. + my $error = $response->status_line(); + + # Log error message. + &_log_to_syslog("Unable to download the ruleset. ($error)"); + + # Return "1" - false. + return 1; + } + + # Assign the fetched header object. + my $header = $response->headers(); + + # Grab the remote file size from the object and store it in the + # variable. + $remote_filesize = $header->content_length; + } + + # Load perl module to deal with temporary files. + use File::Temp; + + # Generate temporay file name, located in "/var/tmp" and with a suffix of ".tar.gz". + my $tmp = File::Temp->new( SUFFIX => ".tar.gz", DIR => "/var/tmp/", UNLINK => 0 ); + my $tmpfile = $tmp->filename(); + + # Pass the requested url to the downloader. + my $request = HTTP::Request->new(GET => $url); + + # Perform the request and save the output into the tmpfile. + my $response = $downloader->request($request, $tmpfile); + + # Check if there was any error. + unless ($response->is_success) { + # Obtain error. 
+ my $error = $response->content; + + # Log error message. + &_log_to_syslog("Unable to download the ruleset. ($error)"); + + # Return "1" - false. + return 1; + } + + # Load perl stat module. + use File::stat; + + # Perform stat on the tmpfile. + my $stat = stat($tmpfile); + + # Grab the local filesize of the downloaded tarball. + my $local_filesize = $stat->size; + + # Check if both file sizes match. + if (($remote_filesize) && ($remote_filesize ne $local_filesize)) { + # Log error message. + &_log_to_syslog("Unable to completely download the ruleset. "); + &_log_to_syslog("Only got $local_filesize Bytes instead of $remote_filesize Bytes. "); + + # Delete temporary file. + unlink("$tmpfile"); + + # Return "1" - false. + return 1; + } + + # Load file copy module, which contains the move() function. + use File::Copy; + + # Overwrite existing rules tarball with the new downloaded one. + move("$tmpfile", "$rulestarball"); + + # If we got here, everything worked fine. Return nothing. + return; +} + +# +## A tiny wrapper function to call the oinkmaster script. +# +sub oinkmaster () { + # Check if the files in rulesdir have the correct permissions. + &_check_rulesdir_permissions(); + + # Cleanup the rules directory before filling it with the new rulest. + &_cleanup_rulesdir(); + + # Load perl module to talk to the kernel syslog. + use Sys::Syslog qw(:DEFAULT setlogsock); + + # Establish the connection to the syslog service. + openlog('oinkmaster', 'cons,pid', 'user'); + + # Call oinkmaster to generate ruleset. + open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath 2>&1 |") or die "Could not execute oinkmaster $!\n"; + + # Log output of oinkmaster to syslog. + while(<OINKMASTER>) { + # The syslog function works best with an array based input, + # so generate one before passing the message details to syslog. + my @syslog = ("INFO", "$_"); + + # Send the log message. 
+ syslog(@syslog); + } + + # Close the pipe to oinkmaster process. + close(OINKMASTER); + + # Close the log handle. + closelog(); +} + +# +## Function to do all the logging stuff if the downloading or updating of the ruleset fails. +# +sub log_error ($) { + my ($error) = @_; + + # Remove any newline. + chomp($error); + + # Call private function to log the error message to syslog. + &_log_to_syslog($error); + + # Call private function to write/store the error message in the storederrorfile. + &_store_error_message($error); +} + +# +## Function to log a given error message to the kernel syslog. +# +sub _log_to_syslog ($) { + my ($message) = @_; + + # Load perl module to talk to the kernel syslog. + use Sys::Syslog qw(:DEFAULT setlogsock); + + # The syslog function works best with an array based input, + # so generate one before passing the message details to syslog. + my @syslog = ("ERR", "<ERROR> $message"); + + # Establish the connection to the syslog service. + openlog('oinkmaster', 'cons,pid', 'user'); + + # Send the log message. + syslog(@syslog); + + # Close the log handle. + closelog(); +} + +# +## Private function to write a given error message to the storederror file. +# +sub _store_error_message ($) { + my ($message) = @_; + + # Remove any newline. + chomp($message); + + # Open file for writing. + open (ERRORFILE, ">$storederrorfile") or die "Could not write to $storederrorfile. $!\n"; + + # Write error to file. + print ERRORFILE "$message\n"; + + # Close file. + close (ERRORFILE); + + # Set correct ownership for the file. + &set_ownership("$storederrorfile"); +} + +# +## Function to get a list of all available network zones. +# +sub get_available_network_zones () { + # Get netsettings. + my %netsettings = (); + &General::readhash("${General::swroot}/ethernet/settings", %netsettings); + + # Obtain the configuration type from the netsettings hash. 
+ my $config_type = $netsettings{'CONFIG_TYPE'}; + + # Hash which contains the conversation from the config mode + # to the existing network interface names. They are stored like + # an array. + # + # Mode "0" red is a modem and green + # Mode "1" red is a netdev and green + # Mode "2" red, green and orange + # Mode "3" red, green and blue + # Mode "4" red, green, blue, orange + my %config_type_to_interfaces = ( + "0" => [ "red", "green" ], + "1" => [ "red", "green" ], + "2" => [ "red", "green", "orange" ], + "3" => [ "red", "green", "blue" ], + "4" => [ "red", "green", "blue", "orange" ] + ); + + # Obtain and dereference the corresponding network interaces based on the read + # network config type. + my @network_zones = @{ $config_type_to_interfaces{$config_type} }; + + # Return them. + return @network_zones; +} + +# +## Function to check if the IDS is running. +# +sub ids_is_running () { + if(-f $idspidfile) { + # Open PID file for reading. + open(PIDFILE, "$idspidfile") or die "Could not open $idspidfile. $!\n"; + + # Grab the process-id. + my $pid = <PIDFILE>; + + # Close filehandle. + close(PIDFILE); + + # Remove any newline. + chomp($pid); + + # Check if a directory for the process-id exists in proc. + if(-d "/proc/$pid") { + # The IDS daemon is running return the process id. + return $pid; + } + } + + # Return nothing - IDS is not running. + return; +} + +# +## Function to call suricatactrl binary with a given command. +# +sub call_suricatactrl ($) { + # Get called option. + my ($option, $interval) = @_; + + # Loop through the array of supported commands and check if + # the given one is part of it. + foreach my $cmd (@suricatactrl_cmds) { + # Skip current command unless the given one has been found. + next unless($cmd eq $option); + + # Check if the given command is "cron". + if ($option eq "cron") { + # Check if an interval has been given. + if ($interval) { + # Check if the given interval is valid. 
+ foreach my $element (@cron_intervals) { + # Skip current element until the given one has been found. + next unless($element eq $interval); + + # Call the suricatactrl binary and pass the "cron" command + # with the requrested interval. + system("$suricatactrl $option $interval &>/dev/null"); + + # Return "1" - True. + return 1; + } + } + + # If we got here, the given interval is not supported or none has been given. - Return nothing. + return; + } else { + # Call the suricatactrl binary and pass the requrested + # option to it. + system("$suricatactrl $option &>/dev/null"); + + # Return "1" - True. + return 1; + } + } + + # Command not found - return nothing. + return; +} + +# +## Function to create a new empty file. +# +sub create_empty_file($) { + my ($file) = @_; + + # Check if the given file exists. + if(-e $file) { + # Do nothing to prevent from overwriting existing files. + return; + } + + # Open the file for writing. + open(FILE, ">$file") or die "Could not write to $file. $!\n"; + + # Close file handle. + close(FILE); + + # Return true. + return 1; +} + +# +## Private function to check if the file permission of the rulespath are correct. +## If not, call suricatactrl to fix them. +# +sub _check_rulesdir_permissions() { + # Check if the rulepath main directory is writable. + unless (-W $rulespath) { + # If not call suricatctrl to fix it. + &call_suricatactrl("fix-rules-dir"); + } + + # Open snort rules directory and do a directory listing. + opendir(DIR, $rulespath) or die $!; + # Loop through the direcory. + while (my $file = readdir(DIR)) { + # We only want files. + next unless (-f "$rulespath/$file"); + + # Check if the file is writable by the user. + if (-W "$rulespath/$file") { + # Everything is okay - go on to the next file. + next; + } else { + # There are wrong permissions, call suricatactrl to fix it. 
+ &call_suricatactrl("fix-rules-dir"); + } + } +} + +# +## Private function to cleanup the directory which contains +## the IDS rules, before extracting and modifing the new ruleset. +# +sub _cleanup_rulesdir() { + # Open rules directory and do a directory listing. + opendir(DIR, $rulespath) or die $!; + + # Loop through the direcory. + while (my $file = readdir(DIR)) { + # We only want files. + next unless (-f "$rulespath/$file"); + + # Skip element if it has config as file extension. + next if ($file =~ m/.config$/); + + # Delete the current processed file, if not, exit this function + # and return an error message. + unlink("$rulespath/$file") or return "Could not delete $rulespath/$file. $!\n"; + } + + # Return nothing; + return; +} + +# +## Function to generate the file which contains the home net information. +# +sub generate_home_net_file() { + my %netsettings; + + # Read-in network settings. + &General::readhash("${General::swroot}/ethernet/settings", %netsettings); + + # Get available network zones. + my @network_zones = &get_available_network_zones(); + + # Temporary array to store network address and prefix of the configured + # networks. + my @networks; + + # Loop through the array of available network zones. + foreach my $zone (@network_zones) { + # Check if the current processed zone is red. + if($zone eq "red") { + # Grab the IP-address of the red interface. + my $red_address = &get_red_address(); + + # Check if an address has been obtained. + if ($red_address) { + # Generate full network string. + my $red_network = join("/", $red_address, "32"); + + # Add the red network to the array of networks. + push(@networks, $red_network); + } + + # Check if the configured RED_TYPE is static. + if ($netsettings{'RED_TYPE'} eq "STATIC") { + # Get configured and enabled aliases. + my @aliases = &get_aliases(); + + # Loop through the array. + foreach my $alias (@aliases) { + # Add "/32" prefix. 
+ my $network = join("/", $alias, "32"); + + # Add the generated network to the array of networks. + push(@networks, $network); + } + } + # Process remaining network zones. + } else { + # Convert current zone name into upper case. + $zone = uc($zone); + + # Generate key to access the required data from the netsettings hash. + my $zone_netaddress = $zone . "_NETADDRESS"; + my $zone_netmask = $zone . "_NETMASK"; + + # Obtain the settings from the netsettings hash. + my $netaddress = $netsettings{$zone_netaddress}; + my $netmask = $netsettings{$zone_netmask}; + + # Convert the subnetmask into prefix notation. + my $prefix = &Network::convert_netmask2prefix($netmask); + + # Generate full network string. + my $network = join("/", $netaddress,$prefix); + + # Check if the network is valid. + if(&Network::check_subnet($network)) { + # Add the generated network to the array of networks. + push(@networks, $network); + } + } + } + + # Format home net declaration. + my $line = ""["; + + # Loop through the array of networks. + foreach my $network (@networks) { + # Add the network to the line. + $line = "$line" . "$network"; + + # Check if the current network was the last in the array. + if ($network eq $networks[-1]) { + # Close the line. + $line = "$line" . "]""; + } else { + # Add "," for the next network. + $line = "$line" . ","; + } + } + + # Open file to store the addresses of the home net. + open(FILE, ">$homenet_file") or die "Could not open $homenet_file. $!\n"; + + # Print yaml header. + print FILE "%YAML 1.1\n"; + print FILE "---\n\n"; + + # Print notice about autogenerated file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Print the generated and required HOME_NET declaration to the file. + print FILE "HOME_NET:\t$line\n"; + + # Close file handle. + close(FILE); +} + +# +## Function to generate and write the file for used rulefiles. +# +sub write_used_rulefiles_file(@) { + my @files = @_; + + # Open file for used rulefiles. 
+ open (FILE, ">$used_rulefiles_file") or die "Could not write to $used_rulefiles_file. $!\n"; + + # Write yaml header to the file. + print FILE "%YAML 1.1\n"; + print FILE "---\n\n"; + + # Write header to file. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Allways use the whitelist. + print FILE " - whitelist.rules\n"; + + # Loop through the array of given files. + foreach my $file (@files) { + # Check if the given filename exists and write it to the file of used rulefiles. + if(-f "$rulespath/$file") { + print FILE " - $file\n"; + } + } + + # Close file after writing. + close(FILE); +} + +# +## Function to generate and write the file for modify the ruleset. +# +sub write_modify_sids_file($) { + my ($ruleaction) = @_; + + # Open modify sid's file for writing. + open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n"; + + # Write file header. + print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Tune rules to monitor in both directions. + print FILE "modifysid * "->" | "<>"\n"; + + # Check if the traffic only should be monitored. + unless($ruleaction eq "alert") { + # Tell oinkmaster to switch all rules from alert to drop. + print FILE "modifysid * "alert" | "drop"\n"; + } + + # Close file handle. + close(FILE); +} + +# +## Function to gather the version of suricata. +# +sub get_suricata_version($) { + my ($format) = @_; + + # Execute piped suricata command and return the version information. + open(SURICATA, "suricata -V |") or die "Couldn't execute program: $!"; + + # Grab and store the output of the piped program. + my $version_string = <SURICATA>; + + # Close pipe. + close(SURICATA); + + # Remove newlines. + chomp($version_string); + + # Grab the version from the version string. + $version_string =~ /([0-9]+([.][0-9]+)+)/; + + # Splitt the version into single chunks. 
+ my ($major_ver, $minor_ver, $patchlevel) = split(/./, $1); + + # Check and return the requested version sheme. + if ($format eq "major") { + # Return the full version. + return "$major_ver"; + } elsif ($format eq "minor") { + # Return the major and minor part. + return "$major_ver.$minor_ver"; + } else { + # Return the full version string. + return "$major_ver.$minor_ver.$patchlevel"; + } +} + +# +## Function to generate the rules file with whitelisted addresses. +# +sub generate_ignore_file() { + my %ignored = (); + + # SID range 1000000-1999999 Reserved for Local Use + # Put your custom rules in this range to avoid conflicts + my $sid = 1500000; + + # Read-in ignoredfile. + &General::readhasharray($IDS::ignored_file, %ignored); + + # Open ignorefile for writing. + open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n"; + + # Config file header. + print FILE "# Autogenerated file.\n"; + print FILE "# All user modifications will be overwritten.\n\n"; + + # Add all user defined addresses to the whitelist. + # + # Check if the hash contains any elements. + if (keys (%ignored)) { + # Loop through the entire hash and write the host/network + # and remark to the ignore file. + while ( (my $key) = each %ignored) { + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the status of the entry is "enabled". + if ($status eq "enabled") { + # Check if the address/network is valid. + if ((&General::validip($address)) || (&General::validipandmask($address))) { + # Write rule line to the file to pass any traffic from this IP + print FILE "pass ip $address any -> any any (msg:"pass all traffic from/to $address"; sid:$sid;)\n"; + + # Increment sid. + $sid++; + } + } + } + } + + close(FILE); +} + +# +## Function to set correct ownership for single files and directories. +# + +sub set_ownership($) { + my ($target) = @_; + + # User and group of the WUI. 
+ my $uname = "nobody"; + my $grname = "nobody"; + + # The chown function implemented in perl requies the user and group as nummeric id's. + my $uid = getpwnam($uname); + my $gid = getgrnam($grname); + + # Check if the given target exists. + unless ($target) { + # Stop the script and print error message. + die "The $target does not exist. Cannot change the ownership!\n"; + } + + # Check weather the target is a file or directory. + if (-f $target) { + # Change ownership ot the single file. + chown($uid, $gid, "$target"); + } elsif (-d $target) { + # Do a directory listing. + opendir(DIR, $target) or die $!; + # Loop through the direcory. + while (my $file = readdir(DIR)) { + + # We only want files. + next unless (-f "$target/$file"); + + # Set correct ownership for the files. + chown($uid, $gid, "$target/$file"); + } + + closedir(DIR); + + # Change ownership of the directory. + chown($uid, $gid, "$target"); + } +} + +# +## Function to read-in the aliases file and returns all configured and enabled aliases. +# +sub get_aliases() { + # Location of the aliases file. + my $aliases_file = "${General::swroot}/ethernet/aliases"; + + # Array to store the aliases. + my @aliases; + + # Check if the file is empty. + if (-z $aliases_file) { + # Abort nothing to do. + return; + } + + # Open the aliases file. + open(ALIASES, $aliases_file) or die "Could not open $aliases_file. $!\n"; + + # Loop through the file content. + while (my $line = <ALIASES>) { + # Remove newlines. + chomp($line); + + # Splitt line content into single chunks. + my ($address, $state, $remark) = split(/,/, $line); + + # Check if the state of the current processed alias is "on". + if ($state eq "on") { + # Check if the address is valid. + if(&Network::check_ip_address($address)) { + # Add the alias to the array of aliases. + push(@aliases, $address); + } + } + } + + # Close file handle. + close(ALIASES); + + # Return the array. 
+ return @aliases; +} + +# +## Function to grab the current assigned IP-address on red. +# +sub get_red_address() { + # File, which contains the current IP-address of the red interface. + my $file = "${General::swroot}/red/local-ipaddress"; + + # Check if the file exists. + if (-e $file) { + # Open the given file. + open(FILE, "$file") or die "Could not open $file."; + + # Obtain the address from the first line of the file. + my $address = <FILE>; + + # Close filehandle + close(FILE); + + # Remove newlines. + chomp $address; + + # Check if the grabbed address is valid. + if (&General::validip($address)) { + # Return the address. + return $address; + } + } + + # Return nothing. + return; +} + +# +## Function to write the lock file for locking the WUI, while +## the autoupdate script runs. +# +sub lock_ids_page() { + # Call subfunction to create the file. + &create_empty_file($ids_page_lock_file); +} + +# +## Function to release the lock of the WUI, again. +# +sub unlock_ids_page() { + # Delete lock file. + unlink($ids_page_lock_file); +} + +1; diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index aea72fc3f..e336a9d3f 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -71,7 +71,6 @@ include "/etc/collectd.precache" Process "squid" Process "squidguard" Process "charon" - Process "snort" Process "openvpn" Process "qemu" Process "rtorrent" diff --git a/config/etc/group b/config/etc/group index 5b84eca92..4855214be 100644 --- a/config/etc/group +++ b/config/etc/group @@ -26,7 +26,7 @@ pcap:x:77: wbpriv:x:88:squid nobody:x:99: users:x:100: -snort:x:101: +suricata:x:101: logwatch:x:102: cron:x:104: syslogd:x:105: diff --git a/config/etc/logrotate.conf b/config/etc/logrotate.conf index d38570de5..f15ee92c3 100644 --- a/config/etc/logrotate.conf +++ b/config/etc/logrotate.conf @@ -28,16 +28,16 @@ include /etc/logrotate.d endscript }
-/var/log/snort/alert { +/var/log/suricata/*.log { weekly copytruncate compress ifempty missingok postrotate - /bin/find /var/log/snort -path '/var/log/snort/[0-9]*' -prune -exec /bin/rm -rf {} ; - /bin/find /var/log/snort -name 'snort.log.*' -mtime +28 -exec /bin/rm -rf {} ; - /etc/init.d/snort restart + /bin/find /var/log/suricata -path '/var/log/suricata/[0-9]*' -prune -exec /bin/rm -rf {} ; + /bin/find /var/log/suricata -name 'fast.log.*' -mtime +28 -exec /bin/rm -rf {} ; + /bin/kill -HUP `cat /var/run/suricata.pid 2> /dev/null` 2> /dev/null || true endscript }
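Review bot: the stanza now matches the glob `/var/log/suricata/*.log` but has no `sharedscripts`, so logrotate runs the `postrotate` block once per rotated file, repeating both `find` sweeps and the `kill -HUP` each time. Add `sharedscripts` so they run once per rotation. The second `find` only ages out `fast.log.*`, so rotated copies of any other file the glob matches are left to logrotate's own rotate setting, which this hunk does not show; either widen the `-name` pattern or state which logs are expected here. The `-path '/var/log/suricata/[0-9]*' -prune -exec /bin/rm -rf` sweep is carried over unchanged from the snort stanza and needs a comment saying what it is meant to delete under the new directory.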
diff --git a/config/etc/passwd b/config/etc/passwd index 7c0f7dffa..7893b43c9 100644 --- a/config/etc/passwd +++ b/config/etc/passwd @@ -10,7 +10,7 @@ stunnel:x:51:51:stunnel Daemon:/var/lib/stunnel:/bin/false sshd:x:74:74:sshd:/var/empty:/bin/false nobody:x:99:99:Nobody:/home/nobody:/bin/false postfix:x:100:100::/var/spool/postfix:/bin/false -snort:x:101:101:ftp:/var/log/snort:/bin/false +suricata:x:101:101:Suricata:/var/log/suricata:/bin/false logwatch:x:102:102::/var/log/logwatch:/bin/false cron:x:104:104::/:/bin/false syslogd:x:105:105:/var/empty:/bin/false diff --git a/config/etc/syslog.conf b/config/etc/syslog.conf index d5f525a0e..b2b548969 100644 --- a/config/etc/syslog.conf +++ b/config/etc/syslog.conf @@ -5,7 +5,7 @@ # Log anything (except mail) of level info or higher. # Don't log private authentication messages! # local0.* any dhcpcd log (even debug) in messages -cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.* -/var/log/messages +cron.none;daemon.*;local0.*;local2.*;local5.*;*.info;mail.none;authpriv.* -/var/log/messages
# Log crons #cron.* -/var/log/cron.log diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 38c547c0b..9dc7ad18d 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 4.14.97-ipfire Kernel Configuration +# Linux/arm64 4.14.112-ipfire Kernel Configuration # CONFIG_ARM64=y CONFIG_64BIT=y @@ -1380,9 +1380,11 @@ CONFIG_WEXT_PROC=y CONFIG_WEXT_SPY=y CONFIG_WEXT_PRIV=y CONFIG_CFG80211=m -# CONFIG_NL80211_TESTMODE is not set +CONFIG_NL80211_TESTMODE=y # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set -# CONFIG_CFG80211_CERTIFICATION_ONUS is not set +CONFIG_CFG80211_CERTIFICATION_ONUS=y +CONFIG_CFG80211_REG_CELLULAR_HINTS=y +CONFIG_CFG80211_REG_RELAX_NO_IR=y CONFIG_CFG80211_DEFAULT_PS=y # CONFIG_CFG80211_DEBUGFS is not set # CONFIG_CFG80211_INTERNAL_REGDB is not set @@ -2421,7 +2423,10 @@ CONFIG_ADM8211=m # CONFIG_RTL8189ES is not set CONFIG_ATH_COMMON=m CONFIG_WLAN_VENDOR_ATH=y -# CONFIG_ATH_DEBUG is not set +CONFIG_ATH_DEBUG=y +# CONFIG_ATH_TRACEPOINTS is not set +CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS=y +CONFIG_ATH_REG_DYNAMIC_USER_CERT_TESTING=y # CONFIG_ATH5K is not set # CONFIG_ATH5K_PCI is not set CONFIG_ATH9K_HW=m @@ -2431,6 +2436,7 @@ CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y CONFIG_ATH9K_AHB=y # CONFIG_ATH9K_DEBUGFS is not set +CONFIG_ATH9K_DFS_CERTIFIED=y # CONFIG_ATH9K_DYNACK is not set # CONFIG_ATH9K_WOW is not set CONFIG_ATH9K_RFKILL=y @@ -2451,9 +2457,10 @@ CONFIG_ATH10K_PCI=m CONFIG_ATH10K_AHB=y CONFIG_ATH10K_SDIO=m CONFIG_ATH10K_USB=m -# CONFIG_ATH10K_DEBUG is not set +CONFIG_ATH10K_DEBUG=y # CONFIG_ATH10K_DEBUGFS is not set # CONFIG_ATH10K_TRACING is not set +CONFIG_ATH10K_DFS_CERTIFIED=y CONFIG_WCN36XX=m # CONFIG_WCN36XX_DEBUGFS is not set CONFIG_WLAN_VENDOR_ATMEL=y 
@@ -2813,6 +2820,7 @@ CONFIG_SERIAL_NONSTANDARD=y CONFIG_N_HDLC=m CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_DEVMEM=y
# @@ -2892,7 +2900,6 @@ CONFIG_HW_RANDOM_OMAP=y CONFIG_HW_RANDOM_VIRTIO=y CONFIG_HW_RANDOM_MESON=y CONFIG_HW_RANDOM_CAVIUM=y -CONFIG_R3964=m # CONFIG_APPLICOM is not set
# @@ -6412,7 +6419,7 @@ CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_VM is not set CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y # CONFIG_DEBUG_VIRTUAL is not set -CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_MEMORY_INIT is not set # CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_HAVE_ARCH_KASAN=y # CONFIG_KASAN is not set @@ -6454,7 +6461,7 @@ CONFIG_STACKTRACE=y # CONFIG_DEBUG_KOBJECT is not set CONFIG_HAVE_DEBUG_BUGVERBOSE=y CONFIG_DEBUG_BUGVERBOSE=y -CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_LIST is not set # CONFIG_DEBUG_PI_LIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set @@ -6557,7 +6564,7 @@ CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y CONFIG_STRICT_DEVMEM=y -# CONFIG_IO_STRICT_DEVMEM is not set +CONFIG_IO_STRICT_DEVMEM=y # CONFIG_ARM64_PTDUMP_CORE is not set # CONFIG_ARM64_PTDUMP_DEBUGFS is not set # CONFIG_PID_IN_CONTEXTIDR is not set diff --git a/config/kernel/kernel.config.armv5tel-ipfire-kirkwood b/config/kernel/kernel.config.armv5tel-ipfire-kirkwood index f596617db..5c6050b91 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-kirkwood +++ b/config/kernel/kernel.config.armv5tel-ipfire-kirkwood @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.14.97-ipfire-kirkwood Kernel Configuration +# Linux/arm 4.14.112-ipfire-kirkwood Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y @@ -1359,9 +1359,11 @@ CONFIG_WEXT_PROC=y CONFIG_WEXT_SPY=y CONFIG_WEXT_PRIV=y CONFIG_CFG80211=m -# CONFIG_NL80211_TESTMODE is not set +CONFIG_NL80211_TESTMODE=y # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set -# CONFIG_CFG80211_CERTIFICATION_ONUS is not set +CONFIG_CFG80211_CERTIFICATION_ONUS=y +CONFIG_CFG80211_REG_CELLULAR_HINTS=y +CONFIG_CFG80211_REG_RELAX_NO_IR=y CONFIG_CFG80211_DEFAULT_PS=y # CONFIG_CFG80211_DEBUGFS is not set # CONFIG_CFG80211_INTERNAL_REGDB is not set 
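Review bot: `CONFIG_NL80211_TESTMODE=y` and `CONFIG_CFG80211_REG_RELAX_NO_IR=y` are switched on together with `CONFIG_CFG80211_CERTIFICATION_ONUS=y`, and nothing visible in the change says why a firewall kernel needs them. CERTIFICATION_ONUS is the gate for the `*_DFS_CERTIFIED` options enabled in the later hunks, so that one is explainable. Testmode, per its Kconfig help, exists for factory calibration and validation tools, and REG_RELAX_NO_IR relaxes no-initiate-radiation handling. Please drop the two that are not required or give the reason in the commit message, since the same three lines are repeated in every architecture's config in this push.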
@@ -2305,11 +2307,15 @@ CONFIG_WLAN_VENDOR_ADMTEK=y # CONFIG_ADM8211 is not set CONFIG_ATH_COMMON=m CONFIG_WLAN_VENDOR_ATH=y -# CONFIG_ATH_DEBUG is not set +CONFIG_ATH_DEBUG=y +# CONFIG_ATH_TRACEPOINTS is not set +CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS=y +CONFIG_ATH_REG_DYNAMIC_USER_CERT_TESTING=y CONFIG_ATH5K=m # CONFIG_ATH5K_DEBUG is not set # CONFIG_ATH5K_TRACER is not set CONFIG_ATH5K_PCI=y +# CONFIG_ATH5K_TEST_CHANNELS is not set CONFIG_ATH9K_HW=m CONFIG_ATH9K_COMMON=m CONFIG_ATH9K_BTCOEX_SUPPORT=y @@ -2317,6 +2323,7 @@ CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y CONFIG_ATH9K_AHB=y # CONFIG_ATH9K_DEBUGFS is not set +CONFIG_ATH9K_DFS_CERTIFIED=y # CONFIG_ATH9K_DYNACK is not set # CONFIG_ATH9K_WOW is not set CONFIG_ATH9K_RFKILL=y @@ -2334,6 +2341,7 @@ CONFIG_ATH6KL=m CONFIG_ATH6KL_USB=m # CONFIG_ATH6KL_DEBUG is not set # CONFIG_ATH6KL_TRACING is not set +# CONFIG_ATH6KL_REGDOMAIN is not set CONFIG_AR5523=m CONFIG_WIL6210=m CONFIG_WIL6210_ISR_COR=y @@ -2344,9 +2352,10 @@ CONFIG_ATH10K_PCI=m CONFIG_ATH10K_AHB=y CONFIG_ATH10K_SDIO=m CONFIG_ATH10K_USB=m -# CONFIG_ATH10K_DEBUG is not set +CONFIG_ATH10K_DEBUG=y # CONFIG_ATH10K_DEBUGFS is not set # CONFIG_ATH10K_TRACING is not set +CONFIG_ATH10K_DFS_CERTIFIED=y CONFIG_WCN36XX=m CONFIG_WCN36XX_DEBUGFS=y CONFIG_WLAN_VENDOR_ATMEL=y @@ -2702,6 +2711,7 @@ CONFIG_SERIAL_NONSTANDARD=y CONFIG_N_HDLC=m CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_DEVMEM=y # CONFIG_DEVKMEM is not set
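Review bot: `CONFIG_LDISC_AUTOLOAD=y` keeps the legacy behaviour where any process that can issue TIOCSETD on a tty makes the kernel load the matching line-discipline module, and the context lines of this hunk show `CONFIG_N_HDLC=m` and `CONFIG_N_GSM=m` built as exactly such modules. For a firewall image, `# CONFIG_LDISC_AUTOLOAD is not set` is the safer default because it limits autoloading to callers with CAP_SYS_MODULE. If a supported setup relies on autoloading, say so in the commit message, or leave the choice to the `dev.tty.ldisc_autoload` sysctl at runtime.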
@@ -2757,7 +2767,6 @@ CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_TIMERIOMEM=m # CONFIG_HW_RANDOM_OMAP is not set # CONFIG_NVRAM is not set -# CONFIG_R3964 is not set # CONFIG_APPLICOM is not set # CONFIG_RAW_DRIVER is not set # CONFIG_TCG_TPM is not set @@ -5833,7 +5842,7 @@ CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_VM is not set CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y # CONFIG_DEBUG_VIRTUAL is not set -CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_MEMORY_INIT is not set # CONFIG_DEBUG_HIGHMEM is not set CONFIG_DEBUG_SHIRQ=y
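Review bot: nothing in the 4.14.97 to 4.14.112 bump in this file's header explains dropping `CONFIG_DEBUG_MEMORY_INIT=y`, so this is a separate policy decision riding along with a stable update. Please move the debug-option changes into their own commit with a rationale, and make them consistent across architectures: this config keeps `CONFIG_DEBUG_SHIRQ=y` in the context lines of this hunk, while the x86_64 config in the same push changes it to `# CONFIG_DEBUG_SHIRQ is not set`.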
@@ -5870,7 +5879,7 @@ CONFIG_STACKTRACE=y # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set # CONFIG_DEBUG_KOBJECT is not set CONFIG_DEBUG_BUGVERBOSE=y -CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_LIST is not set # CONFIG_DEBUG_PI_LIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set @@ -5971,7 +5980,7 @@ CONFIG_HAVE_ARCH_KGDB=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y CONFIG_STRICT_DEVMEM=y -# CONFIG_IO_STRICT_DEVMEM is not set +CONFIG_IO_STRICT_DEVMEM=y # CONFIG_ARM_PTDUMP is not set CONFIG_ARM_UNWIND=y CONFIG_OLD_MCOUNT=y diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index 9d6389196..7ba02c6d1 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.14.101-ipfire-multi Kernel Configuration +# Linux/arm 4.14.112-ipfire-multi Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y @@ -64,6 +64,7 @@ CONFIG_GENERIC_IRQ_PROBE=y CONFIG_GENERIC_IRQ_SHOW=y CONFIG_GENERIC_IRQ_SHOW_LEVEL=y CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y +CONFIG_GENERIC_IRQ_MIGRATION=y CONFIG_HARDIRQS_SW_RESEND=y CONFIG_GENERIC_IRQ_CHIP=y CONFIG_IRQ_DOMAIN=y @@ -1636,9 +1637,11 @@ CONFIG_WEXT_PROC=y CONFIG_WEXT_SPY=y CONFIG_WEXT_PRIV=y CONFIG_CFG80211=m -# CONFIG_NL80211_TESTMODE is not set +CONFIG_NL80211_TESTMODE=y # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set -# CONFIG_CFG80211_CERTIFICATION_ONUS is not set +CONFIG_CFG80211_CERTIFICATION_ONUS=y +CONFIG_CFG80211_REG_CELLULAR_HINTS=y +CONFIG_CFG80211_REG_RELAX_NO_IR=y CONFIG_CFG80211_DEFAULT_PS=y # CONFIG_CFG80211_DEBUGFS is not set # CONFIG_CFG80211_INTERNAL_REGDB is not set 
@@ -2705,7 +2708,10 @@ CONFIG_ADM8211=m CONFIG_RTL8189ES=m CONFIG_ATH_COMMON=m CONFIG_WLAN_VENDOR_ATH=y -# CONFIG_ATH_DEBUG is not set +CONFIG_ATH_DEBUG=y +# CONFIG_ATH_TRACEPOINTS is not set +CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS=y +CONFIG_ATH_REG_DYNAMIC_USER_CERT_TESTING=y # CONFIG_ATH5K is not set # CONFIG_ATH5K_PCI is not set CONFIG_ATH9K_HW=m @@ -2715,6 +2721,7 @@ CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y CONFIG_ATH9K_AHB=y # CONFIG_ATH9K_DEBUGFS is not set +CONFIG_ATH9K_DFS_CERTIFIED=y # CONFIG_ATH9K_DYNACK is not set # CONFIG_ATH9K_WOW is not set CONFIG_ATH9K_RFKILL=y @@ -2735,9 +2742,10 @@ CONFIG_ATH10K_PCI=m CONFIG_ATH10K_AHB=y CONFIG_ATH10K_SDIO=m CONFIG_ATH10K_USB=m -# CONFIG_ATH10K_DEBUG is not set +CONFIG_ATH10K_DEBUG=y # CONFIG_ATH10K_DEBUGFS is not set # CONFIG_ATH10K_TRACING is not set +CONFIG_ATH10K_DFS_CERTIFIED=y CONFIG_WCN36XX=m # CONFIG_WCN36XX_DEBUGFS is not set CONFIG_WLAN_VENDOR_ATMEL=y @@ -3104,6 +3112,7 @@ CONFIG_SERIAL_NONSTANDARD=y CONFIG_N_HDLC=m CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_DEVMEM=y # CONFIG_DEVKMEM is not set
@@ -3193,7 +3202,6 @@ CONFIG_HW_RANDOM_MXC_RNGA=y CONFIG_HW_RANDOM_IMX_RNGC=y CONFIG_HW_RANDOM_MESON=y CONFIG_NVRAM=y -CONFIG_R3964=m # CONFIG_APPLICOM is not set CONFIG_RAW_DRIVER=y CONFIG_MAX_RAW_DEVS=8192 @@ -6897,7 +6905,7 @@ CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_VM is not set CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y # CONFIG_DEBUG_VIRTUAL is not set -CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_MEMORY_INIT is not set # CONFIG_DEBUG_PER_CPU_MAPS is not set # CONFIG_DEBUG_HIGHMEM is not set CONFIG_DEBUG_SHIRQ=y @@ -6935,7 +6943,7 @@ CONFIG_STACKTRACE=y # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set # CONFIG_DEBUG_KOBJECT is not set CONFIG_DEBUG_BUGVERBOSE=y -CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_LIST is not set # CONFIG_DEBUG_PI_LIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set @@ -7039,7 +7047,7 @@ CONFIG_HAVE_ARCH_KGDB=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y CONFIG_STRICT_DEVMEM=y -# CONFIG_IO_STRICT_DEVMEM is not set +CONFIG_IO_STRICT_DEVMEM=y # CONFIG_ARM_PTDUMP is not set CONFIG_ARM_UNWIND=y CONFIG_OLD_MCOUNT=y diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index d54e8b8b6..3ced58c5d 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.97-ipfire-pae Kernel Configuration +# Linux/x86 4.14.112-ipfire Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -1578,9 +1578,11 @@ CONFIG_WEXT_PROC=y CONFIG_WEXT_SPY=y CONFIG_WEXT_PRIV=y CONFIG_CFG80211=m -# CONFIG_NL80211_TESTMODE is not set +CONFIG_NL80211_TESTMODE=y # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set -# CONFIG_CFG80211_CERTIFICATION_ONUS is not set +CONFIG_CFG80211_CERTIFICATION_ONUS=y +CONFIG_CFG80211_REG_CELLULAR_HINTS=y +CONFIG_CFG80211_REG_RELAX_NO_IR=y CONFIG_CFG80211_DEFAULT_PS=y # CONFIG_CFG80211_DEBUGFS is not set # CONFIG_CFG80211_INTERNAL_REGDB is not set 
@@ -2608,11 +2610,15 @@ CONFIG_WLAN_VENDOR_ADMTEK=y CONFIG_ADM8211=m CONFIG_ATH_COMMON=m CONFIG_WLAN_VENDOR_ATH=y -# CONFIG_ATH_DEBUG is not set +CONFIG_ATH_DEBUG=y +# CONFIG_ATH_TRACEPOINTS is not set +CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS=y +CONFIG_ATH_REG_DYNAMIC_USER_CERT_TESTING=y CONFIG_ATH5K=m CONFIG_ATH5K_DEBUG=y # CONFIG_ATH5K_TRACER is not set CONFIG_ATH5K_PCI=y +# CONFIG_ATH5K_TEST_CHANNELS is not set CONFIG_ATH9K_HW=m CONFIG_ATH9K_COMMON=m CONFIG_ATH9K_BTCOEX_SUPPORT=y @@ -2620,6 +2626,7 @@ CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y CONFIG_ATH9K_AHB=y # CONFIG_ATH9K_DEBUGFS is not set +CONFIG_ATH9K_DFS_CERTIFIED=y # CONFIG_ATH9K_DYNACK is not set # CONFIG_ATH9K_WOW is not set CONFIG_ATH9K_RFKILL=y @@ -2642,9 +2649,10 @@ CONFIG_ATH10K=m CONFIG_ATH10K_PCI=m CONFIG_ATH10K_SDIO=m CONFIG_ATH10K_USB=m -# CONFIG_ATH10K_DEBUG is not set +CONFIG_ATH10K_DEBUG=y # CONFIG_ATH10K_DEBUGFS is not set # CONFIG_ATH10K_TRACING is not set +CONFIG_ATH10K_DFS_CERTIFIED=y CONFIG_WCN36XX=m # CONFIG_WCN36XX_DEBUGFS is not set CONFIG_WLAN_VENDOR_ATMEL=y @@ -3032,6 +3040,7 @@ CONFIG_NOZOMI=m CONFIG_N_HDLC=m CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_DEVMEM=y # CONFIG_DEVKMEM is not set
@@ -3109,7 +3118,6 @@ CONFIG_HW_RANDOM_VIA=m CONFIG_HW_RANDOM_VIRTIO=m CONFIG_NVRAM=y # CONFIG_DTLK is not set -CONFIG_R3964=m # CONFIG_APPLICOM is not set CONFIG_SONYPI=m
@@ -6529,11 +6537,11 @@ CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_VM is not set CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y # CONFIG_DEBUG_VIRTUAL is not set -CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_MEMORY_INIT is not set # CONFIG_DEBUG_PER_CPU_MAPS is not set # CONFIG_DEBUG_HIGHMEM is not set CONFIG_HAVE_DEBUG_STACKOVERFLOW=y -CONFIG_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set CONFIG_DEBUG_SHIRQ=y
# @@ -6685,7 +6693,7 @@ CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y CONFIG_STRICT_DEVMEM=y -# CONFIG_IO_STRICT_DEVMEM is not set +CONFIG_IO_STRICT_DEVMEM=y # CONFIG_X86_VERBOSE_BOOTUP is not set CONFIG_EARLY_PRINTK=y # CONFIG_EARLY_PRINTK_DBGP is not set diff --git a/config/kernel/kernel.config.i586-ipfire-pae b/config/kernel/kernel.config.i586-ipfire-pae index d86520155..870a01c52 100644 --- a/config/kernel/kernel.config.i586-ipfire-pae +++ b/config/kernel/kernel.config.i586-ipfire-pae @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.97-ipfire-pae Kernel Configuration +# Linux/x86 4.14.112-ipfire-pae Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -1596,9 +1596,11 @@ CONFIG_WEXT_PROC=y CONFIG_WEXT_SPY=y CONFIG_WEXT_PRIV=y CONFIG_CFG80211=m -# CONFIG_NL80211_TESTMODE is not set +CONFIG_NL80211_TESTMODE=y # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set -# CONFIG_CFG80211_CERTIFICATION_ONUS is not set +CONFIG_CFG80211_CERTIFICATION_ONUS=y +CONFIG_CFG80211_REG_CELLULAR_HINTS=y +CONFIG_CFG80211_REG_RELAX_NO_IR=y CONFIG_CFG80211_DEFAULT_PS=y # CONFIG_CFG80211_DEBUGFS is not set # CONFIG_CFG80211_INTERNAL_REGDB is not set @@ -2628,11 +2630,15 @@ CONFIG_WLAN_VENDOR_ADMTEK=y CONFIG_ADM8211=m CONFIG_ATH_COMMON=m CONFIG_WLAN_VENDOR_ATH=y -# CONFIG_ATH_DEBUG is not set +CONFIG_ATH_DEBUG=y +# CONFIG_ATH_TRACEPOINTS is not set +CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS=y +CONFIG_ATH_REG_DYNAMIC_USER_CERT_TESTING=y CONFIG_ATH5K=m CONFIG_ATH5K_DEBUG=y # CONFIG_ATH5K_TRACER is not set CONFIG_ATH5K_PCI=y +# CONFIG_ATH5K_TEST_CHANNELS is not set CONFIG_ATH9K_HW=m CONFIG_ATH9K_COMMON=m CONFIG_ATH9K_BTCOEX_SUPPORT=y @@ -2640,6 +2646,7 @@ CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y CONFIG_ATH9K_AHB=y # CONFIG_ATH9K_DEBUGFS is not set +CONFIG_ATH9K_DFS_CERTIFIED=y # CONFIG_ATH9K_DYNACK is not set # CONFIG_ATH9K_WOW is not set CONFIG_ATH9K_RFKILL=y 
@@ -2662,9 +2669,10 @@ CONFIG_ATH10K=m CONFIG_ATH10K_PCI=m CONFIG_ATH10K_SDIO=m CONFIG_ATH10K_USB=m -# CONFIG_ATH10K_DEBUG is not set +CONFIG_ATH10K_DEBUG=y # CONFIG_ATH10K_DEBUGFS is not set # CONFIG_ATH10K_TRACING is not set +CONFIG_ATH10K_DFS_CERTIFIED=y CONFIG_WCN36XX=m # CONFIG_WCN36XX_DEBUGFS is not set CONFIG_WLAN_VENDOR_ATMEL=y @@ -3055,6 +3063,7 @@ CONFIG_NOZOMI=m CONFIG_N_HDLC=m CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_DEVMEM=y # CONFIG_DEVKMEM is not set
@@ -3135,7 +3144,6 @@ CONFIG_HW_RANDOM_VIA=m CONFIG_HW_RANDOM_VIRTIO=m CONFIG_NVRAM=y # CONFIG_DTLK is not set -CONFIG_R3964=m # CONFIG_APPLICOM is not set CONFIG_SONYPI=m
@@ -6535,11 +6543,11 @@ CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_VM is not set CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y # CONFIG_DEBUG_VIRTUAL is not set -CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_MEMORY_INIT is not set # CONFIG_DEBUG_PER_CPU_MAPS is not set # CONFIG_DEBUG_HIGHMEM is not set CONFIG_HAVE_DEBUG_STACKOVERFLOW=y -CONFIG_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set CONFIG_DEBUG_SHIRQ=y
# @@ -6691,7 +6699,7 @@ CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y CONFIG_STRICT_DEVMEM=y -# CONFIG_IO_STRICT_DEVMEM is not set +CONFIG_IO_STRICT_DEVMEM=y # CONFIG_X86_VERBOSE_BOOTUP is not set CONFIG_EARLY_PRINTK=y # CONFIG_EARLY_PRINTK_DBGP is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index e6598c8d8..8018dc01d 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.97-ipfire Kernel Configuration +# Linux/x86 4.14.112-ipfire Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -1571,9 +1571,11 @@ CONFIG_WEXT_PROC=y CONFIG_WEXT_SPY=y CONFIG_WEXT_PRIV=y CONFIG_CFG80211=m -# CONFIG_NL80211_TESTMODE is not set +CONFIG_NL80211_TESTMODE=y # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set -# CONFIG_CFG80211_CERTIFICATION_ONUS is not set +CONFIG_CFG80211_CERTIFICATION_ONUS=y +CONFIG_CFG80211_REG_CELLULAR_HINTS=y +CONFIG_CFG80211_REG_RELAX_NO_IR=y CONFIG_CFG80211_DEFAULT_PS=y # CONFIG_CFG80211_DEBUGFS is not set # CONFIG_CFG80211_INTERNAL_REGDB is not set @@ -2582,11 +2584,15 @@ CONFIG_WLAN_VENDOR_ADMTEK=y CONFIG_ADM8211=m CONFIG_ATH_COMMON=m CONFIG_WLAN_VENDOR_ATH=y -# CONFIG_ATH_DEBUG is not set +CONFIG_ATH_DEBUG=y +# CONFIG_ATH_TRACEPOINTS is not set +CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS=y +CONFIG_ATH_REG_DYNAMIC_USER_CERT_TESTING=y CONFIG_ATH5K=m CONFIG_ATH5K_DEBUG=y # CONFIG_ATH5K_TRACER is not set CONFIG_ATH5K_PCI=y +# CONFIG_ATH5K_TEST_CHANNELS is not set CONFIG_ATH9K_HW=m CONFIG_ATH9K_COMMON=m CONFIG_ATH9K_BTCOEX_SUPPORT=y @@ -2594,6 +2600,7 @@ CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y CONFIG_ATH9K_AHB=y # CONFIG_ATH9K_DEBUGFS is not set +CONFIG_ATH9K_DFS_CERTIFIED=y # CONFIG_ATH9K_DYNACK is not set # CONFIG_ATH9K_WOW is not set CONFIG_ATH9K_RFKILL=y 
@@ -2616,9 +2623,10 @@ CONFIG_ATH10K=m CONFIG_ATH10K_PCI=m CONFIG_ATH10K_SDIO=m CONFIG_ATH10K_USB=m -# CONFIG_ATH10K_DEBUG is not set +CONFIG_ATH10K_DEBUG=y # CONFIG_ATH10K_DEBUGFS is not set # CONFIG_ATH10K_TRACING is not set +CONFIG_ATH10K_DFS_CERTIFIED=y CONFIG_WCN36XX=m # CONFIG_WCN36XX_DEBUGFS is not set CONFIG_WLAN_VENDOR_ATMEL=y @@ -2994,6 +3002,7 @@ CONFIG_NOZOMI=m CONFIG_N_HDLC=m CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set +CONFIG_LDISC_AUTOLOAD=y CONFIG_DEVMEM=y # CONFIG_DEVKMEM is not set
@@ -3067,7 +3076,6 @@ CONFIG_HW_RANDOM_AMD=m CONFIG_HW_RANDOM_VIA=m CONFIG_HW_RANDOM_VIRTIO=m CONFIG_NVRAM=y -CONFIG_R3964=m # CONFIG_APPLICOM is not set
# @@ -6377,7 +6385,7 @@ CONFIG_DEBUG_KERNEL=y # CONFIG_DEBUG_PAGEALLOC is not set # CONFIG_PAGE_POISONING is not set # CONFIG_DEBUG_PAGE_REF is not set -CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_RODATA_TEST is not set # CONFIG_DEBUG_OBJECTS is not set # CONFIG_SLUB_DEBUG_ON is not set # CONFIG_SLUB_STATS is not set @@ -6387,15 +6395,15 @@ CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_VM is not set CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y # CONFIG_DEBUG_VIRTUAL is not set -CONFIG_DEBUG_MEMORY_INIT=y +# CONFIG_DEBUG_MEMORY_INIT is not set # CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_HAVE_DEBUG_STACKOVERFLOW=y -CONFIG_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set CONFIG_HAVE_ARCH_KASAN=y # CONFIG_KASAN is not set CONFIG_ARCH_HAS_KCOV=y # CONFIG_KCOV is not set -CONFIG_DEBUG_SHIRQ=y +# CONFIG_DEBUG_SHIRQ is not set
# # Debug Lockups and Hangs @@ -6438,7 +6446,7 @@ CONFIG_STACKTRACE=y # CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set # CONFIG_DEBUG_KOBJECT is not set CONFIG_DEBUG_BUGVERBOSE=y -CONFIG_DEBUG_LIST=y +# CONFIG_DEBUG_LIST is not set # CONFIG_DEBUG_PI_LIST is not set # CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_NOTIFIERS is not set @@ -6547,7 +6555,7 @@ CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y CONFIG_STRICT_DEVMEM=y -# CONFIG_IO_STRICT_DEVMEM is not set +CONFIG_IO_STRICT_DEVMEM=y # CONFIG_X86_VERBOSE_BOOTUP is not set CONFIG_EARLY_PRINTK=y # CONFIG_EARLY_PRINTK_DBGP is not set @@ -6570,12 +6578,12 @@ CONFIG_IO_DELAY_0X80=y # CONFIG_IO_DELAY_UDELAY is not set # CONFIG_IO_DELAY_NONE is not set CONFIG_DEFAULT_IO_DELAY_TYPE=0 -CONFIG_DEBUG_BOOT_PARAMS=y +# CONFIG_DEBUG_BOOT_PARAMS is not set # CONFIG_CPA_DEBUG is not set CONFIG_OPTIMIZE_INLINING=y # CONFIG_DEBUG_ENTRY is not set # CONFIG_DEBUG_NMI_SELFTEST is not set -CONFIG_X86_DEBUG_FPU=y +# CONFIG_X86_DEBUG_FPU is not set # CONFIG_PUNIT_ATOM_DEBUG is not set CONFIG_UNWINDER_ORC=y # CONFIG_UNWINDER_FRAME_POINTER is not set diff --git a/config/menu/40-services.menu b/config/menu/40-services.menu index 2f4d96e73..83ce3bc1f 100644 --- a/config/menu/40-services.menu +++ b/config/menu/40-services.menu @@ -25,11 +25,6 @@ 'title' => "Quality of Service", 'enabled' => 1, }; - $subservices->{'60.ids'} = {'caption' => $Lang::tr{'intrusion detection'}, - 'enabled' => 1, - 'uri' => '/cgi-bin/ids.cgi', - 'title' => "$Lang::tr{'intrusion detection system'}", - }; $subservices->{'70.extrahd'} = {'caption' => "ExtraHD", 'enabled' => 1, 'uri' => '/cgi-bin/extrahd.cgi', diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index 7271b3212..5ec1f67fc 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu 
@@ -16,25 +16,30 @@ 'title' => "$Lang::tr{'options fw'}", 'enabled' => 1, }; - $subfirewall->{'40.p2p'} = { + $subfirewall->{'40.ids'} = {'caption' => $Lang::tr{'intrusion detection'}, + 'uri' => '/cgi-bin/ids.cgi', + 'title' => "$Lang::tr{'intrusion detection system'}", + 'enabled' => 1, + }; + $subfirewall->{'50.p2p'} = { 'caption' => $Lang::tr{'p2p block'}, 'uri' => '/cgi-bin/p2p-block.cgi', 'title' => "P2P-Block", 'enabled' => 1, }; - $subfirewall->{'50.geoipblock'} = { + $subfirewall->{'60.geoipblock'} = { 'caption' => $Lang::tr{'geoipblock'}, 'uri' => '/cgi-bin/geoip-block.cgi', 'title' => $Lang::tr{'geoipblock'}, 'enabled' => 1, }; - $subfirewall->{'60.wireless'} = { + $subfirewall->{'70.wireless'} = { 'caption' => $Lang::tr{'blue access'}, 'uri' => '/cgi-bin/wireless.cgi', 'title' => "$Lang::tr{'blue access'}", 'enabled' => 1, }; - $subfirewall->{'70.upnp'} = { + $subfirewall->{'80.upnp'} = { 'caption' => 'UPnP', 'uri' => '/cgi-bin/upnp.cgi', 'title' => "Universal Plug and Play", diff --git a/config/oinkmaster/oinkmaster.conf b/config/oinkmaster/oinkmaster.conf new file mode 100644 index 000000000..a04e32987 --- /dev/null +++ b/config/oinkmaster/oinkmaster.conf 
@@ -0,0 +1,432 @@ +# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ # + +# This file is pretty big by default, but don't worry. +# The only things required are "path" and "update_files". You must also +# set "url" to point to the correct rules archive for your version of +# Snort, unless you prefer to specify this on the command line. +# The rest in here is just a few recommended defaults, and examples +# how to use all the other optional features and give some ideas how they +# could be used. + +# Remember not to let untrusted users edit Oinkmaster configuration +# files, as things like the PATH to use during execution is defined +# in here. + + +# Use "url = <url>" to specify the location of the rules archive to +# download. The url must begin with http://, https://, ftp://, file:// +# or scp:// and end with .tar.gz or .tgz, and the file must be a +# gzipped tarball what contains a directory named "rules". +# You can also point to a local directory with dir://<directory>. +# Multiple "url = <url>" lines can be specified to grab multiple rules +# archives from different locations. +# +# Note: if URL is specified on the command line, it overrides all +# possible URLs specified in the configuration file(s). +# +# The location of the official Snort rules you should use depends +# on which Snort version you run. Basically, you should go to +# http://www.snort.org/rules/ and follow the instructions +# there to pick the right URL for your version of Snort +# (and remember to update the URL when upgrading Snort in the +# future). You can of course also specify locations to third party +# rules. +# +# As of March 2005, you must register on the Snort site to get access +# to the official Snort rules. This will get you an "oinkcode". 
+# You then specify the URL as +# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename> +# For example, if your code is 5a081649c06a277e1022e1284b and +# you use Snort 2.4, the url to use would be (without the wrap): +# http://www.snort.org/pub-bin/oinkmaster.cgi/ +# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz +# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for +# more information. + + +# URL examples follows. Replace <oinkcode> with the code you get on the +# Snort site in your registered user profile. + +# Example for Snort 2.4 +# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz +# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz + +# Example for Snort-current ("current" means cvs snapshots). +#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz + +# Example for Community rules +# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rul... + +# Example for rules from the Bleeding Snort project +# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz + +# If you prefer to download the rules archive from outside Oinkmaster, +# you can then point to the file on your local filesystem by using +# file://<filename>, for example: +# url = file:///tmp/snortrules.tar.gz + +# In rare cases you may want to grab the rules directly from a +# local directory (don't confuse this with the output directory). +# url = dir:///etc/snort/src/rules + +# Example to use scp to copy the rules archive from another host. +# Only OpenSSH is tested. See the FAQ for more information. +# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz + +# If you use -u scp://... and need to specify a private ssh key (passed +# as -i <key> to the scp command) you can specify it here or add an +# entry in ~/.ssh/config for the Oinkmaster user as described in the +# OpenSSH manual. 
+# scp_key = /home/oinkmaster/oinkmaster_privkey + + +# The PATH to use during execution. If you prefer to use external +# binaries (i.e. use_external_bins=1, see below), tar and gzip must be +# found, and also wget if downloading via ftp, http or https. All with +# optional .exe suffix. If you're on Cygwin, make sure that the path +# contains the Cygwin binaries and not the native Win32 binaries or +# you will get problems. +# Assume UNIX style by default: +path = /bin:/usr/bin:/usr/local/bin + +# Example if running native Win32 or standalone Cygwin: +# path = c:\oinkmaster;c:\oinkmaster\bin + +# Example if running standalone Cygwin and you prefer Cygwin style path: +# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin + + +# We normally use external binaries (wget, tar and gzip) since they're +# already available on most systems and do a good job. If you have the +# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use +# those instead if you like. You can set use_external_bins below to +# choose which method you prefer. It's set to 0 by default on Win32 +# (i.e. use Perl modules), and 1 on other systems (i.e. use external +# binaries). The reason for that is that the required Perl modules +# are included on Windows/ActivePerl 5.8.1+, so it's easier to use +# those than to install the ported Unix tools. (Note that if you're +# using scp to download the archive, external scp binary is still +# used.) +# use_external_bins = 0 + + +# Temporary directory to use. This directory must exist when starting and +# Oinkmaster will then create a temporary sub directory in here. +# Keep it as a #comment if you want to use the default. +# The default will be checked for in the environment variables TMP, +# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set. + +# Example for UNIX. +# tmpdir = /home/oinkmaster/tmp/ + +# Example if running native Win32 or Cygwin. 
+# tmpdir = c:\tmp + +# Example if running Cygwin and you prefer Cygwin style path. +# tmpdir = /cygdrive/c/tmp + + +# The umask to use during execution if you want it to be something +# else than the current value when starting Oinkmaster. +# This will affect the mode bits when writing new files. +# Keep it commented out to keep your system's current umask. +# umask = 0027 + + +# Files in the archive(s) matching this regular expression will be +# checked for changes, and then updated or added if needed. +# All other files will be ignored. You can then choose to skip +# individual files by specifying the "skipfile" keyword below. +# Normally you shouldn't need to change this one. +update_files = .rules$|.config$|.conf$|.txt$|.map$ + + +# Regexp of keywords that starts a Snort rule. +# May be useful if you create your own ruletypes and want those +# lines to be regarded as rules as well. +# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic + + +# If the number of rules files in the downloaded archive matching the +# 'update_files' regexp is below min_files, or if the number +# of rules is below min_rules, the rules are regarded as broken +# and the update is aborted with an error message. +# Both are set to 1 by default (i.e. the archive is only regarded as +# broken if it's totally empty). +# If you download from multiple URLs, the count is the total number +# of files/rules across all archives. +# min_files = 1 +# min_rules = 1 + + +# By default, a basic sanity check is performed on most paths/filenames +# to see if they contain illegal characters that may screw things up. +# If this check is too strict for your system (e.g. you get bogus +# "illegal characters in filename" errors because of your local language +# etc) and you're sure you want to disable the checks completely, +# set use_path_checks to 0. 
+# use_path_checks = 1 + + +# If you want Oinkmaster to send a User-Agent HTTP header string +# other than the default one for wget/LWP, set this variable. +# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) + + +# You can include other files anywhere in here by using +# "include <file>". <file> will be parsed just like a regular +# oinkmaster.conf as soon as the include statement is seen, and then +# return and continue parsing the rest of the original file. If an +# option is redefined, it will override the previous value. You can use +# as many "include" statements as you wish, and also include even more +# files from included files. Example to load stuff from "/etc/foo.conf". +# include /etc/foo.conf + +# Include file for enabled sids. +include /var/ipfire/suricata/oinkmaster-enabled-sids.conf + +# Include file for disabled sids. +include /var/ipfire/suricata/oinkmaster-disabled-sids.conf + +# Include file which defines the runmode of suricata. +include /var/ipfire/suricata/oinkmaster-modify-sids.conf + +####################################################################### +# Files to totally skip (i.e. never update or check for changes) # +# # +# Syntax: skipfile filename # +# or: skipfile filename1, filename2, filename3, ... # +####################################################################### + +# Ignore local.rules from the rules archive by default since we might +# have put some local rules in our own local.rules and we don't want it +# to get overwritten by the empty one from the archive after each +# update. +skipfile local.rules + +# The file deleted.rules contains rules that have been deleted from +# other files, so there is usually no point in updating it. +skipfile deleted.rules + +# Also skip snort.conf by default since we don't want to overwrite our +# own snort.conf if we have it in the same directory as the rules. 
If +# you have your own production copy of snort.conf in another directory, +# it may be really nice to check for changes in this file though, +# especially since variables are sometimes added or modified and +# new/old files are included/excluded. +#skipfile snort.conf + +# You may want to consider ignoring threshold.conf for the same reasons +# as for snort.conf, i.e. if you customize it locally and don't want it +# to become overwritten by the default one. It may be better to put +# local thresholding/suppressing in some local file and still update +# and use the official one though, in case important stuff is added to +# it some day. We do update it by default, but it's your call. +# skipfile threshold.conf + +# If you update from multiple URLs at the same time you may need to +# ignore the sid-msg.map (and generate it yourself if you need one) as +# it's usually included in each rules tarball. See the FAQ for more info. +# skipfile sid-msg.map + + + +########################################################################## +# SIDs to modify after each update (only for the skilled/stupid/brave). # +# Don't use it unless you have to. There is nothing that stops you from # +# modifying rules in such ways that they become invalid or generally # +# break things. You have been warned. # +# If you just want to disable SIDs, please skip this section and have a # +# look at the "disablesid" keyword below. # +# # +# You may specify multiple modifysid directives for the same SID (they # +# will be processed in order of appearance), and you may also specify a # +# list of SIDs on which the substitution should be applied. # +# If the argument is in the form something.something it's regarded # +# as a filename and the substitution will apply on all rules in that # +# file. The wildcard ("*") can be used to apply the substitution on all # +# rules regardless of the SID or file. 
Please avoid using #comments # +# at the end of modifysid lines, they may confuse the parser in some # +# situations. # +# # +# Syntax: # +# modifysid SID "replacethis" | "withthis" # +# or: # +# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # +# or: # +# modifysid file "replacethis" | "withthis" # +# or: # +# modifysid * "replacethis" | "withthis" # +# # +# The strings within the quotes will basically be passed to a # +# s/replacethis/withthis/ statement in Perl, so they must be valid # +# regular expressions. The strings are case-insensitive and only the # +# first occurrence will be replaced. If there are multiple occurrences # +# you want to replace, simply repeat the same modifysid line. # +# As the strings are regular expressions, you MUST escape special # +# characters like $ \ / ( ) | by prepending a "" to them. # +# # +# If you specify a modifysid statement for a multi-line rule, Oinkmaster # +# will first translate the rule into a single-line version and then # +# perform the substitution, so you don't have to care about the trailing # +# backslashes and newlines. # +# # +# If you use backreference variables in the substitution expression, # +# it's strongly recommended to specify them as ${1} instead of $1 and so # +# on, to avoid parsing confusion with unexpected results in some # +# situations. Note that modifysid statements will process both active # +# and inactive (disabled) rules. # +# # +# You may want to check out README.templates and template-examples.conf # +# to find how you can simplify the modifysid usage by using templates. # +########################################################################## + +# Example to enable a rule (in this case SID 1325) that is disabled by +# default, by simply replacing leading "#alert" with "alert". +# (You should really use 'enablesid' for this though.) 
+# Oinkmaster removes whitespaces next to the leading "#" so you don't +# have to worry about that, but be careful about possible whitespace in +# other places when writing the regexps. +# modifysid 1325 "^#alert" | "alert" + +# You could also do this to enable it no matter what type of rule it is +# (alert, log, pass, etc). +# modifysid 1325 "^#" | "" + +# Example to add "tag" stuff to SID 1325. +# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;" + +# Example to make SID 1378 a 'drop' rule (valid if you're running +# Snort_inline). +# modifysid 1378 "^alert" | "drop" + +# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET +# in SID 302. +# modifysid 302 "$EXTERNAL_NET" | "$HOME_NET" + +# You can also specify that a substitution should apply on multiple SIDs. +# modifysid 302,429,1821 "$EXTERNAL_NET" | "$HOME_NET" + +# You can take advantage of the fact that it's regular expressions and +# do more complex stuff. This example (for Snort_inline) adds a 'replace' +# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh". +# modifysid 1324 "(content\s*:\s*"/bin/sh"\s*;)" | \ +# "${1} replace:"/foo/sh";" + +# If you for some reason would like to add a comment inside the actual +# rules file, like the reason why you disabled this rule, you can do +# like this (you would normally add such comments in oinkmaster.conf +# though). +# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}" + +# Here is an example that is actually useful. Let's say you don't care +# about incoming welchia pings (detected by SID 483 at the time of +# writing) but you want to know when infected hosts on your network +# scans hosts on the outside. (Remember that watching for outgoing +# malicious packets is often just as important as watching for incoming +# ones, especially in this case.) The rule currently looks like +# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..." 
+# but we want to switch that so it becomes +# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...". +# Here is how it could be done. +# modifysid 483 \ +# "(.+) $EXTERNAL_NET (.+) $HOME_NET (.+)" | \ +# "${1} $HOME_NET ${2} $EXTERNAL_NET ${3}" + +# The wildcard (modifysid * ...) can be used to do all kinds of +# interesting things. The substitution expression will be applied on all +# matching rules. First, a silly example to replace "foo" with "bar" in +# all rules (that have the string "foo" in them, that is.) +# modifysid * "foo" | "bar" + +# If you for some reason don't want to use the stream preprocessor to +# match established streams, you may want to replace the 'flow' +# statement with 'flags:A+;' in all those rules. +# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;" + +# Example to convert all rules of classtype attempted-admin to 'drop' +# rules (for Snort_inline only, obviously). +# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}" + +# This one will append some text to the 'msg' string for all rules that +# have the 'tag' keyword in them. +# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \ +# "${1}, going to tag this baby"${2}" + +# There may be times when you want to replace multiple occurrences of a +# certain keyword/string in a rule and not just the first one. To +# replace the first two occurrences of "foo" with "bar" in SID 100, +# simply repeat the modifysid statement: +# modifysid 100 "foo" | "bar" +# modifysid 100 "foo" | "bar" + +# Or you can even specify a SID list but repeat the same SID as many +# times as required, like: +# modifysid 100,100,100 "foo" | "bar" + +# Enable all rules in the file exploit.rules. +# modifysid exploit.rules "^#" | "" + +# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171. +# modifysid exploit.rules, snmp.rules, 1171 "^#" | "" + + + +######################################################################## +# SIDs that we don't want to update. 
# +# If you for some reason don't want a specific rule to be updated # +# (e.g. you made local modifications to it and you never want to # +# update it and don't care about changes in the official version), you # +# can specify a "localsid" statement for it. This means that the old # +# version of the rule (i.e. the one in the rules file on your # +# harddrive) is always kept, regardless if the official version has # +# been updated. Please do not use this feature unless in special # +# cases as it's easy to end up with many signatures that aren't # +# maintained anymore. See the FAQ for details about this and hints # +# about better solutions regarding customization of rules. # +# # +# Syntax: localsid SID # +# or: localsid SID1, SID2, SID3, ... # +######################################################################## + +# Example to never update SID 1325. +# localsid 1325 + + + +######################################################################## +# SIDs to enable after each update. # +# Will simply remove all the leading '#' for a specified SID (if it's # +# a multi-line rule, the leading '#' for all lines are removed.) # +# These will be processed after all the modifysid and disablesid # +# statements. Using 'enablesid' on a rule that is not disabled is a # +# NOOP. # +# # +# Syntax: enablesid SID # +# or: enablesid SID1, SID2, SID3, ... # +######################################################################## + +# Example to enable SID 1325. +# enablesid 1325 + + + +######################################################################## +# SIDs to comment out, i.e. disable, after each update by placing a # +# '#' in front of the rule (if it's a multi-line rule, it will be put # +# in front of all lines). # +# # +# Syntax: disablesid SID # +# or: disablesid SID1, SID2, SID3, ... # +######################################################################## + +# You can specify one SID per line. 
+# disablesid 1 +# disablesid 2 +# disablesid 3 + +# And also as comma-separated lists. +# disablesid 4,5,6 + +# It's a good idea to also add comment about why you disable the sid: +# disablesid 1324 # 20020101: disabled this SID just because I can diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 367a0a725..ed4f727d9 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns @@ -75,10 +75,10 @@ etc/rc.d/init.d/rngd etc/rc.d/init.d/sendsignals etc/rc.d/init.d/setclock etc/rc.d/init.d/smartenabler -etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/swconfig etc/rc.d/init.d/sysctl @@ -105,7 +105,7 @@ etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat etc/rc.d/rc0.d/K77conntrackd -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -158,7 +158,7 @@ etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat etc/rc.d/rc6.d/K77conntrackd -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 2b11e71a8..e3f6ba406 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux 
@@ -1760,7 +1760,6 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/drivers/tty #lib/modules/KVER-ipfire/kernel/drivers/tty/n_gsm.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/n_hdlc.ko.xz -#lib/modules/KVER-ipfire/kernel/drivers/tty/n_r3964.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/serial #lib/modules/KVER-ipfire/kernel/drivers/tty/serial/arc_uart.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/serial/fsl_lpuart.ko.xz diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2 index c6d19a5f6..576d3f77b 100644 --- a/config/rootfiles/common/aarch64/stage2 +++ b/config/rootfiles/common/aarch64/stage2 @@ -104,6 +104,7 @@ usr/local/bin/scanhd usr/local/bin/settime usr/local/bin/timecheck usr/local/bin/timezone-transition +usr/local/bin/update-ids-ruleset usr/local/bin/update-lang-cache usr/local/bin/xt_geoip_build usr/local/bin/xt_geoip_update diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 367a0a725..ed4f727d9 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns @@ -75,10 +75,10 @@ etc/rc.d/init.d/rngd etc/rc.d/init.d/sendsignals etc/rc.d/init.d/setclock etc/rc.d/init.d/smartenabler -etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/swconfig etc/rc.d/init.d/sysctl 
@@ -105,7 +105,7 @@ etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat etc/rc.d/rc0.d/K77conntrackd -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -158,7 +158,7 @@ etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat etc/rc.d/rc6.d/K77conntrackd -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/config/rootfiles/common/armv5tel/linux-multi b/config/rootfiles/common/armv5tel/linux-multi index 9ca15348e..c159ca8b8 100644 --- a/config/rootfiles/common/armv5tel/linux-multi +++ b/config/rootfiles/common/armv5tel/linux-multi @@ -2265,7 +2265,6 @@ lib/modules/KVER-ipfire-multi #lib/modules/KVER-ipfire-multi/kernel/drivers/tty #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/n_gsm.ko.xz #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/n_hdlc.ko.xz -#lib/modules/KVER-ipfire-multi/kernel/drivers/tty/n_r3964.ko.xz #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial/arc_uart.ko.xz #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial/fsl_lpuart.ko.xz diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index fa18a0525..4c9f6fb62 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -1,6 +1,7 @@ usr/sbin/convert-dmz usr/sbin/convert-outgoingfw usr/sbin/convert-portfw +usr/sbin/convert-snort usr/sbin/convert-xtaccess usr/sbin/firewall-policy #var/ipfire @@ -78,6 +79,7 @@ var/ipfire/general-functions.pl var/ipfire/geoip-functions.pl var/ipfire/graphs.pl var/ipfire/header.pl +var/ipfire/ids-functions.pl var/ipfire/isdn #var/ipfire/isdn/settings var/ipfire/key 
@@ -173,8 +175,8 @@ var/ipfire/remote #var/ipfire/remote/settings var/ipfire/sensors #var/ipfire/sensors/settings -var/ipfire/snort -#var/ipfire/snort/settings +var/ipfire/suricata +#var/ipfire/suricata/settings var/ipfire/time #var/ipfire/time/settings var/ipfire/updatexlrator diff --git a/config/rootfiles/common/daq b/config/rootfiles/common/daq deleted file mode 100644 index 6c156e3d9..000000000 --- a/config/rootfiles/common/daq +++ /dev/null @@ -1,33 +0,0 @@ -#usr/bin/daq-modules-config -#usr/include/daq.h -#usr/include/daq_api.h -#usr/include/daq_common.h -#usr/include/sfbpf.h -#usr/include/sfbpf_dlt.h -usr/lib/daq -#usr/lib/daq/daq_afpacket.la -#usr/lib/daq/daq_afpacket.so -#usr/lib/daq/daq_dump.la -#usr/lib/daq/daq_dump.so -#usr/lib/daq/daq_ipfw.la -#usr/lib/daq/daq_ipfw.so -#usr/lib/daq/daq_ipq.la -#usr/lib/daq/daq_ipq.so -#usr/lib/daq/daq_nfq.la -#usr/lib/daq/daq_nfq.so -#usr/lib/daq/daq_pcap.la -#usr/lib/daq/daq_pcap.so -#usr/lib/libdaq.a -#usr/lib/libdaq.la -#usr/lib/libdaq.so -usr/lib/libdaq.so.2 -usr/lib/libdaq.so.2.0.4 -#usr/lib/libdaq_static.a -#usr/lib/libdaq_static.la -#usr/lib/libdaq_static_modules.a -#usr/lib/libdaq_static_modules.la -#usr/lib/libsfbpf.a -#usr/lib/libsfbpf.la -#usr/lib/libsfbpf.so -usr/lib/libsfbpf.so.0 -usr/lib/libsfbpf.so.0.0.1 diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index 137fbe124..b8adaa9d9 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -33,7 +33,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.14.11 +usr/lib/libgnutls.so.30.23.2 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.28 
@@ -66,18 +66,20 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/info/gnutls.info-4 #usr/share/info/gnutls.info-5 #usr/share/info/gnutls.info-6 +#usr/share/info/gnutls.info-7 #usr/share/info/pkcs11-vision.png #usr/share/locale/cs/LC_MESSAGES/gnutls.mo #usr/share/locale/de/LC_MESSAGES/gnutls.mo -#usr/share/locale/en@boldquot/LC_MESSAGES/gnutls.mo -#usr/share/locale/en@quot/LC_MESSAGES/gnutls.mo #usr/share/locale/eo/LC_MESSAGES/gnutls.mo +#usr/share/locale/es/LC_MESSAGES/gnutls.mo #usr/share/locale/fi/LC_MESSAGES/gnutls.mo #usr/share/locale/fr/LC_MESSAGES/gnutls.mo #usr/share/locale/it/LC_MESSAGES/gnutls.mo #usr/share/locale/ms/LC_MESSAGES/gnutls.mo #usr/share/locale/nl/LC_MESSAGES/gnutls.mo #usr/share/locale/pl/LC_MESSAGES/gnutls.mo +#usr/share/locale/pt_BR/LC_MESSAGES/gnutls.mo +#usr/share/locale/sr/LC_MESSAGES/gnutls.mo #usr/share/locale/sv/LC_MESSAGES/gnutls.mo #usr/share/locale/uk/LC_MESSAGES/gnutls.mo #usr/share/locale/vi/LC_MESSAGES/gnutls.mo @@ -113,6 +115,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_aead_cipher_decrypt.3 #usr/share/man/man3/gnutls_aead_cipher_deinit.3 #usr/share/man/man3/gnutls_aead_cipher_encrypt.3 +#usr/share/man/man3/gnutls_aead_cipher_encryptv.3 #usr/share/man/man3/gnutls_aead_cipher_init.3 #usr/share/man/man3/gnutls_alert_get.3 #usr/share/man/man3/gnutls_alert_get_name.3 
@@ -129,9 +132,17 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_anon_set_server_dh_params.3 #usr/share/man/man3/gnutls_anon_set_server_known_dh_params.3 #usr/share/man/man3/gnutls_anon_set_server_params_function.3 +#usr/share/man/man3/gnutls_anti_replay_deinit.3 +#usr/share/man/man3/gnutls_anti_replay_enable.3 +#usr/share/man/man3/gnutls_anti_replay_init.3 +#usr/share/man/man3/gnutls_anti_replay_set_add_function.3 +#usr/share/man/man3/gnutls_anti_replay_set_ptr.3 +#usr/share/man/man3/gnutls_anti_replay_set_window.3 #usr/share/man/man3/gnutls_auth_client_get_type.3 #usr/share/man/man3/gnutls_auth_get_type.3 #usr/share/man/man3/gnutls_auth_server_get_type.3 +#usr/share/man/man3/gnutls_base64_decode2.3 +#usr/share/man/man3/gnutls_base64_encode2.3 #usr/share/man/man3/gnutls_buffer_append_data.3 #usr/share/man/man3/gnutls_bye.3 #usr/share/man/man3/gnutls_certificate_activation_time_peers.3 @@ -145,6 +156,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_certificate_free_keys.3 #usr/share/man/man3/gnutls_certificate_get_crt_raw.3 #usr/share/man/man3/gnutls_certificate_get_issuer.3 +#usr/share/man/man3/gnutls_certificate_get_ocsp_expiration.3 #usr/share/man/man3/gnutls_certificate_get_ours.3 #usr/share/man/man3/gnutls_certificate_get_peers.3 #usr/share/man/man3/gnutls_certificate_get_peers_subkey_id.3 
@@ -159,12 +171,17 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_certificate_set_key.3 #usr/share/man/man3/gnutls_certificate_set_known_dh_params.3 #usr/share/man/man3/gnutls_certificate_set_ocsp_status_request_file.3 +#usr/share/man/man3/gnutls_certificate_set_ocsp_status_request_file2.3 #usr/share/man/man3/gnutls_certificate_set_ocsp_status_request_function.3 #usr/share/man/man3/gnutls_certificate_set_ocsp_status_request_function2.3 +#usr/share/man/man3/gnutls_certificate_set_ocsp_status_request_mem.3 #usr/share/man/man3/gnutls_certificate_set_params_function.3 #usr/share/man/man3/gnutls_certificate_set_pin_function.3 +#usr/share/man/man3/gnutls_certificate_set_rawpk_key_file.3 +#usr/share/man/man3/gnutls_certificate_set_rawpk_key_mem.3 #usr/share/man/man3/gnutls_certificate_set_retrieve_function.3 #usr/share/man/man3/gnutls_certificate_set_retrieve_function2.3 +#usr/share/man/man3/gnutls_certificate_set_retrieve_function3.3 #usr/share/man/man3/gnutls_certificate_set_trust_list.3 #usr/share/man/man3/gnutls_certificate_set_verify_flags.3 #usr/share/man/man3/gnutls_certificate_set_verify_function.3 @@ -185,6 +202,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_certificate_set_x509_trust_file.3 #usr/share/man/man3/gnutls_certificate_set_x509_trust_mem.3 #usr/share/man/man3/gnutls_certificate_type_get.3 +#usr/share/man/man3/gnutls_certificate_type_get2.3 #usr/share/man/man3/gnutls_certificate_type_get_id.3 #usr/share/man/man3/gnutls_certificate_type_get_name.3 #usr/share/man/man3/gnutls_certificate_type_list.3 @@ -224,6 +242,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_crypto_register_digest.3 #usr/share/man/man3/gnutls_crypto_register_mac.3 #usr/share/man/man3/gnutls_db_check_entry.3 +#usr/share/man/man3/gnutls_db_check_entry_expire_time.3 #usr/share/man/man3/gnutls_db_check_entry_time.3 #usr/share/man/man3/gnutls_db_get_default_cache_expiration.3 #usr/share/man/man3/gnutls_db_get_ptr.3 
@@ -234,6 +253,8 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_db_set_retrieve_function.3 #usr/share/man/man3/gnutls_db_set_store_function.3 #usr/share/man/man3/gnutls_decode_ber_digest_info.3 +#usr/share/man/man3/gnutls_decode_gost_rs_value.3 +#usr/share/man/man3/gnutls_decode_rs_value.3 #usr/share/man/man3/gnutls_deinit.3 #usr/share/man/man3/gnutls_dh_get_group.3 #usr/share/man/man3/gnutls_dh_get_peers_public_bits.3 @@ -273,15 +294,20 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_ecc_curve_get_size.3 #usr/share/man/man3/gnutls_ecc_curve_list.3 #usr/share/man/man3/gnutls_encode_ber_digest_info.3 +#usr/share/man/man3/gnutls_encode_gost_rs_value.3 +#usr/share/man/man3/gnutls_encode_rs_value.3 #usr/share/man/man3/gnutls_error_is_fatal.3 #usr/share/man/man3/gnutls_error_to_alert.3 #usr/share/man/man3/gnutls_est_record_overhead_size.3 +#usr/share/man/man3/gnutls_ext_get_current_msg.3 #usr/share/man/man3/gnutls_ext_get_data.3 #usr/share/man/man3/gnutls_ext_get_name.3 +#usr/share/man/man3/gnutls_ext_raw_parse.3 #usr/share/man/man3/gnutls_ext_register.3 #usr/share/man/man3/gnutls_ext_set_data.3 #usr/share/man/man3/gnutls_fingerprint.3 #usr/share/man/man3/gnutls_fips140_mode_enabled.3 +#usr/share/man/man3/gnutls_fips140_set_mode.3 #usr/share/man/man3/gnutls_global_deinit.3 #usr/share/man/man3/gnutls_global_init.3 #usr/share/man/man3/gnutls_global_set_audit_log_function.3 
@@ -290,6 +316,12 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_global_set_mem_functions.3 #usr/share/man/man3/gnutls_global_set_mutex.3 #usr/share/man/man3/gnutls_global_set_time_function.3 +#usr/share/man/man3/gnutls_gost_paramset_get_name.3 +#usr/share/man/man3/gnutls_gost_paramset_get_oid.3 +#usr/share/man/man3/gnutls_group_get.3 +#usr/share/man/man3/gnutls_group_get_id.3 +#usr/share/man/man3/gnutls_group_get_name.3 +#usr/share/man/man3/gnutls_group_list.3 #usr/share/man/man3/gnutls_handshake.3 #usr/share/man/man3/gnutls_handshake_description_get_name.3 #usr/share/man/man3/gnutls_handshake_get_last_in.3 @@ -358,6 +390,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_ocsp_resp_check_crt.3 #usr/share/man/man3/gnutls_ocsp_resp_deinit.3 #usr/share/man/man3/gnutls_ocsp_resp_export.3 +#usr/share/man/man3/gnutls_ocsp_resp_export2.3 #usr/share/man/man3/gnutls_ocsp_resp_get_certs.3 #usr/share/man/man3/gnutls_ocsp_resp_get_extension.3 #usr/share/man/man3/gnutls_ocsp_resp_get_nonce.3 @@ -372,15 +405,19 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_ocsp_resp_get_status.3 #usr/share/man/man3/gnutls_ocsp_resp_get_version.3 #usr/share/man/man3/gnutls_ocsp_resp_import.3 +#usr/share/man/man3/gnutls_ocsp_resp_import2.3 #usr/share/man/man3/gnutls_ocsp_resp_init.3 +#usr/share/man/man3/gnutls_ocsp_resp_list_import2.3 #usr/share/man/man3/gnutls_ocsp_resp_print.3 #usr/share/man/man3/gnutls_ocsp_resp_verify.3 #usr/share/man/man3/gnutls_ocsp_resp_verify_direct.3 #usr/share/man/man3/gnutls_ocsp_status_request_enable_client.3 #usr/share/man/man3/gnutls_ocsp_status_request_get.3 +#usr/share/man/man3/gnutls_ocsp_status_request_get2.3 #usr/share/man/man3/gnutls_ocsp_status_request_is_checked.3 #usr/share/man/man3/gnutls_oid_to_digest.3 #usr/share/man/man3/gnutls_oid_to_ecc_curve.3 +#usr/share/man/man3/gnutls_oid_to_gost_paramset.3 #usr/share/man/man3/gnutls_oid_to_mac.3 #usr/share/man/man3/gnutls_oid_to_pk.3 #usr/share/man/man3/gnutls_oid_to_sign.3 
@@ -393,9 +430,12 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_pcert_export_x509.3 #usr/share/man/man3/gnutls_pcert_import_openpgp.3 #usr/share/man/man3/gnutls_pcert_import_openpgp_raw.3 +#usr/share/man/man3/gnutls_pcert_import_rawpk.3 +#usr/share/man/man3/gnutls_pcert_import_rawpk_raw.3 #usr/share/man/man3/gnutls_pcert_import_x509.3 #usr/share/man/man3/gnutls_pcert_import_x509_list.3 #usr/share/man/man3/gnutls_pcert_import_x509_raw.3 +#usr/share/man/man3/gnutls_pcert_list_import_x509_file.3 #usr/share/man/man3/gnutls_pcert_list_import_x509_raw.3 #usr/share/man/man3/gnutls_pem_base64_decode.3 #usr/share/man/man3/gnutls_pem_base64_decode2.3 @@ -434,6 +474,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_pkcs11_obj_get_exts.3 #usr/share/man/man3/gnutls_pkcs11_obj_get_flags.3 #usr/share/man/man3/gnutls_pkcs11_obj_get_info.3 +#usr/share/man/man3/gnutls_pkcs11_obj_get_ptr.3 #usr/share/man/man3/gnutls_pkcs11_obj_get_type.3 #usr/share/man/man3/gnutls_pkcs11_obj_import_url.3 #usr/share/man/man3/gnutls_pkcs11_obj_init.3 @@ -457,9 +498,11 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_pkcs11_reinit.3 #usr/share/man/man3/gnutls_pkcs11_set_pin_function.3 #usr/share/man/man3/gnutls_pkcs11_set_token_function.3 +#usr/share/man/man3/gnutls_pkcs11_token_check_mechanism.3 #usr/share/man/man3/gnutls_pkcs11_token_get_flags.3 #usr/share/man/man3/gnutls_pkcs11_token_get_info.3 #usr/share/man/man3/gnutls_pkcs11_token_get_mechanism.3 +#usr/share/man/man3/gnutls_pkcs11_token_get_ptr.3 #usr/share/man/man3/gnutls_pkcs11_token_get_random.3 #usr/share/man/man3/gnutls_pkcs11_token_get_url.3 #usr/share/man/man3/gnutls_pkcs11_token_init.3 
@@ -529,12 +572,15 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_prf_raw.3 #usr/share/man/man3/gnutls_prf_rfc5705.3 #usr/share/man/man3/gnutls_priority_certificate_type_list.3 +#usr/share/man/man3/gnutls_priority_certificate_type_list2.3 #usr/share/man/man3/gnutls_priority_cipher_list.3 #usr/share/man/man3/gnutls_priority_compression_list.3 #usr/share/man/man3/gnutls_priority_deinit.3 #usr/share/man/man3/gnutls_priority_ecc_curve_list.3 #usr/share/man/man3/gnutls_priority_get_cipher_suite_index.3 +#usr/share/man/man3/gnutls_priority_group_list.3 #usr/share/man/man3/gnutls_priority_init.3 +#usr/share/man/man3/gnutls_priority_init2.3 #usr/share/man/man3/gnutls_priority_kx_list.3 #usr/share/man/man3/gnutls_priority_mac_list.3 #usr/share/man/man3/gnutls_priority_protocol_list.3 
@@ -543,23 +589,31 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_priority_sign_list.3 #usr/share/man/man3/gnutls_priority_string_list.3 #usr/share/man/man3/gnutls_privkey_decrypt_data.3 +#usr/share/man/man3/gnutls_privkey_decrypt_data2.3 #usr/share/man/man3/gnutls_privkey_deinit.3 #usr/share/man/man3/gnutls_privkey_export_dsa_raw.3 +#usr/share/man/man3/gnutls_privkey_export_dsa_raw2.3 #usr/share/man/man3/gnutls_privkey_export_ecc_raw.3 +#usr/share/man/man3/gnutls_privkey_export_ecc_raw2.3 +#usr/share/man/man3/gnutls_privkey_export_gost_raw2.3 #usr/share/man/man3/gnutls_privkey_export_openpgp.3 #usr/share/man/man3/gnutls_privkey_export_pkcs11.3 #usr/share/man/man3/gnutls_privkey_export_rsa_raw.3 +#usr/share/man/man3/gnutls_privkey_export_rsa_raw2.3 #usr/share/man/man3/gnutls_privkey_export_x509.3 #usr/share/man/man3/gnutls_privkey_generate.3 #usr/share/man/man3/gnutls_privkey_generate2.3 #usr/share/man/man3/gnutls_privkey_get_pk_algorithm.3 #usr/share/man/man3/gnutls_privkey_get_seed.3 +#usr/share/man/man3/gnutls_privkey_get_spki.3 #usr/share/man/man3/gnutls_privkey_get_type.3 #usr/share/man/man3/gnutls_privkey_import_dsa_raw.3 #usr/share/man/man3/gnutls_privkey_import_ecc_raw.3 #usr/share/man/man3/gnutls_privkey_import_ext.3 #usr/share/man/man3/gnutls_privkey_import_ext2.3 #usr/share/man/man3/gnutls_privkey_import_ext3.3 +#usr/share/man/man3/gnutls_privkey_import_ext4.3 +#usr/share/man/man3/gnutls_privkey_import_gost_raw.3 #usr/share/man/man3/gnutls_privkey_import_openpgp.3 #usr/share/man/man3/gnutls_privkey_import_openpgp_raw.3 #usr/share/man/man3/gnutls_privkey_import_pkcs11.3 
@@ -573,8 +627,11 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_privkey_init.3 #usr/share/man/man3/gnutls_privkey_set_flags.3 #usr/share/man/man3/gnutls_privkey_set_pin_function.3 +#usr/share/man/man3/gnutls_privkey_set_spki.3 #usr/share/man/man3/gnutls_privkey_sign_data.3 +#usr/share/man/man3/gnutls_privkey_sign_data2.3 #usr/share/man/man3/gnutls_privkey_sign_hash.3 +#usr/share/man/man3/gnutls_privkey_sign_hash2.3 #usr/share/man/man3/gnutls_privkey_status.3 #usr/share/man/man3/gnutls_privkey_verify_params.3 #usr/share/man/man3/gnutls_privkey_verify_seed.3 @@ -602,18 +659,24 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_pubkey_export.3 #usr/share/man/man3/gnutls_pubkey_export2.3 #usr/share/man/man3/gnutls_pubkey_export_dsa_raw.3 +#usr/share/man/man3/gnutls_pubkey_export_dsa_raw2.3 #usr/share/man/man3/gnutls_pubkey_export_ecc_raw.3 +#usr/share/man/man3/gnutls_pubkey_export_ecc_raw2.3 #usr/share/man/man3/gnutls_pubkey_export_ecc_x962.3 +#usr/share/man/man3/gnutls_pubkey_export_gost_raw2.3 #usr/share/man/man3/gnutls_pubkey_export_rsa_raw.3 +#usr/share/man/man3/gnutls_pubkey_export_rsa_raw2.3 #usr/share/man/man3/gnutls_pubkey_get_key_id.3 #usr/share/man/man3/gnutls_pubkey_get_key_usage.3 #usr/share/man/man3/gnutls_pubkey_get_openpgp_key_id.3 #usr/share/man/man3/gnutls_pubkey_get_pk_algorithm.3 #usr/share/man/man3/gnutls_pubkey_get_preferred_hash_algorithm.3 +#usr/share/man/man3/gnutls_pubkey_get_spki.3 #usr/share/man/man3/gnutls_pubkey_import.3 #usr/share/man/man3/gnutls_pubkey_import_dsa_raw.3 #usr/share/man/man3/gnutls_pubkey_import_ecc_raw.3 #usr/share/man/man3/gnutls_pubkey_import_ecc_x962.3 +#usr/share/man/man3/gnutls_pubkey_import_gost_raw.3 #usr/share/man/man3/gnutls_pubkey_import_openpgp.3 #usr/share/man/man3/gnutls_pubkey_import_openpgp_raw.3 #usr/share/man/man3/gnutls_pubkey_import_pkcs11.3 
@@ -629,11 +692,13 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_pubkey_print.3 #usr/share/man/man3/gnutls_pubkey_set_key_usage.3 #usr/share/man/man3/gnutls_pubkey_set_pin_function.3 +#usr/share/man/man3/gnutls_pubkey_set_spki.3 #usr/share/man/man3/gnutls_pubkey_verify_data2.3 #usr/share/man/man3/gnutls_pubkey_verify_hash2.3 #usr/share/man/man3/gnutls_pubkey_verify_params.3 #usr/share/man/man3/gnutls_random_art.3 #usr/share/man/man3/gnutls_range_split.3 +#usr/share/man/man3/gnutls_reauth.3 #usr/share/man/man3/gnutls_record_can_use_length_hiding.3 #usr/share/man/man3/gnutls_record_check_corked.3 #usr/share/man/man3/gnutls_record_check_pending.3 @@ -642,14 +707,19 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_record_discard_queued.3 #usr/share/man/man3/gnutls_record_get_direction.3 #usr/share/man/man3/gnutls_record_get_discarded.3 +#usr/share/man/man3/gnutls_record_get_max_early_data_size.3 #usr/share/man/man3/gnutls_record_get_max_size.3 #usr/share/man/man3/gnutls_record_get_state.3 #usr/share/man/man3/gnutls_record_overhead_size.3 #usr/share/man/man3/gnutls_record_recv.3 +#usr/share/man/man3/gnutls_record_recv_early_data.3 #usr/share/man/man3/gnutls_record_recv_packet.3 #usr/share/man/man3/gnutls_record_recv_seq.3 #usr/share/man/man3/gnutls_record_send.3 +#usr/share/man/man3/gnutls_record_send2.3 +#usr/share/man/man3/gnutls_record_send_early_data.3 #usr/share/man/man3/gnutls_record_send_range.3 +#usr/share/man/man3/gnutls_record_set_max_early_data_size.3 #usr/share/man/man3/gnutls_record_set_max_size.3 #usr/share/man/man3/gnutls_record_set_state.3 #usr/share/man/man3/gnutls_record_set_timeout.3 
@@ -681,6 +751,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_session_get_random.3 #usr/share/man/man3/gnutls_session_get_verify_cert_status.3 #usr/share/man/man3/gnutls_session_is_resumed.3 +#usr/share/man/man3/gnutls_session_key_update.3 #usr/share/man/man3/gnutls_session_resumption_requested.3 #usr/share/man/man3/gnutls_session_set_data.3 #usr/share/man/man3/gnutls_session_set_id.3 @@ -693,7 +764,9 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_session_ticket_enable_client.3 #usr/share/man/man3/gnutls_session_ticket_enable_server.3 #usr/share/man/man3/gnutls_session_ticket_key_generate.3 +#usr/share/man/man3/gnutls_session_ticket_send.3 #usr/share/man/man3/gnutls_set_default_priority.3 +#usr/share/man/man3/gnutls_set_default_priority_append.3 #usr/share/man/man3/gnutls_sign_algorithm_get.3 #usr/share/man/man3/gnutls_sign_algorithm_get_client.3 #usr/share/man/man3/gnutls_sign_algorithm_get_requested.3 @@ -703,7 +776,9 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_sign_get_oid.3 #usr/share/man/man3/gnutls_sign_get_pk_algorithm.3 #usr/share/man/man3/gnutls_sign_is_secure.3 +#usr/share/man/man3/gnutls_sign_is_secure2.3 #usr/share/man/man3/gnutls_sign_list.3 +#usr/share/man/man3/gnutls_sign_supports_pk_algorithm.3 #usr/share/man/man3/gnutls_srp_allocate_client_credentials.3 #usr/share/man/man3/gnutls_srp_allocate_server_credentials.3 #usr/share/man/man3/gnutls_srp_base64_decode.3 @@ -858,6 +933,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crq_get_private_key_usage_period.3 #usr/share/man/man3/gnutls_x509_crq_get_signature_algorithm.3 #usr/share/man/man3/gnutls_x509_crq_get_signature_oid.3 +#usr/share/man/man3/gnutls_x509_crq_get_spki.3 #usr/share/man/man3/gnutls_x509_crq_get_subject_alt_name.3 #usr/share/man/man3/gnutls_x509_crq_get_subject_alt_othername_oid.3 #usr/share/man/man3/gnutls_x509_crq_get_tlsfeatures.3 
@@ -878,6 +954,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crq_set_key_usage.3 #usr/share/man/man3/gnutls_x509_crq_set_private_key_usage_period.3 #usr/share/man/man3/gnutls_x509_crq_set_pubkey.3 +#usr/share/man/man3/gnutls_x509_crq_set_spki.3 #usr/share/man/man3/gnutls_x509_crq_set_subject_alt_name.3 #usr/share/man/man3/gnutls_x509_crq_set_subject_alt_othername.3 #usr/share/man/man3/gnutls_x509_crq_set_tlsfeatures.3 @@ -888,6 +965,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crt_check_email.3 #usr/share/man/man3/gnutls_x509_crt_check_hostname.3 #usr/share/man/man3/gnutls_x509_crt_check_hostname2.3 +#usr/share/man/man3/gnutls_x509_crt_check_ip.3 #usr/share/man/man3/gnutls_x509_crt_check_issuer.3 #usr/share/man/man3/gnutls_x509_crt_check_key_purpose.3 #usr/share/man/man3/gnutls_x509_crt_check_revocation.3 @@ -917,6 +995,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crt_get_extension_info.3 #usr/share/man/man3/gnutls_x509_crt_get_extension_oid.3 #usr/share/man/man3/gnutls_x509_crt_get_fingerprint.3 +#usr/share/man/man3/gnutls_x509_crt_get_inhibit_anypolicy.3 #usr/share/man/man3/gnutls_x509_crt_get_issuer.3 #usr/share/man/man3/gnutls_x509_crt_get_issuer_alt_name.3 #usr/share/man/man3/gnutls_x509_crt_get_issuer_alt_name2.3 @@ -934,6 +1013,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crt_get_pk_algorithm.3 #usr/share/man/man3/gnutls_x509_crt_get_pk_dsa_raw.3 #usr/share/man/man3/gnutls_x509_crt_get_pk_ecc_raw.3 +#usr/share/man/man3/gnutls_x509_crt_get_pk_gost_raw.3 #usr/share/man/man3/gnutls_x509_crt_get_pk_oid.3 #usr/share/man/man3/gnutls_x509_crt_get_pk_rsa_raw.3 #usr/share/man/man3/gnutls_x509_crt_get_policy.3 
@@ -946,6 +1026,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crt_get_signature.3 #usr/share/man/man3/gnutls_x509_crt_get_signature_algorithm.3 #usr/share/man/man3/gnutls_x509_crt_get_signature_oid.3 +#usr/share/man/man3/gnutls_x509_crt_get_spki.3 #usr/share/man/man3/gnutls_x509_crt_get_subject.3 #usr/share/man/man3/gnutls_x509_crt_get_subject_alt_name.3 #usr/share/man/man3/gnutls_x509_crt_get_subject_alt_name2.3 @@ -961,6 +1042,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crt_list_import.3 #usr/share/man/man3/gnutls_x509_crt_list_import2.3 #usr/share/man/man3/gnutls_x509_crt_list_import_pkcs11.3 +#usr/share/man/man3/gnutls_x509_crt_list_import_url.3 #usr/share/man/man3/gnutls_x509_crt_list_verify.3 #usr/share/man/man3/gnutls_x509_crt_print.3 #usr/share/man/man3/gnutls_x509_crt_privkey_sign.3 @@ -978,6 +1060,8 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crt_set_dn_by_oid.3 #usr/share/man/man3/gnutls_x509_crt_set_expiration_time.3 #usr/share/man/man3/gnutls_x509_crt_set_extension_by_oid.3 +#usr/share/man/man3/gnutls_x509_crt_set_flags.3 +#usr/share/man/man3/gnutls_x509_crt_set_inhibit_anypolicy.3 #usr/share/man/man3/gnutls_x509_crt_set_issuer_alt_name.3 #usr/share/man/man3/gnutls_x509_crt_set_issuer_alt_othername.3 #usr/share/man/man3/gnutls_x509_crt_set_issuer_dn.3 @@ -994,6 +1078,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_crt_set_proxy_dn.3 #usr/share/man/man3/gnutls_x509_crt_set_pubkey.3 #usr/share/man/man3/gnutls_x509_crt_set_serial.3 +#usr/share/man/man3/gnutls_x509_crt_set_spki.3 #usr/share/man/man3/gnutls_x509_crt_set_subject_alt_name.3 #usr/share/man/man3/gnutls_x509_crt_set_subject_alt_othername.3 #usr/share/man/man3/gnutls_x509_crt_set_subject_alternative_name.3 
@@ -1021,6 +1106,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_ext_export_authority_key_id.3 #usr/share/man/man3/gnutls_x509_ext_export_basic_constraints.3 #usr/share/man/man3/gnutls_x509_ext_export_crl_dist_points.3 +#usr/share/man/man3/gnutls_x509_ext_export_inhibit_anypolicy.3 #usr/share/man/man3/gnutls_x509_ext_export_key_purposes.3 #usr/share/man/man3/gnutls_x509_ext_export_key_usage.3 #usr/share/man/man3/gnutls_x509_ext_export_name_constraints.3 @@ -1034,6 +1120,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_ext_import_authority_key_id.3 #usr/share/man/man3/gnutls_x509_ext_import_basic_constraints.3 #usr/share/man/man3/gnutls_x509_ext_import_crl_dist_points.3 +#usr/share/man/man3/gnutls_x509_ext_import_inhibit_anypolicy.3 #usr/share/man/man3/gnutls_x509_ext_import_key_purposes.3 #usr/share/man/man3/gnutls_x509_ext_import_key_usage.3 #usr/share/man/man3/gnutls_x509_ext_import_name_constraints.3 @@ -1069,6 +1156,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_privkey_export2_pkcs8.3 #usr/share/man/man3/gnutls_x509_privkey_export_dsa_raw.3 #usr/share/man/man3/gnutls_x509_privkey_export_ecc_raw.3 +#usr/share/man/man3/gnutls_x509_privkey_export_gost_raw.3 #usr/share/man/man3/gnutls_x509_privkey_export_pkcs8.3 #usr/share/man/man3/gnutls_x509_privkey_export_rsa_raw.3 #usr/share/man/man3/gnutls_x509_privkey_export_rsa_raw2.3 
@@ -1079,10 +1167,12 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_privkey_get_pk_algorithm.3 #usr/share/man/man3/gnutls_x509_privkey_get_pk_algorithm2.3 #usr/share/man/man3/gnutls_x509_privkey_get_seed.3 +#usr/share/man/man3/gnutls_x509_privkey_get_spki.3 #usr/share/man/man3/gnutls_x509_privkey_import.3 #usr/share/man/man3/gnutls_x509_privkey_import2.3 #usr/share/man/man3/gnutls_x509_privkey_import_dsa_raw.3 #usr/share/man/man3/gnutls_x509_privkey_import_ecc_raw.3 +#usr/share/man/man3/gnutls_x509_privkey_import_gost_raw.3 #usr/share/man/man3/gnutls_x509_privkey_import_openssl.3 #usr/share/man/man3/gnutls_x509_privkey_import_pkcs8.3 #usr/share/man/man3/gnutls_x509_privkey_import_rsa_raw.3 @@ -1091,6 +1181,7 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_privkey_sec_param.3 #usr/share/man/man3/gnutls_x509_privkey_set_flags.3 #usr/share/man/man3/gnutls_x509_privkey_set_pin_function.3 +#usr/share/man/man3/gnutls_x509_privkey_set_spki.3 #usr/share/man/man3/gnutls_x509_privkey_sign_data.3 #usr/share/man/man3/gnutls_x509_privkey_sign_hash.3 #usr/share/man/man3/gnutls_x509_privkey_verify_params.3 @@ -1099,6 +1190,10 @@ usr/lib/libgnutlsxx.so.28.1.0 #usr/share/man/man3/gnutls_x509_rdn_get2.3 #usr/share/man/man3/gnutls_x509_rdn_get_by_oid.3 #usr/share/man/man3/gnutls_x509_rdn_get_oid.3 +#usr/share/man/man3/gnutls_x509_spki_deinit.3 +#usr/share/man/man3/gnutls_x509_spki_get_rsa_pss_params.3 +#usr/share/man/man3/gnutls_x509_spki_init.3 +#usr/share/man/man3/gnutls_x509_spki_set_rsa_pss_params.3 #usr/share/man/man3/gnutls_x509_tlsfeatures_add.3 #usr/share/man/man3/gnutls_x509_tlsfeatures_check_crt.3 #usr/share/man/man3/gnutls_x509_tlsfeatures_deinit.3 diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 6f9868ec3..07a123a48 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts 
@@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns @@ -75,10 +75,10 @@ etc/rc.d/init.d/rngd etc/rc.d/init.d/sendsignals etc/rc.d/init.d/setclock etc/rc.d/init.d/smartenabler -etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/sysctl etc/rc.d/init.d/sysklogd @@ -104,7 +104,7 @@ etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat etc/rc.d/rc0.d/K77conntrackd -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -157,7 +157,7 @@ etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat etc/rc.d/rc6.d/K77conntrackd -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/config/rootfiles/common/i586/linux b/config/rootfiles/common/i586/linux index 88d1a7396..cb4a972f3 100644 --- a/config/rootfiles/common/i586/linux +++ b/config/rootfiles/common/i586/linux @@ -2352,7 +2352,6 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/drivers/tty/cyclades.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/n_gsm.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/n_hdlc.ko.xz -#lib/modules/KVER-ipfire/kernel/drivers/tty/n_r3964.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/nozomi.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/rocket.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/serial 
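Review bot: In config/rootfiles/common/i586/initscripts the red.up hook is renamed from `23-RS-snort` to `23-suricata`, which drops the `RS-` prefix that the neighbouring `24-RS-qos` and `27-RS-squid` entries keep. If the prefix is a naming convention for these hooks, call the new file `23-RS-suricata`; if the change is deliberate, say so in the commit message. Please also confirm that the update removes `etc/rc.d/init.d/snort` and the `K78snort` links in rc0.d and rc6.d from systems that already have them, since this rootfile only stops listing them.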
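Review bot: The only change to config/rootfiles/common/i586/linux is the removal of `#lib/modules/KVER-ipfire/kernel/drivers/tty/n_r3964.ko.xz`, and nothing in the visible diff says why the module is no longer built. State the reason in the commit message (for example a kernel configuration change), and check that any other architecture's linux rootfile that lists this module is updated in the same commit so the rootfiles do not drift apart.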
diff --git a/config/rootfiles/common/ids-ruleset-sources b/config/rootfiles/common/ids-ruleset-sources new file mode 100644 index 000000000..698fd1268 --- /dev/null +++ b/config/rootfiles/common/ids-ruleset-sources @@ -0,0 +1 @@ +var/ipfire/suricata/ruleset-sources diff --git a/config/rootfiles/common/libcap-ng b/config/rootfiles/common/libcap-ng new file mode 100644 index 000000000..9c0b5e156 --- /dev/null +++ b/config/rootfiles/common/libcap-ng 
@@ -0,0 +1,44 @@ +#usr/bin/captest +#usr/bin/filecap +#usr/bin/netcap +#usr/bin/pscap +#usr/include/cap-ng.h +#usr/lib/libcap-ng.la +#usr/lib/libcap-ng.so +usr/lib/libcap-ng.so.0 +usr/lib/libcap-ng.so.0.0.0 +#usr/lib/pkgconfig/libcap-ng.pc +#usr/lib/python2.7/site-packages/_capng.la +#usr/lib/python2.7/site-packages/_capng.so +#usr/lib/python2.7/site-packages/capng.py +#usr/lib/python2.7/site-packages/capng.pyc +#usr/lib/python2.7/site-packages/capng.pyo +#usr/lib/python3.6/site-packages/__pycache__/capng.cpython-36.opt-1.pyc +#usr/lib/python3.6/site-packages/__pycache__/capng.cpython-36.pyc +#usr/lib/python3.6/site-packages/_capng.la +#usr/lib/python3.6/site-packages/_capng.so +#usr/lib/python3.6/site-packages/capng.py +#usr/share/aclocal/cap-ng.m4 +#usr/share/man/man3/capng_apply.3 +#usr/share/man/man3/capng_capability_to_name.3 +#usr/share/man/man3/capng_change_id.3 +#usr/share/man/man3/capng_clear.3 +#usr/share/man/man3/capng_fill.3 +#usr/share/man/man3/capng_get_caps_fd.3 +#usr/share/man/man3/capng_get_caps_process.3 +#usr/share/man/man3/capng_have_capabilities.3 +#usr/share/man/man3/capng_have_capability.3 +#usr/share/man/man3/capng_lock.3 +#usr/share/man/man3/capng_name_to_capability.3 +#usr/share/man/man3/capng_print_caps_numeric.3 +#usr/share/man/man3/capng_print_caps_text.3 +#usr/share/man/man3/capng_restore_state.3 +#usr/share/man/man3/capng_save_state.3 +#usr/share/man/man3/capng_set_caps_fd.3 +#usr/share/man/man3/capng_setpid.3 +#usr/share/man/man3/capng_update.3 +#usr/share/man/man3/capng_updatev.3 +#usr/share/man/man8/captest.8 +#usr/share/man/man8/filecap.8 +#usr/share/man/man8/netcap.8 +#usr/share/man/man8/pscap.8 diff --git a/config/rootfiles/common/libhtp b/config/rootfiles/common/libhtp new file mode 100644 index 000000000..9211ea713 --- /dev/null +++ b/config/rootfiles/common/libhtp 
@@ -0,0 +1,22 @@ +#usr/include/htp +#usr/include/htp/bstr.h +#usr/include/htp/bstr_builder.h +#usr/include/htp/htp.h +#usr/include/htp/htp_base64.h +#usr/include/htp/htp_config.h +#usr/include/htp/htp_connection_parser.h +#usr/include/htp/htp_core.h +#usr/include/htp/htp_decompressors.h +#usr/include/htp/htp_hooks.h +#usr/include/htp/htp_list.h +#usr/include/htp/htp_multipart.h +#usr/include/htp/htp_table.h +#usr/include/htp/htp_transaction.h +#usr/include/htp/htp_urlencoded.h +#usr/include/htp/htp_utf8_decoder.h +#usr/include/htp/htp_version.h +#usr/lib/libhtp.la +#usr/lib/libhtp.so +usr/lib/libhtp.so.2 +usr/lib/libhtp.so.2.0.0 +#usr/lib/pkgconfig/htp.pc diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 789179513..c48a474b2 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -26,8 +26,8 @@ usr/local/bin/redctrl #usr/local/bin/sambactrl usr/local/bin/setaliases usr/local/bin/smartctrl -usr/local/bin/snortctrl usr/local/bin/squidctrl +usr/local/bin/suricatactrl usr/local/bin/sshctrl usr/local/bin/syslogdctrl usr/local/bin/timectrl diff --git a/config/rootfiles/common/nettle b/config/rootfiles/common/nettle index 3f23cb70a..d3621683c 100644 --- a/config/rootfiles/common/nettle +++ b/config/rootfiles/common/nettle @@ -17,6 +17,7 @@ #usr/include/nettle/cast128.h #usr/include/nettle/cbc.h #usr/include/nettle/ccm.h +#usr/include/nettle/cfb.h #usr/include/nettle/chacha-poly1305.h #usr/include/nettle/chacha.h #usr/include/nettle/ctr.h @@ -32,6 +33,7 @@ #usr/include/nettle/eddsa.h #usr/include/nettle/gcm.h #usr/include/nettle/gosthash94.h +#usr/include/nettle/hkdf.h #usr/include/nettle/hmac.h #usr/include/nettle/knuth-lfib.h #usr/include/nettle/macros.h 
@@ -48,6 +50,8 @@ #usr/include/nettle/pgp.h #usr/include/nettle/pkcs1.h #usr/include/nettle/poly1305.h +#usr/include/nettle/pss-mgf1.h +#usr/include/nettle/pss.h #usr/include/nettle/realloc.h #usr/include/nettle/ripemd160.h #usr/include/nettle/rsa.h @@ -64,9 +68,9 @@ #usr/include/nettle/yarrow.h usr/lib/libhogweed.so usr/lib/libhogweed.so.4 -usr/lib/libhogweed.so.4.3 +usr/lib/libhogweed.so.4.5 #usr/lib/libnettle.so usr/lib/libnettle.so.6 -usr/lib/libnettle.so.6.3 +usr/lib/libnettle.so.6.5 #usr/lib/pkgconfig/hogweed.pc #usr/lib/pkgconfig/nettle.pc diff --git a/config/rootfiles/common/oinkmaster b/config/rootfiles/common/oinkmaster index be14b54d6..2557353fa 100644 --- a/config/rootfiles/common/oinkmaster +++ b/config/rootfiles/common/oinkmaster @@ -1,2 +1,2 @@ usr/local/bin/oinkmaster.pl -var/ipfire/snort/oinkmaster.conf +var/ipfire/suricata/oinkmaster.conf diff --git a/config/rootfiles/common/rrdtool b/config/rootfiles/common/rrdtool index 4254b2ec9..9edf10c01 100644 --- a/config/rootfiles/common/rrdtool +++ b/config/rootfiles/common/rrdtool @@ -11,7 +11,7 @@ usr/bin/rrdupdate #usr/lib/librrd.la #usr/lib/librrd.so usr/lib/librrd.so.8 -usr/lib/librrd.so.8.0.0 +usr/lib/librrd.so.8.2.0 usr/lib/perl5/site_perl/5.12.3/RRDp.pm usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/RRDs.pm #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDp 
@@ -21,105 +21,114 @@ usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/RRDs.pm #usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDs/RRDs.bs usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDs/RRDs.so #usr/lib/pkgconfig/librrd.pc -#usr/share/doc/rrdtool-1.6.0 -#usr/share/doc/rrdtool-1.6.0/html -#usr/share/doc/rrdtool-1.6.0/html/RRDp.html -#usr/share/doc/rrdtool-1.6.0/html/RRDs.html -#usr/share/doc/rrdtool-1.6.0/html/bin_dec_hex.html -#usr/share/doc/rrdtool-1.6.0/html/cdeftutorial.html -#usr/share/doc/rrdtool-1.6.0/html/index.html -#usr/share/doc/rrdtool-1.6.0/html/librrd.html -#usr/share/doc/rrdtool-1.6.0/html/rpntutorial.html -#usr/share/doc/rrdtool-1.6.0/html/rrd-beginners.html -#usr/share/doc/rrdtool-1.6.0/html/rrdbuild.html -#usr/share/doc/rrdtool-1.6.0/html/rrdcached.html -#usr/share/doc/rrdtool-1.6.0/html/rrdcgi.html -#usr/share/doc/rrdtool-1.6.0/html/rrdcreate.html -#usr/share/doc/rrdtool-1.6.0/html/rrddump.html -#usr/share/doc/rrdtool-1.6.0/html/rrdfetch.html -#usr/share/doc/rrdtool-1.6.0/html/rrdfirst.html -#usr/share/doc/rrdtool-1.6.0/html/rrdflushcached.html -#usr/share/doc/rrdtool-1.6.0/html/rrdgraph.html -#usr/share/doc/rrdtool-1.6.0/html/rrdgraph_data.html -#usr/share/doc/rrdtool-1.6.0/html/rrdgraph_examples.html -#usr/share/doc/rrdtool-1.6.0/html/rrdgraph_graph.html -#usr/share/doc/rrdtool-1.6.0/html/rrdgraph_rpn.html -#usr/share/doc/rrdtool-1.6.0/html/rrdinfo.html -#usr/share/doc/rrdtool-1.6.0/html/rrdlast.html -#usr/share/doc/rrdtool-1.6.0/html/rrdlastupdate.html -#usr/share/doc/rrdtool-1.6.0/html/rrdlua.html -#usr/share/doc/rrdtool-1.6.0/html/rrdresize.html -#usr/share/doc/rrdtool-1.6.0/html/rrdrestore.html -#usr/share/doc/rrdtool-1.6.0/html/rrdthreads.html -#usr/share/doc/rrdtool-1.6.0/html/rrdtool.html -#usr/share/doc/rrdtool-1.6.0/html/rrdtune.html -#usr/share/doc/rrdtool-1.6.0/html/rrdtutorial.html -#usr/share/doc/rrdtool-1.6.0/html/rrdupdate.html -#usr/share/doc/rrdtool-1.6.0/html/rrdxport.html 
-#usr/share/doc/rrdtool-1.6.0/txt -#usr/share/doc/rrdtool-1.6.0/txt/bin_dec_hex.pod -#usr/share/doc/rrdtool-1.6.0/txt/bin_dec_hex.txt -#usr/share/doc/rrdtool-1.6.0/txt/cdeftutorial.pod -#usr/share/doc/rrdtool-1.6.0/txt/cdeftutorial.txt -#usr/share/doc/rrdtool-1.6.0/txt/librrd.txt -#usr/share/doc/rrdtool-1.6.0/txt/rpntutorial.pod -#usr/share/doc/rrdtool-1.6.0/txt/rpntutorial.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrd-beginners.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrd-beginners.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdbuild.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdbuild.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdcached.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdcached.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdcgi.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdcgi.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdcreate.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdcreate.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrddump.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrddump.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdfetch.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdfetch.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdfirst.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdfirst.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdflushcached.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdflushcached.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_data.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_data.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_examples.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_examples.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_graph.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_graph.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_rpn.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdgraph_rpn.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdinfo.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdinfo.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdlast.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdlast.txt 
-#usr/share/doc/rrdtool-1.6.0/txt/rrdlastupdate.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdlastupdate.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdlua.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdlua.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdresize.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdresize.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdrestore.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdrestore.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdthreads.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdthreads.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdtool.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdtool.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdtune.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdtune.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdtutorial.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdtutorial.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdupdate.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdupdate.txt -#usr/share/doc/rrdtool-1.6.0/txt/rrdxport.pod -#usr/share/doc/rrdtool-1.6.0/txt/rrdxport.txt +#usr/share/doc/rrdtool-1.7.1 +#usr/share/doc/rrdtool-1.7.1/html +#usr/share/doc/rrdtool-1.7.1/html/RRDp.html +#usr/share/doc/rrdtool-1.7.1/html/RRDs.html +#usr/share/doc/rrdtool-1.7.1/html/bin_dec_hex.html +#usr/share/doc/rrdtool-1.7.1/html/cdeftutorial.html +#usr/share/doc/rrdtool-1.7.1/html/index.html +#usr/share/doc/rrdtool-1.7.1/html/librrd.html +#usr/share/doc/rrdtool-1.7.1/html/rpntutorial.html +#usr/share/doc/rrdtool-1.7.1/html/rrd-beginners.html +#usr/share/doc/rrdtool-1.7.1/html/rrd_pdpcalc.html +#usr/share/doc/rrdtool-1.7.1/html/rrdbuild.html +#usr/share/doc/rrdtool-1.7.1/html/rrdcached.html +#usr/share/doc/rrdtool-1.7.1/html/rrdcgi.html +#usr/share/doc/rrdtool-1.7.1/html/rrdcreate.html +#usr/share/doc/rrdtool-1.7.1/html/rrddump.html +#usr/share/doc/rrdtool-1.7.1/html/rrdfetch.html +#usr/share/doc/rrdtool-1.7.1/html/rrdfirst.html +#usr/share/doc/rrdtool-1.7.1/html/rrdflushcached.html +#usr/share/doc/rrdtool-1.7.1/html/rrdgraph.html +#usr/share/doc/rrdtool-1.7.1/html/rrdgraph_data.html 
+#usr/share/doc/rrdtool-1.7.1/html/rrdgraph_examples.html +#usr/share/doc/rrdtool-1.7.1/html/rrdgraph_graph.html +#usr/share/doc/rrdtool-1.7.1/html/rrdgraph_rpn.html +#usr/share/doc/rrdtool-1.7.1/html/rrdinfo.html +#usr/share/doc/rrdtool-1.7.1/html/rrdlast.html +#usr/share/doc/rrdtool-1.7.1/html/rrdlastupdate.html +#usr/share/doc/rrdtool-1.7.1/html/rrdlist.html +#usr/share/doc/rrdtool-1.7.1/html/rrdlua.html +#usr/share/doc/rrdtool-1.7.1/html/rrdresize.html +#usr/share/doc/rrdtool-1.7.1/html/rrdrestore.html +#usr/share/doc/rrdtool-1.7.1/html/rrdthreads.html +#usr/share/doc/rrdtool-1.7.1/html/rrdtool.html +#usr/share/doc/rrdtool-1.7.1/html/rrdtune.html +#usr/share/doc/rrdtool-1.7.1/html/rrdtutorial.html +#usr/share/doc/rrdtool-1.7.1/html/rrdupdate.html +#usr/share/doc/rrdtool-1.7.1/html/rrdxport.html +#usr/share/doc/rrdtool-1.7.1/txt +#usr/share/doc/rrdtool-1.7.1/txt/bin_dec_hex.pod +#usr/share/doc/rrdtool-1.7.1/txt/bin_dec_hex.txt +#usr/share/doc/rrdtool-1.7.1/txt/cdeftutorial.pod +#usr/share/doc/rrdtool-1.7.1/txt/cdeftutorial.txt +#usr/share/doc/rrdtool-1.7.1/txt/librrd.txt +#usr/share/doc/rrdtool-1.7.1/txt/rpntutorial.pod +#usr/share/doc/rrdtool-1.7.1/txt/rpntutorial.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrd-beginners.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrd-beginners.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrd_pdpcalc.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrd_pdpcalc.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdbuild.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdbuild.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdcached.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdcached.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdcgi.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdcgi.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdcreate.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdcreate.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrddump.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrddump.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdfetch.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdfetch.txt 
+#usr/share/doc/rrdtool-1.7.1/txt/rrdfirst.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdfirst.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdflushcached.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdflushcached.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_data.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_data.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_examples.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_examples.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_graph.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_graph.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_rpn.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdgraph_rpn.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdinfo.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdinfo.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdlast.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdlast.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdlastupdate.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdlastupdate.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdlist.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdlist.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdlua.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdlua.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdresize.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdresize.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdrestore.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdrestore.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdthreads.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdthreads.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdtool.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdtool.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdtune.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdtune.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdtutorial.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdtutorial.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdupdate.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdupdate.txt +#usr/share/doc/rrdtool-1.7.1/txt/rrdxport.pod +#usr/share/doc/rrdtool-1.7.1/txt/rrdxport.txt +#usr/share/locale/fr/LC_MESSAGES/rrdtool.mo 
+#usr/share/locale/hu/LC_MESSAGES/rrdtool.mo #usr/share/man/man1/bin_dec_hex.1 #usr/share/man/man1/cdeftutorial.1 #usr/share/man/man1/rpntutorial.1 #usr/share/man/man1/rrd-beginners.1 +#usr/share/man/man1/rrd_pdpcalc.1 #usr/share/man/man1/rrdbuild.1 #usr/share/man/man1/rrdcached.1 #usr/share/man/man1/rrdcgi.1 @@ -136,7 +145,7 @@ usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDs/RRDs.so #usr/share/man/man1/rrdinfo.1 #usr/share/man/man1/rrdlast.1 #usr/share/man/man1/rrdlastupdate.1 -#usr/share/man/man1/rrdlua.1 +#usr/share/man/man1/rrdlist.1 #usr/share/man/man1/rrdresize.1 #usr/share/man/man1/rrdrestore.1 #usr/share/man/man1/rrdthreads.1 @@ -163,3 +172,5 @@ usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/RRDs/RRDs.so #usr/share/rrdtool/examples/stripes.pl #usr/share/rrdtool/examples/stripes.py var/log/rrd +usr/lib/collectd/rrdcached.so +usr/lib/collectd/rrdtool.so diff --git a/config/rootfiles/common/snort b/config/rootfiles/common/snort deleted file mode 100644 index c83b15697..000000000 --- a/config/rootfiles/common/snort +++ /dev/null 
@@ -1,235 +0,0 @@ -#etc/snort -etc/snort/rules -#etc/snort/rules/classification.config -#etc/snort/rules/reference.config -etc/snort/snort.conf -etc/snort/snort.conf.template -etc/snort/unicode.map -usr/bin/u2boat -usr/bin/u2spewfoo -#usr/include/snort -#usr/include/snort/dynamic_output -#usr/include/snort/dynamic_output/bitop.h -#usr/include/snort/dynamic_output/ipv6_port.h -#usr/include/snort/dynamic_output/obfuscation.h -#usr/include/snort/dynamic_output/output_api.h -#usr/include/snort/dynamic_output/output_common.h -#usr/include/snort/dynamic_output/output_lib.h -#usr/include/snort/dynamic_output/preprocids.h -#usr/include/snort/dynamic_output/sfPolicy.h -#usr/include/snort/dynamic_output/sf_dynamic_common.h -#usr/include/snort/dynamic_output/sf_ip.h -#usr/include/snort/dynamic_output/sf_protocols.h -#usr/include/snort/dynamic_output/sf_snort_packet.h -#usr/include/snort/dynamic_output/sfrt.h -#usr/include/snort/dynamic_output/sfrt_dir.h -#usr/include/snort/dynamic_output/sfrt_trie.h -#usr/include/snort/dynamic_output/snort_debug.h -#usr/include/snort/dynamic_output/stream_api.h -#usr/include/snort/dynamic_preproc -#usr/include/snort/dynamic_preproc/appdata_adjuster.h -#usr/include/snort/dynamic_preproc/bitop.h -#usr/include/snort/dynamic_preproc/cpuclock.h -#usr/include/snort/dynamic_preproc/file_api.h -#usr/include/snort/dynamic_preproc/idle_processing.h -#usr/include/snort/dynamic_preproc/ipv6_port.h -#usr/include/snort/dynamic_preproc/mempool.h -#usr/include/snort/dynamic_preproc/mpse_methods.h -#usr/include/snort/dynamic_preproc/obfuscation.h -#usr/include/snort/dynamic_preproc/packet_time.h -#usr/include/snort/dynamic_preproc/perf_indicators.h -#usr/include/snort/dynamic_preproc/preprocids.h -#usr/include/snort/dynamic_preproc/profiler.h -#usr/include/snort/dynamic_preproc/reg_test.h -#usr/include/snort/dynamic_preproc/reload_api.h -#usr/include/snort/dynamic_preproc/segment_mem.h -#usr/include/snort/dynamic_preproc/session_api.h 
-#usr/include/snort/dynamic_preproc/sfPolicy.h -#usr/include/snort/dynamic_preproc/sfPolicyUserData.h -#usr/include/snort/dynamic_preproc/sf_decompression.h -#usr/include/snort/dynamic_preproc/sf_dynamic_common.h -#usr/include/snort/dynamic_preproc/sf_dynamic_define.h -#usr/include/snort/dynamic_preproc/sf_dynamic_engine.h -#usr/include/snort/dynamic_preproc/sf_dynamic_meta.h -#usr/include/snort/dynamic_preproc/sf_dynamic_preproc_lib.h -#usr/include/snort/dynamic_preproc/sf_dynamic_preprocessor.h -#usr/include/snort/dynamic_preproc/sf_ip.h -#usr/include/snort/dynamic_preproc/sf_preproc_info.h -#usr/include/snort/dynamic_preproc/sf_protocols.h -#usr/include/snort/dynamic_preproc/sf_sdlist_types.h -#usr/include/snort/dynamic_preproc/sf_seqnums.h -#usr/include/snort/dynamic_preproc/sf_snort_packet.h -#usr/include/snort/dynamic_preproc/sf_snort_plugin_api.h -#usr/include/snort/dynamic_preproc/sfcommon.h -#usr/include/snort/dynamic_preproc/sfcontrol.h -#usr/include/snort/dynamic_preproc/sfrt.h -#usr/include/snort/dynamic_preproc/sfrt_dir.h -#usr/include/snort/dynamic_preproc/sfrt_flat.h -#usr/include/snort/dynamic_preproc/sfrt_flat_dir.h -#usr/include/snort/dynamic_preproc/sfrt_trie.h -#usr/include/snort/dynamic_preproc/sidechannel_define.h -#usr/include/snort/dynamic_preproc/snort_bounds.h -#usr/include/snort/dynamic_preproc/snort_debug.h -#usr/include/snort/dynamic_preproc/ssl.h -#usr/include/snort/dynamic_preproc/ssl_config.h -#usr/include/snort/dynamic_preproc/ssl_ha.h -#usr/include/snort/dynamic_preproc/ssl_include.h -#usr/include/snort/dynamic_preproc/ssl_inspect.h -#usr/include/snort/dynamic_preproc/ssl_session.h -#usr/include/snort/dynamic_preproc/str_search.h -#usr/include/snort/dynamic_preproc/stream_api.h -#usr/lib/pkgconfig/snort.pc -#usr/lib/pkgconfig/snort_output.pc -#usr/lib/pkgconfig/snort_preproc.pc -#usr/lib/snort -usr/lib/snort/dynamic_output -#usr/lib/snort/dynamic_output/libsf_dynamic_output.a -#usr/lib/snort/dynamic_output/libsf_dynamic_output.la 
-usr/lib/snort/dynamic_preproc -#usr/lib/snort/dynamic_preproc/libsf_dynamic_preproc.a -#usr/lib/snort/dynamic_preproc/libsf_dynamic_preproc.la -#usr/lib/snort/dynamic_preproc/libsf_dynamic_utils.a -#usr/lib/snort/dynamic_preproc/libsf_dynamic_utils.la -usr/lib/snort_dynamicengine -#usr/lib/snort_dynamicengine/libsf_engine.a -#usr/lib/snort_dynamicengine/libsf_engine.la -#usr/lib/snort_dynamicengine/libsf_engine.so -#usr/lib/snort_dynamicengine/libsf_engine.so.0 -#usr/lib/snort_dynamicengine/libsf_engine.so.0.0.0 -usr/lib/snort_dynamicpreprocessor -#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so.0 
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la 
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0.0.0 -#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.a -#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la -#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so -#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0 -#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0.0.0 -usr/sbin/snort -#usr/share/doc/snort -#usr/share/doc/snort/AUTHORS -#usr/share/doc/snort/BUGS -#usr/share/doc/snort/CREDITS -#usr/share/doc/snort/INSTALL -#usr/share/doc/snort/NEWS -#usr/share/doc/snort/OpenDetectorDeveloperGuide.pdf -#usr/share/doc/snort/PROBLEMS -#usr/share/doc/snort/README -#usr/share/doc/snort/README.GTP -#usr/share/doc/snort/README.PLUGINS -#usr/share/doc/snort/README.PerfProfiling -#usr/share/doc/snort/README.SMTP -#usr/share/doc/snort/README.UNSOCK -#usr/share/doc/snort/README.WIN32 -#usr/share/doc/snort/README.active -#usr/share/doc/snort/README.alert_order -#usr/share/doc/snort/README.appid -#usr/share/doc/snort/README.asn1 -#usr/share/doc/snort/README.counts -#usr/share/doc/snort/README.csv -#usr/share/doc/snort/README.daq -#usr/share/doc/snort/README.dcerpc2 -#usr/share/doc/snort/README.decode -#usr/share/doc/snort/README.decoder_preproc_rules -#usr/share/doc/snort/README.dnp3 -#usr/share/doc/snort/README.dns -#usr/share/doc/snort/README.event_queue -#usr/share/doc/snort/README.file -#usr/share/doc/snort/README.file_ips -#usr/share/doc/snort/README.filters -#usr/share/doc/snort/README.flowbits -#usr/share/doc/snort/README.frag3 -#usr/share/doc/snort/README.ftptelnet 
-#usr/share/doc/snort/README.gre -#usr/share/doc/snort/README.ha -#usr/share/doc/snort/README.http_inspect -#usr/share/doc/snort/README.imap -#usr/share/doc/snort/README.ipip -#usr/share/doc/snort/README.ipv6 -#usr/share/doc/snort/README.modbus -#usr/share/doc/snort/README.multipleconfigs -#usr/share/doc/snort/README.normalize -#usr/share/doc/snort/README.pcap_readmode -#usr/share/doc/snort/README.pop -#usr/share/doc/snort/README.ppm -#usr/share/doc/snort/README.reload -#usr/share/doc/snort/README.reputation -#usr/share/doc/snort/README.sensitive_data -#usr/share/doc/snort/README.sfportscan -#usr/share/doc/snort/README.sip -#usr/share/doc/snort/README.ssh -#usr/share/doc/snort/README.ssl -#usr/share/doc/snort/README.stream5 -#usr/share/doc/snort/README.tag -#usr/share/doc/snort/README.thresholding -#usr/share/doc/snort/README.u2boat -#usr/share/doc/snort/README.unified2 -#usr/share/doc/snort/README.variables -#usr/share/doc/snort/TODO -#usr/share/doc/snort/USAGE -#usr/share/doc/snort/WISHLIST -#usr/share/doc/snort/generators -#usr/share/man/man8/snort.8 -var/log/snort diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index ea941cdbe..5999609ed 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -103,6 +103,7 @@ usr/local/bin/settime usr/local/bin/timecheck usr/local/bin/timezone-transition usr/local/bin/update-lang-cache +usr/local/bin/update-ids-ruleset usr/local/bin/xt_geoip_build usr/local/bin/xt_geoip_update #usr/local/include diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata new file mode 100644 index 000000000..ac48dbce9 --- /dev/null +++ b/config/rootfiles/common/suricata 
@@ -0,0 +1,23 @@ +etc/suricata +etc/suricata/suricata.yaml +usr/bin/suricata +#usr/share/doc/suricata +#usr/share/doc/suricata/AUTHORS +#usr/share/doc/suricata/Basic_Setup.txt +#usr/share/doc/suricata/GITGUIDE +#usr/share/doc/suricata/INSTALL +#usr/share/doc/suricata/INSTALL.PF_RING +#usr/share/doc/suricata/INSTALL.WINDOWS +#usr/share/doc/suricata/NEWS +#usr/share/doc/suricata/README +#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt +#usr/share/doc/suricata/TODO +#usr/share/doc/suricata/Third_Party_Installation_Guides.txt +#usr/share/man/man1/suricata.1 +var/lib/suricata +var/lib/suricata/classification.config +var/lib/suricata/reference.config +var/lib/suricata/threshold.config +var/log/suricata +#var/log/suricata/certs +#var/log/suricata/files diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 843e0eeca..a130a059b 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.8 -usr/lib/libunbound.so.8.1.0 +usr/lib/libunbound.so.8.1.1 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/config/rootfiles/common/wireless-regdb b/config/rootfiles/common/wireless-regdb index 2dcdbca32..7e830ae1f 100644 --- a/config/rootfiles/common/wireless-regdb +++ b/config/rootfiles/common/wireless-regdb @@ -1,5 +1,8 @@ +lib/firmware/regulatory.db +lib/firmware/regulatory.db.p7s #usr/lib/crda #usr/lib/crda/pubkeys -usr/lib/crda/pubkeys/linville.key.pub.pem +usr/lib/crda/pubkeys/sforshee.key.pub.pem usr/lib/crda/regulatory.bin #usr/share/man/man5/regulatory.bin.5.gz +#usr/share/man/man5/regulatory.db.5.gz diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 6f9868ec3..07a123a48 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts 
@@ -53,7 +53,7 @@ etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes etc/rc.d/init.d/networking/red.up/20-firewall -etc/rc.d/init.d/networking/red.up/23-RS-snort +etc/rc.d/init.d/networking/red.up/23-suricata etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid etc/rc.d/init.d/networking/red.up/30-ddns @@ -75,10 +75,10 @@ etc/rc.d/init.d/rngd etc/rc.d/init.d/sendsignals etc/rc.d/init.d/setclock etc/rc.d/init.d/smartenabler -etc/rc.d/init.d/snort etc/rc.d/init.d/squid etc/rc.d/init.d/sshd etc/rc.d/init.d/static-routes +etc/rc.d/init.d/suricata etc/rc.d/init.d/swap etc/rc.d/init.d/sysctl etc/rc.d/init.d/sysklogd @@ -104,7 +104,7 @@ etc/rc.d/rc0.d/K47setclock etc/rc.d/rc0.d/K49cyrus-sasl etc/rc.d/rc0.d/K51vnstat etc/rc.d/rc0.d/K77conntrackd -etc/rc.d/rc0.d/K78snort +etc/rc.d/rc0.d/K78suricata etc/rc.d/rc0.d/K79leds etc/rc.d/rc0.d/K79unbound etc/rc.d/rc0.d/K80network @@ -157,7 +157,7 @@ etc/rc.d/rc6.d/K47setclock etc/rc.d/rc6.d/K49cyrus-sasl etc/rc.d/rc6.d/K51vnstat etc/rc.d/rc6.d/K77conntrackd -etc/rc.d/rc6.d/K78snort +etc/rc.d/rc6.d/K78suricata etc/rc.d/rc6.d/K79leds etc/rc.d/rc6.d/K79unbound etc/rc.d/rc6.d/K80network diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index ffbf7d0da..2d25334ab 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -2334,7 +2334,6 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/drivers/tty/cyclades.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/n_gsm.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/n_hdlc.ko.xz -#lib/modules/KVER-ipfire/kernel/drivers/tty/n_r3964.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/nozomi.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/rocket.ko.xz #lib/modules/KVER-ipfire/kernel/drivers/tty/serial 
diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 index c6d19a5f6..576d3f77b 100644 --- a/config/rootfiles/common/x86_64/stage2 +++ b/config/rootfiles/common/x86_64/stage2 @@ -104,6 +104,7 @@ usr/local/bin/scanhd usr/local/bin/settime usr/local/bin/timecheck usr/local/bin/timezone-transition +usr/local/bin/update-ids-ruleset usr/local/bin/update-lang-cache usr/local/bin/xt_geoip_build usr/local/bin/xt_geoip_update diff --git a/config/rootfiles/common/yaml b/config/rootfiles/common/yaml new file mode 100644 index 000000000..565fa373f --- /dev/null +++ b/config/rootfiles/common/yaml @@ -0,0 +1,6 @@ +#usr/include/yaml.h +usr/lib/libyaml-0.so.2 +usr/lib/libyaml-0.so.2.0.5 +#usr/lib/libyaml.la +#usr/lib/libyaml.so +#usr/lib/pkgconfig/yaml-0.1.pc diff --git a/config/rootfiles/core/129/exclude b/config/rootfiles/core/131/exclude similarity index 100% rename from config/rootfiles/core/129/exclude rename to config/rootfiles/core/131/exclude diff --git a/config/rootfiles/core/130/filelists/Net_SSLeay b/config/rootfiles/core/131/filelists/Net_SSLeay similarity index 100% rename from config/rootfiles/core/130/filelists/Net_SSLeay rename to config/rootfiles/core/131/filelists/Net_SSLeay diff --git a/config/rootfiles/core/131/filelists/aarch64/linux b/config/rootfiles/core/131/filelists/aarch64/linux new file mode 120000 index 000000000..3a2532bc7 --- /dev/null +++ b/config/rootfiles/core/131/filelists/aarch64/linux @@ -0,0 +1 @@ +../../../../common/aarch64/linux \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/aarch64/linux-initrd b/config/rootfiles/core/131/filelists/aarch64/linux-initrd new file mode 120000 index 000000000..8acdb0f31 --- /dev/null +++ b/config/rootfiles/core/131/filelists/aarch64/linux-initrd @@ -0,0 +1 @@ +../../../../common/aarch64/linux-initrd \ No newline at end of file 
diff --git a/config/rootfiles/core/130/filelists/apache2 b/config/rootfiles/core/131/filelists/apache2 similarity index 100% rename from config/rootfiles/core/130/filelists/apache2 rename to config/rootfiles/core/131/filelists/apache2 diff --git a/config/rootfiles/core/131/filelists/armv5tel/linux-initrd-kirkwood b/config/rootfiles/core/131/filelists/armv5tel/linux-initrd-kirkwood new file mode 120000 index 000000000..39c5591b7 --- /dev/null +++ b/config/rootfiles/core/131/filelists/armv5tel/linux-initrd-kirkwood @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-initrd-kirkwood \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/armv5tel/linux-initrd-multi b/config/rootfiles/core/131/filelists/armv5tel/linux-initrd-multi new file mode 120000 index 000000000..0b1b4530a --- /dev/null +++ b/config/rootfiles/core/131/filelists/armv5tel/linux-initrd-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-initrd-multi \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/armv5tel/linux-kirkwood b/config/rootfiles/core/131/filelists/armv5tel/linux-kirkwood new file mode 120000 index 000000000..72171071e --- /dev/null +++ b/config/rootfiles/core/131/filelists/armv5tel/linux-kirkwood @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-kirkwood \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/armv5tel/linux-multi b/config/rootfiles/core/131/filelists/armv5tel/linux-multi new file mode 120000 index 000000000..204eb4c43 --- /dev/null +++ b/config/rootfiles/core/131/filelists/armv5tel/linux-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/collectd b/config/rootfiles/core/131/filelists/collectd new file mode 120000 index 000000000..871b32f14 --- /dev/null +++ b/config/rootfiles/core/131/filelists/collectd @@ -0,0 +1 @@ +../../../common/collectd \ No newline at end of file 
diff --git a/config/rootfiles/core/131/filelists/files b/config/rootfiles/core/131/filelists/files new file mode 100644 index 000000000..810c67b1e --- /dev/null +++ b/config/rootfiles/core/131/filelists/files @@ -0,0 +1,37 @@ +etc/system-release +etc/issue +srv/web/ipfire/cgi-bin/credits.cgi +etc/collectd.conf +etc/logrotate.conf +etc/rc.d/init.d/collectd +etc/rc.d/init.d/firewall +etc/rc.d/init.d/networking/red.up/23-suricata +etc/rc.d/init.d/suricata +etc/rc.d/init.d/unbound +etc/syslog.conf +lib/udev/network-hotplug-rename +opt/pakfire/etc/pakfire.conf +srv/web/ipfire/cgi-bin/aliases.cgi +srv/web/ipfire/cgi-bin/dnsforward.cgi +srv/web/ipfire/cgi-bin/hosts.cgi +srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/logs.cgi/ids.dat +srv/web/ipfire/cgi-bin/logs.cgi/log.dat +srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/remote.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/local/bin/ipsec-interfaces +usr/local/bin/sshctrl +usr/local/bin/suricatactrl +usr/local/bin/update-ids-ruleset +usr/sbin/convert-snort +usr/sbin/unbound-dhcp-leases-bridge +usr/sbin/setup +var/ipfire/backup/bin/backup.pl +var/ipfire/backup/include +var/ipfire/general-functions.pl +var/ipfire/geoip-functions.pl +var/ipfire/ids-functions.pl +var/ipfire/langs +var/ipfire/menu.d/40-services.menu +var/ipfire/menu.d/50-firewall.menu diff --git a/config/rootfiles/core/131/filelists/gnutls b/config/rootfiles/core/131/filelists/gnutls new file mode 120000 index 000000000..8dbe60bc3 --- /dev/null +++ b/config/rootfiles/core/131/filelists/gnutls @@ -0,0 +1 @@ +../../../common/gnutls \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/i586/linux b/config/rootfiles/core/131/filelists/i586/linux new file mode 120000 index 000000000..693ec4bbf --- /dev/null +++ b/config/rootfiles/core/131/filelists/i586/linux @@ -0,0 +1 @@ +../../../../common/i586/linux \ No newline at end of file 
diff --git a/config/rootfiles/core/131/filelists/i586/linux-initrd b/config/rootfiles/core/131/filelists/i586/linux-initrd new file mode 120000 index 000000000..32a03e6a9 --- /dev/null +++ b/config/rootfiles/core/131/filelists/i586/linux-initrd @@ -0,0 +1 @@ +../../../../common/i586/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/ids-ruleset-sources b/config/rootfiles/core/131/filelists/ids-ruleset-sources new file mode 120000 index 000000000..a226ada39 --- /dev/null +++ b/config/rootfiles/core/131/filelists/ids-ruleset-sources @@ -0,0 +1 @@ +../../../common/ids-ruleset-sources \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/libcap-ng b/config/rootfiles/core/131/filelists/libcap-ng new file mode 120000 index 000000000..f58b21141 --- /dev/null +++ b/config/rootfiles/core/131/filelists/libcap-ng @@ -0,0 +1 @@ +../../../common/libcap-ng \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/libhtp b/config/rootfiles/core/131/filelists/libhtp new file mode 120000 index 000000000..676e2c5e8 --- /dev/null +++ b/config/rootfiles/core/131/filelists/libhtp @@ -0,0 +1 @@ +../../../common/libhtp \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/lua b/config/rootfiles/core/131/filelists/lua new file mode 120000 index 000000000..951f661c5 --- /dev/null +++ b/config/rootfiles/core/131/filelists/lua @@ -0,0 +1 @@ +../../../common/lua \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/nettle b/config/rootfiles/core/131/filelists/nettle new file mode 120000 index 000000000..f0dba7ac8 --- /dev/null +++ b/config/rootfiles/core/131/filelists/nettle @@ -0,0 +1 @@ +../../../common/nettle \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/ntp b/config/rootfiles/core/131/filelists/ntp new file mode 120000 index 000000000..7542d86cb --- /dev/null +++ b/config/rootfiles/core/131/filelists/ntp 
@@ -0,0 +1 @@ +../../../common/ntp \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/oinkmaster b/config/rootfiles/core/131/filelists/oinkmaster new file mode 120000 index 000000000..75029e679 --- /dev/null +++ b/config/rootfiles/core/131/filelists/oinkmaster @@ -0,0 +1 @@ +../../../common/oinkmaster \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/rrdtool b/config/rootfiles/core/131/filelists/rrdtool new file mode 120000 index 000000000..7a82e414b --- /dev/null +++ b/config/rootfiles/core/131/filelists/rrdtool @@ -0,0 +1 @@ +../../../common/rrdtool \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/setup b/config/rootfiles/core/131/filelists/setup new file mode 120000 index 000000000..209374bbc --- /dev/null +++ b/config/rootfiles/core/131/filelists/setup @@ -0,0 +1 @@ +../../../common/setup \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/suricata b/config/rootfiles/core/131/filelists/suricata new file mode 120000 index 000000000..f671f6993 --- /dev/null +++ b/config/rootfiles/core/131/filelists/suricata @@ -0,0 +1 @@ +../../../common/suricata \ No newline at end of file diff --git a/config/rootfiles/core/129/filelists/unbound b/config/rootfiles/core/131/filelists/unbound similarity index 100% rename from config/rootfiles/core/129/filelists/unbound rename to config/rootfiles/core/131/filelists/unbound diff --git a/config/rootfiles/core/130/filelists/wget b/config/rootfiles/core/131/filelists/wget similarity index 100% rename from config/rootfiles/core/130/filelists/wget rename to config/rootfiles/core/131/filelists/wget diff --git a/config/rootfiles/core/131/filelists/wireless-regdb b/config/rootfiles/core/131/filelists/wireless-regdb new file mode 120000 index 000000000..c9205b3cf --- /dev/null +++ b/config/rootfiles/core/131/filelists/wireless-regdb @@ -0,0 +1 @@ +../../../common/wireless-regdb \ No newline at end of file 
diff --git a/config/rootfiles/core/131/filelists/x86_64/linux b/config/rootfiles/core/131/filelists/x86_64/linux new file mode 120000 index 000000000..0615b5b9a --- /dev/null +++ b/config/rootfiles/core/131/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/x86_64/linux-initrd b/config/rootfiles/core/131/filelists/x86_64/linux-initrd new file mode 120000 index 000000000..1b9fff70f --- /dev/null +++ b/config/rootfiles/core/131/filelists/x86_64/linux-initrd @@ -0,0 +1 @@ +../../../../common/x86_64/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/core/131/filelists/yaml b/config/rootfiles/core/131/filelists/yaml new file mode 120000 index 000000000..3dc14343f --- /dev/null +++ b/config/rootfiles/core/131/filelists/yaml @@ -0,0 +1 @@ +../../../common/yaml \ No newline at end of file diff --git a/config/rootfiles/core/131/update.sh b/config/rootfiles/core/131/update.sh new file mode 100644 index 000000000..c809ed0ef --- /dev/null +++ b/config/rootfiles/core/131/update.sh 
@@ -0,0 +1,188 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2019 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=131 + +exit_with_error() { + # Set last succesfull installed core. + echo $(($core-1)) > /opt/pakfire/db/core/mine + # don't start pakfire again at error + killall -KILL pak_update + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: $1" + exit $2 +} + +# Remove old core updates from pakfire cache to save space... +for (( i=1; i<=$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +KVER="xxxKVERxxx" + +# Backup uEnv.txt if exist +if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org +fi + +# Do some sanity checks. +case $(uname -r) in + *-ipfire*) + # Ok. + ;; + *) + exit_with_error "ERROR cannot update. No IPFire Kernel." 
1 + ;; +esac + +# Check diskspace on root +ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 80000 ]; then + exit_with_error "ERROR cannot update because not enough free space on root." 2 + exit 2 +fi + +# Remove the old kernel +rm -rf /boot/System.map-* +rm -rf /boot/config-* +rm -rf /boot/ipfirerd-* +rm -rf /boot/initramfs-* +rm -rf /boot/vmlinuz-* +rm -rf /boot/uImage-*-ipfire-* +rm -rf /boot/zImage-*-ipfire-* +rm -rf /boot/uInit-*-ipfire-* +rm -rf /boot/dtb-*-ipfire-* +rm -rf /lib/modules +rm -f /etc/sysconfig/lm_sensors + +# Stop services +/etc/init.d/snort stop +if [ -e "/etc/init.d/suricata" ]; then + /etc/init.d/suricata stop +fi + +# Rename snort user to suricata +if getent group snort &>/dev/null; then + groupmod -n suricata snort +fi + +if getent passwd snort &>/dev/null; then + usermod -l suricata -c "Suricata" \ + -d /var/log/suricata snort +fi + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Migrate snort configuration to suricata +/usr/sbin/convert-snort + +# Remove files +rm -rfv \ + /etc/rc.d/rc*.d/*snort \ + /etc/rc.d/init.d/networking/red.up/23-RS-snort \ + /etc/snort \ + /usr/bin/daq-modules-config \ + /usr/bin/u2boat \ + /usr/bin/u2spewfoo \ + /usr/lib/daq \ + /usr/lib/snort \ + /usr/lib/libdaq.so* \ + /usr/lib/libsfbpf.so* \ + /usr/local/bin/snortctl \ + /usr/sbin/snort \ + /var/ipfire/snort + +# Start services +/etc/init.d/apache restart +/etc/init.d/collectd restart +/etc/init.d/firewall restart +/etc/init.d/unbound restart +/etc/init.d/suricata start + +# Update pakfire database +/usr/local/bin/pakfire update --force + +# Search sensors again after reboot into the new kernel +rm -f /etc/sysconfig/lm_sensors + +# Upadate Kernel version uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt +fi + +# call user update script (needed for some arm boards) +if [ -e 
/boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + +case "$(uname -m)" in + i?86) + # Force (re)install pae kernel if pae is supported + rm -rf /opt/pakfire/db/installed/meta-linux-pae + rm -rf /opt/pakfire/db/rootfiles/linux-pae + if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then + ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + if [ $BOOTSPACE -lt 22000 -o $ROOTSPACE -lt 120000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: WARNING not enough space for pae kernel." + touch /var/run/need_reboot + else + echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae + echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae + echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae + fi + else + touch /var/run/need_reboot + fi + ;; + *) + # This update needs a reboot... + touch /var/run/need_reboot + ;; +esac + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/core/130/exclude b/config/rootfiles/oldcore/129/exclude similarity index 100% rename from config/rootfiles/core/130/exclude rename to config/rootfiles/oldcore/129/exclude diff --git a/config/rootfiles/core/129/filelists/aarch64/u-boot b/config/rootfiles/oldcore/129/filelists/aarch64/u-boot similarity index 100% rename from config/rootfiles/core/129/filelists/aarch64/u-boot rename to config/rootfiles/oldcore/129/filelists/aarch64/u-boot diff --git a/config/rootfiles/core/129/filelists/armv5tel/u-boot b/config/rootfiles/oldcore/129/filelists/armv5tel/u-boot similarity index 100% rename from config/rootfiles/core/129/filelists/armv5tel/u-boot rename to config/rootfiles/oldcore/129/filelists/armv5tel/u-boot 
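Review bot: in the new config/rootfiles/core/131/update.sh, the result of `/usr/sbin/convert-snort` is not checked before the `rm -rfv` block that follows removes `/etc/snort` and `/var/ipfire/snort`. If the conversion fails, the old Snort settings are deleted anyway and `/etc/init.d/suricata start` still runs, leaving the IDS without its migrated configuration. Suggest testing the exit status of convert-snort and, on failure, logging it through the same `/usr/bin/logger -p syslog.emerg -t ipfire` call used elsewhere in the script and leaving those two directories in place. Two smaller points in the same hunk: `/etc/init.d/snort stop` is called unconditionally while the Suricata stop directly below it is guarded by `[ -e "/etc/init.d/suricata" ]`, and the `exit 2` after the free-space `exit_with_error ... 2` call is unreachable because exit_with_error already ends with `exit $2`.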
diff --git a/config/rootfiles/core/129/filelists/bind b/config/rootfiles/oldcore/129/filelists/bind similarity index 100% rename from config/rootfiles/core/129/filelists/bind rename to config/rootfiles/oldcore/129/filelists/bind diff --git a/config/rootfiles/core/129/filelists/files b/config/rootfiles/oldcore/129/filelists/files similarity index 100% rename from config/rootfiles/core/129/filelists/files rename to config/rootfiles/oldcore/129/filelists/files diff --git a/config/rootfiles/core/129/filelists/groff b/config/rootfiles/oldcore/129/filelists/groff similarity index 100% rename from config/rootfiles/core/129/filelists/groff rename to config/rootfiles/oldcore/129/filelists/groff diff --git a/config/rootfiles/core/129/filelists/i586/openssl-sse2 b/config/rootfiles/oldcore/129/filelists/i586/openssl-sse2 similarity index 100% rename from config/rootfiles/core/129/filelists/i586/openssl-sse2 rename to config/rootfiles/oldcore/129/filelists/i586/openssl-sse2 diff --git a/config/rootfiles/core/129/filelists/ipset b/config/rootfiles/oldcore/129/filelists/ipset similarity index 100% rename from config/rootfiles/core/129/filelists/ipset rename to config/rootfiles/oldcore/129/filelists/ipset diff --git a/config/rootfiles/core/129/filelists/knot b/config/rootfiles/oldcore/129/filelists/knot similarity index 100% rename from config/rootfiles/core/129/filelists/knot rename to config/rootfiles/oldcore/129/filelists/knot diff --git a/config/rootfiles/core/129/filelists/less b/config/rootfiles/oldcore/129/filelists/less similarity index 100% rename from config/rootfiles/core/129/filelists/less rename to config/rootfiles/oldcore/129/filelists/less diff --git a/config/rootfiles/core/129/filelists/libgcrypt b/config/rootfiles/oldcore/129/filelists/libgcrypt similarity index 100% rename from config/rootfiles/core/129/filelists/libgcrypt rename to config/rootfiles/oldcore/129/filelists/libgcrypt 
diff --git a/config/rootfiles/core/129/filelists/openssl b/config/rootfiles/oldcore/129/filelists/openssl similarity index 100% rename from config/rootfiles/core/129/filelists/openssl rename to config/rootfiles/oldcore/129/filelists/openssl diff --git a/config/rootfiles/core/129/filelists/openvpn b/config/rootfiles/oldcore/129/filelists/openvpn similarity index 100% rename from config/rootfiles/core/129/filelists/openvpn rename to config/rootfiles/oldcore/129/filelists/openvpn diff --git a/config/rootfiles/core/129/filelists/squid b/config/rootfiles/oldcore/129/filelists/squid similarity index 100% rename from config/rootfiles/core/129/filelists/squid rename to config/rootfiles/oldcore/129/filelists/squid diff --git a/config/rootfiles/core/129/filelists/strongswan b/config/rootfiles/oldcore/129/filelists/strongswan similarity index 100% rename from config/rootfiles/core/129/filelists/strongswan rename to config/rootfiles/oldcore/129/filelists/strongswan diff --git a/config/rootfiles/core/129/filelists/tar b/config/rootfiles/oldcore/129/filelists/tar similarity index 100% rename from config/rootfiles/core/129/filelists/tar rename to config/rootfiles/oldcore/129/filelists/tar diff --git a/config/rootfiles/oldcore/129/filelists/unbound b/config/rootfiles/oldcore/129/filelists/unbound new file mode 120000 index 000000000..66adf0924 --- /dev/null +++ b/config/rootfiles/oldcore/129/filelists/unbound @@ -0,0 +1 @@ +../../../common/unbound \ No newline at end of file diff --git a/config/rootfiles/core/129/filelists/wpa_supplicant b/config/rootfiles/oldcore/129/filelists/wpa_supplicant similarity index 100% rename from config/rootfiles/core/129/filelists/wpa_supplicant rename to config/rootfiles/oldcore/129/filelists/wpa_supplicant diff --git a/config/rootfiles/core/129/update.sh b/config/rootfiles/oldcore/129/update.sh similarity index 100% rename from config/rootfiles/core/129/update.sh rename to config/rootfiles/oldcore/129/update.sh 
diff --git a/config/rootfiles/oldcore/130/exclude b/config/rootfiles/oldcore/130/exclude new file mode 100644 index 000000000..b22159878 --- /dev/null +++ b/config/rootfiles/oldcore/130/exclude @@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/oldcore/130/filelists/Net_SSLeay b/config/rootfiles/oldcore/130/filelists/Net_SSLeay new file mode 120000 index 000000000..13fe0560c --- /dev/null +++ b/config/rootfiles/oldcore/130/filelists/Net_SSLeay @@ -0,0 +1 @@ +../../../common/Net_SSLeay \ No newline at end of file diff --git a/config/rootfiles/oldcore/130/filelists/apache2 b/config/rootfiles/oldcore/130/filelists/apache2 new file mode 120000 index 000000000..eef95efa7 --- /dev/null +++ b/config/rootfiles/oldcore/130/filelists/apache2 @@ -0,0 +1 @@ +../../../common/apache2 \ No newline at end of file diff --git a/config/rootfiles/core/130/filelists/files b/config/rootfiles/oldcore/130/filelists/files similarity index 100% rename from config/rootfiles/core/130/filelists/files rename to config/rootfiles/oldcore/130/filelists/files diff --git a/config/rootfiles/core/130/filelists/strongswan b/config/rootfiles/oldcore/130/filelists/strongswan similarity index 100% rename from config/rootfiles/core/130/filelists/strongswan rename to config/rootfiles/oldcore/130/filelists/strongswan 
diff --git a/config/rootfiles/oldcore/130/filelists/wget b/config/rootfiles/oldcore/130/filelists/wget new file mode 120000 index 000000000..fcb57dfec --- /dev/null +++ b/config/rootfiles/oldcore/130/filelists/wget @@ -0,0 +1 @@ +../../../common/wget \ No newline at end of file diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/oldcore/130/update.sh similarity index 100% rename from config/rootfiles/core/130/update.sh rename to config/rootfiles/oldcore/130/update.sh diff --git a/config/rootfiles/packages/armv5tel/borgbackup b/config/rootfiles/packages/armv5tel/borgbackup index ca9ce0990..4704d5c92 100644 --- a/config/rootfiles/packages/armv5tel/borgbackup +++ b/config/rootfiles/packages/armv5tel/borgbackup @@ -1,4 +1,5 @@ usr/bin/borg +usr/bin/borgfs usr/lib/python3.6/site-packages/borg usr/lib/python3.6/site-packages/borg/__init__.py usr/lib/python3.6/site-packages/borg/__main__.py 
@@ -9,55 +10,67 @@ usr/lib/python3.6/site-packages/borg/__pycache__/_version.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/archive.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/archiver.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/cache.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/constants.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/fuse.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/helpers.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/key.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/keymanager.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/locking.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/logger.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/lrucache.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/platform.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/nanorst.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/patterns.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/remote.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/repository.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/selftest.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/shellpattern.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/upgrader.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/version.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/xattr.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/_chunker.c -usr/lib/python3.6/site-packages/borg/_hashindex.c usr/lib/python3.6/site-packages/borg/_version.py +usr/lib/python3.6/site-packages/borg/algorithms +usr/lib/python3.6/site-packages/borg/algorithms/__init__.py +usr/lib/python3.6/site-packages/borg/algorithms/__pycache__ 
+usr/lib/python3.6/site-packages/borg/algorithms/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/algorithms/checksums.cpython-36m-arm-linux-gnueabi.so usr/lib/python3.6/site-packages/borg/archive.py usr/lib/python3.6/site-packages/borg/archiver.py usr/lib/python3.6/site-packages/borg/cache.py -usr/lib/python3.6/site-packages/borg/chunker.c usr/lib/python3.6/site-packages/borg/chunker.cpython-36m-arm-linux-gnueabi.so -usr/lib/python3.6/site-packages/borg/chunker.pyx -usr/lib/python3.6/site-packages/borg/compress.c usr/lib/python3.6/site-packages/borg/compress.cpython-36m-arm-linux-gnueabi.so -usr/lib/python3.6/site-packages/borg/compress.pyx -usr/lib/python3.6/site-packages/borg/crypto.c -usr/lib/python3.6/site-packages/borg/crypto.cpython-36m-arm-linux-gnueabi.so -usr/lib/python3.6/site-packages/borg/crypto.pyx +usr/lib/python3.6/site-packages/borg/constants.py +usr/lib/python3.6/site-packages/borg/crypto +usr/lib/python3.6/site-packages/borg/crypto/__init__.py +usr/lib/python3.6/site-packages/borg/crypto/__pycache__ +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/file_integrity.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/key.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/keymanager.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/nonces.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/file_integrity.py +usr/lib/python3.6/site-packages/borg/crypto/key.py +usr/lib/python3.6/site-packages/borg/crypto/keymanager.py +usr/lib/python3.6/site-packages/borg/crypto/low_level.cpython-36m-arm-linux-gnueabi.so +usr/lib/python3.6/site-packages/borg/crypto/nonces.py usr/lib/python3.6/site-packages/borg/fuse.py -usr/lib/python3.6/site-packages/borg/hashindex.c usr/lib/python3.6/site-packages/borg/hashindex.cpython-36m-arm-linux-gnueabi.so 
-usr/lib/python3.6/site-packages/borg/hashindex.pyx usr/lib/python3.6/site-packages/borg/helpers.py -usr/lib/python3.6/site-packages/borg/key.py -usr/lib/python3.6/site-packages/borg/keymanager.py +usr/lib/python3.6/site-packages/borg/item.cpython-36m-arm-linux-gnueabi.so usr/lib/python3.6/site-packages/borg/locking.py usr/lib/python3.6/site-packages/borg/logger.py usr/lib/python3.6/site-packages/borg/lrucache.py +usr/lib/python3.6/site-packages/borg/nanorst.py usr/lib/python3.6/site-packages/borg/paperkey.html -usr/lib/python3.6/site-packages/borg/platform.py -usr/lib/python3.6/site-packages/borg/platform_darwin.c -usr/lib/python3.6/site-packages/borg/platform_darwin.pyx -usr/lib/python3.6/site-packages/borg/platform_freebsd.c -usr/lib/python3.6/site-packages/borg/platform_freebsd.pyx -usr/lib/python3.6/site-packages/borg/platform_linux.c -usr/lib/python3.6/site-packages/borg/platform_linux.cpython-36m-arm-linux-gnueabi.so -usr/lib/python3.6/site-packages/borg/platform_linux.pyx +usr/lib/python3.6/site-packages/borg/patterns.py +usr/lib/python3.6/site-packages/borg/platform +usr/lib/python3.6/site-packages/borg/platform/__init__.py +usr/lib/python3.6/site-packages/borg/platform/__pycache__ +usr/lib/python3.6/site-packages/borg/platform/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/platform/__pycache__/base.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/platform/base.py +usr/lib/python3.6/site-packages/borg/platform/linux.cpython-36m-arm-linux-gnueabi.so +usr/lib/python3.6/site-packages/borg/platform/posix.cpython-36m-arm-linux-gnueabi.so usr/lib/python3.6/site-packages/borg/remote.py usr/lib/python3.6/site-packages/borg/repository.py +usr/lib/python3.6/site-packages/borg/selftest.py usr/lib/python3.6/site-packages/borg/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite #usr/lib/python3.6/site-packages/borg/testsuite/__init__.py 
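Review bot: In the armv5tel borgbackup list (hunk `@@ -9,55 +10,67 @@`), several 1.0.12 single-file modules are replaced by package directories of the same name: `borg/platform.py` becomes `borg/platform/`, `borg/crypto.cpython-36m-arm-linux-gnueabi.so` becomes `borg/crypto/`, and `key.py` and `keymanager.py` move under `borg/crypto/`. The rootfile only lists what the new package ships, so please check that the package upgrade removes the files of the old version first; otherwise a stale `borg/crypto.*.so` and `borg/platform.py` stay on disk beside the new directories. The same transition appears in the other borgbackup rootfiles in this patch.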
@@ -66,44 +79,64 @@ usr/lib/python3.6/site-packages/borg/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/archive.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/archiver.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/benchmark.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/cache.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/checksums.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/chunker.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/compress.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/crypto.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/file_integrity.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/hashindex.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/helpers.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/item.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/key.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/locking.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/logger.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/lrucache.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/nanorst.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/nonces.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/patterns.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/platform.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/remote.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/repository.cpython-36.pyc 
#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/shellpattern.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/upgrader.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/version.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/xattr.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/archive.py #usr/lib/python3.6/site-packages/borg/testsuite/archiver.py #usr/lib/python3.6/site-packages/borg/testsuite/attic.tar.gz #usr/lib/python3.6/site-packages/borg/testsuite/benchmark.py +#usr/lib/python3.6/site-packages/borg/testsuite/cache.py +#usr/lib/python3.6/site-packages/borg/testsuite/checksums.py #usr/lib/python3.6/site-packages/borg/testsuite/chunker.py #usr/lib/python3.6/site-packages/borg/testsuite/compress.py #usr/lib/python3.6/site-packages/borg/testsuite/crypto.py +#usr/lib/python3.6/site-packages/borg/testsuite/file_integrity.py #usr/lib/python3.6/site-packages/borg/testsuite/hashindex.py #usr/lib/python3.6/site-packages/borg/testsuite/helpers.py +#usr/lib/python3.6/site-packages/borg/testsuite/item.py #usr/lib/python3.6/site-packages/borg/testsuite/key.py #usr/lib/python3.6/site-packages/borg/testsuite/locking.py #usr/lib/python3.6/site-packages/borg/testsuite/logger.py #usr/lib/python3.6/site-packages/borg/testsuite/lrucache.py +#usr/lib/python3.6/site-packages/borg/testsuite/nanorst.py +#usr/lib/python3.6/site-packages/borg/testsuite/nonces.py +#usr/lib/python3.6/site-packages/borg/testsuite/patterns.py #usr/lib/python3.6/site-packages/borg/testsuite/platform.py +#usr/lib/python3.6/site-packages/borg/testsuite/remote.py #usr/lib/python3.6/site-packages/borg/testsuite/repository.py #usr/lib/python3.6/site-packages/borg/testsuite/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite/upgrader.py +#usr/lib/python3.6/site-packages/borg/testsuite/version.py #usr/lib/python3.6/site-packages/borg/testsuite/xattr.py 
usr/lib/python3.6/site-packages/borg/upgrader.py +usr/lib/python3.6/site-packages/borg/version.py usr/lib/python3.6/site-packages/borg/xattr.py -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/PKG-INFO -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/SOURCES.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/dependency_links.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/entry_points.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/requires.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/top_level.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/PKG-INFO +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/SOURCES.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/dependency_links.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/entry_points.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/not-zip-safe +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/requires.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/top_level.txt diff --git a/config/rootfiles/packages/armv5tel/python3-yaml b/config/rootfiles/packages/armv5tel/python3-yaml new file mode 100644 index 000000000..9525d0e37 --- /dev/null +++ b/config/rootfiles/packages/armv5tel/python3-yaml 
@@ -0,0 +1,38 @@ +#usr/lib/python3.6/site-packages/PyYAML-3.13-py3.6.egg-info +usr/lib/python3.6/site-packages/_yaml.cpython-36m-arm-linux-gnueabi.so +usr/lib/python3.6/site-packages/yaml +#usr/lib/python3.6/site-packages/yaml/__init__.py +#usr/lib/python3.6/site-packages/yaml/__pycache__ +#usr/lib/python3.6/site-packages/yaml/__pycache__/__init__.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/composer.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/constructor.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/cyaml.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/dumper.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/emitter.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/error.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/events.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/loader.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/nodes.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/parser.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/reader.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/representer.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/resolver.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/scanner.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/serializer.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/tokens.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/composer.py +#usr/lib/python3.6/site-packages/yaml/constructor.py +#usr/lib/python3.6/site-packages/yaml/cyaml.py +#usr/lib/python3.6/site-packages/yaml/dumper.py +#usr/lib/python3.6/site-packages/yaml/emitter.py +#usr/lib/python3.6/site-packages/yaml/error.py +#usr/lib/python3.6/site-packages/yaml/events.py +#usr/lib/python3.6/site-packages/yaml/loader.py +#usr/lib/python3.6/site-packages/yaml/nodes.py 
+#usr/lib/python3.6/site-packages/yaml/parser.py +#usr/lib/python3.6/site-packages/yaml/reader.py +#usr/lib/python3.6/site-packages/yaml/representer.py +#usr/lib/python3.6/site-packages/yaml/resolver.py +#usr/lib/python3.6/site-packages/yaml/scanner.py +#usr/lib/python3.6/site-packages/yaml/serializer.py +#usr/lib/python3.6/site-packages/yaml/tokens.py diff --git a/config/rootfiles/packages/borgbackup b/config/rootfiles/packages/borgbackup index 32aacc006..c28b566fd 100644 --- a/config/rootfiles/packages/borgbackup +++ b/config/rootfiles/packages/borgbackup @@ -1,4 +1,5 @@ usr/bin/borg +usr/bin/borgfs usr/lib/python3.6/site-packages/borg usr/lib/python3.6/site-packages/borg/__init__.py usr/lib/python3.6/site-packages/borg/__main__.py 
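Review bot: In config/rootfiles/packages/armv5tel/python3-yaml the directory entry `usr/lib/python3.6/site-packages/yaml` is active but every file below it is commented out, `#usr/lib/python3.6/site-packages/yaml/__init__.py` included, so the only payload listed is `_yaml.cpython-36m-arm-linux-gnueabi.so`. If commented entries are left out of the package, as the `#usr/lib/python3.6/site-packages/borg/testsuite` entries in the borgbackup lists suggest, this ships an empty `yaml` directory without the pure-Python modules. Suggest uncommenting `yaml/__init__.py` and the other `yaml/*.py` entries, or stating in the commit message why only the C extension is wanted.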
@@ -9,55 +10,67 @@ usr/lib/python3.6/site-packages/borg/__pycache__/_version.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/archive.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/archiver.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/cache.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/constants.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/fuse.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/helpers.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/key.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/keymanager.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/locking.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/logger.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/lrucache.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/platform.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/nanorst.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/patterns.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/remote.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/repository.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/selftest.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/shellpattern.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/upgrader.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/version.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/xattr.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/_chunker.c -usr/lib/python3.6/site-packages/borg/_hashindex.c usr/lib/python3.6/site-packages/borg/_version.py +usr/lib/python3.6/site-packages/borg/algorithms +usr/lib/python3.6/site-packages/borg/algorithms/__init__.py +usr/lib/python3.6/site-packages/borg/algorithms/__pycache__ 
+usr/lib/python3.6/site-packages/borg/algorithms/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/algorithms/checksums.cpython-36m-MACHINE-linux-gnu.so usr/lib/python3.6/site-packages/borg/archive.py usr/lib/python3.6/site-packages/borg/archiver.py usr/lib/python3.6/site-packages/borg/cache.py -usr/lib/python3.6/site-packages/borg/chunker.c usr/lib/python3.6/site-packages/borg/chunker.cpython-36m-MACHINE-linux-gnu.so -usr/lib/python3.6/site-packages/borg/chunker.pyx -usr/lib/python3.6/site-packages/borg/compress.c usr/lib/python3.6/site-packages/borg/compress.cpython-36m-MACHINE-linux-gnu.so -usr/lib/python3.6/site-packages/borg/compress.pyx -usr/lib/python3.6/site-packages/borg/crypto.c -usr/lib/python3.6/site-packages/borg/crypto.cpython-36m-MACHINE-linux-gnu.so -usr/lib/python3.6/site-packages/borg/crypto.pyx +usr/lib/python3.6/site-packages/borg/constants.py +usr/lib/python3.6/site-packages/borg/crypto +usr/lib/python3.6/site-packages/borg/crypto/__init__.py +usr/lib/python3.6/site-packages/borg/crypto/__pycache__ +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/file_integrity.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/key.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/keymanager.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/nonces.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/file_integrity.py +usr/lib/python3.6/site-packages/borg/crypto/key.py +usr/lib/python3.6/site-packages/borg/crypto/keymanager.py +usr/lib/python3.6/site-packages/borg/crypto/low_level.cpython-36m-MACHINE-linux-gnu.so +usr/lib/python3.6/site-packages/borg/crypto/nonces.py usr/lib/python3.6/site-packages/borg/fuse.py -usr/lib/python3.6/site-packages/borg/hashindex.c usr/lib/python3.6/site-packages/borg/hashindex.cpython-36m-MACHINE-linux-gnu.so 
-usr/lib/python3.6/site-packages/borg/hashindex.pyx usr/lib/python3.6/site-packages/borg/helpers.py -usr/lib/python3.6/site-packages/borg/key.py -usr/lib/python3.6/site-packages/borg/keymanager.py +usr/lib/python3.6/site-packages/borg/item.cpython-36m-MACHINE-linux-gnu.so usr/lib/python3.6/site-packages/borg/locking.py usr/lib/python3.6/site-packages/borg/logger.py usr/lib/python3.6/site-packages/borg/lrucache.py +usr/lib/python3.6/site-packages/borg/nanorst.py usr/lib/python3.6/site-packages/borg/paperkey.html -usr/lib/python3.6/site-packages/borg/platform.py -usr/lib/python3.6/site-packages/borg/platform_darwin.c -usr/lib/python3.6/site-packages/borg/platform_darwin.pyx -usr/lib/python3.6/site-packages/borg/platform_freebsd.c -usr/lib/python3.6/site-packages/borg/platform_freebsd.pyx -usr/lib/python3.6/site-packages/borg/platform_linux.c -usr/lib/python3.6/site-packages/borg/platform_linux.cpython-36m-MACHINE-linux-gnu.so -usr/lib/python3.6/site-packages/borg/platform_linux.pyx +usr/lib/python3.6/site-packages/borg/patterns.py +usr/lib/python3.6/site-packages/borg/platform +usr/lib/python3.6/site-packages/borg/platform/__init__.py +usr/lib/python3.6/site-packages/borg/platform/__pycache__ +usr/lib/python3.6/site-packages/borg/platform/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/platform/__pycache__/base.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/platform/base.py +usr/lib/python3.6/site-packages/borg/platform/linux.cpython-36m-MACHINE-linux-gnu.so +usr/lib/python3.6/site-packages/borg/platform/posix.cpython-36m-MACHINE-linux-gnu.so usr/lib/python3.6/site-packages/borg/remote.py usr/lib/python3.6/site-packages/borg/repository.py +usr/lib/python3.6/site-packages/borg/selftest.py usr/lib/python3.6/site-packages/borg/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite #usr/lib/python3.6/site-packages/borg/testsuite/__init__.py 
@@ -66,44 +79,64 @@ usr/lib/python3.6/site-packages/borg/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/archive.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/archiver.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/benchmark.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/cache.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/checksums.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/chunker.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/compress.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/crypto.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/file_integrity.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/hashindex.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/helpers.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/item.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/key.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/locking.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/logger.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/lrucache.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/nanorst.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/nonces.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/patterns.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/platform.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/remote.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/repository.cpython-36.pyc 
#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/shellpattern.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/upgrader.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/version.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/xattr.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/archive.py #usr/lib/python3.6/site-packages/borg/testsuite/archiver.py #usr/lib/python3.6/site-packages/borg/testsuite/attic.tar.gz #usr/lib/python3.6/site-packages/borg/testsuite/benchmark.py +#usr/lib/python3.6/site-packages/borg/testsuite/cache.py +#usr/lib/python3.6/site-packages/borg/testsuite/checksums.py #usr/lib/python3.6/site-packages/borg/testsuite/chunker.py #usr/lib/python3.6/site-packages/borg/testsuite/compress.py #usr/lib/python3.6/site-packages/borg/testsuite/crypto.py +#usr/lib/python3.6/site-packages/borg/testsuite/file_integrity.py #usr/lib/python3.6/site-packages/borg/testsuite/hashindex.py #usr/lib/python3.6/site-packages/borg/testsuite/helpers.py +#usr/lib/python3.6/site-packages/borg/testsuite/item.py #usr/lib/python3.6/site-packages/borg/testsuite/key.py #usr/lib/python3.6/site-packages/borg/testsuite/locking.py #usr/lib/python3.6/site-packages/borg/testsuite/logger.py #usr/lib/python3.6/site-packages/borg/testsuite/lrucache.py +#usr/lib/python3.6/site-packages/borg/testsuite/nanorst.py +#usr/lib/python3.6/site-packages/borg/testsuite/nonces.py +#usr/lib/python3.6/site-packages/borg/testsuite/patterns.py #usr/lib/python3.6/site-packages/borg/testsuite/platform.py +#usr/lib/python3.6/site-packages/borg/testsuite/remote.py #usr/lib/python3.6/site-packages/borg/testsuite/repository.py #usr/lib/python3.6/site-packages/borg/testsuite/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite/upgrader.py +#usr/lib/python3.6/site-packages/borg/testsuite/version.py #usr/lib/python3.6/site-packages/borg/testsuite/xattr.py 
usr/lib/python3.6/site-packages/borg/upgrader.py +usr/lib/python3.6/site-packages/borg/version.py usr/lib/python3.6/site-packages/borg/xattr.py -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/PKG-INFO -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/SOURCES.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/dependency_links.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/entry_points.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/requires.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/top_level.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/PKG-INFO +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/SOURCES.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/dependency_links.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/entry_points.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/not-zip-safe +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/requires.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/top_level.txt diff --git a/config/rootfiles/packages/dnsdist b/config/rootfiles/packages/dnsdist index ba7381f34..3ccb1260c 100644 --- a/config/rootfiles/packages/dnsdist +++ b/config/rootfiles/packages/dnsdist @@ -1,3 +1,4 @@ +etc/rc.d/init.d/dnsdist usr/bin/dnsdist #usr/share/man/man1/dnsdist.1 -etc/rc.d/init.d/dnsdist +var/ipfire/backup/addons/includes/dnsdist diff --git a/config/rootfiles/packages/firmware-update b/config/rootfiles/packages/firmware-update new file mode 100644 index 000000000..92bb977e1 --- /dev/null +++ b/config/rootfiles/packages/firmware-update @@ -0,0 +1 @@ +usr/sbin/firmware-update 
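Review bot: In config/rootfiles/packages/dnsdist the new `+var/ipfire/backup/addons/includes/dnsdist` entry adds a backup include, yet the complete four-line list still installs no configuration file, only the init script and `usr/bin/dnsdist`. Please confirm that every path named in that include exists on an installed system, or add the configuration file to this list so that the package contents and the backup definition agree.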
diff --git a/config/rootfiles/packages/flashrom b/config/rootfiles/packages/flashrom new file mode 100644 index 000000000..1b224cbe9 --- /dev/null +++ b/config/rootfiles/packages/flashrom @@ -0,0 +1,2 @@ +usr/sbin/flashrom +#usr/share/man/man8/flashrom.8 diff --git a/config/rootfiles/packages/freeradius b/config/rootfiles/packages/freeradius index a5b8414b4..aacb08b02 100644 --- a/config/rootfiles/packages/freeradius +++ b/config/rootfiles/packages/freeradius @@ -6,6 +6,7 @@ etc/raddb #etc/raddb/certs/bootstrap #etc/raddb/certs/ca.cnf #etc/raddb/certs/client.cnf +#etc/raddb/certs/inner-server.cnf #etc/raddb/certs/passwords.mk #etc/raddb/certs/server.cnf #etc/raddb/certs/xpextensions @@ -156,7 +157,6 @@ etc/raddb #etc/raddb/mods-config/sql/main/postgresql #etc/raddb/mods-config/sql/main/postgresql/extras #etc/raddb/mods-config/sql/main/postgresql/extras/cisco_h323_db_schema.sql -#etc/raddb/mods-config/sql/main/postgresql/extras/update_radacct_group.sql #etc/raddb/mods-config/sql/main/postgresql/extras/voip-postpaid.conf #etc/raddb/mods-config/sql/main/postgresql/queries.conf #etc/raddb/mods-config/sql/main/postgresql/schema.sql @@ -183,7 +183,6 @@ etc/raddb #etc/raddb/mods-enabled/date #etc/raddb/mods-enabled/detail #etc/raddb/mods-enabled/detail.log -#etc/raddb/mods-enabled/dhcp #etc/raddb/mods-enabled/digest #etc/raddb/mods-enabled/dynamic_clients #etc/raddb/mods-enabled/eap @@ -219,6 +218,7 @@ etc/raddb #etc/raddb/policy.d/filter #etc/raddb/policy.d/moonshot-targeted-ids #etc/raddb/policy.d/operator-name +#etc/raddb/policy.d/rfc7542 #etc/raddb/proxy.conf #etc/raddb/radiusd.conf #etc/raddb/sites-available @@ -269,6 +269,7 @@ usr/bin/rlm_ippool_tool usr/bin/smbencrypt #usr/include/freeradius #usr/include/freeradius/attributes.h +#usr/include/freeradius/autoconf.h #usr/include/freeradius/base64.h #usr/include/freeradius/build.h #usr/include/freeradius/conf.h 
@@ -293,6 +294,7 @@ usr/bin/smbencrypt #usr/include/freeradius/radpaths.h #usr/include/freeradius/radutmp.h #usr/include/freeradius/realms.h +#usr/include/freeradius/regex.h #usr/include/freeradius/rfc2865.h #usr/include/freeradius/rfc2866.h #usr/include/freeradius/rfc2867.h @@ -325,9 +327,12 @@ usr/bin/smbencrypt #usr/include/freeradius/rfc7268.h #usr/include/freeradius/rfc7499.h #usr/include/freeradius/rfc7930.h +#usr/include/freeradius/rfc8045.h #usr/include/freeradius/sha1.h #usr/include/freeradius/stats.h #usr/include/freeradius/sysutmp.h +#usr/include/freeradius/tcp.h +#usr/include/freeradius/threads.h #usr/include/freeradius/tls.h #usr/include/freeradius/token.h #usr/include/freeradius/udpfromto.h @@ -659,6 +664,13 @@ usr/sbin/radmin #usr/share/doc/freeradius/schemas/ldap/openldap/freeradius-clients.schema #usr/share/doc/freeradius/schemas/ldap/openldap/freeradius.ldif #usr/share/doc/freeradius/schemas/ldap/openldap/freeradius.schema +#usr/share/doc/freeradius/schemas/ldap/samba +#usr/share/doc/freeradius/schemas/ldap/samba/README.txt +#usr/share/doc/freeradius/schemas/ldap/samba/freeradius-attrs.ldif +#usr/share/doc/freeradius/schemas/ldap/samba/freeradius-classes.ldif +#usr/share/doc/freeradius/schemas/ldap/samba/freeradius-clients-attrs.ldif +#usr/share/doc/freeradius/schemas/ldap/samba/freeradius-clients-classes.ldif +#usr/share/doc/freeradius/schemas/ldap/samba/freeradius-user.ldif #usr/share/doc/freeradius/schemas/logstash #usr/share/doc/freeradius/schemas/logstash/README #usr/share/doc/freeradius/schemas/logstash/kibana4-dashboard.json @@ -703,6 +715,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.avaya #usr/share/freeradius/dictionary.azaire #usr/share/freeradius/dictionary.bay +#usr/share/freeradius/dictionary.bigswitch #usr/share/freeradius/dictionary.bintec #usr/share/freeradius/dictionary.bluecoat #usr/share/freeradius/dictionary.boingo 
@@ -761,6 +774,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.huawei #usr/share/freeradius/dictionary.iana #usr/share/freeradius/dictionary.iea +#usr/share/freeradius/dictionary.infinera #usr/share/freeradius/dictionary.infoblox #usr/share/freeradius/dictionary.infonet #usr/share/freeradius/dictionary.ipunplugged @@ -782,6 +796,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.microsemi #usr/share/freeradius/dictionary.microsoft #usr/share/freeradius/dictionary.mikrotik +#usr/share/freeradius/dictionary.mimosa #usr/share/freeradius/dictionary.motorola #usr/share/freeradius/dictionary.motorola.illegal #usr/share/freeradius/dictionary.motorola.wimax @@ -838,6 +853,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.rfc7268 #usr/share/freeradius/dictionary.rfc7499 #usr/share/freeradius/dictionary.rfc7930 +#usr/share/freeradius/dictionary.rfc8045 #usr/share/freeradius/dictionary.riverbed #usr/share/freeradius/dictionary.riverstone #usr/share/freeradius/dictionary.roaringpenguin @@ -850,6 +866,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.siemens #usr/share/freeradius/dictionary.slipstream #usr/share/freeradius/dictionary.sofaware +#usr/share/freeradius/dictionary.softbank #usr/share/freeradius/dictionary.sonicwall #usr/share/freeradius/dictionary.springtide #usr/share/freeradius/dictionary.starent @@ -869,6 +886,7 @@ usr/share/freeradius #usr/share/freeradius/dictionary.usr.illegal #usr/share/freeradius/dictionary.utstarcom #usr/share/freeradius/dictionary.valemount +#usr/share/freeradius/dictionary.verizon #usr/share/freeradius/dictionary.versanet #usr/share/freeradius/dictionary.vqp #usr/share/freeradius/dictionary.walabi diff --git a/config/rootfiles/packages/i586/borgbackup b/config/rootfiles/packages/i586/borgbackup index 7655c01c5..bab1f8044 100644 --- a/config/rootfiles/packages/i586/borgbackup +++ b/config/rootfiles/packages/i586/borgbackup 
@@ -1,4 +1,5 @@ usr/bin/borg +usr/bin/borgfs usr/lib/python3.6/site-packages/borg usr/lib/python3.6/site-packages/borg/__init__.py usr/lib/python3.6/site-packages/borg/__main__.py 
@@ -9,55 +10,67 @@ usr/lib/python3.6/site-packages/borg/__pycache__/_version.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/archive.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/archiver.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/cache.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/constants.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/fuse.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/helpers.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/key.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/keymanager.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/locking.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/logger.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/lrucache.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/__pycache__/platform.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/nanorst.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/patterns.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/remote.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/repository.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/selftest.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/shellpattern.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/upgrader.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/__pycache__/version.cpython-36.pyc usr/lib/python3.6/site-packages/borg/__pycache__/xattr.cpython-36.pyc -usr/lib/python3.6/site-packages/borg/_chunker.c -usr/lib/python3.6/site-packages/borg/_hashindex.c usr/lib/python3.6/site-packages/borg/_version.py +usr/lib/python3.6/site-packages/borg/algorithms +usr/lib/python3.6/site-packages/borg/algorithms/__init__.py +usr/lib/python3.6/site-packages/borg/algorithms/__pycache__ 
+usr/lib/python3.6/site-packages/borg/algorithms/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/algorithms/checksums.cpython-36m-i386-linux-gnu.so usr/lib/python3.6/site-packages/borg/archive.py usr/lib/python3.6/site-packages/borg/archiver.py usr/lib/python3.6/site-packages/borg/cache.py -usr/lib/python3.6/site-packages/borg/chunker.c usr/lib/python3.6/site-packages/borg/chunker.cpython-36m-i386-linux-gnu.so -usr/lib/python3.6/site-packages/borg/chunker.pyx -usr/lib/python3.6/site-packages/borg/compress.c usr/lib/python3.6/site-packages/borg/compress.cpython-36m-i386-linux-gnu.so -usr/lib/python3.6/site-packages/borg/compress.pyx -usr/lib/python3.6/site-packages/borg/crypto.c -usr/lib/python3.6/site-packages/borg/crypto.cpython-36m-i386-linux-gnu.so -usr/lib/python3.6/site-packages/borg/crypto.pyx +usr/lib/python3.6/site-packages/borg/constants.py +usr/lib/python3.6/site-packages/borg/crypto +usr/lib/python3.6/site-packages/borg/crypto/__init__.py +usr/lib/python3.6/site-packages/borg/crypto/__pycache__ +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/file_integrity.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/key.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/keymanager.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/__pycache__/nonces.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/crypto/file_integrity.py +usr/lib/python3.6/site-packages/borg/crypto/key.py +usr/lib/python3.6/site-packages/borg/crypto/keymanager.py +usr/lib/python3.6/site-packages/borg/crypto/low_level.cpython-36m-i386-linux-gnu.so +usr/lib/python3.6/site-packages/borg/crypto/nonces.py usr/lib/python3.6/site-packages/borg/fuse.py -usr/lib/python3.6/site-packages/borg/hashindex.c usr/lib/python3.6/site-packages/borg/hashindex.cpython-36m-i386-linux-gnu.so -usr/lib/python3.6/site-packages/borg/hashindex.pyx 
usr/lib/python3.6/site-packages/borg/helpers.py -usr/lib/python3.6/site-packages/borg/key.py -usr/lib/python3.6/site-packages/borg/keymanager.py +usr/lib/python3.6/site-packages/borg/item.cpython-36m-i386-linux-gnu.so usr/lib/python3.6/site-packages/borg/locking.py usr/lib/python3.6/site-packages/borg/logger.py usr/lib/python3.6/site-packages/borg/lrucache.py +usr/lib/python3.6/site-packages/borg/nanorst.py usr/lib/python3.6/site-packages/borg/paperkey.html -usr/lib/python3.6/site-packages/borg/platform.py -usr/lib/python3.6/site-packages/borg/platform_darwin.c -usr/lib/python3.6/site-packages/borg/platform_darwin.pyx -usr/lib/python3.6/site-packages/borg/platform_freebsd.c -usr/lib/python3.6/site-packages/borg/platform_freebsd.pyx -usr/lib/python3.6/site-packages/borg/platform_linux.c -usr/lib/python3.6/site-packages/borg/platform_linux.cpython-36m-i386-linux-gnu.so -usr/lib/python3.6/site-packages/borg/platform_linux.pyx +usr/lib/python3.6/site-packages/borg/patterns.py +usr/lib/python3.6/site-packages/borg/platform +usr/lib/python3.6/site-packages/borg/platform/__init__.py +usr/lib/python3.6/site-packages/borg/platform/__pycache__ +usr/lib/python3.6/site-packages/borg/platform/__pycache__/__init__.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/platform/__pycache__/base.cpython-36.pyc +usr/lib/python3.6/site-packages/borg/platform/base.py +usr/lib/python3.6/site-packages/borg/platform/linux.cpython-36m-i386-linux-gnu.so +usr/lib/python3.6/site-packages/borg/platform/posix.cpython-36m-i386-linux-gnu.so usr/lib/python3.6/site-packages/borg/remote.py usr/lib/python3.6/site-packages/borg/repository.py +usr/lib/python3.6/site-packages/borg/selftest.py usr/lib/python3.6/site-packages/borg/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite #usr/lib/python3.6/site-packages/borg/testsuite/__init__.py 
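Review bot: the `@@ -9,55 +10,67 @@` hunk of config/rootfiles/packages/i586/borgbackup drops `borg/key.py`, `borg/keymanager.py`, `borg/platform.py` and `borg/crypto.cpython-36m-i386-linux-gnu.so` in favour of the new `borg/crypto/` and `borg/platform/` packages, but nothing visible here removes the old paths from a system that already has the previous version installed. Please confirm that the add-on update uninstalls by the old file list before unpacking the new one, so that the old key-handling and crypto modules do not stay on disk beside the new packages. Dropping the generated `.c` and `.pyx` sources from the shipped list looks right.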
@@ -66,44 +79,64 @@ usr/lib/python3.6/site-packages/borg/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/archive.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/archiver.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/benchmark.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/cache.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/checksums.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/chunker.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/compress.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/crypto.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/file_integrity.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/hashindex.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/helpers.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/item.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/key.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/locking.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/logger.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/lrucache.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/nanorst.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/nonces.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/patterns.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/platform.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/remote.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/repository.cpython-36.pyc 
#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/shellpattern.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/upgrader.cpython-36.pyc +#usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/version.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/__pycache__/xattr.cpython-36.pyc #usr/lib/python3.6/site-packages/borg/testsuite/archive.py #usr/lib/python3.6/site-packages/borg/testsuite/archiver.py #usr/lib/python3.6/site-packages/borg/testsuite/attic.tar.gz #usr/lib/python3.6/site-packages/borg/testsuite/benchmark.py +#usr/lib/python3.6/site-packages/borg/testsuite/cache.py +#usr/lib/python3.6/site-packages/borg/testsuite/checksums.py #usr/lib/python3.6/site-packages/borg/testsuite/chunker.py #usr/lib/python3.6/site-packages/borg/testsuite/compress.py #usr/lib/python3.6/site-packages/borg/testsuite/crypto.py +#usr/lib/python3.6/site-packages/borg/testsuite/file_integrity.py #usr/lib/python3.6/site-packages/borg/testsuite/hashindex.py #usr/lib/python3.6/site-packages/borg/testsuite/helpers.py +#usr/lib/python3.6/site-packages/borg/testsuite/item.py #usr/lib/python3.6/site-packages/borg/testsuite/key.py #usr/lib/python3.6/site-packages/borg/testsuite/locking.py #usr/lib/python3.6/site-packages/borg/testsuite/logger.py #usr/lib/python3.6/site-packages/borg/testsuite/lrucache.py +#usr/lib/python3.6/site-packages/borg/testsuite/nanorst.py +#usr/lib/python3.6/site-packages/borg/testsuite/nonces.py +#usr/lib/python3.6/site-packages/borg/testsuite/patterns.py #usr/lib/python3.6/site-packages/borg/testsuite/platform.py +#usr/lib/python3.6/site-packages/borg/testsuite/remote.py #usr/lib/python3.6/site-packages/borg/testsuite/repository.py #usr/lib/python3.6/site-packages/borg/testsuite/shellpattern.py #usr/lib/python3.6/site-packages/borg/testsuite/upgrader.py +#usr/lib/python3.6/site-packages/borg/testsuite/version.py #usr/lib/python3.6/site-packages/borg/testsuite/xattr.py 
usr/lib/python3.6/site-packages/borg/upgrader.py +usr/lib/python3.6/site-packages/borg/version.py usr/lib/python3.6/site-packages/borg/xattr.py -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/PKG-INFO -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/SOURCES.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/dependency_links.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/entry_points.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/requires.txt -usr/lib/python3.6/site-packages/borgbackup-1.0.12-py3.6.egg-info/top_level.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/PKG-INFO +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/SOURCES.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/dependency_links.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/entry_points.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/not-zip-safe +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/requires.txt +usr/lib/python3.6/site-packages/borgbackup-1.1.9-py3.6.egg-info/top_level.txt diff --git a/config/rootfiles/packages/i586/python3-yaml b/config/rootfiles/packages/i586/python3-yaml new file mode 100644 index 000000000..19a4d19c1 --- /dev/null +++ b/config/rootfiles/packages/i586/python3-yaml 
@@ -0,0 +1,38 @@ +#usr/lib/python3.6/site-packages/PyYAML-3.13-py3.6.egg-info +usr/lib/python3.6/site-packages/_yaml.cpython-36m-i386-linux-gnu.so +usr/lib/python3.6/site-packages/yaml +#usr/lib/python3.6/site-packages/yaml/__init__.py +#usr/lib/python3.6/site-packages/yaml/__pycache__ +#usr/lib/python3.6/site-packages/yaml/__pycache__/__init__.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/composer.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/constructor.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/cyaml.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/dumper.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/emitter.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/error.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/events.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/loader.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/nodes.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/parser.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/reader.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/representer.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/resolver.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/scanner.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/serializer.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/__pycache__/tokens.cpython-36.pyc +#usr/lib/python3.6/site-packages/yaml/composer.py +#usr/lib/python3.6/site-packages/yaml/constructor.py +#usr/lib/python3.6/site-packages/yaml/cyaml.py +#usr/lib/python3.6/site-packages/yaml/dumper.py +#usr/lib/python3.6/site-packages/yaml/emitter.py +#usr/lib/python3.6/site-packages/yaml/error.py +#usr/lib/python3.6/site-packages/yaml/events.py +#usr/lib/python3.6/site-packages/yaml/loader.py +#usr/lib/python3.6/site-packages/yaml/nodes.py 
+#usr/lib/python3.6/site-packages/yaml/parser.py +#usr/lib/python3.6/site-packages/yaml/reader.py +#usr/lib/python3.6/site-packages/yaml/representer.py +#usr/lib/python3.6/site-packages/yaml/resolver.py +#usr/lib/python3.6/site-packages/yaml/scanner.py +#usr/lib/python3.6/site-packages/yaml/serializer.py +#usr/lib/python3.6/site-packages/yaml/tokens.py diff --git a/config/rootfiles/packages/linux-pae b/config/rootfiles/packages/linux-pae index 39958585c..e139e20cc 100644 --- a/config/rootfiles/packages/linux-pae +++ b/config/rootfiles/packages/linux-pae @@ -2355,7 +2355,6 @@ lib/modules/KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/kernel/drivers/tty/cyclades.ko.xz #lib/modules/KVER-ipfire-pae/kernel/drivers/tty/n_gsm.ko.xz #lib/modules/KVER-ipfire-pae/kernel/drivers/tty/n_hdlc.ko.xz -#lib/modules/KVER-ipfire-pae/kernel/drivers/tty/n_r3964.ko.xz #lib/modules/KVER-ipfire-pae/kernel/drivers/tty/nozomi.ko.xz #lib/modules/KVER-ipfire-pae/kernel/drivers/tty/rocket.ko.xz #lib/modules/KVER-ipfire-pae/kernel/drivers/tty/serial diff --git a/config/rootfiles/packages/nginx b/config/rootfiles/packages/nginx index 3560e45b9..2ea271bd9 100644 --- a/config/rootfiles/packages/nginx +++ b/config/rootfiles/packages/nginx @@ -1,4 +1,4 @@ -etc/nginx +#etc/nginx etc/nginx/fastcgi.conf etc/nginx/fastcgi.conf.default etc/nginx/fastcgi_params @@ -16,8 +16,8 @@ etc/nginx/uwsgi_params.default etc/nginx/win-utf etc/rc.d/init.d/nginx usr/sbin/nginx -usr/share/nginx -usr/share/nginx/html +#usr/share/nginx +#usr/share/nginx/html usr/share/nginx/html/50x.html usr/share/nginx/html/index.html var/ipfire/backup/addons/includes/nginx diff --git a/config/rootfiles/packages/pcengines-apu-firmware b/config/rootfiles/packages/pcengines-apu-firmware new file mode 100644 index 000000000..271d6df32 --- /dev/null +++ b/config/rootfiles/packages/pcengines-apu-firmware 
@@ -0,0 +1,7 @@ +#lib/firmware/pcengines +#lib/firmware/pcengines/apu +lib/firmware/pcengines/apu/apu1_v4.9.0.3.rom +lib/firmware/pcengines/apu/apu2_v4.9.0.3.rom +lib/firmware/pcengines/apu/apu3_v4.9.0.3.rom +lib/firmware/pcengines/apu/apu4_v4.9.0.3.rom +lib/firmware/pcengines/apu/apu5_v4.9.0.3.rom diff --git a/config/rootfiles/packages/python3-yaml b/config/rootfiles/packages/python3-yaml index 6b095f845..d3278eaca 100644 --- a/config/rootfiles/packages/python3-yaml +++ b/config/rootfiles/packages/python3-yaml @@ -1,4 +1,5 @@ #usr/lib/python3.6/site-packages/PyYAML-3.13-py3.6.egg-info +usr/lib/python3.6/site-packages/_yaml.cpython-36m-MACHINE-linux-gnu.so usr/lib/python3.6/site-packages/yaml #usr/lib/python3.6/site-packages/yaml/__init__.py #usr/lib/python3.6/site-packages/yaml/__pycache__ diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index db852381e..eaecf2644 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -1,6 +1,6 @@ etc/logrotate.d/zabbix_agentd etc/rc.d/init.d/zabbix_agentd -etc/sudoers.d/zabbix.user +etc/sudoers.d/zabbix etc/zabbix_agentd etc/zabbix_agentd/scripts etc/zabbix_agentd/zabbix_agentd.conf diff --git a/config/snort/snort.conf b/config/snort/snort.conf deleted file mode 100644 index 950ae3e55..000000000 --- a/config/snort/snort.conf +++ /dev/null 
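Review bot: in the config/rootfiles/packages/zabbix_agentd hunk, the rename of `etc/sudoers.d/zabbix.user` to `etc/sudoers.d/zabbix` is a functional change, not a cosmetic one. If `/etc/sudoers.d` is pulled in via `includedir`, sudo skips file names that contain a `.`, so the old drop-in would never have been read. Two things to check, since only the rootfile is visible here: that the package build installs the file under the new name, and that an update removes the leftover `etc/sudoers.d/zabbix.user` so an unreviewed rule does not stay on disk. It is worth stating this in the commit message if it is not there already.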
@@ -1,524 +0,0 @@ -################################################### -# IPFire snort.conf -# -# some parts of this file are changed/updated by the webif -################################################### -# VERSIONS : 2.9.5.0 - -include /etc/snort/vars - -################################################### -# Step #1: Set the network variables. For more information, see README.variables -################################################### - -# taken from /etc/snort vars -#ipvar HOME_NET any - -# Set up the external network addresses. Leave as "any" in most situations -ipvar EXTERNAL_NET any - -# List of DNS servers on your network -#ipvar DNS_SERVERS $HOME_NET - -# List of SMTP servers on your network -ipvar SMTP_SERVERS $HOME_NET - -# List of web servers on your network -ipvar HTTP_SERVERS $HOME_NET - -# List of sql servers on your network -ipvar SQL_SERVERS $HOME_NET - -# List of telnet servers on your network -ipvar TELNET_SERVERS $HOME_NET - -# List of ssh servers on your network -ipvar SSH_SERVERS $HOME_NET - -# List of ftp servers on your network -ipvar FTP_SERVERS $HOME_NET - -# List of sip servers on your network -ipvar SIP_SERVERS $HOME_NET - -# List of ports you run web servers on -portvar HTTP_PORTS [80,81,82,83,84,85,86,87,88,89,311,383,444,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555] - -# List of ports you want to look for SHELLCODE on. 
-portvar SHELLCODE_PORTS !80 - -# List of ports you might see oracle attacks on -portvar ORACLE_PORTS 1024: - -# List of ports you want to look for SSH connections on: -portvar SSH_PORTS [22,222] - -# List of ports you run ftp servers on -portvar FTP_PORTS [21,2100,3535] - -# List of ports you run SIP servers on -portvar SIP_PORTS [5060,5061,5600] - -# List of file data ports for file inspection -portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] - -# List of GTP ports for GTP preprocessor -portvar GTP_PORTS [2123,2152,3386] - -# other variables, these should not be modified -ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] - -# Path to your rules files (this can be a relative path) -# Note for Windows users: You are advised to make this an absolute path, -# such as: c:\snort\rules -var RULE_PATH /etc/snort/rules -var SO_RULE_PATH /etc/snort/so_rules -var PREPROC_RULE_PATH /etc/snort/preproc_rules - -# If you are using reputation preprocessor set these -# Currently there is a bug with relative paths, they are relative to where snort is -# not relative to snort.conf like the above variables -# This is completely inconsistent with how other vars work, BUG 89986 -# Set the absolute path appropriately -var WHITE_LIST_PATH /etc/snort/rules -var BLACK_LIST_PATH /etc/snort/rules - - -################################################### -# Step #2: Configure the decoder. 
For more information, see README.decode -################################################### - -# Stop generic decode events: -config disable_decode_alerts - -# Stop Alerts on experimental TCP options -config disable_tcpopt_experimental_alerts - -# Stop Alerts on obsolete TCP options -config disable_tcpopt_obsolete_alerts - -# Stop Alerts on T/TCP alerts -# config disable_tcpopt_ttcp_alerts - -# Stop Alerts on all other TCPOption type events: -config disable_tcpopt_alerts - -# Stop Alerts on invalid ip options -# config disable_ipopt_alerts - -# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet -# config enable_decode_oversized_alerts - -# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts) -# config enable_decode_oversized_drops - -# Configure IP / TCP checksum mode -config checksum_mode: all - -# Configure maximum number of flowbit references. For more information, see README.flowbits -# config flowbits_size: 64 - -# Configure ports to ignore -# config ignore_ports: tcp 21 6667:6671 1356 -# config ignore_ports: udp 1:17 53 - -# Configure active response for non inline operation. For more information, see REAMDE.active -# config response: eth0 attempts 2 - -# Configure DAQ related options for inline operation. For more information, see README.daq -# -# config daq: <type> -# config daq_dir: <dir> -# config daq_mode: <mode> -# config daq_var: <var> -# -# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw -# <mode> ::= read-file | passive | inline -# <var> ::= arbitrary <name>=<value passed to DAQ -# <dir> ::= path as to where to look for DAQ module so's - -# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options -# -# config set_gid: -# config set_uid: - -# Configure default snaplen. Snort defaults to MTU of in use interface. 
For more information see README -# -# config snaplen: -# - -# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F) -# -# config bpf_file: -# - -# Configure default log directory for snort to log to. For more information see snort -h command line options (-l) -# -# config logdir: - - -################################################### -# Step #3: Configure the base detection engine. For more information, see README.decode -################################################### - -# Configure PCRE match limitations -config pcre_match_limit: 3500 -config pcre_match_limit_recursion: 1500 - -# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config -config detection: search-method ac-split search-optimize max-pattern-len 20 - -# Configure the event queue. For more information, see README.event_queue -config event_queue: max_queue 8 log 5 order_events content_length - -################################################### -## Configure GTP if it is to be used. 
-## For more information, see README.GTP -#################################################### - -# config enable_gtp - -################################################### -# Per packet and rule latency enforcement -# For more information see README.ppm -################################################### - -# Per Packet latency configuration -#config ppm: max-pkt-time 250, \ -# fastpath-expensive-packets, \ -# pkt-log - -# Per Rule latency configuration -#config ppm: max-rule-time 200, \ -# threshold 3, \ -# suspend-expensive-rules, \ -# suspend-timeout 20, \ -# rule-log alert - -################################################### -# Configure Perf Profiling for debugging -# For more information see README.PerfProfiling -################################################### - -#config profile_rules: print all, sort avg_ticks -#config profile_preprocs: print all, sort avg_ticks - -################################################### -# Configure protocol aware flushing -# For more information see README.stream5 -################################################### -config paf_max: 16000 - -################################################### -# Step #4: Configure dynamic loaded libraries. -# For more information, see Snort Manual, Configuring Snort - Dynamic Modules -################################################### - -# path to dynamic preprocessor libraries -dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ - -# path to base preprocessor engine -dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so - -# path to dynamic rules libraries -# dynamicdetection directory /usr/local/lib/snort_dynamicrules - - -################################################### -# Step #5: Configure preprocessors -# For more information, see the Snort Manual, Configuring Snort - Preprocessors -################################################### - -# GTP Control Channle Preprocessor. 
For more information, see README.GTP -# preprocessor gtp: ports { 2123 3386 2152 } - -# Inline packet normalization. For more information, see README.normalize -# Does nothing in IDS mode -preprocessor normalize_ip4 -preprocessor normalize_tcp: ips ecn stream -preprocessor normalize_icmp4 -preprocessor normalize_ip6 -preprocessor normalize_icmp6 - -# Target-based IP defragmentation. For more inforation, see README.frag3 -preprocessor frag3_global: max_frags 65536 -preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180 - -# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5 -preprocessor stream5_global: track_tcp yes, \ - track_udp yes, \ - track_icmp no, \ - max_tcp 262144, \ - max_udp 131072, \ - max_active_responses 2, \ - min_response_seconds 5 -preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \ - overlap_limit 10, small_segments 3 bytes 150, timeout 180, \ - ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \ - 161 222 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \ - 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ - ports both 80 81 82 83 84 85 86 87 88 89 110 311 383 443 444 465 563 591 593 631 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \ - 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ - 7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 -preprocessor stream5_udp: timeout 180 - -# performance statistics. 
For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor -# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 - -# HTTP normalization and anomaly detection. For more information, see README.http_inspect -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 -preprocessor http_inspect_server: server default \ - http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ - chunk_length 500000 \ - server_flow_depth 0 \ - client_flow_depth 0 \ - post_depth 65495 \ - oversize_dir_length 500 \ - max_header_length 750 \ - max_headers 100 \ - max_spaces 200 \ - small_chunk_length { 10 5 } \ - ports { 80 81 82 83 84 85 86 87 88 89 311 383 444 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - enable_cookie \ - extended_response_inspection \ - inspect_gzip \ - normalize_utf \ - unlimited_decompress \ - normalize_javascript \ - apache_whitespace no \ - ascii no \ - bare_byte no \ - directory no \ - double_decode no \ - iis_backslash no \ - iis_delimiter no \ - iis_unicode no \ - multi_slash no \ - utf_8 no \ - u_encode yes \ - webroot no - -# ONC-RPC normalization and anomaly detection. 
For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete - -# Back Orifice detection. -preprocessor bo - -# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet -preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted -preprocessor ftp_telnet_protocol: telnet \ - ayt_attack_thresh 20 \ - normalize ports { 23 } \ - detect_anomalies -preprocessor ftp_telnet_protocol: ftp server default \ - def_max_param_len 100 \ - ports { 21 2100 3535 } \ - telnet_cmds yes \ - ignore_telnet_erase_cmds yes \ - ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ - ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ - ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ - ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \ - ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ - ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ - ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ - ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ - ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ - ftp_cmds { XSEN XSHA1 XSHA256 } \ - alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ - alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ - alt_max_param_len 256 { CWD RNTO } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ - chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ - chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ - chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ - chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ - chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ - chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP 
XRMD XRSQ } \ - chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ - cmd_validity MACB < string > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity PORT < host_port > \ - cmd_validity PROT < char CSEP > \ - cmd_validity STRU < char FRPO [ string ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - ignore_telnet_erase_cmds yes \ - telnet_cmds yes - - -# SMTP normalization and anomaly detection. For more information, see README.SMTP -preprocessor smtp: ports { 25 465 587 691 } \ - inspection_type stateful \ - b64_decode_depth 0 \ - qp_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 \ - log_mailfrom \ - log_rcptto \ - log_filename \ - log_email_hdrs \ - normalize cmds \ - normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ - normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \ - normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \ - normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ - max_command_line_len 512 \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ - valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ - 
valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \ - valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \ - valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ - xlink2state { enabled } - -# Portscan detection. For more information, see README.sfportscan -preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } - -# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor -# preprocessor arpspoof -# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 - -# SSH anomaly detection. For more information, see README.ssh -preprocessor ssh: server_ports { 22 222 } \ - autodetect \ - max_client_bytes 19600 \ - max_encrypted_packets 20 \ - max_server_version_len 100 \ - enable_respoverflow enable_ssh1crc32 \ - enable_srvoverflow enable_protomismatch - -# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2 -preprocessor dcerpc2: memcap 102400, events [co ] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] - -# DNS anomaly detection. For more information, see README.dns -preprocessor dns: ports { 53 } enable_rdata_overflow - -# SSL anomaly detection and traffic bypass. For more information, see README.ssl -preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted - -# SDF sensitive data preprocessor. For more information see README.sensitive_data -preprocessor sensitive_data: alert_threshold 25 - -# SIP Session Initiation Protocol preprocessor. 
For more information see README.sip -preprocessor sip: max_sessions 40000, \ - ports { 5060 5061 5600 }, \ - methods { invite \ - cancel \ - ack \ - bye \ - register \ - options \ - refer \ - subscribe \ - update \ - join \ - info \ - message \ - notify \ - benotify \ - do \ - qauth \ - sprack \ - publish \ - service \ - unsubscribe \ - prack }, \ - max_uri_len 512, \ - max_call_id_len 80, \ - max_requestName_len 20, \ - max_from_len 256, \ - max_to_len 256, \ - max_via_len 1024, \ - max_contact_len 512, \ - max_content_len 2048 - -# IMAP preprocessor. For more information see README.imap -preprocessor imap: \ - ports { 143 } \ - b64_decode_depth 0 \ - qp_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 - -# POP preprocessor. For more information see README.pop -preprocessor pop: \ - ports { 110 } \ - b64_decode_depth 0 \ - qp_decode_depth 0 \ - bitenc_decode_depth 0 \ - uu_decode_depth 0 - -# Modbus preprocessor. For more information see README.modbus -preprocessor modbus: ports { 502 } - -# DNP3 preprocessor. For more information see README.dnp3 -preprocessor dnp3: ports { 20000 } \ - memcap 262144 \ - check_crc - -# Reputation preprocessor. 
For more information see README.reputation -#preprocessor reputation: \ -# memcap 500, \ -# priority whitelist, \ -# nested_ip inner, \ -# whitelist $WHITE_LIST_PATH/white_list.rules, \ -# blacklist $BLACK_LIST_PATH/black_list.rules - - -################################################### -# Step #6: Configure output plugins -# For more information, see Snort Manual, Configuring Snort - Output Modules -################################################### - -# unified2 -# Recommended for most installs -# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types - -# Additional configuration for specific types of installs -# output alert_unified2: filename snort.alert, limit 128, nostamp -# output log_unified2: filename snort.log, limit 128, nostamp - -# syslog -# output alert_syslog: LOG_AUTH LOG_ALERT - -# pcap -# output log_tcpdump: tcpdump.log - -# database -# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname> -# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname> - -# prelude -# output alert_prelude - -# metadata reference data. do not modify these lines -include /etc/snort/rules/classification.config -include /etc/snort/rules/reference.config - - -################################################### -# Step #7: Customize your rule set -# For more information, see Snort Manual, Writing Snort Rules -################################################### - -# -# site specific rules -# diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort new file mode 100644 index 000000000..0ad2942b1 --- /dev/null +++ b/config/suricata/convert-snort 
@@ -0,0 +1,326 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2019 IPFire Development Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; + +# Snort settings file, which contains the settings from the WUI. +my $snort_settings_file = "${General::swroot}/snort/settings"; + +# Main snort config file. +my $snort_config_file = "/etc/snort/snort.conf"; + +# Snort rules tarball. +my $snort_rules_tarball = "/var/tmp/snortrules.tar.gz"; + +# +## Step 1: Setup directory and file layout, if not present and set correct +## ownership. The converter runs as a privileged user, but the files +## needs to be full access-able by the WUI user and group (nobody:nobody). +# + +# Check if the settings directory exists. +unless (-d $IDS::settingsdir) { + # Create the directory. + mkdir($IDS::settingsdir); +} + +# Check if the rules directory exists. +unless (-d $IDS::rulespath) { + # Create the directory. + mkdir($IDS::rulespath); +} + +# Create file layout, if not exists yet. 
+&IDS::check_and_create_filelayout(); + +# Set correct ownership for settingsdir and rulespath. +&IDS::set_ownership("$IDS::settingsdir"); +&IDS::set_ownership("$IDS::rulespath"); + +# Check if a snort settings file exists. +unless( -f "$snort_settings_file") { + print "$snort_settings_file not found - Nothing to do. Exiting!\n"; + exit(0); +} + +# Check if the snort settings file is empty. +if (-z "$snort_settings_file") { + print "$snort_settings_file is empty - Nothing to do. Exiting!\n"; + exit(0); +} + +# +## Step 2: Import snort settings and convert to the required format for the new IDS +## (suricata). +# + +# Hash which contains the "old" snort settings. +my %snortsettings; + +# Hash which contains the IDS (suricata) settings. +# +# Add default value for MONITOR_TRAFFIC_ONLY which will be "on" +# when migrating from snort to the new IDS. +my %idssettings = ( + "MONITOR_TRAFFIC_ONLY" => "on", +); + +# Hash which contains the RULES settings. +# +# Set default value for UPDATE_INTERVAL to weekly. +my %rulessettings = ( + "AUTOUPDATE_INTERVAL" => "weekly", +); + +# Get all available network zones. +my @network_zones = &IDS::get_available_network_zones(); + +# Read-in snort settings file. +&General::readhash("$snort_settings_file", %snortsettings); + +# Loop through the array of network zones. +foreach my $zone (@network_zones) { + # Convert current zone into upper case. + my $zone_upper = uc($zone); + + # Check if the current network zone is "red". + if($zone eq "red") { + # Check if snort was enabled and enabled on red. + if ($snortsettings{"ENABLE_SNORT"} eq "on") { + # Enable the IDS. + $idssettings{"ENABLE_IDS"} = "on"; + + # Enable the IDS on RED. + $idssettings{"ENABLE_IDS_$zone_upper"} = "on"; + } + } else { + # Check if snort was enabled on the current zone. + if ($snortsettings{"ENABLE_SNORT_$zone_upper"} eq "on") { + # Enable the IDS on this zone too. 
+ $idssettings{"ENABLE_IDS_$zone_upper"} = "on"; + } + } +} + +# Grab the choosen ruleset from snort settings hash and store it in the rules +# settings hash. +$rulessettings{"RULES"} = $snortsettings{"RULES"}; + +# Check if an oinkcode has been provided. +if($snortsettings{"OINKCODE"}) { + # Take the oinkcode from snort settings hash and store it in the rules + # settings hash. + $rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"}; +} + +# +## Step 3: Import guardian settings and whitelist if the addon is installed. +# + +# Pakfire meta file for owncloud. +# (File exists when the addon is installed.) +my $guardian_meta = "/opt/pakfire/db/installed/meta-guardian"; + +# Check if the guardian addon is installed. +if (-f $guardian_meta) { + # File which contains the taken setting for guardian. + my $guardian_settings_file = "${General::swroot}/guardian/settings"; + + # File which contains the white-listed hosts. + my $guardian_ignored_file = "${General::swroot}/guardian/ignored"; + + # Hash which will contain the settings of guardian. + my %guardiansettings; + + # Check if the settings file of guardian is empty. + unless (-z $guardian_settings_file) { + # Read-in settings. + &General::readhash("$guardian_settings_file", %guardiansettings); + } + + # Check if guardian is not configured to take actions on snort events. + if ($guardiansettings{"GUARDIAN_MONITOR_SNORT"} eq "on") { + # Change the IDS into MONITOR_TRAFFIC_ONLY mode. + $idssettings{"MONITOR_TRAFFIC_ONLY"} = "off"; + } + + # Check if guardian has any white-listed hosts configured. + unless (-z $guardian_ignored_file) { + # Temporary hash to store the ignored hosts. + my %ignored_hosts; + + # Read-in white-listed hosts and store them in the hash. + &General::readhasharray($guardian_ignored_file, %ignored_hosts); + + # Write-out the white-listed hosts for the IDS system. + &General::writehasharray($IDS::ignored_file, %ignored_hosts); + + # Call subfunction to generate the file for white-listing the hosts. 
+ &IDS::generate_ignored_file(); + } + +} + +# +## Step 4: Save IDS and rules settings. +# + +# Write IDS settings. +&General::writehash("$IDS::ids_settings_file", %idssettings); + +# Write rules settings. +&General::writehash("$IDS::rules_settings_file", %rulessettings); + +# +## Step 5: Generate and write the file to modify the ruleset. +# + +# Converters default is to only monitor the traffic, so set the IDS action to +# "alert". +my $IDS_action = "alert"; + +# Check if the traffic only should be monitored. +if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") { + # Swith IDS action to alert only. + $IDS_action = "drop"; +} + +# Call subfunction and pass the desired IDS action. +&IDS::write_modify_sids_file($IDS_action); + +# Set correct ownership. +&IDS::set_ownership("$IDS::modify_sids_file"); + +# +## Step 6: Move rulestarball to its new location. +# + +# Check if a rulestarball has been downloaded yet. +if (-f $snort_rules_tarball) { + # Load perl module which contains the move command. + use File::Copy; + + # Move the rulestarball to the new location. + move($snort_rules_tarball, $IDS::rulestarball); + + # Set correct ownership. + &IDS::set_ownership("$IDS::rulestarball"); + +# In case no tarball is present, try to download the ruleset. +} else { + # Check if enought disk space is available. + if(&IDS::checkdiskspace()) { + # Print error message. + print "Could not download ruleset - Not enough free diskspace available.\n"; + } else { + # Call the download function and grab the new ruleset. + &IDS::downloadruleset(); + } +} + +# +## Step 7: Call oinkmaster to extract and setup the rules structures. +# + +# Check if a rulestarball is present. +if (-f $IDS::rulestarball) { + # Launch oinkmaster by calling the subfunction. + &IDS::oinkmaster(); + + # Set correct ownership for the rulesdir and files. + &IDS::set_ownership("$IDS::rulespath"); +} + +# +## Step 8: Generate file for the HOME Net. +# + +# Call subfunction to generate the file. 
+&IDS::generate_home_net_file(); + +# +## Step 9: Setup automatic ruleset updates. +# + +# Check if a ruleset is configured. +if($rulessettings{"RULES"}) { + # Call suricatactrl and setup the periodic update mechanism. + &IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'}); +} + +# +## Step 10: Grab used ruleset files from snort config file and convert +## them into the new format. +# + +# Check if the snort config file exists. +unless (-f $snort_config_file) { + print "$snort_config_file does not exist - Nothing to do. Exiting!\n"; + exit(0); +} + +# Array to store the enabled rules files. +my @enabled_rule_files; + +# Open snort config file. +open(SNORTCONF, $snort_config_file) or die "Could not open $snort_config_file. $!\n"; + +# Loop through the file content. +while (my $line = <SNORTCONF>) { + # Skip comments. + next if ($line =~ /#/); + + # Skip blank lines. + next if ($line =~ /^\s*$/); + + # Remove newlines. + chomp($line); + + # Check for a line with .rules + if ($line =~ /.rules$/) { + # Parse out rule file name + my $rulefile = $line; + $rulefile =~ s/$RULE_PATH///i; + $rulefile =~ s/ ?include ?//i; + + # Add the enabled rulefile to the array of enabled rule files. + push(@enabled_rule_files, $rulefile); + } +} + +# Close filehandle. +close(SNORTCONF); + +# Pass the array of enabled rule files to the subfunction and write the file. +&IDS::write_used_rulefiles_file(@enabled_rule_files); + +# +## Step 11: Start the IDS if enabled. +# + +# Check if the IDS should be started. +if($idssettings{"ENABLE_IDS"} eq "on") { + # Call suricatactrl and launch the IDS. + &IDS::call_suricatactrl("start"); +} diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources new file mode 100644 index 000000000..cf6baa18e --- /dev/null +++ b/config/suricata/ruleset-sources 
@@ -0,0 +1,15 @@ +# Ruleset for registered sourcefire users. +registered = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=<oinkcode> + +# Ruleset for registered sourcefire users with valid subscription. +subscripted = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=<oinkcode> + +# Community rules from sourcefire. +community = https://www.snort.org/rules/community + +# Emerging threads community rules. +emerging = https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz + +# Emerging threads pro rules. +emerging_pro = https://rules.emergingthreatspro.com/<oinkcode>/suricata-4.0/etpro.rules.tar.gz + diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml new file mode 100644 index 000000000..e7e27c731 --- /dev/null +++ b/config/suricata/suricata.yaml 
@@ -0,0 +1,738 @@ +%YAML 1.1 +--- + +## +## IPFire specific configuration file - an untouched example configuration +## can be found in suricata-example.yaml. +## + +vars: + address-groups: + # Include HOME_NET declaration from external file. + include: /var/ipfire/suricata/suricata-homenet.yaml + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: "[22,222]" + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + +## +## Ruleset specific options. +## +default-rule-path: /var/lib/suricata +rule-files: + # Include enabled ruleset files from external file. + include: /var/ipfire/suricata/suricata-used-rulefiles.yaml + +classification-file: /var/lib/suricata/classification.config +reference-config-file: /var/lib/suricata/reference.config +threshold-file: /var/lib/suricata/threshold.config + + +## +## Logging options. +## +default-log-dir: /var/log/suricata/ + +# global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls at what interval + # the loggers are invoked. + interval: 8 + + # Add decode events as stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. 
+outputs: + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: yes + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Stats.log contains data from various counters of the suricata engine. + - stats: + enabled: yes + filename: stats.log + append: no # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0 + +logging: + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overriden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overriden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: no + # type: json + - file: + enabled: no + level: info + filename: /var/log/suricata/suricata.log + # type: json + - syslog: + enabled: yes + facility: local5 + format: "" + # type: json + +## +## Netfilter configuration +## + +nfq: + mode: repeat + repeat-mark: 1879048192 + repeat-mask: 1879048192 +# bypass-mark: 1 +# bypass-mask: 1 +# route-queue: 2 +# batchcount: 20 + fail-open: yes + +## +## Step 5: App Layer Protocol Configuration +## + +# Configure the app-layer parsers. The protocols section details each +# protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). 
+app-layer: + protocols: + krb5: + enabled: no # Requires rust + ikev2: + enabled: yes + tls: + enabled: yes + detection-ports: + dp: "[443,444,465,853,993,995]" + + # Completely stop processing TLS/SSL session after the handshake + # completed. If bypass is enabled this will also trigger flow + # bypass. If disabled (the default), TLS/SSL session is still + # tracked for Heartbleed and other anomalies. + #no-reassemble: yes + dcerpc: + enabled: yes + ftp: + enabled: yes + ssh: + enabled: yes + smtp: + enabled: yes + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supercedes all others because it turns the entire + # process on or off + decode-mime: yes + + # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + decode-base64: yes + decode-quoted-printable: yes + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: no + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: yes + msn: + enabled: yes + smb: + enabled: yes + detection-ports: + dp: 139, 445 + # smb2 detection is disabled internally inside the engine. + #smb2: + # enabled: yes + dns: + # memcaps. Globally and per flow/state. + global-memcap: 32mb + state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. 
+ request-flood: 512 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + memcap: 256mb + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # response-body-decompress-layer-limit: + # Limit to how many layers of compression will be + # decompressed. Defaults to 2. + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 0 + response-body-limit: 0 + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. 
+ randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run suricata as user and group. +run-as: + user: suricata + group: suricata + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned +# load balancing). +runmode: workers + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. 
+# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow alloted usihng the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +default-packet-size: 1514 + +# Unix command socket can be used to pass commands to suricata. +# An external tool can then connect to get information from suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. In auto mode, the feature will only be +# activated in live capture mode. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: no + #filename: custom.socket + +# Magic file +magic-file: /usr/share/misc/magic.mgc + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts bassed on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. 
+ rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +defrag: + memcap: 64mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# prunning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doens't find a flow to prune, it will set +# the emergency bit and it will try again with more agressive timeouts. 
+# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. + +flow: + memcap: 256mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + managers: 1 + recyclers: 1 + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a hanshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). "bypassed" +# timeout controls locally bypassed flows. For these flows we don't do any other +# tracking. If no packets have been seen after this timeout, the flow is discarded. +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. 
+ +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packet with invalid csum will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated trafic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# bypass: no # Bypass packets when stream.depth is reached +# +# reassembly: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. 
Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lower the risk of some evasion technics but could lead +# # detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size +# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same +# # calculation for toclient-chunk-size. +# # Default value of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# segment-prealloc: 2048 # number of segments preallocated per thread +# +# check-overlap-different-data: true|false +# # check if a segment contains different data +# # than what we've already seen for that +# # position in the stream. +# # This is enabled automatically if inline mode +# # is used or when stream-event:reassembly_overlap_different_data; +# # is used in a rule. +# +stream: + memcap: 256mb + prealloc-sessions: 4096 + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + raw: yes + segment-prealloc: 2048 + check-overlap-different-data: true + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. 
+# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + +# Decoder settings + +decoder: + # Teredo decoder is known to not be completely accurate + # it will sometimes detect non-teredo as teredo. + teredo: + enabled: false + + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect: + profile: custom + custom-values: + toclient-groups: 200 + toserver-groups: 200 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. 
+ # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. + # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. +# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-cuda" - Aho-Corasick, CUDA implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. +# +# There is also a CUDA pattern matcher (only available if Suricata was +# compiled with --enable-cuda: b2g_cuda. Make sure to update your +# max-pending-packets setting above as well if you use b2g_cuda. 
+ +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: no + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. + # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + - verdict-cpu-set: + cpu: [ 0 ] + prio: + default: "high" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 diff --git a/config/udev/network-hotplug-rename b/config/udev/network-hotplug-rename index 3a482d2db..71a25c317 100644 --- a/config/udev/network-hotplug-rename +++ b/config/udev/network-hotplug-rename 
@@ -63,7 +63,7 @@ for zone in ${ZONES}; do [ -n "${!address}" -a -n "${!device}" ] || continue
# Compare MAC addresses - [ "${ADDRESS}" = "${!address}" ] || continue + [ "${ADDRESS}" = "${!address,,}" ] || continue
# If a matching interface has been found we will # print the name to which udev will rename it. diff --git a/config/unbound/unbound-dhcp-leases-bridge b/config/unbound/unbound-dhcp-leases-bridge index 54cd8135b..a8cd837bb 100644 --- a/config/unbound/unbound-dhcp-leases-bridge +++ b/config/unbound/unbound-dhcp-leases-bridge @@ -25,9 +25,11 @@ import daemon import ipaddress import logging import logging.handlers +import os import re import signal import subprocess +import tempfile
import inotify.adapters
@@ -519,11 +521,15 @@ class UnboundConfigWriter(object): self._cached_leases.append(l)
def write_dhcp_leases(self, leases): - with open(self.path, "w") as f: + with tempfile.NamedTemporaryFile(mode="w", delete=False) as f: + filename = f.name + for l in leases: for rr in l.rrset: f.write("local-data: "%s"\n" % " ".join(rr))
+ os.rename(filename, self.path) + def _control(self, *args): command = ["unbound-control"] command.extend(args) diff --git a/doc/language_issues.de b/doc/language_issues.de index d9f92d062..5f7bf7b5f 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -205,6 +205,7 @@ WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: download dh parameter +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: dstprt range overlaps WARNING: translation string unused: dstprt within existing @@ -224,7 +225,6 @@ WARNING: translation string unused: email text WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 @@ -336,7 +336,6 @@ WARNING: translation string unused: ibod for dual isdn only WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id -WARNING: translation string unused: ids preprocessor WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity 
@@ -353,6 +352,7 @@ WARNING: translation string unused: installed WARNING: translation string unused: installed updates WARNING: translation string unused: intrusion detection system log viewer WARNING: translation string unused: intrusion detection system2 +WARNING: translation string unused: intrusion prevention system WARNING: translation string unused: invalid cache size WARNING: translation string unused: invalid date entered WARNING: translation string unused: invalid downlink speed @@ -569,6 +569,7 @@ WARNING: translation string unused: router ip WARNING: translation string unused: rsvd dst port overlap WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date +WARNING: translation string unused: runmode WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error WARNING: translation string unused: select dest net @@ -681,6 +682,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children @@ -691,6 +693,7 @@ WARNING: translation string unused: updxlrtr unknown WARNING: translation string unused: updxlrtr update information WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin 
@@ -737,6 +740,7 @@ WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: community rules = Snort/VRT GPLv2 Community Rules WARNING: untranslated string: dead peer detection = Dead Peer Detection WARNING: untranslated string: default IP address = Default IP Address +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string @@ -776,6 +780,9 @@ WARNING: untranslated string: guardian priolevel_very_low = unknown string WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids rules update = Ruleset +WARNING: untranslated string: ids show = Show WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: interface mode = Interface diff --git a/doc/language_issues.en b/doc/language_issues.en index 5a3012207..72d94868a 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -56,6 +56,8 @@ WARNING: untranslated string: ConnSched shutdown = Shutdown WARNING: untranslated string: ConnSched time = Time: WARNING: untranslated string: ConnSched up = Up WARNING: untranslated string: ConnSched weekdays = Days of the week: +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: Edit an existing route = Edit an existing route WARNING: untranslated string: Enter TOS = Activate or deactivate TOS-bits <br /> and then press <i>Save</i>. WARNING: untranslated string: Existing Files = Files in database @@ -85,6 +87,7 @@ WARNING: untranslated string: The destination IP address is invalid. = The desti WARNING: untranslated string: The source IP address is invalid. = The source IP address is invalid. WARNING: untranslated string: Utilization on = Utilization on WARNING: untranslated string: WakeOnLan = Wake On Lan +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: a ca certificate with this name already exists = A CA certificate with this name already exists. WARNING: untranslated string: a connection with this common name already exists = A connection with this common name already exists. WARNING: untranslated string: a connection with this name already exists = A connection with this name already exists. 
@@ -573,10 +576,10 @@ WARNING: untranslated string: dhcp allow bootp = Allow bootp clients WARNING: untranslated string: dhcp bootp pxe data = Enter optional bootp pxe data for this fixed lease WARNING: untranslated string: dhcp configuration = DHCP configuration WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): -WARNING: untranslated string: dhcp dns key name = Key Name: +WARNING: untranslated string: dhcp dns key name = Key Name WARNING: untranslated string: dhcp dns update = DNS Update -WARNING: untranslated string: dhcp dns update algo = Algorithm: -WARNING: untranslated string: dhcp dns update secret = Secret: +WARNING: untranslated string: dhcp dns update algo = Algorithm +WARNING: untranslated string: dhcp dns update secret = Secret WARNING: untranslated string: dhcp server = DHCP Server WARNING: untranslated string: dhcp server disabled = DHCP server disabled. Stopped. WARNING: untranslated string: dhcp server enabled = DHCP server enabled. Restarting. @@ -621,6 +624,7 @@ WARNING: untranslated string: dns title = Domain Name System WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry WARNING: untranslated string: dnsforward configuration = DNS forward configuration +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward edit an entry = Edit an existing entry WARNING: untranslated string: dnsforward entries = Current entries WARNING: untranslated string: dnsforward forward_servers = Nameservers 
@@ -649,7 +653,6 @@ WARNING: untranslated string: download = download WARNING: untranslated string: download ca certificate = Download CA certificate WARNING: untranslated string: download certificate = Download file WARNING: untranslated string: download host certificate = Download host certificate -WARNING: untranslated string: download new ruleset = Download new ruleset WARNING: untranslated string: download pkcs12 file = Download PKCS12 file WARNING: untranslated string: download root certificate = Download root certificate WARNING: untranslated string: download tls-auth key = Download tls-auth key @@ -702,11 +705,13 @@ WARNING: untranslated string: email settings = Mail Service WARNING: untranslated string: email testmail = Send test mail WARNING: untranslated string: email tls = Use TLS WARNING: untranslated string: email usemail = Activate Mail Service +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules WARNING: untranslated string: empty = This field may be left blank WARNING: untranslated string: empty profile = empty WARNING: untranslated string: enable ignore filter = Enable ignore filter WARNING: untranslated string: enabled = Enabled: +WARNING: untranslated string: enabled on = Enabled on WARNING: untranslated string: encapsulation = Encapsulation WARNING: untranslated string: encryption = Encryption: WARNING: untranslated string: end address = End address: 
@@ -946,6 +951,7 @@ WARNING: untranslated string: gen dh = Generate new Diffie-Hellman parameters WARNING: untranslated string: generate a certificate = Generate a certificate: WARNING: untranslated string: generate dh key = Generate Diffie-Hellman parameters WARNING: untranslated string: generate iso = Generate ISO +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: generate root/host certificates = Generate root/host certificates WARNING: untranslated string: generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient = Generating the root and host certificates may take a long time. It can take up to several minutes on older hardware. Please be patient. WARNING: untranslated string: genre = Genre 
@@ -1029,13 +1035,26 @@ WARNING: untranslated string: hours = Hours WARNING: untranslated string: idle = Idle WARNING: untranslated string: idle timeout = Idle timeout (mins; 0 to disable): WARNING: untranslated string: idle timeout not set = Idle timeout not set. -WARNING: untranslated string: ids log viewer = IDS log viewer -WARNING: untranslated string: ids logs = IDS Logs -WARNING: untranslated string: ids rules license = To utilize Sourcefire VRT Certified Rules, you need to register on -WARNING: untranslated string: ids rules license1 = . -WARNING: untranslated string: ids rules license2 = Acknowledge the license, activate your account by visiting the url you got via mail. Then go to -WARNING: untranslated string: ids rules license3 = press the "Generate code"-button and copy the 40 character Oinkcode into the field below. -WARNING: untranslated string: ids rules update = Snort rules update +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... 
+WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids log viewer = IPS Log Viewer +WARNING: untranslated string: ids logs = IPS Logs +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids rules update = Ruleset +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... WARNING: untranslated string: iface = Iface WARNING: untranslated string: ignore filter = Ignore filter WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string 
@@ -1057,9 +1076,9 @@ WARNING: untranslated string: interface = Interface WARNING: untranslated string: interface mode = Interface WARNING: untranslated string: interfaces = Interfaces WARNING: untranslated string: internet = INTERNET -WARNING: untranslated string: intrusion detection = Intrusion Detection -WARNING: untranslated string: intrusion detection system = Intrusion Detection System -WARNING: untranslated string: intrusion detection system rules = intrusion detection system rules +WARNING: untranslated string: intrusion detection = Intrusion Prevention +WARNING: untranslated string: intrusion detection system = Intrusion Prevention System +WARNING: untranslated string: intrusion detection system rules = Ruleset WARNING: untranslated string: invalid broadcast ip = Invalid broadcast IP WARNING: untranslated string: invalid characters found in pre-shared key = Invalid characters found in pre-shared key. WARNING: untranslated string: invalid default lease time = Invalid default lease time. @@ -1481,6 +1500,7 @@ WARNING: untranslated string: proxy reports daily = Daily reports WARNING: untranslated string: proxy reports monthly = Monthly reports WARNING: untranslated string: proxy reports today = Today WARNING: untranslated string: proxy reports weekly = Weekly reports +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: pulse = Pulse WARNING: untranslated string: pulse dial = Pulse dial: WARNING: untranslated string: qos add subclass = Add subclass 
@@ -1504,7 +1524,7 @@ WARNING: untranslated string: red1 = RED WARNING: untranslated string: references = References WARNING: untranslated string: refresh = Refresh WARNING: untranslated string: refresh index page while connected = Refresh index.cgi page while connected -WARNING: untranslated string: registered user rules = Sourcefire VRT rules for registered users +WARNING: untranslated string: registered user rules = Talos VRT rules for registered users WARNING: untranslated string: reload = reload WARNING: untranslated string: remark = Remark WARNING: untranslated string: remark title = Remark: @@ -1598,8 +1618,6 @@ WARNING: untranslated string: smbrestart = Restart samba WARNING: untranslated string: smbstart = Start samba WARNING: untranslated string: smbstop = Stop samba WARNING: untranslated string: snat new source ip address = New source IP address -WARNING: untranslated string: snort hits = Total of number of Intrusion rules activated for -WARNING: untranslated string: snort working = Snort is working ... Please wait until all operations have completed successfully. WARNING: untranslated string: socket options = Socket options WARNING: untranslated string: software version = Software Version WARNING: untranslated string: sort ascending = Sort ascending @@ -1617,6 +1635,7 @@ WARNING: untranslated string: src port = Src Port WARNING: untranslated string: ssh = SSH WARNING: untranslated string: ssh access = SSH Access WARNING: untranslated string: ssh active sessions = Active logins +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: ssh fingerprint = Fingerprint WARNING: untranslated string: ssh host keys = SSH Host Keys WARNING: untranslated string: ssh is disabled = SSH is disabled. Stopping. 
@@ -1650,7 +1669,7 @@ WARNING: untranslated string: stop ovpn server = Stop OpenVPN Server WARNING: untranslated string: stopped = STOPPED WARNING: untranslated string: subject = Subject WARNING: untranslated string: subnet mask = Subnet Mask -WARNING: untranslated string: subscripted user rules = Sourcefire VRT rules with subscription +WARNING: untranslated string: subscripted user rules = Talos VRT rules with subscription WARNING: untranslated string: summaries kept = Keep summaries for WARNING: untranslated string: sunday = Sunday WARNING: untranslated string: support donation = Support the IPFire project with your donation @@ -1659,6 +1678,7 @@ WARNING: untranslated string: swap usage per = Swap usage per WARNING: untranslated string: system = System WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: system information = System Information +WARNING: untranslated string: system is offline = The system is offline. WARNING: untranslated string: system logs = System Logs WARNING: untranslated string: ta key = TLS-Authentification-Key WARNING: untranslated string: tcp more reliable = TCP (more reliable) @@ -1752,8 +1772,8 @@ WARNING: untranslated string: unlimited = Unlimited WARNING: untranslated string: unnamed = Unnamed WARNING: untranslated string: update = Update WARNING: untranslated string: update accelerator = Update Accelerator +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: update time = Update the time: -WARNING: untranslated string: updates installed = Ruleset update from WARNING: untranslated string: updxlrtr 3 months = three months WARNING: untranslated string: updxlrtr 6 months = six months WARNING: untranslated string: updxlrtr all files = all files ... 
@@ -1828,7 +1848,6 @@ WARNING: untranslated string: upload a certificate = Upload a certificate: WARNING: untranslated string: upload a certificate request = Upload a certificate request: WARNING: untranslated string: upload ca certificate = Upload CA certificate WARNING: untranslated string: upload dh key = Upload Diffie-Hellman parameters -WARNING: untranslated string: upload new ruleset = Upload new ruleset WARNING: untranslated string: upload p12 file = Upload PKCS12 file WARNING: untranslated string: uptime load average = Load average WARNING: untranslated string: url filter = URL Filter diff --git a/doc/language_issues.es b/doc/language_issues.es index d8b49f918..f292ebb85 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -196,6 +196,7 @@ WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: done +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: drop output WARNING: translation string unused: dstprt range overlaps @@ -212,7 +213,6 @@ WARNING: translation string unused: email server can not be empty WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 
@@ -285,6 +285,10 @@ WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids preprocessor +WARNING: translation string unused: ids rules license +WARNING: translation string unused: ids rules license1 +WARNING: translation string unused: ids rules license2 +WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -520,6 +524,8 @@ WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload WARNING: translation string unused: smtphost WARNING: translation string unused: smtpport +WARNING: translation string unused: snort hits +WARNING: translation string unused: snort working WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -603,6 +609,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children @@ -612,6 +619,7 @@ WARNING: translation string unused: updxlrtr update information WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: upload fcdsl.o WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin 
@@ -691,12 +699,15 @@ WARNING: untranslated string: ConnSched dial = Connect WARNING: untranslated string: ConnSched hangup = Disconnect WARNING: untranslated string: ConnSched reboot = Reboot WARNING: untranslated string: ConnSched shutdown = Shutdown +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: MB read = MB read WARNING: untranslated string: MB written = MB written WARNING: untranslated string: MTU settings = MTU settings: WARNING: untranslated string: Number of Countries for the pie chart = Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: Set time on boot = Force setting the system clock on boot +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: addons = Addons WARNING: untranslated string: administrator password = Administrator password WARNING: untranslated string: administrator username = Administrator username 
@@ -772,10 +783,10 @@ WARNING: untranslated string: dh key warn = Creating DH-parameters with a length WARNING: untranslated string: dh key warn1 = For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function. WARNING: untranslated string: dh parameter = Diffie-Hellman parameters WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): -WARNING: untranslated string: dhcp dns key name = Key Name: +WARNING: untranslated string: dhcp dns key name = Key Name WARNING: untranslated string: dhcp dns update = DNS Update -WARNING: untranslated string: dhcp dns update algo = Algorithm: -WARNING: untranslated string: dhcp dns update secret = Secret: +WARNING: untranslated string: dhcp dns update algo = Algorithm +WARNING: untranslated string: dhcp dns update secret = Secret WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) @@ -784,6 +795,7 @@ WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry WARNING: untranslated string: dnsforward configuration = DNS forward configuration +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward edit an entry = Edit an existing entry WARNING: untranslated string: dnsforward entries = Current entries WARNING: untranslated string: dnsforward forward_servers = Nameservers 
@@ -819,6 +831,7 @@ WARNING: untranslated string: email settings = Mail Service WARNING: untranslated string: email testmail = Send test mail WARNING: untranslated string: email tls = Use TLS WARNING: untranslated string: email usemail = Activate Mail Service +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules WARNING: untranslated string: encryption = Encryption: WARNING: untranslated string: entropy = Entropy @@ -1009,6 +1022,7 @@ WARNING: untranslated string: fwhost used = Used WARNING: untranslated string: fwhost welcome = Over here, you can group single hosts, networks and services together, which will creating new rules more easy and faster. WARNING: untranslated string: gen dh = Generate new Diffie-Hellman parameters WARNING: untranslated string: generate dh key = Generate Diffie-Hellman parameters +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: grouptype = Grouptype: WARNING: untranslated string: guardian = Guardian WARNING: untranslated string: guardian block a host = unknown string 
@@ -1047,6 +1061,23 @@ WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: hardware support = Hardware Support +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... 
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: imei = IMEI WARNING: untranslated string: imsi = IMSI @@ -1162,6 +1193,7 @@ WARNING: untranslated string: proxy reports daily = Daily reports WARNING: untranslated string: proxy reports monthly = Monthly reports WARNING: untranslated string: proxy reports today = Today WARNING: untranslated string: proxy reports weekly = Weekly reports +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: qos enter bandwidths = You will need to enter your downstream and upstream bandwidth! WARNING: untranslated string: random number generator daemon = Random Number Generator Daemon WARNING: untranslated string: rdns = rDNS @@ -1182,6 +1214,7 @@ WARNING: untranslated string: software version = Software Version WARNING: untranslated string: source ip country = Source IP Country WARNING: untranslated string: ssh = SSH WARNING: untranslated string: ssh active sessions = Active logins +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username @@ -1190,6 +1223,7 @@ WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: system information = System Information +WARNING: untranslated string: system is offline = The system is offline. WARNING: untranslated string: ta key = TLS-Authentification-Key WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes 
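Review bot: The English text listed for "ids log hits" in the -1047,6 +1061,23 hunk reads "Total of number of activated rules for", which has a stray "of"; correct it to "Total number of activated rules for" where the string is defined. The same entry is repeated in the later language_issues hunks, so one fix at the source covers all of them.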
@@ -1250,6 +1284,7 @@ WARNING: untranslated string: unblock = Unblock WARNING: untranslated string: unblock all = Unblock all WARNING: untranslated string: uncheck all = Uncheck all WARNING: untranslated string: unlimited = Unlimited +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: uplink = Uplink WARNING: untranslated string: uplink bit rate = Uplink Bit Rate WARNING: untranslated string: upload dh key = Upload Diffie-Hellman parameters diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 37b43569c..e903e017d 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -229,6 +229,7 @@ WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: download dh parameter +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: dstprt range overlaps WARNING: translation string unused: dstprt within existing @@ -248,7 +249,6 @@ WARNING: translation string unused: email text WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 
@@ -363,6 +363,10 @@ WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids preprocessor +WARNING: translation string unused: ids rules license +WARNING: translation string unused: ids rules license1 +WARNING: translation string unused: ids rules license2 +WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -623,6 +627,8 @@ WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload WARNING: translation string unused: smtphost WARNING: translation string unused: smtpport +WARNING: translation string unused: snort hits +WARNING: translation string unused: snort working WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -715,6 +721,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children @@ -727,6 +734,7 @@ WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: updxlrtr used by WARNING: translation string unused: upload fcdsl.o WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin 
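Review bot: The hunks at -363,6 and -623,6 of doc/language_issues.fr newly list "ids rules license" through "ids rules license3", "snort hits" and "snort working" as unused, alongside "download new ruleset", "upload new ruleset" and "updates installed" in the neighbouring hunks. If nothing references these keys any more, remove them from the language files in this series rather than recording them as unused, so stale text does not linger for translators.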
@@ -769,13 +777,19 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Captive clients = unknown string +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: Scan for Songs = unknown string +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: guardian block a host = unknown string WARNING: untranslated string: guardian block httpd brute-force = unknown string WARNING: untranslated string: guardian block ssh brute-force = unknown string 
@@ -811,6 +825,23 @@ WARNING: untranslated string: guardian priolevel_very_low = unknown string WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... 
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: interface mode = Interface @@ -830,10 +861,14 @@ WARNING: untranslated string: local ip address = Local IP Address WARNING: untranslated string: mtu = MTU WARNING: untranslated string: no data = unknown string WARNING: untranslated string: pakfire ago = ago. +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: routing table = unknown string +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: subnet mask = Subnet Mask +WARNING: untranslated string: system is offline = The system is offline. WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: vpn statistics n2n = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index c2b0b2327..c18ff4d2b 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -208,6 +208,7 @@ WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: download dh parameter +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: dstprt range overlaps WARNING: translation string unused: dstprt within existing 
@@ -223,7 +224,6 @@ WARNING: translation string unused: email server can not be empty WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 @@ -336,6 +336,10 @@ WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids preprocessor +WARNING: translation string unused: ids rules license +WARNING: translation string unused: ids rules license1 +WARNING: translation string unused: ids rules license2 +WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -596,6 +600,8 @@ WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload WARNING: translation string unused: smtphost WARNING: translation string unused: smtpport +WARNING: translation string unused: snort hits +WARNING: translation string unused: snort working WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -688,6 +694,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children 
@@ -700,6 +707,7 @@ WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: updxlrtr used by WARNING: translation string unused: upload fcdsl.o WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin @@ -776,9 +784,12 @@ WARNING: untranslated string: Captive upload logo recommendations = (PNG or JPEG WARNING: untranslated string: Captive valid for = Valid for WARNING: untranslated string: Captive vouchervalid = Allowed time for this coupon WARNING: untranslated string: Captive wrong ext = Uploaded file has wrong filetype +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: MTU settings = MTU settings: WARNING: untranslated string: Number of Countries for the pie chart = Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs = unknown string +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: administrator password = Administrator password WARNING: untranslated string: administrator username = Administrator username WARNING: untranslated string: advproxy AUTH method ntlm auth = Windows Active Directory 
@@ -793,13 +804,14 @@ WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): -WARNING: untranslated string: dhcp dns key name = Key Name: +WARNING: untranslated string: dhcp dns key name = Key Name WARNING: untranslated string: dhcp dns update = DNS Update -WARNING: untranslated string: dhcp dns update algo = Algorithm: -WARNING: untranslated string: dhcp dns update secret = Secret: +WARNING: untranslated string: dhcp dns update algo = Algorithm +WARNING: untranslated string: dhcp dns update secret = Secret WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled WARNING: untranslated string: eight hours = 8 Hours @@ -819,6 +831,7 @@ WARNING: untranslated string: email settings = Mail Service WARNING: untranslated string: email testmail = Send test mail WARNING: untranslated string: email tls = Use TLS WARNING: untranslated string: email usemail = Activate Mail Service +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: fifteen minutes = 15 Minutes WARNING: untranslated string: firewall graph country = Firewall-Diagram (Country) WARNING: untranslated string: firewall graph ip = Firewall-Diagram (IP) 
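Review bot: In the -793,13 +804,14 hunk the trailing colon is dropped from "dhcp dns key name", "dhcp dns update algo" and "dhcp dns update secret", but the context line "dhcp dns enable update = Enable DNS Update (RFC2136):" in the same hunk still ends with one. Drop the colon there too, or confirm that the page rendering these labels adds the punctuation itself, so the form stays consistent.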
@@ -841,6 +854,7 @@ WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost cust geoiplocation = GeoIP Locations WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: fwhost newgeoipgrp = GeoIP Groups +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: geoip = GeoIP WARNING: untranslated string: geoipblock = GeoIP Block WARNING: untranslated string: geoipblock block countries = Block countries 
@@ -885,6 +899,23 @@ WARNING: untranslated string: guardian priolevel_very_low = unknown string WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... 
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: incoming compression in bytes per second = Incoming Compression WARNING: untranslated string: incoming overhead in bytes per second = Incoming Overhead @@ -931,6 +962,7 @@ WARNING: untranslated string: ovpn warning rfc3280 = Your host certificate is no WARNING: untranslated string: pptp netconfig = My Net Config WARNING: untranslated string: pptp peer = Peer WARNING: untranslated string: pptp route = PPTP Route +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: required field = Required field WARNING: untranslated string: route config changed = unknown string @@ -941,10 +973,12 @@ WARNING: untranslated string: samba join a domain = Join a domain WARNING: untranslated string: samba join domain = Join domain WARNING: untranslated string: search = Search WARNING: untranslated string: ssh active sessions = Active logins +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: subnet mask = Subnet Mask +WARNING: untranslated string: system is offline = The system is offline. WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes WARNING: untranslated string: thirty minutes = 30 Minutes 
@@ -956,6 +990,7 @@ WARNING: untranslated string: unblock = Unblock WARNING: untranslated string: unblock all = Unblock all WARNING: untranslated string: uncheck all = Uncheck all WARNING: untranslated string: unlimited = Unlimited +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: uplink bit rate = Uplink Bit Rate WARNING: untranslated string: vpn broken = Broken WARNING: untranslated string: vpn connecting = CONNECTING diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 46d923fe5..509a58f0b 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -205,6 +205,7 @@ WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: done +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: drop output WARNING: translation string unused: dstprt range overlaps @@ -221,7 +222,6 @@ WARNING: translation string unused: email server can not be empty WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 
@@ -334,6 +334,10 @@ WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids preprocessor +WARNING: translation string unused: ids rules license +WARNING: translation string unused: ids rules license1 +WARNING: translation string unused: ids rules license2 +WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -592,6 +596,8 @@ WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload WARNING: translation string unused: smtphost WARNING: translation string unused: smtpport +WARNING: translation string unused: snort hits +WARNING: translation string unused: snort working WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -683,6 +689,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children @@ -695,6 +702,7 @@ WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: updxlrtr used by WARNING: translation string unused: upload fcdsl.o WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin 
@@ -771,9 +779,12 @@ WARNING: untranslated string: Captive upload logo recommendations = (PNG or JPEG WARNING: untranslated string: Captive valid for = Valid for WARNING: untranslated string: Captive vouchervalid = Allowed time for this coupon WARNING: untranslated string: Captive wrong ext = Uploaded file has wrong filetype +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: MTU settings = MTU settings: WARNING: untranslated string: Number of Countries for the pie chart = Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs = unknown string +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: administrator password = Administrator password WARNING: untranslated string: administrator username = Administrator username WARNING: untranslated string: advproxy AUTH method ntlm auth = Windows Active Directory 
@@ -796,14 +807,15 @@ WARNING: untranslated string: dh key warn = Creating DH-parameters with a length WARNING: untranslated string: dh key warn1 = For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function. WARNING: untranslated string: dh parameter = Diffie-Hellman parameters WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): -WARNING: untranslated string: dhcp dns key name = Key Name: +WARNING: untranslated string: dhcp dns key name = Key Name WARNING: untranslated string: dhcp dns update = DNS Update -WARNING: untranslated string: dhcp dns update algo = Algorithm: -WARNING: untranslated string: dhcp dns update secret = Secret: +WARNING: untranslated string: dhcp dns update algo = Algorithm +WARNING: untranslated string: dhcp dns update secret = Secret WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec aware = DNSSEC Aware WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled 
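Review bot: The added "dnsforward dnssec disabled = DNSSEC Validation is disabled" in the -796,14 +807,15 hunk lands next to "dns forward disable dnssec", "dns forwarding dnssec disabled notice" and "dnssec disabled warning", which gives several key prefixes and near-identical messages for one state. Reuse an existing key if its wording fits, or settle on one prefix, so the DNSSEC-off warning is worded the same wherever it is shown.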
@@ -829,6 +841,7 @@ WARNING: untranslated string: email settings = Mail Service WARNING: untranslated string: email testmail = Send test mail WARNING: untranslated string: email tls = Use TLS WARNING: untranslated string: email usemail = Activate Mail Service +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: fifteen minutes = 15 Minutes WARNING: untranslated string: firewall graph country = Firewall-Diagram (Country) WARNING: untranslated string: firewall graph ip = Firewall-Diagram (IP) @@ -854,6 +867,7 @@ WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: fwhost newgeoipgrp = GeoIP Groups WARNING: untranslated string: gen dh = Generate new Diffie-Hellman parameters WARNING: untranslated string: generate dh key = Generate Diffie-Hellman parameters +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: geoip = GeoIP WARNING: untranslated string: geoipblock = GeoIP Block WARNING: untranslated string: geoipblock block countries = Block countries 
@@ -897,6 +911,23 @@ WARNING: untranslated string: guardian priolevel_very_low = unknown string WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... 
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: imei = IMEI WARNING: untranslated string: imsi = IMSI @@ -969,6 +1000,7 @@ WARNING: untranslated string: ovpn warning rfc3280 = Your host certificate is no WARNING: untranslated string: pptp netconfig = My Net Config WARNING: untranslated string: pptp peer = Peer WARNING: untranslated string: pptp route = PPTP Route +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: random number generator daemon = Random Number Generator Daemon WARNING: untranslated string: rdns = rDNS WARNING: untranslated string: required field = Required field @@ -984,10 +1016,12 @@ WARNING: untranslated string: show tls-auth key = Show tls-auth key WARNING: untranslated string: software version = Software Version WARNING: untranslated string: source ip country = Source IP Country WARNING: untranslated string: ssh active sessions = Active logins +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: subnet mask = Subnet Mask +WARNING: untranslated string: system is offline = The system is offline. WARNING: untranslated string: ta key = TLS-Authentification-Key WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes 
@@ -1000,6 +1034,7 @@ WARNING: untranslated string: unblock = Unblock WARNING: untranslated string: unblock all = Unblock all WARNING: untranslated string: uncheck all = Uncheck all WARNING: untranslated string: unlimited = Unlimited +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: uplink bit rate = Uplink Bit Rate WARNING: untranslated string: upload dh key = Upload Diffie-Hellman parameters WARNING: untranslated string: vendor = Vendor diff --git a/doc/language_issues.pl b/doc/language_issues.pl index d8b49f918..f292ebb85 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -196,6 +196,7 @@ WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: done +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: drop output WARNING: translation string unused: dstprt range overlaps @@ -212,7 +213,6 @@ WARNING: translation string unused: email server can not be empty WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 
@@ -285,6 +285,10 @@ WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids preprocessor +WARNING: translation string unused: ids rules license +WARNING: translation string unused: ids rules license1 +WARNING: translation string unused: ids rules license2 +WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -520,6 +524,8 @@ WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload WARNING: translation string unused: smtphost WARNING: translation string unused: smtpport +WARNING: translation string unused: snort hits +WARNING: translation string unused: snort working WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -603,6 +609,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children @@ -612,6 +619,7 @@ WARNING: translation string unused: updxlrtr update information WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: upload fcdsl.o WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin 
@@ -691,12 +699,15 @@ WARNING: untranslated string: ConnSched dial = Connect WARNING: untranslated string: ConnSched hangup = Disconnect WARNING: untranslated string: ConnSched reboot = Reboot WARNING: untranslated string: ConnSched shutdown = Shutdown +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: MB read = MB read WARNING: untranslated string: MB written = MB written WARNING: untranslated string: MTU settings = MTU settings: WARNING: untranslated string: Number of Countries for the pie chart = Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: Set time on boot = Force setting the system clock on boot +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: addons = Addons WARNING: untranslated string: administrator password = Administrator password WARNING: untranslated string: administrator username = Administrator username 
@@ -772,10 +783,10 @@ WARNING: untranslated string: dh key warn = Creating DH-parameters with a length WARNING: untranslated string: dh key warn1 = For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function. WARNING: untranslated string: dh parameter = Diffie-Hellman parameters WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): -WARNING: untranslated string: dhcp dns key name = Key Name: +WARNING: untranslated string: dhcp dns key name = Key Name WARNING: untranslated string: dhcp dns update = DNS Update -WARNING: untranslated string: dhcp dns update algo = Algorithm: -WARNING: untranslated string: dhcp dns update secret = Secret: +WARNING: untranslated string: dhcp dns update algo = Algorithm +WARNING: untranslated string: dhcp dns update secret = Secret WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) @@ -784,6 +795,7 @@ WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry WARNING: untranslated string: dnsforward configuration = DNS forward configuration +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward edit an entry = Edit an existing entry WARNING: untranslated string: dnsforward entries = Current entries WARNING: untranslated string: dnsforward forward_servers = Nameservers 
@@ -819,6 +831,7 @@ WARNING: untranslated string: email settings = Mail Service WARNING: untranslated string: email testmail = Send test mail WARNING: untranslated string: email tls = Use TLS WARNING: untranslated string: email usemail = Activate Mail Service +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules WARNING: untranslated string: encryption = Encryption: WARNING: untranslated string: entropy = Entropy @@ -1009,6 +1022,7 @@ WARNING: untranslated string: fwhost used = Used WARNING: untranslated string: fwhost welcome = Over here, you can group single hosts, networks and services together, which will creating new rules more easy and faster. WARNING: untranslated string: gen dh = Generate new Diffie-Hellman parameters WARNING: untranslated string: generate dh key = Generate Diffie-Hellman parameters +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: grouptype = Grouptype: WARNING: untranslated string: guardian = Guardian WARNING: untranslated string: guardian block a host = unknown string 
@@ -1047,6 +1061,23 @@ WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: hardware support = Hardware Support +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... 
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: imei = IMEI WARNING: untranslated string: imsi = IMSI @@ -1162,6 +1193,7 @@ WARNING: untranslated string: proxy reports daily = Daily reports WARNING: untranslated string: proxy reports monthly = Monthly reports WARNING: untranslated string: proxy reports today = Today WARNING: untranslated string: proxy reports weekly = Weekly reports +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: qos enter bandwidths = You will need to enter your downstream and upstream bandwidth! WARNING: untranslated string: random number generator daemon = Random Number Generator Daemon WARNING: untranslated string: rdns = rDNS @@ -1182,6 +1214,7 @@ WARNING: untranslated string: software version = Software Version WARNING: untranslated string: source ip country = Source IP Country WARNING: untranslated string: ssh = SSH WARNING: untranslated string: ssh active sessions = Active logins +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username @@ -1190,6 +1223,7 @@ WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. WARNING: untranslated string: system information = System Information +WARNING: untranslated string: system is offline = The system is offline. WARNING: untranslated string: ta key = TLS-Authentification-Key WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes 
@@ -1250,6 +1284,7 @@ WARNING: untranslated string: unblock = Unblock WARNING: untranslated string: unblock all = Unblock all WARNING: untranslated string: uncheck all = Uncheck all WARNING: untranslated string: unlimited = Unlimited +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: uplink = Uplink WARNING: untranslated string: uplink bit rate = Uplink Bit Rate WARNING: untranslated string: upload dh key = Upload Diffie-Hellman parameters diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 1286bcd87..d6fa07a3c 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -196,6 +196,7 @@ WARNING: translation string unused: do not log this port list WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: done +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: drop output WARNING: translation string unused: dstprt range overlaps @@ -212,7 +213,6 @@ WARNING: translation string unused: email server can not be empty WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 
@@ -278,6 +278,10 @@ WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids preprocessor +WARNING: translation string unused: ids rules license +WARNING: translation string unused: ids rules license1 +WARNING: translation string unused: ids rules license2 +WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -523,6 +527,8 @@ WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload WARNING: translation string unused: smtphost WARNING: translation string unused: smtpport +WARNING: translation string unused: snort hits +WARNING: translation string unused: snort working WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -606,6 +612,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children @@ -615,6 +622,7 @@ WARNING: translation string unused: updxlrtr update information WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: upload fcdsl.o WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin 
@@ -693,12 +701,15 @@ WARNING: untranslated string: ConnSched dial = Connect WARNING: untranslated string: ConnSched hangup = Disconnect WARNING: untranslated string: ConnSched reboot = Reboot WARNING: untranslated string: ConnSched shutdown = Shutdown +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: Edit an existing route = Edit an existing route WARNING: untranslated string: MB read = MB read WARNING: untranslated string: MB written = MB written WARNING: untranslated string: MTU settings = MTU settings: WARNING: untranslated string: Number of Countries for the pie chart = Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs = unknown string +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: addons = Addons WARNING: untranslated string: administrator password = Administrator password WARNING: untranslated string: administrator username = Administrator username 
@@ -775,10 +786,10 @@ WARNING: untranslated string: dh key warn = Creating DH-parameters with a length WARNING: untranslated string: dh key warn1 = For weak systems or systems with little entropy, it is recommended to upload long Diffie-Hellman parameters by usage of the upload function. WARNING: untranslated string: dh parameter = Diffie-Hellman parameters WARNING: untranslated string: dhcp dns enable update = Enable DNS Update (RFC2136): -WARNING: untranslated string: dhcp dns key name = Key Name: +WARNING: untranslated string: dhcp dns key name = Key Name WARNING: untranslated string: dhcp dns update = DNS Update -WARNING: untranslated string: dhcp dns update algo = Algorithm: -WARNING: untranslated string: dhcp dns update secret = Secret: +WARNING: untranslated string: dhcp dns update algo = Algorithm +WARNING: untranslated string: dhcp dns update secret = Secret WARNING: untranslated string: disk access per = Disk Access per WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface @@ -788,6 +799,7 @@ WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry WARNING: untranslated string: dnsforward configuration = DNS forward configuration +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward edit an entry = Edit an existing entry WARNING: untranslated string: dnsforward entries = Current entries WARNING: untranslated string: dnsforward forward_servers = Nameservers 
@@ -823,6 +835,7 @@ WARNING: untranslated string: email settings = Mail Service WARNING: untranslated string: email testmail = Send test mail WARNING: untranslated string: email tls = Use TLS WARNING: untranslated string: email usemail = Activate Mail Service +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: emerging rules = Emergingthreats.net Community Rules WARNING: untranslated string: encryption = Encryption: WARNING: untranslated string: entropy = Entropy @@ -1003,6 +1016,7 @@ WARNING: untranslated string: fwhost used = Used WARNING: untranslated string: fwhost welcome = Over here, you can group single hosts, networks and services together, which will creating new rules more easy and faster. WARNING: untranslated string: gen dh = Generate new Diffie-Hellman parameters WARNING: untranslated string: generate dh key = Generate Diffie-Hellman parameters +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: geoip = GeoIP WARNING: untranslated string: geoipblock = GeoIP Block WARNING: untranslated string: geoipblock block countries = Block countries 
@@ -1048,6 +1062,23 @@ WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string WARNING: untranslated string: hardware support = Hardware Support +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... 
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: imei = IMEI WARNING: untranslated string: imsi = IMSI @@ -1158,6 +1189,7 @@ WARNING: untranslated string: proxy reports daily = Daily reports WARNING: untranslated string: proxy reports monthly = Monthly reports WARNING: untranslated string: proxy reports today = Today WARNING: untranslated string: proxy reports weekly = Weekly reports +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: qos enter bandwidths = You will need to enter your downstream and upstream bandwidth! WARNING: untranslated string: random number generator daemon = Random Number Generator Daemon WARNING: untranslated string: rdns = rDNS @@ -1178,6 +1210,7 @@ WARNING: untranslated string: software version = Software Version WARNING: untranslated string: source ip country = Source IP Country WARNING: untranslated string: ssh = SSH WARNING: untranslated string: ssh active sessions = Active logins +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username @@ -1185,6 +1218,7 @@ WARNING: untranslated string: static routes = Static Routes WARNING: untranslated string: subnet mask = Subnet Mask WARNING: untranslated string: support donation = Support the IPFire project with your donation WARNING: untranslated string: system has rdrand = This system has support for Intel(R) RDRAND. +WARNING: untranslated string: system is offline = The system is offline. WARNING: untranslated string: ta key = TLS-Authentification-Key WARNING: untranslated string: tcp more reliable = TCP (more reliable) WARNING: untranslated string: ten minutes = 10 Minutes 
@@ -1245,6 +1279,7 @@ WARNING: untranslated string: unblock = Unblock WARNING: untranslated string: unblock all = Unblock all WARNING: untranslated string: uncheck all = Uncheck all WARNING: untranslated string: unlimited = Unlimited +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: uplink = Uplink WARNING: untranslated string: uplink bit rate = Uplink Bit Rate WARNING: untranslated string: upload dh key = Upload Diffie-Hellman parameters diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 0e95d6045..9a4339db9 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -230,6 +230,7 @@ WARNING: translation string unused: domain not set WARNING: translation string unused: donation-link WARNING: translation string unused: done WARNING: translation string unused: download dh parameter +WARNING: translation string unused: download new ruleset WARNING: translation string unused: driver WARNING: translation string unused: dstprt range overlaps WARNING: translation string unused: dstprt within existing @@ -249,7 +250,6 @@ WARNING: translation string unused: email text WARNING: translation string unused: emailreportlevel WARNING: translation string unused: enable javascript WARNING: translation string unused: enable wildcards -WARNING: translation string unused: enabled on WARNING: translation string unused: enabledtitle WARNING: translation string unused: encrypted WARNING: translation string unused: err bk 1 
@@ -364,6 +364,10 @@ WARNING: translation string unused: icmp selected but no type WARNING: translation string unused: icmp type WARNING: translation string unused: id WARNING: translation string unused: ids preprocessor +WARNING: translation string unused: ids rules license +WARNING: translation string unused: ids rules license1 +WARNING: translation string unused: ids rules license2 +WARNING: translation string unused: ids rules license3 WARNING: translation string unused: ike encryption WARNING: translation string unused: ike grouptype WARNING: translation string unused: ike integrity @@ -624,6 +628,8 @@ WARNING: translation string unused: sitekeyfile WARNING: translation string unused: smbreload WARNING: translation string unused: smtphost WARNING: translation string unused: smtpport +WARNING: translation string unused: snort hits +WARNING: translation string unused: snort working WARNING: translation string unused: source ip bad WARNING: translation string unused: source ip in use WARNING: translation string unused: source ip or net @@ -716,6 +722,7 @@ WARNING: translation string unused: unencrypted WARNING: translation string unused: update transcript WARNING: translation string unused: updatedatabase WARNING: translation string unused: updates +WARNING: translation string unused: updates installed WARNING: translation string unused: updates is old1 WARNING: translation string unused: updates is old2 WARNING: translation string unused: updxlrtr children @@ -728,6 +735,7 @@ WARNING: translation string unused: updxlrtr update notification WARNING: translation string unused: updxlrtr used by WARNING: translation string unused: upload fcdsl.o WARNING: translation string unused: upload file +WARNING: translation string unused: upload new ruleset WARNING: translation string unused: upload static key WARNING: translation string unused: upload successful WARNING: translation string unused: upload synch.bin 
@@ -770,17 +778,23 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Captive clients = unknown string +WARNING: untranslated string: Daily = Daily +WARNING: untranslated string: Disabled = Disabled WARNING: untranslated string: Scan for Songs = unknown string +WARNING: untranslated string: Weekly = Weekly WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: default IP address = Default IP Address WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) +WARNING: untranslated string: dnsforward dnssec disabled = DNSSEC Validation is disabled WARNING: untranslated string: dnsforward forward_servers = Nameservers +WARNING: untranslated string: emerging pro rules = Emergingthreats.net Pro Rules WARNING: untranslated string: fwdfw all subnets = All subnets WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: guardian block a host = unknown string WARNING: untranslated string: guardian block httpd brute-force = unknown string WARNING: untranslated string: guardian block ssh brute-force = unknown string 
@@ -816,6 +830,23 @@ WARNING: untranslated string: guardian priolevel_very_low = unknown string WARNING: untranslated string: guardian priority level = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: guardian watch snort alertfile = unknown string +WARNING: untranslated string: ids apply = Apply +WARNING: untranslated string: ids apply ruleset changes = The ruleset changes are being applied. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids automatic rules update = Automatic Rule Update +WARNING: untranslated string: ids download new ruleset = Downloading and unpacking new ruleset. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids enable = Enable Intrusion Prevention System +WARNING: untranslated string: ids hide = Hide +WARNING: untranslated string: ids ignored hosts = Whitelisted Hosts +WARNING: untranslated string: ids log hits = Total of number of activated rules for +WARNING: untranslated string: ids monitor traffic only = Monitor traffic only +WARNING: untranslated string: ids monitored interfaces = Monitored Interfaces +WARNING: untranslated string: ids no network zone = Please select at least one network zone to be monitored +WARNING: untranslated string: ids no ruleset available = No ruleset is available. Please download one first +WARNING: untranslated string: ids oinkcode required = The selected ruleset requires a subscription or an Oinkcode +WARNING: untranslated string: ids ruleset autoupdate in progress = Ruleset update in progress. Please wait until all operations have completed successfully... +WARNING: untranslated string: ids ruleset settings = Ruleset Settings +WARNING: untranslated string: ids show = Show +WARNING: untranslated string: ids working = Changes are being applied. Please wait until all operations have completed successfully... 
WARNING: untranslated string: ike lifetime should be between 1 and 8 hours = unknown string WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: interface mode = Interface 
@@ -838,16 +869,20 @@ WARNING: untranslated string: no data = unknown string WARNING: untranslated string: ovpn error dh = The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br> WARNING: untranslated string: ovpn error md5 = You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br> WARNING: untranslated string: ovpn warning rfc3280 = Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br> +WARNING: untranslated string: ptr = PTR WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string WARNING: untranslated string: routing table = unknown string WARNING: untranslated string: ssh active sessions = Active logins +WARNING: untranslated string: ssh agent forwarding = Allow SSH Agent Forwarding WARNING: untranslated string: ssh login time = Logged in since WARNING: untranslated string: ssh no active logins = No active logins WARNING: untranslated string: ssh username = Username WARNING: untranslated string: subnet mask = Subnet Mask +WARNING: untranslated string: system is offline = The system is offline. 
WARNING: untranslated string: transport mode does not support vti = VTI is not support in transport mode +WARNING: untranslated string: update ruleset = Update ruleset WARNING: untranslated string: vpn start action add = Wait for connection initiation WARNING: untranslated string: vpn statistics n2n = unknown string WARNING: untranslated string: vpn wait = WAITING diff --git a/doc/language_missings b/doc/language_missings index 12ef6e673..9d13d4775 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -35,10 +35,14 @@ < dhcp server enabled on blue interface < dh name is invalid < done +< emerging pro rules < emerging rules < g.dtm < g.lite < guardian +< ids hide +< ids rules update +< ids show < insert removable device < interface mode < notes @@ -188,6 +192,7 @@ < crypto error < cryptographic settings < crypto warning +< Daily < dead peer detection < default < default ip @@ -205,12 +210,14 @@ < dh key warn1 < dh name is invalid < dh parameter +< Disabled < dl client arch insecure < dnat address < dnsforward < dnsforward add a new entry < dnsforward configuration < dns forward disable dnssec +< dnsforward dnssec disabled < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers @@ -253,6 +260,7 @@ < email text < email tls < email usemail +< emerging pro rules < emerging rules < encryption < entropy @@ -485,9 +493,27 @@ < fw settings ruletable < gen dh < generate dh key +< generate ptr < grouptype < guardian < hardware support +< ids apply +< ids apply ruleset changes +< ids automatic rules update +< ids download new ruleset +< ids enable +< ids hide +< ids ignored hosts +< ids log hits +< ids monitored interfaces +< ids monitor traffic only +< ids no network zone +< ids no ruleset available +< ids oinkcode required +< ids ruleset autoupdate in progress +< ids ruleset settings +< ids show +< ids working < imei < imsi < incoming compression in bytes per second 
@@ -495,6 +521,7 @@ < incoming overhead in bytes per second < integrity < interface mode +< intrusion prevention system < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout @@ -630,11 +657,13 @@ < proxy reports monthly < proxy reports today < proxy reports weekly +< ptr < qos enter bandwidths < random number generator daemon < rdns < red1 < required field +< runmode < samba join a domain < samba join domain < search @@ -647,6 +676,7 @@ < source ip country < ssh < ssh active sessions +< ssh agent forwarding < ssh login time < ssh no active logins < ssh username @@ -656,6 +686,7 @@ < system has hwrng < system has rdrand < system information +< system is offline < ta key < tcp more reliable < ten minutes @@ -724,6 +755,7 @@ < unblock all < uncheck all < unlimited +< update ruleset < updxlrtr sources < updxlrtr standard view < updxlrtr used by @@ -749,6 +781,7 @@ < vpn statistic rw < vpn wait < vpn weak +< Weekly < wireless network < wlanap < wlanap configuration @@ -804,10 +837,33 @@ # Checking cgi-bin translations for language: fr # ############################################################################ < cryptographic settings +< Daily < default IP address +< Disabled < dns forward disable dnssec +< dnsforward dnssec disabled < dns forwarding dnssec disabled notice +< emerging pro rules +< generate ptr +< ids apply +< ids apply ruleset changes +< ids automatic rules update +< ids download new ruleset +< ids enable +< ids hide +< ids ignored hosts +< ids log hits +< ids monitored interfaces +< ids monitor traffic only +< ids no network zone +< ids no ruleset available +< ids oinkcode required +< ids ruleset autoupdate in progress +< ids ruleset settings +< ids show +< ids working < interface mode +< intrusion prevention system < invalid input for interface address < invalid input for interface mode < invalid input for interface mtu 
@@ -822,8 +878,14 @@ < ipsec settings < local ip address < mtu +< ptr +< runmode +< ssh agent forwarding < subnet mask +< system is offline < transport mode does not support vti +< update ruleset +< Weekly ############################################################################ # Checking cgi-bin translations for language: it # ############################################################################ @@ -895,14 +957,17 @@ < crypto error < cryptographic settings < crypto warning +< Daily < default IP address < dhcp dns enable update < dhcp dns key name < dhcp dns update < dhcp dns update algo < dhcp dns update secret +< Disabled < dl client arch insecure < dns forward disable dnssec +< dnsforward dnssec disabled < dnsforward forward_servers < dns forwarding dnssec disabled notice < dnssec disabled warning @@ -927,6 +992,7 @@ < email text < email tls < email usemail +< emerging pro rules < fifteen minutes < firewall graph country < firewall graph ip @@ -948,6 +1014,7 @@ < fwhost cust geoipgroup < fwhost cust geoiplocation < fwhost newgeoipgrp +< generate ptr < geoip < geoipblock < geoipblock block countries @@ -960,9 +1027,27 @@ < geoipblock flag < guaranteed bandwith < guardian +< ids apply +< ids apply ruleset changes +< ids automatic rules update +< ids download new ruleset +< ids enable +< ids hide +< ids ignored hosts +< ids log hits +< ids monitored interfaces +< ids monitor traffic only +< ids no network zone +< ids no ruleset available +< ids oinkcode required +< ids ruleset autoupdate in progress +< ids ruleset settings +< ids show +< ids working < incoming compression in bytes per second < incoming overhead in bytes per second < interface mode +< intrusion prevention system < invalid input for inactivity timeout < invalid input for interface address < invalid input for interface mode 
@@ -1005,16 +1090,20 @@ < pptp netconfig < pptp peer < pptp route +< ptr < rdns < required field +< runmode < samba join a domain < samba join domain < search < ssh active sessions +< ssh agent forwarding < ssh login time < ssh no active logins < ssh username < subnet mask +< system is offline < tcp more reliable < ten minutes < thirty minutes @@ -1026,6 +1115,7 @@ < unblock all < uncheck all < unlimited +< update ruleset < uplink bit rate < vpn broken < vpn connecting @@ -1040,6 +1130,7 @@ < vpn statistic rw < vpn wait < vpn weak +< Weekly < wireless network < wlanap < wlanap configuration @@ -1133,6 +1224,7 @@ < crypto error < cryptographic settings < crypto warning +< Daily < default < default IP address < dh @@ -1146,8 +1238,10 @@ < dh key warn1 < dh name is invalid < dh parameter +< Disabled < dl client arch insecure < dns forward disable dnssec +< dnsforward dnssec disabled < dnsforward forward_servers < dns forwarding dnssec disabled notice < dnssec aware @@ -1180,6 +1274,7 @@ < email text < email tls < email usemail +< emerging pro rules < fifteen minutes < firewall graph country < firewall graph ip @@ -1204,6 +1299,7 @@ < fwhost newgeoipgrp < gen dh < generate dh key +< generate ptr < geoip < geoipblock < geoipblock block countries @@ -1215,11 +1311,29 @@ < geoipblock enable feature < geoipblock flag < guardian +< ids apply +< ids apply ruleset changes +< ids automatic rules update +< ids download new ruleset +< ids enable +< ids hide +< ids ignored hosts +< ids log hits +< ids monitored interfaces +< ids monitor traffic only +< ids no network zone +< ids no ruleset available +< ids oinkcode required +< ids ruleset autoupdate in progress +< ids ruleset settings +< ids show +< ids working < imei < imsi < incoming compression in bytes per second < incoming overhead in bytes per second < interface mode +< intrusion prevention system < invalid input for inactivity timeout < invalid input for interface address < invalid input for interface mode 
@@ -1289,9 +1403,11 @@ < pptp netconfig < pptp peer < pptp route +< ptr < random number generator daemon < rdns < required field +< runmode < samba join a domain < samba join domain < search @@ -1300,10 +1416,12 @@ < software version < source ip country < ssh active sessions +< ssh agent forwarding < ssh login time < ssh no active logins < ssh username < subnet mask +< system is offline < ta key < tcp more reliable < ten minutes @@ -1317,6 +1435,7 @@ < unblock all < uncheck all < unlimited +< update ruleset < uplink bit rate < upload dh key < vendor @@ -1333,6 +1452,7 @@ < vpn statistic rw < vpn wait < vpn weak +< Weekly < wireless network < wlanap < wlanap configuration @@ -1487,6 +1607,7 @@ < crypto error < cryptographic settings < crypto warning +< Daily < dead peer detection < default < default ip @@ -1504,12 +1625,14 @@ < dh key warn1 < dh name is invalid < dh parameter +< Disabled < dl client arch insecure < dnat address < dnsforward < dnsforward add a new entry < dnsforward configuration < dns forward disable dnssec +< dnsforward dnssec disabled < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers @@ -1552,6 +1675,7 @@ < email text < email tls < email usemail +< emerging pro rules < emerging rules < encryption < entropy @@ -1776,6 +1900,7 @@ < fw settings ruletable < gen dh < generate dh key +< generate ptr < geoip < geoipblock < geoipblock block countries @@ -1789,6 +1914,23 @@ < grouptype < guardian < hardware support +< ids apply +< ids apply ruleset changes +< ids automatic rules update +< ids download new ruleset +< ids enable +< ids hide +< ids ignored hosts +< ids log hits +< ids monitored interfaces +< ids monitor traffic only +< ids no network zone +< ids no ruleset available +< ids oinkcode required +< ids ruleset autoupdate in progress +< ids ruleset settings +< ids show +< ids working < imei < imsi < incoming compression in bytes per second 
@@ -1796,6 +1938,7 @@ < incoming overhead in bytes per second < integrity < interface mode +< intrusion prevention system < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout @@ -1917,11 +2060,13 @@ < proxy reports monthly < proxy reports today < proxy reports weekly +< ptr < qos enter bandwidths < random number generator daemon < rdns < red1 < required field +< runmode < samba join a domain < samba join domain < search @@ -1933,6 +2078,7 @@ < source ip country < ssh < ssh active sessions +< ssh agent forwarding < ssh login time < ssh no active logins < ssh username @@ -1941,6 +2087,7 @@ < support donation < system has hwrng < system has rdrand +< system is offline < ta key < tcp more reliable < ten minutes @@ -2009,6 +2156,7 @@ < unblock all < uncheck all < unlimited +< update ruleset < updxlrtr sources < updxlrtr standard view < updxlrtr used by @@ -2034,6 +2182,7 @@ < vpn statistic rw < vpn wait < vpn weak +< Weekly < wireless network < wlanap < wlanap configuration @@ -2221,6 +2370,7 @@ < crypto error < cryptographic settings < crypto warning +< Daily < day-graph < dead peer detection < default @@ -2239,6 +2389,7 @@ < dh key warn1 < dh name is invalid < dh parameter +< Disabled < disk access per < dl client arch insecure < dnat address @@ -2246,6 +2397,7 @@ < dnsforward add a new entry < dnsforward configuration < dns forward disable dnssec +< dnsforward dnssec disabled < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers @@ -2289,6 +2441,7 @@ < email text < email tls < email usemail +< emerging pro rules < emerging rules < encryption < entropy @@ -2514,6 +2667,7 @@ < fw settings ruletable < gen dh < generate dh key +< generate ptr < geoip < geoipblock < geoipblock block countries 
@@ -2528,6 +2682,23 @@ < guardian < hardware support < hour-graph +< ids apply +< ids apply ruleset changes +< ids automatic rules update +< ids download new ruleset +< ids enable +< ids hide +< ids ignored hosts +< ids log hits +< ids monitored interfaces +< ids monitor traffic only +< ids no network zone +< ids no ruleset available +< ids oinkcode required +< ids ruleset autoupdate in progress +< ids ruleset settings +< ids show +< ids working < imei < imsi < incoming compression in bytes per second @@ -2536,6 +2707,7 @@ < incoming traffic in bytes per second < integrity < interface mode +< intrusion prevention system < invalid input for dpd delay < invalid input for dpd timeout < invalid input for inactivity timeout @@ -2655,11 +2827,13 @@ < proxy reports monthly < proxy reports today < proxy reports weekly +< ptr < qos enter bandwidths < random number generator daemon < rdns < red1 < required field +< runmode < samba join a domain < samba join domain < search @@ -2671,6 +2845,7 @@ < source ip country < ssh < ssh active sessions +< ssh agent forwarding < ssh login time < ssh no active logins < ssh username @@ -2679,6 +2854,7 @@ < support donation < system has hwrng < system has rdrand +< system is offline < ta key < tcp more reliable < ten minutes @@ -2747,6 +2923,7 @@ < unblock all < uncheck all < unlimited +< update ruleset < updxlrtr sources < updxlrtr standard view < updxlrtr used by @@ -2773,6 +2950,7 @@ < vpn wait < vpn weak < week-graph +< Weekly < wireless network < wlanap < wlanap configuration 
@@ -2831,12 +3009,35 @@ < crypto error < cryptographic settings < crypto warning +< Daily < default IP address +< Disabled < dns forward disable dnssec +< dnsforward dnssec disabled < dnsforward forward_servers < dns forwarding dnssec disabled notice +< emerging pro rules < fwdfw all subnets +< generate ptr +< ids apply +< ids apply ruleset changes +< ids automatic rules update +< ids download new ruleset +< ids enable +< ids hide +< ids ignored hosts +< ids log hits +< ids monitored interfaces +< ids monitor traffic only +< ids no network zone +< ids no ruleset available +< ids oinkcode required +< ids ruleset autoupdate in progress +< ids ruleset settings +< ids show +< ids working < interface mode +< intrusion prevention system < invalid input for interface address < invalid input for interface mode < invalid input for interface mtu @@ -2855,13 +3056,19 @@ < ovpn error dh < ovpn error md5 < ovpn warning rfc3280 +< ptr +< runmode < ssh active sessions +< ssh agent forwarding < ssh login time < ssh no active logins < ssh username < subnet mask +< system is offline < transport mode does not support vti +< update ruleset < vpn start action add < vpn wait +< Weekly < wlanap neighbor scan < wlanap neighbor scan warning diff --git a/html/cgi-bin/aliases.cgi b/html/cgi-bin/aliases.cgi index 7c3ba91ae..4e61eb65e 100644 --- a/html/cgi-bin/aliases.cgi +++ b/html/cgi-bin/aliases.cgi @@ -33,6 +33,7 @@ use strict; require '/var/ipfire/general-functions.pl'; # replace /var/ipcop with /var/ipcop in case of manual install require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; +require "${General::swroot}/ids-functions.pl";
my $configfwdfw = "${General::swroot}/firewall/config"; my $configinput = "${General::swroot}/firewall/input"; @@ -105,6 +106,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { # Rebuild configuration file if needed &BuildConfiguration; + + # Handle suricata related actions. + &HandleSuricata(); }
ERROR: # Leave the faulty field untouched @@ -139,6 +143,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { # Rebuild configuration file &BuildConfiguration; + + # Handle Suricata related actions. + &HandleSuricata(); }
if ($settings{'ACTION'} eq $Lang::tr{'add'}) { @@ -220,6 +227,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) { &SortDataFile; # sort newly added/modified entry
&BuildConfiguration; # then re-build conf which use new data + + # Handle Suricata related actions. + &HandleSuricata(); ## ## if entering data line is repetitive, choose here to not erase fields between each addition @@ -251,6 +261,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'remove'}) { &General::log($Lang::tr{'ip alias removed'});
&BuildConfiguration; # then re-build conf which use new data + + # Handle Suricata related actions. + &HandleSuricata(); }
@@ -557,3 +570,16 @@ sub BuildConfiguration { system '/usr/local/bin/setaliases'; }
+# +## Handle Suricata related actions. +# +sub HandleSuricata() { + # Check if suricata is running. + if(&IDS::ids_is_running()) { + # Re-generate file which contains the HOME_NET declaration. + &IDS::generate_home_net_file(); + + # Call suricatactrl to perform a restart of suricata. + &IDS::call_suricatactrl("restart"); + } +} diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi index e687c9559..baa49fd3b 100644 --- a/html/cgi-bin/credits.cgi +++ b/html/cgi-bin/credits.cgi @@ -64,12 +64,12 @@ Michael Tremer, Arne Fitzenreiter, Christian Schmidt, Alexander Marx, -Matthias Fischer, Stefan Schantl, +Matthias Fischer, Jan Paul Tücking, Jonatan Schlag, -Erik Kapfer, Peter Müller, +Erik Kapfer, Dirk Wagner, Marcel Lorenz, Alf Høgemark, @@ -90,12 +90,13 @@ Rene Zingel, Sascha Kilian, Ronald Wiesinger, Stephan Feddersen, +Stéphane Pautrel, Justin Luth, Michael Eitelwein, -Stéphane Pautrel, Bernhard Bitsch, Dominik Hassler, Larsen, +Alexander Koch, Gabriel Rolland, Anton D. Seliverstov, Bernhard Bittner, @@ -105,7 +106,6 @@ Jakub Ratajczak, Jorrit de Jonge, Jörn-Ingo Weigert, Przemek Zdroik, -Alexander Koch, Alexander Rudolf Gruber, Andrew Bellows, Axel Gembe, diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi index d9807c90e..626b664fd 100644 --- a/html/cgi-bin/dnsforward.cgi +++ b/html/cgi-bin/dnsforward.cgi @@ -189,7 +189,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) $cgiparams{'ZONE'} = $temp[1]; $cgiparams{'FORWARD_SERVERS'} = join(",", split(/|/, $temp[2])); $cgiparams{'REMARK'} = $temp[3]; - $cgiparams{'DISABLE_DNSSEC'} = $temp[4]; + $cgiparams{'DISABLE_DNSSEC'} = ($temp[4] eq "on") ? "on" : "off"; } } } @@ -250,7 +250,7 @@ print <<END </tr> <tr> <td width ='20%' class='base'>$Lang::tr{'dns forward disable dnssec'}:</td> - <td><input type='checkbox' name='DISABLE_DNSSEC' $checked{'DISABLE_DNSSEC'}' /></td> + <td><input type='checkbox' name='DISABLE_DNSSEC' $checked{'DISABLE_DNSSEC'}{'on'} /></td> </tr> </table> <br> 
@@ -392,6 +392,8 @@ print <<END <td class='base'>$Lang::tr{'edit'}</td> <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> <td class='base'>$Lang::tr{'remove'}</td> + <td> <span style="background-color: $Header::colourred"> </span></td> + <td class='base'>$Lang::tr{'dnsforward dnssec disabled'}</td> </tr> </table> END diff --git a/html/cgi-bin/hosts.cgi b/html/cgi-bin/hosts.cgi index 41fe8a5b6..973c480b3 100644 --- a/html/cgi-bin/hosts.cgi +++ b/html/cgi-bin/hosts.cgi @@ -2,9 +2,9 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # -# This program is free software you can redistribute it and/or modify # +# This program is free software you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation, either version 3 of the License, or # # (at your option) any later version. # @@ -50,9 +50,10 @@ our %settings = (); #Must not be saved ! $settings{'EN'} = ''; # reuse for dummy field in position zero $settings{'IP'} = ''; -$settings{'HOST'} = ''; -$settings{'DOM'} = ''; -my @nosaved=('EN','IP','HOST','DOM'); # List here ALL setting2 fields. Mandatory +$settings{'HOST'} = ''; +$settings{'DOM'} = ''; +$settings{'PTR'} = ''; +my @nosaved=('EN','IP','HOST','DOM','PTR'); # List here ALL setting2 fields. Mandatory
$settings{'ACTION'} = ''; # add/edit/remove $settings{'KEY1'} = ''; # point record for ACTION @@ -78,6 +79,10 @@ if (open(FILE, "$datafile")) { ## Settings1 Box not used... &General::readhash("${General::swroot}/main/settings", %settings);
+# Set PTR to off if filed was not received +if ($settings{'PTR'} eq '') { + $settings{'PTR'} = 'off'; +}
## Now manipulate the multi-line list with Settings2 # Basic actions are: @@ -122,13 +127,12 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) { $errormessage = $Lang::tr{'invalid domain name'}; }
- unless ($errormessage) { if ($settings{'KEY1'} eq '') { #add or edit ? - unshift (@current, "$settings{'EN'},$settings{'IP'},$settings{'HOST'},$settings{'DOM'}\n"); + unshift (@current, "$settings{'EN'},$settings{'IP'},$settings{'HOST'},$settings{'DOM'},$settings{'PTR'}\n"); &General::log($Lang::tr{'hosts config added'}); } else { - @current[$settings{'KEY1'}] = "$settings{'EN'},$settings{'IP'},$settings{'HOST'},$settings{'DOM'}\n"; + @current[$settings{'KEY1'}] = "$settings{'EN'},$settings{'IP'},$settings{'HOST'},$settings{'DOM'},$settings{'PTR'}\n"; $settings{'KEY1'} = ''; # End edit mode &General::log($Lang::tr{'hosts config changed'}); } @@ -150,6 +154,11 @@ if ($settings{'ACTION'} eq $Lang::tr{'edit'}) { $settings{'IP'}=$temp[1]; $settings{'HOST'}=$temp[2]; $settings{'DOM'}=$temp[3]; + if ($temp[4] eq '') { + $settings{'PTR'} = 'on'; + } else { + $settings{'PTR'}=$temp[4]; + } }
if ($settings{'ACTION'} eq $Lang::tr{'remove'}) { @@ -190,6 +199,7 @@ if ($settings{'ACTION'} eq '' ) { # First launch from GUI # Place here default value when nothing is initialized $settings{'EN'} = 'on'; $settings{'DOM'} = $settings{'DOMAINNAME'}; + $settings{'PTR'} = 'on'; }
&Header::openpage($Lang::tr{'hostname'}, 1, ''); @@ -238,6 +248,7 @@ if ($errormessage) { # Second check box is for editing the list # $checked{'EN'}{'on'} = ($settings{'EN'} eq '' ) ? '' : "checked='checked'"; +$checked{'PTR'}{'on'} = ($settings{'PTR'} eq 'off' ) ? '' : "checked='checked'";
my $buttontext = $Lang::tr{'add'}; if ($settings{'KEY1'} ne '') { @@ -257,9 +268,16 @@ print <<END <td><input type='text' name='IP' value='$settings{'IP'}' /></td> <td class='base'>$Lang::tr{'hostname'}: <img src='/blob.gif' alt='*' /></td> <td><input type='text' name='HOST' value='$settings{'HOST'}' /></td> -</tr><tr> +</tr> +<tr> <td class='base'>$Lang::tr{'domain name'}:</td> <td><input type='text' name='DOM' value='$settings{'DOM'}' /></td> + <td class='base'>$Lang::tr{'generate ptr'}:</td> + <td><input type='checkbox' name='PTR' $checked{'PTR'}{'on'} /></td> +</tr> +<tr> + <td> </td> + <td> </td> <td class='base'>$Lang::tr{'enabled'}</td> <td><input type='checkbox' name='EN' $checked{'EN'}{'on'} /></td> </tr> @@ -288,7 +306,8 @@ print <<END <tr> <th width='20%' align='center'><a href='$ENV{'SCRIPT_NAME'}?IP'><b>$Lang::tr{'host ip'}</b></a></th> <th width='20%' align='center'><a href='$ENV{'SCRIPT_NAME'}?HOST'><b>$Lang::tr{'hostname'}</b></a></th> - <th width='50%' align='center'><a href='$ENV{'SCRIPT_NAME'}?DOM'><b>$Lang::tr{'domain name'}</b></a></th> + <th width='40%' align='center'><a href='$ENV{'SCRIPT_NAME'}?DOM'><b>$Lang::tr{'domain name'}</b></a></th> + <th width='10%' align='center' class='boldbase'><b>$Lang::tr{'ptr'}</b></th> <th width='10%' colspan='3' class='boldbase' align='center'><b>$Lang::tr{'action'}</b></th> </tr> END @@ -315,6 +334,12 @@ foreach my $line (@current) { $gdesc = $Lang::tr{'click to enable'}; }
+ if ($temp[4] eq '' || $temp[4] eq 'on') { + $temp[4] = $Lang::tr{'yes'}; + } else { + $temp[4] = $Lang::tr{'no'}; + } + #Colorize each line if ($settings{'KEY1'} eq $key) { print "<tr bgcolor='${Header::colouryellow}'>"; @@ -329,6 +354,7 @@ foreach my $line (@current) { <td align='center' $col>$temp[1]</td> <td align='center' $col>$temp[2]</td> <td align='center' $col>$temp[3]</td> +<td align='center' $col>$temp[4]</td> <td align='center' $col> <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> @@ -430,14 +456,14 @@ sub SortDataFile my $key = 0; foreach my $line (@current) { chomp( $line); #remove newline because can be on field 5 or 6 (addition of REMARK) - my @temp = ( '','','', ''); + my @temp = ( '','','','',''); @temp = split (',',$line);
# Build a pair 'Field Name',value for each of the data dataline. # Each SORTABLE field must have is pair. # Other data fields (non sortable) can be grouped in one - my @record = ('KEY',$key++,'EN',$temp[0],'IP',$temp[1],'HOST',$temp[2],'DOM',$temp[3]); + my @record = ('KEY',$key++,'EN',$temp[0],'IP',$temp[1],'HOST',$temp[2],'DOM',$temp[3],'PTR',$temp[4]); my $record = {}; # create a reference to empty hash %{$record} = @record; # populate that hash with @record $entries{$record->{KEY}} = $record; # add this to a hash of hashes @@ -447,7 +473,7 @@ sub SortDataFile
# Each field value is printed , with the newline ! Don't forget separator and order of them. foreach my $entry (sort fixedleasesort keys %entries) { - print FILE "$entries{$entry}->{EN},$entries{$entry}->{IP},$entries{$entry}->{HOST},$entries{$entry}->{DOM}\n"; + print FILE "$entries{$entry}->{EN},$entries{$entry}->{IP},$entries{$entry}->{HOST},$entries{$entry}->{DOM},$entries{$entry}->{PTR}\n"; }
close(FILE); diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 5a3f4c314..00db6a0c3 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,390 +24,713 @@ use strict; # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; -use File::Copy;
require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; - -sub refreshpage{&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'pagerefresh'}</font></center>";&Header::closebox();} - -$a = new CGI; +require "${General::swroot}/ids-functions.pl";
my %color = (); my %mainsettings = (); +my %idsrules = (); +my %idssettings=(); +my %rulessettings=(); +my %rulesetsources = (); +my %cgiparams=(); +my %checked=(); +my %selected=(); +my %ignored=(); + +# Read-in main settings, for language, theme and colors. &General::readhash("${General::swroot}/main/settings", %mainsettings); &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", %color);
-my %snortsettings=(); -my %checked=(); -my %selected=(); -my %netsettings=(); -our $errormessage = ''; -our $results = ''; -our $tempdir = ''; -our $url=''; -&General::readhash("${General::swroot}/ethernet/settings", %netsettings); +# Get the available network zones, based on the config type of the system and store +# the list of zones in an array. +my @network_zones = &IDS::get_available_network_zones(); + +my $errormessage; + +# Create files if they does not exist yet. +&IDS::check_and_create_filelayout(); + +# Hash which contains the colour code of a network zone. +my %colourhash = ( + 'red' => $Header::colourred, + 'green' => $Header::colourgreen, + 'blue' => $Header::colourblue, + 'orange' => $Header::colourorange +);
&Header::showhttpheaders();
-$snortsettings{'ENABLE_SNORT'} = 'off'; -$snortsettings{'ENABLE_SNORT_GREEN'} = 'off'; -$snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; -$snortsettings{'ENABLE_SNORT_ORANGE'} = 'off'; -$snortsettings{'ACTION'} = ''; -$snortsettings{'RULES'} = ''; -$snortsettings{'OINKCODE'} = ''; -$snortsettings{'INSTALLDATE'} = ''; -$snortsettings{'FILE'} = ''; -$snortsettings{'UPLOAD'} = ''; - -&Header::getcgihash(%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'}); - -####################### Added for snort rules control ################################# -my $snortrulepath; # change to "/etc/snort/rules" - maniac -my @snortconfig; -my $restartsnortrequired = 0; -my %snortrules; -my $rule = ''; -my $table1colour = ''; -my $table2colour = ''; -my $var = ''; -my $value = ''; -my $tmp = ''; -my $linkedrulefile = ''; -my $border = ''; -my $checkboxname = ''; - -if (-e "/etc/snort/snort.conf") { - - - # Open snort.conf file, read it in, close it, and re-open for writing - open(FILE, "/etc/snort/snort.conf") or die 'Unable to read snort config file.'; - @snortconfig = <FILE>; - close(FILE); - open(FILE, ">/etc/snort/snort.conf") or die 'Unable to write snort config file.'; - - my @rules = `cd /etc/snort/rules/ && ls *.rules 2>/dev/null`; # With this loop the rule might be display with correct rulepath set - foreach (@rules) { - chomp $_; - my $temp = join(";",@snortconfig); - if ( $temp =~ /$_/ ){next;} - else { push(@snortconfig,"#include $RULE_PATH/".$_);} - } - - # Loop over each line - foreach my $line (@snortconfig) { - # Trim the line - chomp $line; +#Get GUI values +&Header::getcgihash(%cgiparams);
- # Check for a line with .rules - if ($line =~ /.rules$/) { - # Parse out rule file name - $rule = $line; - $rule =~ s/$RULE_PATH///i; - $rule =~ s/ ?include ?//i; - $rule =~ s/#//i; - my $snortrulepathrule = "$snortrulepath/$rule"; - - # Open rule file and read in contents - open(RULEFILE, "$snortrulepath/$rule") or die "Unable to read snort rule file for reading => $snortrulepath/$rule."; - my @snortrulefile = <RULEFILE>; - close(RULEFILE); - open(RULEFILE, ">$snortrulepath/$rule") or die "Unable to write snort rule file for writing $snortrulepath/$rule"; +## Add/edit an entry to the ignore file. +# +if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq $Lang::tr{'update'})) {
- # Local vars - my $dashlinecnt = 0; - my $desclook = 1; - my $snortruledesc = ''; - my %snortruledef = (); - my $rulecnt = 1; - - # Loop over rule file contents - foreach my $ruleline (@snortrulefile) { - chomp $ruleline; - - # If still looking for a description - if ($desclook) { - # If line does not start with a # anymore, then done looking for a description - if ($ruleline !~ /^#/) { - $desclook = 0; - } + # Check if any input has been performed. + if ($cgiparams{'IGNORE_ENTRY_ADDRESS'} ne '') {
- # If see more than one dashed line, (start to) create rule file description - if ($dashlinecnt > 1) { - # Check for a line starting with a # - if ($ruleline =~ /^#/ and $ruleline !~ /^#alert/) { - # Create tempruleline - my $tempruleline = $ruleline; - - # Strip off # and clean up line - $tempruleline =~ s/# ?//i; - - # Check for part of a description - if ($snortruledesc eq '') { - $snortruledesc = $tempruleline; - } else { - $snortruledesc .= " $tempruleline"; - } - } else { - # Must be done - $desclook = 0; - } - } + # Check if the given input is no valid IP-address or IP-address with subnet, display an error message. + if ((!&General::validip($cgiparams{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($cgiparams{'IGNORE_ENTRY_ADDRESS'}))) { + $errormessage = "$Lang::tr{'guardian invalid address or subnet'}"; + } + } else { + $errormessage = "$Lang::tr{'guardian empty input'}"; + }
- # If have a dashed line, increment count - if ($ruleline =~ /# ?-+/) { - $dashlinecnt++; - } - } else { - # Parse out rule file rule's message for display - if ($ruleline =~ /(msg:"[^"]+";)/) { - my $msg = ''; - $msg = $1; - $msg =~ s/msg:"//i; - $msg =~ s/";//i; - $snortruledef{$rulecnt}{'Description'} = $msg; - - # Check for 'Save' and rule file displayed in query string - if (($snortsettings{'ACTION'} eq $Lang::tr{'update'}) && ($ENV{'QUERY_STRING'} =~ /$rule/i)) { - # Check for a disable rule which is now enabled, or an enabled rule which is now disabled - if ((($ruleline =~ /^#/) && (exists $snortsettings{"SNORT_RULE_$rule_$rulecnt"})) || (($ruleline !~ /^#/) && (!exists $snortsettings{"SNORT_RULE_$rule_$rulecnt"}))) { - $restartsnortrequired = 1; - } - - # Strip out leading # from rule line - $ruleline =~ s/# ?//i; - - # Check if it does not exists (which means it is disabled), append a # - if (!exists $snortsettings{"SNORT_RULE_$rule_$rulecnt"}) { - $ruleline = "#"." $ruleline"; - } - } - - # Check if ruleline does not begin with a #, so it is enabled - if ($ruleline !~ /^#/) { - $snortruledef{$rulecnt++}{'State'} = 'Enabled'; - } else { - # Otherwise it is disabled - $snortruledef{$rulecnt++}{'State'} = 'Disabled'; - } - } - } + # Go further if there was no error. + if ($errormessage eq '') { + my %ignored = (); + my $id; + my $status;
- # Print ruleline to RULEFILE - print RULEFILE "$ruleline\n"; - } + # Assign hash values. + my $new_entry_address = $cgiparams{'IGNORE_ENTRY_ADDRESS'}; + my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
- # Close RULEFILE - close(RULEFILE); + # Read-in ignoredfile. + &General::readhasharray($IDS::ignored_file, %ignored);
- # Check for 'Save' - if ($snortsettings{'ACTION'} eq $Lang::tr{'update'}) { - # Check for a disable rule which is now enabled, or an enabled rule which is now disabled - if ((($line =~ /^#/) && (exists $snortsettings{"SNORT_RULE_$rule"})) || (($line !~ /^#/) && (!exists $snortsettings{"SNORT_RULE_$rule"}))) { - $restartsnortrequired = 1; - } + # Check if we should edit an existing entry and got an ID. + if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) { + # Assin the provided id. + $id = $cgiparams{'ID'};
- # Strip out leading # from rule line - $line =~ s/# ?//i; + # Undef the given ID. + undef($cgiparams{'ID'});
- # Check if it does not exists (which means it is disabled), append a # - if (!exists $snortsettings{"SNORT_RULE_$rule"}) { - $line = "# $line"; - } + # Grab the configured status of the corresponding entry. + $status = $ignored{$id}[2]; + } else { + # Each newly added entry automatically should be enabled. + $status = "enabled";
- } + # Generate the ID for the new entry. + # + # Sort the keys by their ID and store them in an array. + my @keys = sort { $a <=> $b } keys %ignored;
- # Check for rule state - if ($line =~ /^#/) { - $snortrules{$rule}{"State"} = "Disabled"; - } else { - $snortrules{$rule}{"State"} = "Enabled"; - } + # Reverse the key array. + my @reversed = reverse(@keys);
- # Set rule description - $snortrules{$rule}{"Description"} = $snortruledesc; + # Obtain the last used id. + my $last_id = @reversed[0];
- # Loop over sorted rules - foreach my $ruledef (sort {$a <=> $b} keys(%snortruledef)) { - $snortrules{$rule}{"Definition"}{$ruledef}{'Description'} = $snortruledef{$ruledef}{'Description'}; - $snortrules{$rule}{"Definition"}{$ruledef}{'State'} = $snortruledef{$ruledef}{'State'}; - } + # Increase the last id by one and use it as id for the new entry. + $id = ++$last_id; + } + + # Add/Modify the entry to/in the ignored hash. + $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"]; + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($IDS::ignored_file, %ignored); + + # Regenerate the ignore file. + &IDS::generate_ignore_file(); + } + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } + +## Toggle Enabled/Disabled for an existing entry on the ignore list. +# + +} elsif ($cgiparams{'WHITELIST'} eq $Lang::tr{'toggle enable disable'}) { + my %ignored = (); + + # Only go further, if an ID has been passed. + if ($cgiparams{'ID'}) { + # Assign the given ID. + my $id = $cgiparams{'ID'};
- $snortruledesc = ''; - print FILE "$line\n"; - } elsif ($line =~ /var RULE_PATH/) { - ($tmp, $tmp, $snortrulepath) = split(' ', $line); - print FILE "$line\n"; + # Undef the given ID. + undef($cgiparams{'ID'}); + + # Read-in ignoredfile. + &General::readhasharray($IDS::ignored_file, %ignored); + + # Grab the configured status of the corresponding entry. + my $status = $ignored{$id}[2]; + + # Switch the status. + if ($status eq "disabled") { + $status = "enabled"; } else { - print FILE "$line\n"; + $status = "disabled"; + } + + # Modify the status of the existing entry. + $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"]; + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($IDS::ignored_file, %ignored); + + # Regenerate the ignore file. + &IDS::generate_ignore_file(); + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); } } - close(FILE);
- if ($restartsnortrequired) { - system('/usr/local/bin/snortctrl restart >/dev/null'); +## Remove entry from ignore list. +# +} elsif ($cgiparams{'WHITELIST'} eq $Lang::tr{'remove'}) { + my %ignored = (); + + # Read-in ignoredfile. + &General::readhasharray($IDS::ignored_file, %ignored); + + # Drop entry from the hash. + delete($ignored{$cgiparams{'ID'}}); + + # Undef the given ID. + undef($cgiparams{'ID'}); + + # Write the changed ignored hash to the ignored file. + &General::writehasharray($IDS::ignored_file, %ignored); + + # Regenerate the ignore file. + &IDS::generate_ignore_file(); + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); } }
-####################### End added for snort rules control ################################# +# Check if the page is locked, in this case, the ids_page_lock_file exists. +if (-e $IDS::ids_page_lock_file) { + # Lock the webpage and print notice about autoupgrade of the ruleset + # is in progess. + &working_notice("$Lang::tr{'ids ruleset autoupdate in progress'}"); + + # Loop and check if the file still exists. + while(-e $IDS::ids_page_lock_file) { + # Sleep for a second and re-check. + sleep 1; + }
-if ($snortsettings{'OINKCODE'} ne "") { - $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/); + # Page has been unlocked, perform a reload. + &reload(); }
-if (!$errormessage) { - if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=$snort..."; - } elsif ($snortsettings{'RULES'} eq 'registered') { - $url=" https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=$snort..."; - } elsif ($snortsettings{'RULES'} eq 'community') { - $url=" https://www.snort.org/rules/community"; - } else { - $url="https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"; +# Check if any error has been stored. +if (-e $IDS::storederrorfile) { + # Open file to read in the stored error message. + open(FILE, "<$IDS::storederrorfile") or die "Could not open $IDS::storederrorfile. $!\n"; + + # Read the stored error message. + $errormessage = <FILE>; + + # Close file. + close (FILE); + + # Delete the file, which is now not longer required. + unlink($IDS::storederrorfile); +} + +## Grab all available rules and store them in the idsrules hash. +# +# Open rules directory and do a directory listing. +opendir(DIR, $IDS::rulespath) or die $!; + # Loop through the direcory. + while (my $file = readdir(DIR)) { + + # We only want files. + next unless (-f "$IDS::rulespath/$file"); + + # Ignore empty files. + next if (-z "$IDS::rulespath/$file"); + + # Use a regular expression to find files ending in .rules + next unless ($file =~ m/.rules$/); + + # Ignore files which are not read-able. + next unless (-R "$IDS::rulespath/$file"); + + # Skip whitelist rules file. + next if( $file eq "whitelist.rules"); + + # Call subfunction to read-in rulefile and add rules to + # the idsrules hash. + &readrulesfile("$file"); }
- if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "snort" ) { - &General::writehash("${General::swroot}/snort/settings", %snortsettings); - if ($snortsettings{'ENABLE_SNORT'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable"); - } else { - unlink "${General::swroot}/snort/enable"; - } - if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_green"); - } else { - unlink "${General::swroot}/snort/enable_green"; - } - if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_blue"); - } else { - unlink "${General::swroot}/snort/enable_blue"; +closedir(DIR); + +# Gather used rulefiles. +# +# Check if the file for activated rulefiles is not empty. +if(-f $IDS::used_rulefiles_file) { + # Open the file for used rulefile and read-in content. + open(FILE, $IDS::used_rulefiles_file) or die "Could not open $IDS::used_rulefiles_file. $!\n"; + + # Read-in content. + my @lines = <FILE>; + + # Close file. + close(FILE); + + # Loop through the array. + foreach my $line (@lines) { + # Remove newlines. + chomp($line); + + # Skip comments. + next if ($line =~ /#/); + + # Skip blank lines. + next if ($line =~ /^\s*$/); + + # Gather rule sid and message from the ruleline. + if ($line =~ /.*- (.*)/) { + my $rulefile = $1; + + # Check if the current rulefile exists in the %idsrules hash. + # If not, the file probably does not exist anymore or contains + # no rules. + if($idsrules{$rulefile}) { + # Add the rulefile state to the %idsrules hash. + $idsrules{$rulefile}{'Rulefile'}{'State'} = "on"; + } } - if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_orange"); + } +} + +# Save ruleset configuration. +if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { + my %oldsettings; + my %rulesetsources; + + # Read-in current (old) IDS settings. 
+ &General::readhash("$IDS::rules_settings_file", %oldsettings); + + # Get all available ruleset locations. + &General::readhash("$IDS::rulesetsourcesfile", %rulesetsources); + + # Prevent form name from been stored in conf file. + delete $cgiparams{'RULESET'}; + + # Grab the URL based on the choosen vendor. + my $url = $rulesetsources{$cgiparams{'RULES'}}; + + # Check if the choosen vendor (URL) requires an subscription/oinkcode. + if ($url =~ /<oinkcode>/ ) { + # Check if an subscription/oinkcode has been provided. + if ($cgiparams{'OINKCODE'}) { + # Check if the oinkcode contains unallowed chars. + unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) { + $errormessage = $Lang::tr{'invalid input for oink code'}; + } } else { - unlink "${General::swroot}/snort/enable_orange"; + # Print an error message, that an subsription/oinkcode is required for this + # vendor. + $errormessage = $Lang::tr{'ids oinkcode required'}; } - if ($snortsettings{'ENABLE_PREPROCESSOR_HTTP_INSPECT'} eq 'on') - { - system ('/usr/bin/touch', "${General::swroot}/snort/enable_preprocessor_http_inspect"); - } else { - unlink "${General::swroot}/snort/enable_preprocessor_http_inspect"; + } + + # Go on if there are no error messages. + if (!$errormessage) { + # Store settings into settings file. + &General::writehash("$IDS::rules_settings_file", %cgiparams); + + # Check if the the automatic rule update hass been touched. + if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldsettings{'AUTOUPDATE_INTERVAL'}) { + # Call suricatactrl to set the new interval. + &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'}); }
- system('/usr/local/bin/snortctrl restart >/dev/null'); - } + # Check if a ruleset is present - if not or the source has been changed download it. + if((! %idsrules) || ($oldsettings{'RULES'} ne $cgiparams{'RULES'})) { + # Check if the red device is active. + unless (-e "${General::swroot}/red/active") { + $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; + }
- # INSTALLMD5 is not in the form, so not retrieved by getcgihash - &General::readhash("${General::swroot}/snort/settings", %snortsettings); + # Check if enought free disk space is availabe. + if(&IDS::checkdiskspace()) { + $errormessage = "$Lang::tr{'not enough disk space'}"; + } + + # Check if any errors happend. + unless ($errormessage) { + # Lock the webpage and print notice about downloading + # a new ruleset. + &working_notice("$Lang::tr{'ids working'}");
- if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} || $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) { - my @df = `/bin/df -B M /var`; - foreach my $line (@df) { - next if $line =~ m/^Filesystem/; - my $return; + # Call subfunction to download the ruleset. + if(&IDS::downloadruleset()) { + $errormessage = $Lang::tr{'could not download latest updates'};
- if ($line =~ m/dev/ ) { - $line =~ m/^.* (\d+)M.*$/; - my @temp = split(/ +/,$line); - if ($1<300) { - $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB"; + # Call function to store the errormessage. + &IDS::_store_error_message($errormessage); } else { - if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) { - &downloadrulesfile(); - sleep(3); - $return = `cat /var/tmp/log 2>/dev/null`; - - } elsif ( $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) { - my $upload = $a->param("UPLOAD"); - open UPLOADFILE, ">/var/tmp/snortrules.tar.gz"; - binmode $upload; - while ( <$upload> ) { - print UPLOADFILE; - } - close UPLOADFILE; - } + # Call subfunction to launch oinkmaster. + &IDS::oinkmaster(); + } + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to stop the IDS - because of the changed + # ruleset - the use has to configure it before suricata can be + # used again. + &IDS::call_suricatactrl("stop"); + }
- if ($return =~ "ERROR") { - $errormessage = "<br /><pre>".$return."</pre>"; - } else { - system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &"); - sleep(2); + # Perform a reload of the page. + &reload(); + } + } + } + +# Save ruleset. +} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'ids apply'}) { + # Arrays to store which rulefiles have been enabled and will be used. + my @enabled_rulefiles; + + # Hash to store the user-enabled and disabled sids. + my %enabled_disabled_sids; + + # Loop through the hash of idsrules. + foreach my $rulefile(keys %idsrules) { + # Check if the rulefile is enabled. + if ($cgiparams{$rulefile} eq "on") { + # Add rulefile to the array of enabled rulefiles. + push(@enabled_rulefiles, $rulefile); + + # Drop item from cgiparams hash. + delete $cgiparams{$rulefile}; + } + } + + # Read-in the files for enabled/disabled sids. + # This will be done by calling the read_enabled_disabled_sids_file function two times + # and merge the returned hashes together into the enabled_disabled_sids hash. + %enabled_disabled_sids = ( + &read_enabled_disabled_sids_file($IDS::disabled_sids_file), + &read_enabled_disabled_sids_file($IDS::enabled_sids_file)); + + # Loop through the hash of idsrules. + foreach my $rulefile (keys %idsrules) { + # Loop through the single rules of the rulefile. + foreach my $sid (keys %{$idsrules{$rulefile}}) { + # Skip the current sid if it is not numeric. + next unless ($sid =~ /\d+/ ); + + # Check if there exists a key in the cgiparams hash for this sid. + if (exists($cgiparams{$sid})) { + # Look if the rule is disabled. + if ($idsrules{$rulefile}{$sid}{'State'} eq "off") { + # Check if the state has been set to 'on'. + if ($cgiparams{$sid} eq "on") { + # Add/Modify the sid to/in the enabled_disabled_sids hash. + $enabled_disabled_sids{$sid} = "enabled"; + + # Drop item from cgiparams hash. 
+ delete $cgiparams{$rulefile}{$sid}; } } + } else { + # Look if the rule is enabled. + if ($idsrules{$rulefile}{$sid}{'State'} eq "on") { + # Check if the state is 'on' and should be disabled. + # In this case there is no entry + # for the sid in the cgiparams hash. + # Add/Modify it to/in the enabled_disabled_sids hash. + $enabled_disabled_sids{$sid} = "disabled"; + + # Drop item from cgiparams hash. + delete $cgiparams{$rulefile}{$sid}; + } } } } + + # Open enabled sid's file for writing. + open(ENABLED_FILE, ">$IDS::enabled_sids_file") or die "Could not write to $IDS::enabled_sids_file. $!\n"; + + # Open disabled sid's file for writing. + open(DISABLED_FILE, ">$IDS::disabled_sids_file") or die "Could not write to $IDS::disabled_sids_file. $!\n"; + + # Write header to the files. + print ENABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + print DISABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; + + # Check if the hash for enabled/disabled files contains any entries. + if (%enabled_disabled_sids) { + # Loop through the hash. + foreach my $sid (keys %enabled_disabled_sids) { + # Check if the sid is enabled. + if ($enabled_disabled_sids{$sid} eq "enabled") { + # Print the sid to the enabled_sids file. + print ENABLED_FILE "enablesid $sid\n"; + # Check if the sid is disabled. + } elsif ($enabled_disabled_sids{$sid} eq "disabled") { + # Print the sid to the disabled_sids file. + print DISABLED_FILE "disablesid $sid\n"; + # Something strange happende - skip the current sid. + } else { + next; + } + } + } + + # Close file for enabled_sids after writing. + close(ENABLED_FILE); + + # Close file for disabled_sids after writing. + close(DISABLED_FILE); + + # Call function to generate and write the used rulefiles file. + &IDS::write_used_rulefiles_file(@enabled_rulefiles); + + # Lock the webpage and print message. + &working_notice("$Lang::tr{'ids apply ruleset changes'}"); + + # Call oinkmaster to alter the ruleset. 
+ &IDS::oinkmaster(); + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } + + # Reload page. + &reload(); + +# Download new ruleset. +} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'update ruleset'}) { + # Check if the red device is active. + unless (-e "${General::swroot}/red/active") { + $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"; + } + + # Check if enought free disk space is availabe. + if(&IDS::checkdiskspace()) { + $errormessage = "$Lang::tr{'not enough disk space'}"; + } + + # Check if any errors happend. + unless ($errormessage) { + # Lock the webpage and print notice about downloading + # a new ruleset. + &working_notice("$Lang::tr{'ids download new ruleset'}"); + + # Call subfunction to download the ruleset. + if(&IDS::downloadruleset()) { + $errormessage = $Lang::tr{'could not download latest updates'}; + + # Call function to store the errormessage. + &IDS::_store_error_message($errormessage); + + # Preform a reload of the page. + &reload(); + } else { + # Call subfunction to launch oinkmaster. + &IDS::oinkmaster(); + + # Check if the IDS is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } + + # Perform a reload of the page. + &reload(); + } + } +# Save IDS settings. +} elsif ($cgiparams{'IDS'} eq $Lang::tr{'save'}) { + my %oldidssettings; + my $reload_page; + my $monitored_zones = 0; + + # Read-in current (old) IDS settings. + &General::readhash("$IDS::ids_settings_file", %oldidssettings); + + # Prevent form name from been stored in conf file. + delete $cgiparams{'IDS'}; + + # Check if the IDS should be enabled. + if ($cgiparams{'ENABLE_IDS'} eq "on") { + # Check if any ruleset is available. Otherwise abort and display an error. 
+ unless(%idsrules) { + $errormessage = $Lang::tr{'ids no ruleset available'}; + } + + # Loop through the array of available interfaces. + foreach my $zone (@network_zones) { + # Convert interface name into upper case. + my $zone_upper = uc($zone); + + # Check if the IDS is enabled for this interaces. + if ($cgiparams{"ENABLE_IDS_$zone_upper"}) { + # Increase count. + $monitored_zones++; + } + } + + # Check if at least one zone should be monitored, or show an error. + unless ($monitored_zones >= 1) { + $errormessage = $Lang::tr{'ids no network zone'}; + } + } + + # Go on if there are no error messages. + if (!$errormessage) { + # Store settings into settings file. + &General::writehash("$IDS::ids_settings_file", %cgiparams); + } + + # Generate file to store the home net. + &IDS::generate_home_net_file(); + + # Temporary variable to set the ruleaction. + # Default is "drop" to use suricata as IPS. + my $ruleaction="drop"; + + # Check if the traffic only should be monitored. + if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { + # Switch the ruleaction to "alert". + # Suricata acts as an IDS only. + $ruleaction="alert"; + } + + # Write the modify sid's file and pass the taken ruleaction. + &IDS::write_modify_sids_file($ruleaction); + + # Check if "MONITOR_TRAFFIC_ONLY" has been changed. + if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) { + # Check if a ruleset exists. + if (%idsrules) { + # Lock the webpage and print message. + &working_notice("$Lang::tr{'ids working'}"); + + # Call oinkmaster to alter the ruleset. + &IDS::oinkmaster(); + + # Set reload_page to "True". + $reload_page="True"; + } + } + + # Check if the IDS currently is running. + if(&IDS::ids_is_running()) { + # Check if ENABLE_IDS is set to on. + if($cgiparams{'ENABLE_IDS'} eq "on") { + # Call suricatactrl to perform a reload of suricata. + &IDS::call_suricatactrl("reload"); + } else { + # Call suricatactrl to stop suricata. 
+ &IDS::call_suricatactrl("stop"); + } + } else { + # Call suricatactrl to start suricata. + &IDS::call_suricatactrl("start"); + } + + # Check if the page should be reloaded. + if ($reload_page) { + # Perform a reload of the page. + &reload(); + } }
-$checked{'ENABLE_SNORT'}{'off'} = ''; -$checked{'ENABLE_SNORT'}{'on'} = ''; -$checked{'ENABLE_SNORT'}{$snortsettings{'ENABLE_SNORT'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_GREEN'}{'off'} = ''; -$checked{'ENABLE_SNORT_GREEN'}{'on'} = ''; -$checked{'ENABLE_SNORT_GREEN'}{$snortsettings{'ENABLE_SNORT_GREEN'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_BLUE'}{'off'} = ''; -$checked{'ENABLE_SNORT_BLUE'}{'on'} = ''; -$checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='checked'"; -$checked{'ENABLE_SNORT_ORANGE'}{'off'} = ''; -$checked{'ENABLE_SNORT_ORANGE'}{'on'} = ''; -$checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'"; +# Read-in idssettings and rulesetsettings +&General::readhash("$IDS::ids_settings_file", %idssettings); +&General::readhash("$IDS::rules_settings_file", %rulessettings); + +# If no autoupdate intervall has been configured yet, set default value. +unless(exists($rulessettings{'AUTOUPDATE_INTERVAL'})) { + # Set default to "weekly". + $rulessettings{'AUTOUPDATE_INTERVAL'} = 'weekly'; +} + +# Read-in ignored hosts. 
+&General::readhasharray("$IDS::settingsdir/ignored", %ignored); + +$checked{'ENABLE_IDS'}{'off'} = ''; +$checked{'ENABLE_IDS'}{'on'} = ''; +$checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'"; +$checked{'MONITOR_TRAFFIC_ONLY'}{'off'} = ''; +$checked{'MONITOR_TRAFFIC_ONLY'}{'on'} = ''; +$checked{'MONITOR_TRAFFIC_ONLY'}{$idssettings{'MONITOR_TRAFFIC_ONLY'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'emerging'} = ''; $selected{'RULES'}{'registered'} = ''; $selected{'RULES'}{'subscripted'} = ''; -$selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'"; +$selected{'RULES'}{$rulessettings{'RULES'}} = "selected='selected'"; +$selected{'AUTOUPDATE_INTERVAL'}{'off'} = ''; +$selected{'AUTOUPDATE_INTERVAL'}{'daily'} = ''; +$selected{'AUTOUPDATE_INTERVAL'}{'weekly'} = ''; +$selected{'AUTOUPDATE_INTERVAL'}{$rulessettings{'AUTOUPDATE_INTERVAL'}} = "selected='selected'";
&Header::openpage($Lang::tr{'intrusion detection system'}, 1, '');
-####################### Added for snort rules control ################################# -print "<script type='text/javascript' src='/include/snortupdateutility.js'></script>"; +### Java Script ### +print"<script>\n"; + +# Java script variable declaration for show and hide. +print"var show = "$Lang::tr{'ids show'}";\n"; +print"var hide = "$Lang::tr{'ids hide'}";\n"; + print <<END -<style type="text/css"> -<!-- -.section { - border: groove; -} -.row1color { - border: ridge; - background-color: $color{'color22'}; -} -.row2color { - border: ridge; - background-color: $color{'color20'}; -} -.rowselected { - border: double #FF0000; - background-color: #DCDCDC; -} ---> -</style> + // Java Script function to show/hide the text input field for + // Oinkcode/Subscription code. + var update_code = function() { + if($('#RULES').val() == 'registered') { + $('#code').show(); + } else if($('#RULES').val() == 'subscripted') { + $('#code').show(); + } else if($('#RULES').val() == 'emerging_pro') { + $('#code').show(); + } else { + $('#code').hide(); + } + }; + + // JQuery function to call corresponding function when + // the ruleset is changed or the page is loaded for showing/hiding + // the code area. + $(document).ready(function() { + $('#RULES').change(update_code); + update_code(); + }); + + // Tiny java script function to show/hide the rules + // of a given category. + function showhide(tblname) { + $("#" + tblname).toggle(); + + // Get current content of the span element. + var content = document.getElementById("span_" + tblname); + + if (content.innerHTML === show) { + content.innerHTML = hide; + } else { + content.innerHTML = show; + } + } +</script> END ; -####################### End added for snort rules control #################################
&Header::openbigbox('100%', 'left', '', $errormessage);
-############### -# DEBUG DEBUG -# &Header::openbox('100%', 'left', 'DEBUG'); -# my $debugCount = 0; -# foreach my $line (sort keys %snortsettings) { -# print "$line = $snortsettings{$line}<br />\n"; -# $debugCount++; -# } -# print " Count: $debugCount\n"; -# &Header::closebox(); -# DEBUG DEBUG -############### - if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); print "<class name='base'>$errormessage\n"; @@ -415,252 +738,441 @@ if ($errormessage) { &Header::closebox(); }
-my $return = `pidof oinkmaster.pl -x`; -chomp($return); -if ($return) { - &Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='10;'>" ); +# Draw current state of the IDS +&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'}); + +# Check if the IDS is running and obtain the process-id. +my $pid = &IDS::ids_is_running(); + +# Display some useful information, if suricata daemon is running. +if ($pid) { + # Gather used memory. + my $memory = &get_memory_usage($pid); + print <<END; - <table> - <tr><td> - <img src='/images/indicator.gif' alt='$Lang::tr{'aktiv'}' /> - <td> - $Lang::tr{'snort working'} - <tr><td colspan='2' align='center'> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' alt='$Lang::tr{'reload'}' title='$Lang::tr{'reload'}' src='/images/view-refresh.png' /> - </form> - <tr><td colspan='2' align='left'><pre> + <table width='95%' cellspacing='0' class='tbl'> + <tr> + <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'intrusion detection'}</strong></th> + </tr> + + <tr> + <td class='base'>$Lang::tr{'guardian daemon'}</td> + <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td> + </tr> + + <tr> + <td class='base'></td> + <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td> + <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td> + </tr> + + <tr> + <td class='base'></td> + <td bgcolor='$color{'color22'}' align='center'>$pid</td> + <td bgcolor='$color{'color22'}' align='center'>$memory KB</td> + </tr> + </table> END - my @output = `tail -20 /var/tmp/log`; - foreach (@output) { - print "$_"; - } +} else { + # Otherwise display a hint that the service is not launched. 
print <<END; - </pre> + <table width='95%' cellspacing='0' class='tbl'> + <tr> + <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'intrusion detection'}</strong></th> + </tr> + + <tr> + <td class='base'>$Lang::tr{'guardian daemon'}</td> + <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td> + </tr> </table> END - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit; - refreshpage(); }
-&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'}); +# Only show this area, if a ruleset is present. +if (%idsrules) { + + print <<END + + <br><br><h2>$Lang::tr{'settings'}</h2> + + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0'> + <tr> + <td class='base' colspan='2'> + <input type='checkbox' name='ENABLE_IDS' $checked{'ENABLE_IDS'}{'on'}> $Lang::tr{'ids enable'} + </td> + + <td class='base' colspan='2'> + <input type='checkbox' name='MONITOR_TRAFFIC_ONLY' $checked{'MONITOR_TRAFFIC_ONLY'}{'on'}> $Lang::tr{'ids monitor traffic only'} + </td> + </tr> + + <tr> + <td><br><br></td> + <td><br><br></td> + <td><br><br></td> + <td><br><br></td> + </tr> + + <tr> + <td colspan='4'><b>$Lang::tr{'ids monitored interfaces'}</b><br></td> + </tr> + + <tr> +END +; + + # Loop through the array of available networks and print config options. + foreach my $zone (@network_zones) { + my $checked_input; + my $checked_forward; + + # Convert current zone name to upper case. + my $zone_upper = uc($zone); + + # Set zone name. + my $zone_name = $zone; + + # Dirty hack to get the correct language string for the red zone. + if ($zone eq "red") { + $zone_name = "red1"; + } + + # Grab checkbox status from settings hash. 
+ if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") { + $checked_input = "checked = 'checked'"; + } + + print "<td class='base' width='25%'>\n"; + print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n"; + print " $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n"; + print "</td>\n"; + } + print <<END -<form method='post' action='$ENV{'SCRIPT_NAME'}'><table width='100%'> -<tr><td class='base'><input type='checkbox' name='ENABLE_SNORT_GREEN' $checked{'ENABLE_SNORT_GREEN'}{'on'} />GREEN Snort + </tr> + </table> + + <br><br> + + <table width='100%'> + <tr> + <td align='right'><input type='submit' name='IDS' value='$Lang::tr{'save'}' /></td> + </tr> + </table> + </form> END ; -if ($netsettings{'BLUE_DEV'} ne '') { - print " <input type='checkbox' name='ENABLE_SNORT_BLUE' $checked{'ENABLE_SNORT_BLUE'}{'on'} /> BLUE Snort"; -} -if ($netsettings{'ORANGE_DEV'} ne '') { - print " <input type='checkbox' name='ENABLE_SNORT_ORANGE' $checked{'ENABLE_SNORT_ORANGE'}{'on'} /> ORANGE Snort"; + } - print " <input type='checkbox' name='ENABLE_SNORT' $checked{'ENABLE_SNORT'}{'on'} /> RED Snort"; + +&Header::closebox(); + +# Draw elements for ruleset configuration. +&Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'});
print <<END -</td></tr> -<tr> - <td><br><br></td> -</tr> -<tr> - <td><b>$Lang::tr{'ids rules update'}</b></td> -</tr> -<tr> - <td><select name='RULES'> - <option value='nothing' $selected{'RULES'}{'nothing'} >$Lang::tr{'no'}</option> +<form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0'> + <tr> + <td><b>$Lang::tr{'ids rules update'}</b></td> + <td><b>$Lang::tr{'ids automatic rules update'}</b></td> + </tr> + + <tr> + <td><select name='RULES' id='RULES'> <option value='emerging' $selected{'RULES'}{'emerging'} >$Lang::tr{'emerging rules'}</option> + <option value='emerging_pro' $selected{'RULES'}{'emerging_pro'} >$Lang::tr{'emerging pro rules'}</option> <option value='community' $selected{'RULES'}{'community'} >$Lang::tr{'community rules'}</option> <option value='registered' $selected{'RULES'}{'registered'} >$Lang::tr{'registered user rules'}</option> <option value='subscripted' $selected{'RULES'}{'subscripted'} >$Lang::tr{'subscripted user rules'}</option> </select> - </td> -</tr> -<tr> - <td><br /> - $Lang::tr{'ids rules license'} <a href='https://www.snort.org/subscribe' target='_blank'>www.snort.org</a>$Lang::tr{'ids rules license1'}<br /><br /> - $Lang::tr{'ids rules license2'} <a href='https://www.snort.org/account/oinkcode' target='_blank'>Get an Oinkcode</a>, $Lang::tr{'ids rules license3'} - </td> -</tr> -<tr> - <td nowrap='nowrap'>Oinkcode: <input type='text' size='40' name='OINKCODE' value='$snortsettings{'OINKCODE'}' /></td> -</tr> -<tr> - <td width='30%' align='left'><br><input type='submit' name='ACTION' value='$Lang::tr{'download new ruleset'}' /> + </td> + + <td> + <select name='AUTOUPDATE_INTERVAL'> + <option value='off' $selected{'AUTOUPDATE_INTERVAL'}{'off'} >- $Lang::tr{'Disabled'} -</option> + <option value='daily' $selected{'AUTOUPDATE_INTERVAL'}{'daily'} >$Lang::tr{'Daily'}</option> + <option value='weekly' $selected{'AUTOUPDATE_INTERVAL'}{'weekly'} >$Lang::tr{'Weekly'}</option> + </select> + </td> + </tr> + + <tr> 
+ <td colspan='2'><br><br></td> + </tr> + + <tr style='display:none' id='code'> + <td colspan='2'>Oinkcode: <input type='text' size='40' name='OINKCODE' value='$rulessettings{'OINKCODE'}'></td> + </tr> + + <tr> + <td> </td> + + <td align='right'> END ; -if ( -e "/var/tmp/snortrules.tar.gz"){ - my @Info = stat("/var/tmp/snortrules.tar.gz"); - $snortsettings{'INSTALLDATE'} = localtime($Info[9]); -} -print " $Lang::tr{'updates installed'}: $snortsettings{'INSTALLDATE'}</td>"; + # Show the "Update Ruleset"-Button only if a ruleset has been downloaded yet and automatic updates are disabled. + if ((%idsrules) && ($rulessettings{'AUTOUPDATE_INTERVAL'} eq "off")) { + # Display button to update the ruleset. + print"<input type='submit' name='RULESET' value='$Lang::tr{'update ruleset'}'>\n"; + } +print <<END; + <input type='submit' name='RULESET' value='$Lang::tr{'save'}'> + </td>
-print <<END -</tr> -</table> -<br><br> -<table width='100%'> -<tr> - <td align='right'><input type='hidden' name='ACTION2' value='snort' /><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> -</tr> -</table> + </tr> + </table> </form> END ;
-if ($results ne '') { - print "$results"; -} +&Header::closebox(); + +# +# Whitelist / Ignorelist +# +&Header::openbox('100%', 'center', $Lang::tr{'ids ignored hosts'}); + +print <<END; + <table width='100%'> + <tr> + <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td> + <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td> + <td class='base' colspan='3' bgcolor='$color{'color20'}'></td> + </tr> +END + # Check if some hosts have been added to be ignored. + if (keys (%ignored)) { + my $col = ""; + + # Loop through all entries of the hash. + while( (my $key) = each %ignored) { + # Assign data array positions to some nice variable names. + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the key (id) number is even or not. + if ($cgiparams{'ID'} eq $key) { + $col="bgcolor='${Header::colouryellow}'"; + } elsif ($key % 2) { + $col="bgcolor='$color{'color22'}'"; + } else { + $col="bgcolor='$color{'color20'}'"; + } + + # Choose icon for the checkbox. + my $gif; + my $gdesc; + + # Check if the status is enabled and select the correct image and description. 
+ if ($status eq 'enabled' ) { + $gif = 'on.gif'; + $gdesc = $Lang::tr{'click to disable'}; + } else { + $gif = 'off.gif'; + $gdesc = $Lang::tr{'click to enable'}; + } + +print <<END; + <tr> + <td width='20%' class='base' $col>$address</td> + <td width='65%' class='base' $col>$remark</td> + + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='WHITELIST' value='$Lang::tr{'toggle enable disable'}' /> + <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' /> + <input type='hidden' name='ID' value='$key' /> + </form> + </td> + + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='WHITELIST' value='$Lang::tr{'edit'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> + <input type='hidden' name='ID' value='$key' /> + </form> + </td> + + <td align='center' $col> + <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'> + <input type='hidden' name='ID' value='$key'> + <input type='hidden' name='WHITELIST' value='$Lang::tr{'remove'}'> + </form> + </td> + </tr> +END + } + } else { + # Print notice that currently no hosts are ignored. + print "<tr>\n"; + print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n"; + print "</tr>\n"; + } + + print "</table>\n"; + + # Section to add new elements or edit existing ones. +print <<END; + <br> + <hr> + <br> + + <div align='center'> + <table width='100%'> +END + + # Assign correct headline and button text. + my $buttontext; + my $entry_address; + my $entry_remark; + + # Check if an ID (key) has been given, in this case an existing entry should be edited. 
+ if ($cgiparams{'ID'} ne '') { + $buttontext = $Lang::tr{'update'}; + print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n"; + + # Grab address and remark for the given key. + $entry_address = $ignored{$cgiparams{'ID'}}[0]; + $entry_remark = $ignored{$cgiparams{'ID'}}[1]; + } else { + $buttontext = $Lang::tr{'add'}; + print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n"; + } + +print <<END; + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ID' value='$cgiparams{'ID'}'> + <tr> + <td width='30%'>$Lang::tr{'ip address'}: </td> + <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td> + + <td width='30%'>$Lang::tr{'remark'}: </td> + <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td> + <td align='center' width='20%'><input type='submit' name='WHITELIST' value='$buttontext' /></td> + </tr> + </form> + </table> + </div> +END
&Header::closebox();
-####################### Added for snort rules control ################################# -if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'}); - # Output display table for rule files - print "<table width='100%'><tr><td valign='top'><table>"; +# Only show the section for configuring the ruleset if one is present. +if (%idsrules) { + # Load neccessary perl modules for file stat and to format the timestamp. + use File::stat; + use POSIX qw( strftime );
- print "<form method='post'>"; + # Call stat on the rulestarball. + my $stat = stat("$IDS::rulestarball");
- # Local vars - my $ruledisplaycnt = 1; - my $rulecnt = keys %snortrules; - $rulecnt++; - $rulecnt = $rulecnt / 2; + # Get timestamp the file creation. + my $mtime = $stat->mtime;
- # Loop over each rule file - foreach my $rulefile (sort keys(%snortrules)) { - my $rulechecked = ''; + # Convert into human read-able format. + my $rulesdate = strftime('%Y-%m-%d %H:%M:%S', localtime($mtime));
- # Hide inkompatible Block rules - if ($rulefile =~'-BLOCK.rules') { - next; - } + &Header::openbox('100%', 'LEFT', "$Lang::tr{'intrusion detection system rules'} ($rulesdate)" );
- # Check if reached half-way through rule file rules to start new column - if ($ruledisplaycnt > $rulecnt) { - print "</table></td><td valign='top'><table>"; - $ruledisplaycnt = 0; - } + print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n"; + + # Output display table for rule files + print "<table width='100%'>\n"; + + # Loop over each rule file + foreach my $rulefile (sort keys(%idsrules)) { + my $rulechecked = '';
# Check if rule file is enabled - if ($snortrules{$rulefile}{"State"} eq 'Enabled') { + if ($idsrules{$rulefile}{'Rulefile'}{'State'} eq 'on') { $rulechecked = 'CHECKED'; }
- # Create rule file link, vars array, and display flag - my $rulefilelink = "?RULEFILE=$rulefile"; - my $rulefiletoclose = ''; - my @queryvars = (); - my $displayrulefilerules = 0; - - # Check for passed in query string - if ($ENV{'QUERY_STRING'}) { - # Split out vars - @queryvars = split(/&/, $ENV{'QUERY_STRING'}); - - # Loop over values - foreach $value (@queryvars) { - # Split out var pairs - ($var, $linkedrulefile) = split(/=/, $value); - - # Check if var is 'RULEFILE' - if ($var eq 'RULEFILE') { - # Check if rulefile equals linkedrulefile - if ($rulefile eq $linkedrulefile) { - # Set display flag - $displayrulefilerules = 1; - - # Strip out rulefile from rulefilelink - $rulefilelink =~ s/RULEFILE=$linkedrulefile//g; - } else { - # Add linked rule file to rulefilelink - $rulefilelink .= "&RULEFILE=$linkedrulefile"; - } - } - } - } + # Convert rulefile name into category name. + my $categoryname = &_rulefile_to_category($rulefile);
- # Strip out extra & & ? from rulefilelink - $rulefilelink =~ s/^?&/?/i; + # Table and rows for the rule files. + print"<tr>\n"; + print"<td class='base' width='5%'>\n"; + print"<input type='checkbox' name='$rulefile' $rulechecked>\n"; + print"</td>\n"; + print"<td class='base' width='90%'><b>$rulefile</b></td>\n"; + print"<td class='base' width='5%' align='right'>\n"; + print"<a href="javascript:showhide('$categoryname')"><span id='span_$categoryname'>$Lang::tr{'ids show'}</span></a>\n"; + print"</td>\n"; + print"</tr>\n";
- # Check for a single '?' and replace with page for proper link display - if ($rulefilelink eq '?') { - $rulefilelink = "ids.cgi"; - } + # Rows which will be hidden per default and will contain the single rules. + print"<tr style='display:none' id='$categoryname'>\n"; + print"<td colspan='3'>\n";
- # Output rule file name and checkbox - print "<tr><td class='base' valign='top'><input type='checkbox' NAME='SNORT_RULE_$rulefile' $rulechecked> <a href='$rulefilelink'>$rulefile</a></td></tr>"; - print "<tr><td class='base' valign='top'>"; - - # Check for empty 'Description' - if ($snortrules{$rulefile}{'Description'} eq '') { - print "<table width='100%'><tr><td class='base'>No description available</td></tr>"; - } else { - # Output rule file 'Description' - print "<table width='100%'><tr><td class='base'>$snortrules{$rulefile}{'Description'}</td></tr>"; - } + # Local vars + my $lines; + my $rows; + my $col;
- # Check for display flag - if ($displayrulefilerules) { - # Rule file definition rule display - print "<tr><td class='base' valign='top'><table border='0'><tr>"; + # New table for the single rules. + print "<table width='100%'>\n";
+ # Loop over rule file rules + foreach my $sid (sort {$a <=> $b} keys(%{$idsrules{$rulefile}})) { # Local vars - my $ruledefdisplaycnt = 0; - my $ruledefcnt = keys %{$snortrules{$rulefile}{"Definition"}}; - $ruledefcnt++; - $ruledefcnt = $ruledefcnt / 2; - - # Loop over rule file rules - foreach my $ruledef (sort {$a <=> $b} keys(%{$snortrules{$rulefile}{"Definition"}})) { - # Local vars - my $ruledefchecked = ''; - - # If have display 2 rules, start new row - if (($ruledefdisplaycnt % 2) == 0) { - print "</tr><tr>"; - $ruledefdisplaycnt = 0; - } + my $ruledefchecked = '';
- # Check for rules state - if ($snortrules{$rulefile}{'Definition'}{$ruledef}{'State'} eq 'Enabled') { - $ruledefchecked = 'CHECKED'; - } + # Skip rulefile itself. + next if ($sid eq "Rulefile");
- # Create rule file rule's checkbox - $checkboxname = "SNORT_RULE_$rulefile"; - $checkboxname .= "_$ruledef"; - print "<td class='base'><input type='checkbox' NAME='$checkboxname' $ruledefchecked> $snortrules{$rulefile}{'Definition'}{$ruledef}{'Description'}</td>"; + # If 2 rules have been displayed, start a new row + if (($lines % 2) == 0) { + print "</tr><tr>\n";
- # Increment count - $ruledefdisplaycnt++; + # Increase rows by once. + $rows++; }
- # If do not have second rule for row, create empty cell - if (($ruledefdisplaycnt % 2) != 0) { - print "<td class='base'></td>"; + # Colour lines. + if ($rows % 2) { + $col="bgcolor='$color{'color20'}'"; + } else { + $col="bgcolor='$color{'color22'}'"; }
- # Close display table - print "</tr></table></td></tr>"; - } + # Set rule state + if ($idsrules{$rulefile}{$sid}{'State'} eq 'on') { + $ruledefchecked = 'CHECKED'; + }
- # Close display table - print "</table>"; + # Create rule checkbox and display rule description + print "<td class='base' width='5%' align='right' $col>\n"; + print "<input type='checkbox' NAME='$sid' $ruledefchecked>\n"; + print "</td>\n"; + print "<td class='base' width='45%' $col>$idsrules{$rulefile}{$sid}{'Description'}</td>";
- # Increment ruledisplaycnt - $ruledisplaycnt++; + # Increment rule count + $lines++; + } + + # If do not have a second rule for row, create empty cell + if (($lines % 2) != 0) { + print "<td class='base'></td>"; + } + + # Close display table + print "</tr></table></td></tr>"; } - print "</td></tr></table></td></tr></table>"; - print <<END + + # Close display table + print "</table>"; + +print <<END <table width='100%'> <tr> - <td width='100%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'update'}' /></td> - <!-- space for future online help link --> - </td> + <td width='100%' align='right'><input type='submit' name='RULESET' value='$Lang::tr{'ids apply'}'></td> </tr> </table> </form> @@ -669,31 +1181,205 @@ END &Header::closebox(); }
-####################### End added for snort rules control ################################# &Header::closebigbox(); &Header::closepage();
-sub downloadrulesfile { - my $peer; - my $peerport; +# +## A function to display a notice, to lock the webpage and +## tell the user which action currently will be performed. +# +sub working_notice ($) { + my ($message) = @_; + + &Header::openpage($Lang::tr{'intrusion detection system'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + &Header::openbox( 'Waiting', 1,); + print <<END; + <table> + <tr> + <td><img src='/images/indicator.gif' alt='$Lang::tr{'aktiv'}' /></td> + <td>$message</td> + </tr> + </table> +END + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); +}
- unlink("/var/tmp/log"); +# +## A tiny function to perform a reload of the webpage after one second. +# +sub reload () { + print "<meta http-equiv='refresh' content='1'>\n";
- unless (-e "${General::swroot}/red/active") { - $errormessage = $Lang::tr{'could not download latest updates'}; - return undef; + # Stop the script. + exit; +} + +# +## Private function to read-in and parse rules of a given rulefile. +# +## The given file will be read, parsed and all valid rules will be stored by ID, +## message/description and it's state in the idsrules hash. +# +sub readrulesfile ($) { + my $rulefile = shift; + + # Open rule file and read in contents + open(RULEFILE, "$IDS::rulespath/$rulefile") or die "Unable to read $rulefile!"; + + # Store file content in an array. + my @lines = <RULEFILE>; + + # Close file. + close(RULEFILE); + + # Loop over rule file contents + foreach my $line (@lines) { + # Remove whitespaces. + chomp $line; + + # Skip blank lines. + next if ($line =~ /^\s*$/); + + # Local vars. + my $sid; + my $msg; + + # Gather rule sid and message from the ruleline. + if ($line =~ m/.*msg:"(.*?)"; .* sid:(.*?); /) { + $msg = $1; + $sid = $2; + + # Check if a rule has been found. + if ($sid && $msg) { + # Add rule to the idsrules hash. + $idsrules{$rulefile}{$sid}{'Description'} = $msg; + + # Grab status of the rule. Check if ruleline starts with a "dash". + if ($line =~ /^#/) { + # If yes, the rule is disabled. + $idsrules{$rulefile}{$sid}{'State'} = "off"; + } else { + # Otherwise the rule is enabled. + $idsrules{$rulefile}{$sid}{'State'} = "on"; + } + } + } } +}
- my %proxysettings=(); - &General::readhash("${General::swroot}/proxy/settings", %proxysettings); +# +## Function to get the used memory of a given process-id. +# +sub get_memory_usage($) { + my ($pid) = @_; + + my $memory = 0; + + # Try to open the status file for the given process-id on the pseudo + # file system proc. + if (open(FILE, "/proc/$pid/status")) { + # Loop through the entire file. + while (<FILE>) { + # Splitt current line content and store them into variables. + my ($key, $value) = split(":", $_, 2); + + # Check if the current key is the one which contains the memory usage. + # The wanted one is VmRSS which contains the Real-memory (resident set) + # of the entire process. + if ($key eq "VmRSS") { + # Found the memory usage add it to the memory variable. + $memory += $value; + + # Break the loop. + last; + } + } + + # Close file handle. + close(FILE);
- if ($_=$proxysettings{'UPSTREAM_PROXY'}) { - ($peer, $peerport) = (/^(?:[a-zA-Z ]+://)?(?:[A-Za-z0-9_.-]*?(?::[A-Za-z0-9_.-]*?)?@)?([a-zA-Z0-9._-]*?)(?::([0-9]{1,5}))?(?:/.*?)?$/); + # Return memory usage. + return $memory; }
- if ($peer) { - system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -e https_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); - } else { - system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url"); + # If the file could not be open, return nothing. + return; +} + +# +## Function to read-in the given enabled or disables sids file. +# +sub read_enabled_disabled_sids_file($) { + my ($file) = @_; + + # Temporary hash to store the sids and their state. It will be + # returned at the end of this function. + my %temphash; + + # Open the given filename. + open(FILE, "$file") or die "Could not open $file. $!\n"; + + # Loop through the file. + while(<FILE>) { + # Remove newlines. + chomp $_; + + # Skip blank lines. + next if ($_ =~ /^\s*$/); + + # Skip coments. + next if ($_ =~ /^#/); + + # Splitt line into sid and state part. + my ($state, $sid) = split(" ", $_); + + # Skip line if the sid is not numeric. + next unless ($sid =~ /\d+/ ); + + # Check if the sid was enabled. + if ($state eq "enablesid") { + # Add the sid and its state as enabled to the temporary hash. + $temphash{$sid} = "enabled"; + # Check if the sid was disabled. + } elsif ($state eq "disablesid") { + # Add the sid and its state as disabled to the temporary hash. + $temphash{$sid} = "disabled"; + # Invalid state - skip the current sid and state. + } else { + next; + } } + + # Close filehandle. + close(FILE); + + # Return the hash. + return %temphash; +} + +# +## Private function to convert a given rulefile to a category name. +## ( No file extension anymore and if the name contained a dot, it +## would be replaced by a underline sign.) +# +sub _rulefile_to_category($) { + my ($filename) = @_; + + # Splitt the filename into single chunks and store them in a + # temorary array. 
+ my @parts = split(/./, $filename); + + # Return / Remove last element of the temporary array. + # This removes the file extension. + pop @parts; + + # Join together the single elements of the temporary array. + # If these are more than one, use a "underline" for joining. + my $category = join '_', @parts; + + # Return the converted filename. + return $category; } diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat index 030fd4b64..8918bc6da 100644 --- a/html/cgi-bin/logs.cgi/ids.dat +++ b/html/cgi-bin/logs.cgi/ids.dat @@ -157,7 +157,7 @@ if ($multifile) { if ($cgiparams{'ACTION'} eq $Lang::tr{'export'}) { print "Content-type: text/plain\n\n"; - print "IPFire IDS snort log\r\n"; + print "IPFire IPS log\r\n"; print "Date: $cgiparams{'DAY'} $longmonths[$cgiparams{'MONTH'}]\r\n"; print "\r\n";
@@ -167,6 +167,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'export'}) { my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/|/); $refs =~ s/,$//; + + # Skip event if no datetime and title are available. + next unless (($datetime) && ($title)); + print "Date: $datetime\n"; print "Name: $title\n"; print "Priority: $priority\n"; @@ -250,7 +254,7 @@ END &Header::closebox();
&Header::openbox('100%', 'left', $Lang::tr{'log'}); -print "<p><b>$Lang::tr{'snort hits'} $longmonthstr $daystr: $lines</b></p>"; +print "<p><b>$Lang::tr{'ids log hits'} $longmonthstr $daystr: $lines</b></p>";
if ($start == -1) { $start = $lines - ${Header::viewsize}; } @@ -285,6 +289,10 @@ foreach $_ (@slice) else { print "<tr bgcolor='$color{'color22'}'><td>\n"; } my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/|/); + + # Only show the current event if at least datetime and title are available. + next unless (($datetime) && ($title)); + print <<END <table width='100%'> <tr> @@ -351,7 +359,7 @@ END } print <<END </tr> -</table> +</table><br> </td></tr> END ; @@ -376,10 +384,21 @@ sub processevent
my $filestr=''; if ($datediff==0) { - $filestr="/var/log/snort/alert"; + # If there is no datediff, directly assign the suricata fast.log. + $filestr="/var/log/suricata/fast.log"; } else { - $filestr="/var/log/snort/alert.$datediff"; - $filestr = "$filestr.gz" if -f "$filestr.gz"; + # If there is a datediff, assign the datediff to the filestring. + $filestr="/var/log/suricata/fast.log.$datediff"; + + # The files are compressed add the extension to the filestring. + $filestr="$filestr.gz"; + + # If the file does not exist, try to fallback to legacy snort alert file. + unless (-f $filestr) { + # Assign snort alert file, the datediff and extension for compressed file. + $filestr = "/var/log/snort/alert.$datediff"; + $filestr = "$filestr.gz"; + } } if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) { $errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}"; @@ -393,7 +412,7 @@ sub processevent &append; $line = 1; } - ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a"); + ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a"); @refs = (); $_ =~ m/:([0-9]{1,5})] (.*) [**]/; $title = &Header::cleanhtml($2,"y"); @@ -413,8 +432,8 @@ sub processevent $destport = $10; }
- if ($_ =~ m/^([0-9/]{3,5})-([0-9:]{5,8}).([0-9]{1,14})/) { - ($date,$time) = ($1,$2); + if ($_ =~ m/^([0-9/]{3,5})(/\d+)?-([0-9:]{5,8}).([0-9]{1,14})/) { + ($date,$time) = ($1,$3); } if ($_ =~ m/[Xref =>.*]/) { $_ =~ s/][Xref => /, /g; @@ -426,7 +445,11 @@ sub processevent } } $line++; - unless ($line == 1 || $date ne "$monthstr/$daystr") { &append; } + + # Check if all data is collected and the date of the event fits the desired date to + # get displayed. + if ($line gt 1 && $date eq "$monthstr/$daystr") { &append; } + close(LOG); } } diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index 153ffb5f0..136fed77c 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat @@ -63,10 +63,11 @@ my %sections = ( 'ipsec' => '(ipsec_[\w_]+: |pluto[.*]: |charon: |vpnwatch: )', 'kernel' => '(kernel: (?!DROP_))', 'ntp' => '(ntpd(?:ate)?[.*]: )', + 'oinkmaster' => '(oinkmaster[.*]: )', 'openvpn' => '(openvpnserver[.*]: |.*n2n[.*]: )', 'pakfire' => '(pakfire:)', 'red' => '(red:|pppd[.*]: |chat[.*]|pppoe[.*]|pptp[.*]|pppoa[.*]|pppoa3[.*]|pppoeci[.*]|ipppd|ipppd[.*]|kernel: ippp\d|kernel: isdn.*|ibod[.*]|dhcpcd[.*]|modem_run[.*])', - 'snort' => '(snort[.*]: )', + 'suricata' => '(suricata[.*]: )', 'squid' => '(squid[.*]: |squid: )', 'ssh' => '(sshd(?:(.*))?[.*]: )', 'unbound' => '(unbound: [.*:.*])(.*:.*$)', @@ -90,10 +91,11 @@ my %trsections = ( 'ipsec' => 'IPSec', 'kernel' => "$Lang::tr{'kernel'}", 'ntp' => 'NTP', + 'oinkmaster' => 'Oinkmaster', 'openvpn' => 'OpenVPN', 'pakfire' => 'Pakfire', 'red' => 'RED', - 'snort' => "$Lang::tr{'intrusion detection'}", + 'suricata' => "$Lang::tr{'intrusion detection'}", 'squid' => "$Lang::tr{'web proxy'}", 'ssh' => 'SSH', 'unbound' => 'DNS: Unbound', diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 4fb234995..812680328 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -469,10 +469,7 @@ sub addccdnet $errormessage=$Lang::tr{'ccd err invalidnet'}; return; } - - $errormessage=&General::checksubnets($ccdname,$ccdnet); - - + if (!$errormessage) { my %ccdconfhash=(); $baseaddress=&General::getnetworkip($ccdip,$subcidr); diff --git a/html/cgi-bin/remote.cgi b/html/cgi-bin/remote.cgi index 1b3dfed70..8beb84efa 100644 --- a/html/cgi-bin/remote.cgi +++ b/html/cgi-bin/remote.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -105,6 +105,7 @@ else { # used $remotesettings{'ENABLE_SSH_PASSWORDS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_PASSWORDS'}; $remotesettings{'ENABLE_SSH_KEYS'} = 'on' unless exists $remotesettings{'ENABLE_SSH_KEYS'}; + $remotesettings{'SSH_AGENT_FORWARDING'} = 'off' unless exists $remotesettings{'SSH_AGENT_FORWARDING'};
$checked{'ENABLE_SSH'}{'off'} = ''; $checked{'ENABLE_SSH'}{'on'} = ''; @@ -121,6 +122,9 @@ $checked{'ENABLE_SSH_KEYS'}{$remotesettings{'ENABLE_SSH_KEYS'}} = "checked='chec $checked{'SSH_PORT'}{'off'} = ''; $checked{'SSH_PORT'}{'on'} = ''; $checked{'SSH_PORT'}{$remotesettings{'SSH_PORT'}} = "checked='checked'"; +$checked{'SSH_AGENT_FORWARDING'}{'off'} = ''; +$checked{'SSH_AGENT_FORWARDING'}{'on'} = ''; +$checked{'SSH_AGENT_FORWARDING'}{$remotesettings{'SSH_AGENT_FORWARDING'}} = "checked='checked'";
&Header::openpage($Lang::tr{'remote access'}, 1, '');
@@ -141,6 +145,11 @@ print <<END <td><input type='checkbox' name='ENABLE_SSH' $checked{'ENABLE_SSH'}{'on'} /></td> <td class='base' colspan='2'>$Lang::tr{'ssh access'}</td> </tr> +<tr> + <td> </td> + <td><input type='checkbox' name='SSH_AGENT_FORWARDING' $checked{'SSH_AGENT_FORWARDING'}{'on'} /></td> + <td width='100%' class='base'>$Lang::tr{'ssh agent forwarding'}</td> +</tr> <tr> <td> </td> <td><input type='checkbox' name='ENABLE_SSH_PORTFW' $checked{'ENABLE_SSH_PORTFW'}{'on'} /></td> diff --git a/html/cgi-bin/services.cgi b/html/cgi-bin/services.cgi index 64fdbba05..26ab4f314 100644 --- a/html/cgi-bin/services.cgi +++ b/html/cgi-bin/services.cgi @@ -56,6 +56,7 @@ my %servicenames =( $Lang::tr{'secure shell server'} => 'sshd', $Lang::tr{'vpn'} => 'charon', $Lang::tr{'web proxy'} => 'squid', + $Lang::tr{'intrusion detection system'} => 'suricata', 'OpenVPN' => 'openvpn' );
@@ -71,30 +72,15 @@ my %link =( $Lang::tr{'vpn'} => "<a href='vpnmain.cgi'>$Lang::tr{'vpn'}</a>", $Lang::tr{'web proxy'} => "<a href='proxy.cgi'>$Lang::tr{'web proxy'}</a>", 'OpenVPN' => "<a href='ovpnmain.cgi'>OpenVPN</a>", - "$Lang::tr{'intrusion detection system'} (GREEN)" => "<a href='ids.cgi'>$Lang::tr{'intrusion detection system'} (GREEN)</a>", - "$Lang::tr{'intrusion detection system'} (RED)" => "<a href='ids.cgi'>$Lang::tr{'intrusion detection system'} (RED)</a>", - "$Lang::tr{'intrusion detection system'} (ORANGE)" => "<a href='ids.cgi'>$Lang::tr{'intrusion detection system'} (ORANGE)</a>", - "$Lang::tr{'intrusion detection system'} (BLUE)" => "<a href='ids.cgi'>$Lang::tr{'intrusion detection system'} (BLUE)</a>" + "$Lang::tr{'intrusion detection system'}" => "<a href='ids.cgi'>$Lang::tr{'intrusion detection system'}</a>", );
-my $lines=0; # Used to count the outputlines to make different bgcolor - -my $iface = ''; -if (open(FILE, "${General::swroot}/red/iface")){ - $iface = <FILE>; - close FILE; - chomp $iface; -} - -$servicenames{"$Lang::tr{'intrusion detection system'} (RED)"} = "snort_${iface}"; -$servicenames{"$Lang::tr{'intrusion detection system'} (GREEN)"} = "snort_$netsettings{'GREEN_DEV'}"; +# Hash to overwrite the process name of a process if it differs fromt the launch command. +my %overwrite_exename_hash = ( + "suricata" => "Suricata-Main" +);
-if ($netsettings{'ORANGE_DEV'} ne ''){ - $servicenames{"$Lang::tr{'intrusion detection system'} (ORANGE)"} = "snort_$netsettings{'ORANGE_DEV'}"; -} -if ($netsettings{'BLUE_DEV'} ne ''){ - $servicenames{"$Lang::tr{'intrusion detection system'} (BLUE)"} = "snort_$netsettings{'BLUE_DEV'}"; -} +my $lines=0; # Used to count the outputlines to make different bgcolor
my @querry = split(/?/,$ENV{'QUERY_STRING'}); $querry[0] = '' unless defined $querry[0]; @@ -258,7 +244,20 @@ sub isrunning{ my $memory;
$cmd =~ /(^[a-z]+)/; - $exename = $1; + + # Check if the exename needs to be overwritten. + # This happens if the expected process name string + # differs from the real one. This may happened if + # a service uses multiple processes or threads. + if (exists($overwrite_exename_hash{$1})) { + # Grab the string which will be reported by + # the process from the corresponding hash. + $exename = $overwrite_exename_hash{$1}; + } else { + # Directly expect the launched command as + # process name. + $exename = $1; + }
if (open(FILE, "/var/run/${cmd}.pid")){ $pid = <FILE>; chomp $pid; diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 00282d50b..ecf860d85 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1363,6 +1363,10 @@ END $cgiparams{'MODE'} = "tunnel"; }
+ if ($cgiparams{'INTERFACE_MTU'} eq "") { + $cgiparams{'INTERFACE_MTU'} = 1500; + } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index 72c9a1298..44b0b4053 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -75,6 +75,7 @@ $wlanapsettings{'DRIVER'} = 'NL80211'; $wlanapsettings{'HTCAPS'} = ''; $wlanapsettings{'VHTCAPS'} = ''; $wlanapsettings{'NOSCAN'} = 'off'; +$wlanapsettings{'CLIENTISOLATION'} = 'off';
&General::readhash("/var/ipfire/wlanap/settings", %wlanapsettings); &Header::getcgihash(%wlanapsettings); @@ -252,6 +253,10 @@ $checked{'NOSCAN'}{'off'} = ''; $checked{'NOSCAN'}{'on'} = ''; $checked{'NOSCAN'}{$wlanapsettings{'NOSCAN'}} = "checked='checked'";
+$checked{'CLIENTISOLATION'}{'off'} = ''; +$checked{'CLIENTISOLATION'}{'on'} = ''; +$checked{'CLIENTISOLATION'}{$wlanapsettings{'CLIENTISOLATION'}} = "checked='checked'"; + $selected{'ENC'}{$wlanapsettings{'ENC'}} = "selected='selected'"; $selected{'CHANNEL'}{$wlanapsettings{'CHANNEL'}} = "selected='selected'"; $selected{'COUNTRY'}{$wlanapsettings{'COUNTRY'}} = "selected='selected'"; @@ -377,6 +382,7 @@ print <<END <tr><td width='25%' class='base'>SSID: </td><td class='base' colspan='3'><input type='text' name='SSID' size='30' value='$wlanapsettings{'SSID'}' /></td></tr> <!--SSID Broadcast: on => HIDESSID: off --> <tr><td width='25%' class='base'>SSID Broadcast: </td><td class='base' colspan='3'>on <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> off</td></tr> +<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> | <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> off</td></tr>
<tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'> @@ -614,6 +620,7 @@ dump_file=/tmp/hostapd.dump auth_algs=1 ctrl_interface=/var/run/hostapd ctrl_interface_group=0 +disassoc_low_ack=1 END ; if ( $wlanapsettings{'HIDESSID'} eq 'on' ){ @@ -632,6 +639,14 @@ END
}
+ # https://forum.ipfire.org/viewtopic.php?f=22&t=12274&p=79070#p79070 + if ( $wlanapsettings{'CLIENTISOLATION'} eq 'on' ){ + print CONFIGFILE <<END +ap_isolate=1 +END +; + } + if ( $wlanapsettings{'NOSCAN'} eq 'on' ){ print CONFIGFILE <<END noscan=1 diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index ce7090c39..90b1ada06 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -83,6 +83,8 @@ 'ConnSched time' => 'Zeit:', 'ConnSched up' => 'Herauf', 'ConnSched weekdays' => 'Wochentage:', +'Daily' => 'Täglich', +'Disabled' => 'Deaktiviert', 'Edit an existing route' => 'Eine existierende Route editieren', 'Enter TOS' => 'Aktivieren oder deaktivieren Sie die TOS-Bits <br /> und klicken Sie danach auf <i>Speichern</i>.', 'Existing Files' => 'Dateien in der Datenbank', @@ -121,6 +123,7 @@ 'Utilization on' => 'Auslastung auf', 'Verbose' => 'Verbose', 'WakeOnLan' => 'Wake On LAN', +'Weekly' => 'Wöchentlich', 'a ca certificate with this name already exists' => 'Ein CA-Zertifikat mit diesem Namen existiert bereits.', 'a connection with this common name already exists' => 'Eine Verbindung mit diesem gemeinsamen Namen existiert bereits.', 'a connection with this name already exists' => 'Eine Verbindung mit diesem Namen existiert bereits.', @@ -821,6 +824,7 @@ 'dnsforward' => 'DNS-Weiterleitung', 'dnsforward add a new entry' => 'Neuen Eintrag hinzufügen', 'dnsforward configuration' => 'Einstellungen für DNS Weiterleitung', +'dnsforward dnssec disabled' => 'DNSSEC-Validierung deaktiviert', 'dnsforward edit an entry' => 'Existierenden Eintrag bearbeiten', 'dnsforward entries' => 'Aktuelle Einträge', 'dnsforward forward_servers' => 'DNS-Server', 
@@ -1257,6 +1261,7 @@ 'generate a certificate' => 'Erzeuge ein Zertifikat:', 'generate dh key' => 'Diffie-Hellman Key generieren', 'generate iso' => 'ISO erstellen', +'generate ptr' => 'PTR erzeugen', 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate', 'generate tripwire keys and init' => 'Tripwire Initalisierung', 'generatekeys' => 'Neue Schlüssel erzeugen', 
@@ -1325,14 +1330,23 @@ 'idle' => 'Leerlauf', 'idle timeout' => 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):', 'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.', -'ids log viewer' => 'Ansicht IDS-Protokoll', -'ids logs' => 'IDS-Protokolldateien', -'ids preprocessor' => 'IDS-Präprozessor', -'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter', -'ids rules license1' => ' registrieren.', -'ids rules license2' => 'Bestätigen Sie die Lizenz; aktivieren Sie Ihren Account, indem Sie auf den Link, den Sie per Mail erhalten haben, klicken. Gehen Sie dann zu', -'ids rules license3' => 'klicken Sie den "Generate code"-Knopf und kopieren Sie den 40-Zeichen Oinkcode in das untere Feld.', -'ids rules update' => 'Snort Regeln Update', +'ids apply' => 'Übernehmen', +'ids apply ruleset changes' => 'Regeländerungen werden übernommen. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...', +'ids automatic rules update' => 'Automatische Regelaktualisierung', +'ids download new ruleset' => 'Das neue Regelsatz wird heruntergeladen und entpackt. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...', +'ids enable' => 'Intrusion-Prevention-System aktivieren', +'ids ignored hosts' => 'Ausnahmeliste', +'ids log hits' => 'Gesamtanzahl der aktivierten Regeln für', +'ids log viewer' => 'Ansicht IPS-Protokoll', +'ids logs' => 'IPS-Protokolldateien', +'ids monitor traffic only' => 'Netzwerk-Pakete nur überprüfen', +'ids monitored interfaces' => 'Überwachte Netzwerkzonen', +'ids no network zone' => 'Bitte wählen Sie mindestens eine Netzwerkzone aus, die überwacht werden soll', +'ids no ruleset available' => 'Es ist kein Regelsatz verfügbar. Bitte laden Sie einen Regelsatz herunter.', +'ids oinkcode required' => 'Für den ausgewählten Regelsatz wird ein Abonnement oder ein Oinkcode benötigt', +'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. 
Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...', +'ids ruleset settings' => 'Regelsatzeinstellungen', +'ids working' => 'Änderungen werden übernommen. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.', 'iface' => 'Iface', 'ignore filter' => '"Ignorieren"-Filter', 'ike encryption' => 'IKE Verschlüsselung:', @@ -1365,11 +1379,12 @@ 'interface' => 'Schnittstelle', 'interfaces' => 'Interfaces', 'internet' => 'INTERNET', -'intrusion detection' => 'Einbruchdetektierung', -'intrusion detection system' => 'Einbruchsdetektierung', -'intrusion detection system log viewer' => 'Betrachter der IDS-Protokolldateien', -'intrusion detection system rules' => 'Regeln für die Einbruchsdetektierung', -'intrusion detection system2' => 'Intrusion Detection System:', +'intrusion detection' => 'Intrusion-Prevention', +'intrusion detection system' => 'Intrusion-Prevention-System', +'intrusion detection system log viewer' => 'Betrachter der IPS-Protokolldateien', +'intrusion detection system rules' => 'Regelset', +'intrusion detection system2' => 'Intrusion-Prevention-System', +'intrusion prevention system' => 'Intrusion-Prevention-System', 'invalid broadcast ip' => 'Ungültige Broadcast-IP', 'invalid cache size' => 'Ungültige Cache-Größe.', 'invalid characters found in pre-shared key' => 'Ungültige Zeichen im Pre-Shared Schlüssel gefunden.', @@ -1984,6 +1999,7 @@ 'proxy reports today' => 'Heute', 'proxy reports weekly' => 'Wöchentliche Berichte', 'psk' => 'PSK', +'ptr' => 'PTR', 'pulse' => 'Puls', 'pulse dial' => 'Pulswahl:', 'qos add subclass' => 'Unterklasse hinzufügen', 
@@ -2012,7 +2028,7 @@ 'refresh' => 'Aktualisieren', 'refresh index page while connected' => 'Aktualisiere index.cgi Seite während der Verbindung', 'refresh update list' => 'Aktualisiere Update-Liste', -'registered user rules' => 'Sourcefire VRT Regeln für registrierte Benutzer', +'registered user rules' => 'Talos VRT Regeln für registrierte Benutzer', 'released' => 'Freigegeben', 'reload' => 'neu laden', 'remark' => 'Anmerkung', @@ -2059,6 +2075,7 @@ 'rsvd dst port overlap' => 'Dieser Zielportbereich überlappt mit einem Port, der für die ausschließliche Benutzung durch IPFire reserviert ist:', 'rsvd src port overlap' => 'Dieser Quellportbereich überlappt mit einem Port, der für die ausschließliche Benutzung durch IPFire reserviert ist:', 'rules already up to date' => 'Regeln sind schon aktuell', +'runmode' => 'Runmode', 'running' => 'LÄUFT', 'safe removal of umounted device' => 'Sie können gefahrlos das abgemeldete Gerät entfernen', 'samba' => 'Samba', @@ -2141,8 +2158,6 @@ 'smtphost' => 'Smtp Host', 'smtpport' => 'Smtp Port', 'snat new source ip address' => 'Neue Quell-IP-Adresse', -'snort hits' => 'Gesamtanzahl der aktivierten Intrusion-Regeln für', -'snort working' => 'Snort führt gerade eine Aufgabe aus... Bitte warten Sie, bis diese erfolgreich beendet wurde.', 'socket options' => 'Socket Options', 'software version' => 'Software-Version', 'sort ascending' => 'Sortiere aufsteigend', @@ -2174,6 +2189,7 @@ 'ssh access' => 'SSH-Zugriff', 'ssh access tip' => 'IPFire SSH läuft nicht auf dem Standardport 22!', 'ssh active sessions' => 'Aktive Benutzeranmeldungen', +'ssh agent forwarding' => 'Weiterleitung des SSH-Agenten (Agent Forwarding) zulassen', 'ssh fingerprint' => 'Fingerabdruck', 'ssh host keys' => 'SSH Host Schlüssel', 'ssh is disabled' => 'Secure Shell ist deaktiviert. Halte an.', 
@@ -2220,7 +2236,7 @@ 'subnet' => 'Subnet', 'subnet is invalid' => 'Netzmaske ist ungültig', 'subnet mask' => 'Subnetzmaske', -'subscripted user rules' => 'Sourcefire VRT Regeln mit Abonnement', +'subscripted user rules' => 'Talos VRT Regeln mit Abonnement', 'successfully refreshed updates list' => 'Update-Liste erfolgreich aktualisiert.', 'summaries kept' => 'Zusammenfassungen aufheben für', 'sunday' => 'Sonntag', @@ -2232,6 +2248,7 @@ 'system has hwrng' => 'Dieses System hat einen Hardware-Zufallszahlengenerator.', 'system has rdrand' => 'Dieses System unterstützt Intel(R) RDRAND.', 'system information' => 'Systeminformationen', +'system is offline' => 'Das System ist offline.', 'system log viewer' => 'Betrachter der Systemprotokolldateien', 'system logs' => 'Systemprotokolldateien', 'system status information' => 'System-Statusinformationen', @@ -2381,6 +2398,7 @@ 'unnamed' => 'Unbenannt', 'update' => 'Aktualisieren', 'update accelerator' => 'Update-Accelerator', +'update ruleset' => 'Regelsatz aktualisieren', 'update time' => 'Aktualisiere die Uhrzeit:', 'update transcript' => 'Aktualisieren', 'updatedatabase' => 'Datenbank auf Stand der letzten Reports setzen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 7697dc202..98e99f150 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -83,6 +83,8 @@ 'ConnSched time' => 'Time:', 'ConnSched up' => 'Up', 'ConnSched weekdays' => 'Days of the week:', +'Daily' => 'Daily', +'Disabled' => 'Disabled', 'Edit an existing route' => 'Edit an existing route', 'Enter TOS' => 'Activate or deactivate TOS-bits <br /> and then press <i>Save</i>.', 'Existing Files' => 'Files in database', 
@@ -121,6 +123,7 @@ 'Utilization on' => 'Utilization on', 'Verbose' => 'Verbose:', 'WakeOnLan' => 'Wake On Lan', +'Weekly' => 'Weekly', 'a ca certificate with this name already exists' => 'A CA certificate with this name already exists.', 'a connection with this common name already exists' => 'A connection with this common name already exists.', 'a connection with this name already exists' => 'A connection with this name already exists.', @@ -783,10 +786,10 @@ 'dhcp configuration' => 'DHCP configuration', 'dhcp create fixed leases' => 'Create fixed leases', 'dhcp dns enable update' => 'Enable DNS Update (RFC2136):', -'dhcp dns key name' => 'Key Name:', +'dhcp dns key name' => 'Key Name', 'dhcp dns update' => 'DNS Update', -'dhcp dns update algo' => 'Algorithm:', -'dhcp dns update secret' => 'Secret:', +'dhcp dns update algo' => 'Algorithm', +'dhcp dns update secret' => 'Secret', 'dhcp fixed lease err1' => 'For a fix lease you have to enter the MAC address or the hostname, or you enter both.', 'dhcp fixed lease help1' => 'IP Addresses might be entered as FQDN', 'dhcp mode' => 'DHCP', @@ -848,6 +851,7 @@ 'dnsforward' => 'DNS Forwarding', 'dnsforward add a new entry' => 'Add a new entry', 'dnsforward configuration' => 'DNS forward configuration', +'dnsforward dnssec disabled' => 'DNSSEC Validation is disabled', 'dnsforward edit an entry' => 'Edit an existing entry', 'dnsforward entries' => 'Current entries', 'dnsforward forward_servers' => 'Nameservers', @@ -951,6 +955,7 @@ 'email tls' => 'Use TLS', 'email usemail' => 'Activate Mail Service', 'emailreportlevel' => 'E-mailreportlevel', +'emerging pro rules' => 'Emergingthreats.net Pro Rules', 'emerging rules' => 'Emergingthreats.net Community Rules', 'empty' => 'This field may be left blank', 'empty profile' => 'empty', 
@@ -1288,6 +1293,7 @@ 'generate a certificate' => 'Generate a certificate:', 'generate dh key' => 'Generate Diffie-Hellman parameters', 'generate iso' => 'Generate ISO', +'generate ptr' => 'Generate PTR', 'generate root/host certificates' => 'Generate root/host certificates', 'generate tripwire keys and init' => 'generate tripwire keys and init', 'generatekeys' => 'Generate Keys', 
@@ -1357,14 +1363,26 @@ 'idle' => 'Idle', 'idle timeout' => 'Idle timeout (mins; 0 to disable):', 'idle timeout not set' => 'Idle timeout not set.', -'ids log viewer' => 'IDS log viewer', -'ids logs' => 'IDS Logs', -'ids preprocessor' => 'IDS preprocessor', -'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on', -'ids rules license1' => '.', -'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to', -'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.', -'ids rules update' => 'Snort rules update', +'ids apply' => 'Apply', +'ids apply ruleset changes' => 'The ruleset changes are being applied. Please wait until all operations have completed successfully...', +'ids automatic rules update' => 'Automatic Rule Update', +'ids download new ruleset' => 'Downloading and unpacking new ruleset. Please wait until all operations have completed successfully...', +'ids enable' => 'Enable Intrusion Prevention System', +'ids hide' => 'Hide', +'ids ignored hosts' => 'Whitelisted Hosts', +'ids log hits' => 'Total of number of activated rules for', +'ids log viewer' => 'IPS Log Viewer', +'ids logs' => 'IPS Logs', +'ids monitor traffic only' => 'Monitor traffic only', +'ids monitored interfaces' => 'Monitored Interfaces', +'ids no network zone' => 'Please select at least one network zone to be monitored', +'ids no ruleset available' => 'No ruleset is available. Please download one first', +'ids oinkcode required' => 'The selected ruleset requires a subscription or an Oinkcode', +'ids rules update' => 'Ruleset', +'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...', +'ids ruleset settings' => 'Ruleset Settings', +'ids show' => 'Show', +'ids working' => 'Changes are being applied. 
Please wait until all operations have completed successfully...', 'iface' => 'Iface', 'ignore filter' => 'Ignore filter', 'ike encryption' => 'IKE Encryption:', @@ -1399,11 +1417,12 @@ 'interface mode' => 'Interface', 'interfaces' => 'Interfaces', 'internet' => 'INTERNET', -'intrusion detection' => 'Intrusion Detection', -'intrusion detection system' => 'Intrusion Detection System', -'intrusion detection system log viewer' => 'Intrusion Detection System Log Viewer', -'intrusion detection system rules' => 'intrusion detection system rules', -'intrusion detection system2' => 'Intrusion Detection System:', +'intrusion detection' => 'Intrusion Prevention', +'intrusion detection system' => 'Intrusion Prevention System', +'intrusion detection system log viewer' => 'Intrusion Prevention System Log Viewer', +'intrusion detection system rules' => 'Ruleset', +'intrusion detection system2' => 'Intrusion Prevention System', +'intrusion prevention system' => 'Intrusion Prevention System', 'invalid broadcast ip' => 'Invalid broadcast IP', 'invalid cache size' => 'Invalid cache size.', 'invalid characters found in pre-shared key' => 'Invalid characters found in pre-shared key.', @@ -2018,6 +2037,7 @@ 'proxy reports today' => 'Today', 'proxy reports weekly' => 'Weekly reports', 'psk' => 'PSK', +'ptr' => 'PTR', 'pulse' => 'Pulse', 'pulse dial' => 'Pulse dial:', 'qos add subclass' => 'Add subclass', @@ -2047,7 +2067,7 @@ 'refresh' => 'Refresh', 'refresh index page while connected' => 'Refresh index.cgi page while connected', 'refresh update list' => 'Refresh update list', -'registered user rules' => 'Sourcefire VRT rules for registered users', +'registered user rules' => 'Talos VRT rules for registered users', 'released' => 'Released', 'reload' => 'reload', 'remark' => 'Remark', 
@@ -2094,6 +2114,7 @@ 'rsvd dst port overlap' => 'Destination Port Range overlaps a port reserved for IPFire:', 'rsvd src port overlap' => 'Source Port Range overlaps a port reserved for IPFire:', 'rules already up to date' => 'Rules already up to date', +'runmode' => 'Runmode', 'running' => 'RUNNING', 'safe removal of umounted device' => 'You can safely remove the unmounted device', 'samba' => 'Samba', @@ -2180,8 +2201,6 @@ 'smtphost' => 'SMTP host', 'smtpport' => 'SMTP port', 'snat new source ip address' => 'New source IP address', -'snort hits' => 'Total of number of Intrusion rules activated for', -'snort working' => 'Snort is working ... Please wait until all operations have completed successfully.', 'socket options' => 'Socket options', 'software version' => 'Software Version', 'sort ascending' => 'Sort ascending', @@ -2213,6 +2232,7 @@ 'ssh access' => 'SSH Access', 'ssh access tip' => 'IPFire SSH is not using default port 22!', 'ssh active sessions' => 'Active logins', +'ssh agent forwarding' => 'Allow SSH Agent Forwarding', 'ssh fingerprint' => 'Fingerprint', 'ssh host keys' => 'SSH Host Keys', 'ssh is disabled' => 'SSH is disabled. Stopping.', @@ -2259,7 +2279,7 @@ 'subnet' => 'Subnet', 'subnet is invalid' => 'Netmask is invalid', 'subnet mask' => 'Subnet Mask', -'subscripted user rules' => 'Sourcefire VRT rules with subscription', +'subscripted user rules' => 'Talos VRT rules with subscription', 'successfully refreshed updates list' => 'Successfully refreshed updates list.', 'summaries kept' => 'Keep summaries for', 'sunday' => 'Sunday', @@ -2271,6 +2291,7 @@ 'system has hwrng' => 'This system has a hardware random number generator.', 'system has rdrand' => 'This system has support for Intel(R) RDRAND.', 'system information' => 'System Information', +'system is offline' => 'The system is offline.', 'system log viewer' => 'System Log Viewer', 'system logs' => 'System Logs', 'system status information' => 'System Status Information', 
@@ -2423,6 +2444,7 @@ 'unnamed' => 'Unnamed', 'update' => 'Update', 'update accelerator' => 'Update Accelerator', +'update ruleset' => 'Update ruleset', 'update time' => 'Update the time:', 'update transcript' => 'Update transcript', 'updatedatabase' => 'Update Database with last report', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index ede7b661d..23bc20727 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -1474,7 +1474,7 @@ 'refresh' => 'Actualizar', 'refresh index page while connected' => 'Actualizar la página index.cgi cuando esté conectado', 'refresh update list' => 'Recargar página de actualizaciones', -'registered user rules' => 'Reglas VRT sourcefire para usuarios registrados', +'registered user rules' => 'Reglas VRT talos para usuarios registrados', 'released' => 'Liberado', 'reload' => 'recargar', 'remark' => 'Remarcar', @@ -1669,7 +1669,7 @@ 'subject warn' => 'Advertencia. Se ha alcanzado un nível que requiere su atencion', 'subnet' => 'Subred', 'subnet is invalid' => 'Máscara de red no es válida', -'subscripted user rules' => 'Reglas VRT sourcefire con suscripción', +'subscripted user rules' => 'Reglas VRT talos con suscripción', 'successfully refreshed updates list' => 'Las listas de actualizaciones se refrescaron exitosamente.', 'summaries kept' => 'Mantener sumarios para', 'sunday' => 'Domingo', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 745066715..b4ecf32fa 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -2028,7 +2028,7 @@ 'refresh' => 'Rafraîchir', 'refresh index page while connected' => 'Rafraîchir la page index.cgi tout en restant connecté', 'refresh update list' => 'Rafraîchir la liste des mises à jour', -'registered user rules' => 'Règles Sourcefire VRT pour les utilisateurs enregistrés', +'registered user rules' => 'Règles Talos VRT pour les utilisateurs enregistrés', 'released' => 'Disponible', 'reload' => 'Recharger', 'remark' => 'Remarque ', 
@@ -2239,7 +2239,7 @@ 'subject warn' => 'Attention - Le niveau d'alerte a été atteint', 'subnet' => 'Sous-réseau', 'subnet is invalid' => 'Le masque réseau est non valide', -'subscripted user rules' => 'Règles Sourcefire VRT avec abonnement', +'subscripted user rules' => 'Règles Talos VRT avec abonnement', 'successfully refreshed updates list' => 'La liste des mises à jour a été rafraîchie avec succès.', 'summaries kept' => 'Conserver pour les résumés', 'sunday' => 'Dimanche', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 02e047bb3..6c9137c28 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -1872,7 +1872,7 @@ 'refresh' => 'Aggiorna', 'refresh index page while connected' => 'Aggiorna la pagina index.cgi mentre si é collegati', 'refresh update list' => 'Refresh update list', -'registered user rules' => 'Sourcefire VRT rules for registered users', +'registered user rules' => 'Talos VRT rules for registered users', 'released' => 'Released', 'reload' => 'reload', 'remark' => 'Commento', @@ -2075,7 +2075,7 @@ 'subject warn' => 'Warning - warnlevel reached', 'subnet' => 'Subnet', 'subnet is invalid' => 'Netmask is invalid', -'subscripted user rules' => 'Sourcefire VRT rules with subscription', +'subscripted user rules' => 'Talos VRT rules with subscription', 'successfully refreshed updates list' => 'Successfully refreshed updates list.', 'summaries kept' => 'Tenere il sommaro per', 'sunday' => 'Domenica', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index 49c0cced6..5fa89b1ac 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl 
@@ -1824,7 +1824,7 @@ 'refresh' => 'Ververs', 'refresh index page while connected' => 'Ververs de index.cgi pagina terwijl verbonden', 'refresh update list' => 'Ververs update-lijst', -'registered user rules' => 'Sourcefire VRT regels voor geregistreerde gebruikers', +'registered user rules' => 'Talos VRT regels voor geregistreerde gebruikers', 'released' => 'Released', 'reload' => 'herlaad', 'remark' => 'Opmerking', @@ -2023,7 +2023,7 @@ 'subject warn' => 'Waarschuwing – waarschuwingsniveau bereikt', 'subnet' => 'Subnet', 'subnet is invalid' => 'Netmasker is ongeldig', -'subscripted user rules' => 'Sourcefire VRT regels met abonnement', +'subscripted user rules' => 'Talos VRT regels met abonnement', 'successfully refreshed updates list' => 'Lijst succesvol bijgewerkt.', 'summaries kept' => 'Bewaar samenvattingen voor', 'sunday' => 'Zondag', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index e2f9da5c0..521381af2 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -1486,7 +1486,7 @@ 'refresh' => 'Odśwież', 'refresh index page while connected' => 'Odśwież stronę index.cgi po połączeniu', 'refresh update list' => 'Odśwież listę aktualizacji', -'registered user rules' => 'Reguły Sourcefire VRT dla zarejestrowanych użytkowników', +'registered user rules' => 'Reguły Talos VRT dla zarejestrowanych użytkowników', 'released' => 'Opublikowany', 'reload' => 'wczytaj', 'remark' => 'Komentarz', @@ -1681,7 +1681,7 @@ 'subject warn' => 'Ostrzeżenie - osiągnięto poziom ostrzeżenia', 'subnet' => 'Podsieć', 'subnet is invalid' => 'Maska sieci jest niepoprawna', -'subscripted user rules' => 'Reguły Sourcefire VRT z subskrypcją', +'subscripted user rules' => 'Reguły Talos VRT z subskrypcją', 'successfully refreshed updates list' => 'Pomyślnie odświeżono listę aktualizacji.', 'summaries kept' => 'Przechowuj podsumowania przez', 'sunday' => 'Niedziela', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 4b0edb582..9ac46d459 100644 
--- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -1481,7 +1481,7 @@ 'refresh' => 'Обновить', 'refresh index page while connected' => 'Обновлять index.cgi при подключении', 'refresh update list' => 'Refresh update list', -'registered user rules' => 'Sourcefire VRT rules for registered users', +'registered user rules' => 'Talos VRT rules for registered users', 'released' => 'Released', 'reload' => 'reload', 'remark' => 'Пояснение', @@ -1676,7 +1676,7 @@ 'subject warn' => 'Warning - warnlevel reached', 'subnet' => 'Subnet', 'subnet is invalid' => 'Netmask is invalid', -'subscripted user rules' => 'Sourcefire VRT rules with subscription', +'subscripted user rules' => 'Talos VRT rules with subscription', 'successfully refreshed updates list' => 'Successfully refreshed updates list.', 'summaries kept' => 'Хранить', 'sunday' => 'Воскресенье', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 114d0a297..1917b8241 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -779,10 +779,10 @@ 'dhcp configuration' => 'DHCP yapılandırması', 'dhcp create fixed leases' => 'Sabit kiralama oluştur', 'dhcp dns enable update' => 'DNS güncelleştirmesini aktifleştir (RFC2136):', -'dhcp dns key name' => 'Anahtar adı:', +'dhcp dns key name' => 'Anahtar adı', 'dhcp dns update' => 'DNS güncelleme', -'dhcp dns update algo' => 'Algoritma:', -'dhcp dns update secret' => 'Gizli:', +'dhcp dns update algo' => 'Algoritma', +'dhcp dns update secret' => 'Gizli', 'dhcp fixed lease err1' => 'Bu düzeltme için MAC adresini, ana bilgisayar adını veya her ikisinide girmeniz gerekir', 'dhcp fixed lease help1' => 'IP adresleri tam tanımlanmış alan adları (FQDN) şeklinde girilmelidir.', 'dhcp mode' => 'DHCP', diff --git a/lfs/borgbackup b/lfs/borgbackup index a00a059b5..be472311b 100644 --- a/lfs/borgbackup +++ b/lfs/borgbackup @@ -24,7 +24,7 @@
include Config
-VER = 1.0.12 +VER = 1.1.9
THISAPP = borgbackup-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = borgbackup -PAK_VER = 1 +PAK_VER = 2
DEPS = "python3 python3-llfuse python3-msgpack"
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 7bd9fa82a517d559d56a4e1ff5965bc8 +$(DL_FILE)_MD5 = 0fda2c1f636754d0748569bff67a6836
install : $(TARGET)
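Review bot: In lfs/borgbackup, the `$(DL_FILE)_MD5` line is the only integrity pin for the new 1.1.9 tarball, and MD5 no longer offers collision resistance. Since this hunk replaces the digest anyway, consider recording a SHA-256 (or stronger) digest for the tarball alongside it, so the download check does not rest on MD5 alone. The jump from 1.0.12 to 1.1.9 also leaves `DEPS = "python3 python3-llfuse python3-msgpack"` untouched; a line in the commit message confirming the dependency set was rechecked for the new release would help.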
diff --git a/lfs/configroot b/lfs/configroot index 4e6751eee..33e89e06b 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -54,7 +54,7 @@ $(TARGET) : ethernet extrahd/bin fwlogs fwhosts firewall isdn key langs logging mac main \ menu.d modem optionsfw \ ovpn patches pakfire portfw ppp private proxy/advanced/cre \ - proxy/calamaris/bin qos/bin red remote sensors snort time \ + proxy/calamaris/bin qos/bin red remote sensors suricata time \ updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \ wakeonlan wireless ; do \ mkdir -p $(CONFIG_ROOT)/$$i; \ @@ -69,7 +69,7 @@ $(TARGET) : isdn/settings mac/settings main/hosts main/routing main/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \ - qos/tosconfig snort/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ + qos/tosconfig suricata/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \ vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \ touch $(CONFIG_ROOT)/$$i; \ done @@ -80,6 +80,7 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/network-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/geoip-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/aws-functions.pl $(CONFIG_ROOT)/ + cp $(DIR_SRC)/config/cfgroot/ids-functions.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/ cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/ @@ -132,6 +133,9 @@ $(TARGET) : echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
+ # Install snort to suricata converter. + cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort + # Add conntrack helper default settings for proto in FTP H323 IRC SIP TFTP; do \ echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ diff --git a/lfs/dnsdist b/lfs/dnsdist index 3e10c9eb2..5963c5acd 100644 --- a/lfs/dnsdist +++ b/lfs/dnsdist @@ -24,7 +24,7 @@
include Config
-VER = 0.0.498gac688af +VER = 1.3.3
THISAPP = dnsdist-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -33,11 +33,11 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) SUP_ARCH = x86_64 i586 PROG = dnsdist -PAK_VER = 1 +PAK_VER = 2
DEPS = ""
-MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512))) +MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 1024)))
############################################################################### # Top-level Rules @@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = b1bc53b3a35aef7006b74086919847bf +$(DL_FILE)_MD5 = 6bbcdf5296ac5303e88d779d1d57a4df
install : $(TARGET)
@@ -80,13 +80,23 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --enable-openssl \ + --disable-gnutls \ + --with-lua \ + --without-net-snmp + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
#install initscripts $(call INSTALL_INITSCRIPT,dnsdist)
+ install -v -m 644 $(DIR_SRC)/config/backup/includes/dnsdist \ + /var/ipfire/backup/addons/includes/dnsdist + @rm -rf $(DIR_APP) @$(POSTBUILD)
diff --git a/lfs/firmware-update b/lfs/firmware-update new file mode 100644 index 000000000..53e8f039f --- /dev/null +++ b/lfs/firmware-update 
@@ -0,0 +1,85 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 20190329 + +THISAPP = firmware-update-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = https://source.ipfire.org/releases/firmware-update/ +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = firmware-update +PAK_VER = 1 + +DEPS = "flashrom" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 493f6d678bd9d3c7f35b25256e423ad2 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, 
checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh + cd $(DIR_APP) && ./configure --prefix=/usr + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/flashrom b/lfs/flashrom new file mode 100644 index 000000000..5d1753591 --- /dev/null +++ b/lfs/flashrom 
@@ -0,0 +1,83 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.0.1 + +THISAPP = flashrom-v$(VER) +DL_FILE = $(THISAPP).tar.bz2 +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = flashrom +PAK_VER = 1 + +DEPS = "" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 6a108a81db229016abd7f5397da39255 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum 
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install PREFIX=/usr + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/freeradius b/lfs/freeradius index 8435684df..604116f6c 100644 --- a/lfs/freeradius +++ b/lfs/freeradius @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,18 +24,22 @@
include Config
-VER = 3.0.14 +VER = 3.0.18
THISAPP = freeradius-server-$(VER) -DL_FILE = $(THISAPP).tar.gz +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = freeradius -PAK_VER = 3 +PAK_VER = 5
DEPS = "samba"
+ifeq "$(BUILD_ARCH)" "armv5tel" + LDFLAGS += -latomic +endif + ############################################################################### # Top-level Rules ############################################################################### @@ -44,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 71f0593f68e6d4dd2efc47a61219643d +$(DL_FILE)_MD5 = 05f0c8c7ac79659f808ff31751daa857
install : $(TARGET)
@@ -76,7 +80,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && \ ./configure \ @@ -94,7 +98,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --without-rlm_sql_db2 \ --without-rlm_sql_oracle \ --without-rlm_sql_sqlite \ - --without-rlm_sql_mysql + --without-rlm_sql_mysql \ + LDFLAGS="$(LDFLAGS)"
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/lfs/gnutls b/lfs/gnutls index 8e6b54236..6d24800b8 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,10 +24,11 @@
include Config
-VER = 3.5.19 +VER = 3.6.7 +SUBVER = .1
THISAPP = gnutls-$(VER) -DL_FILE = $(THISAPP).tar.xz +DL_FILE = $(THISAPP)$(SUBVER).tar.xz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1002f4099ce11d785e9811099aaa59a6 +$(DL_FILE)_MD5 = 92a8049e618afa60e2c852da1884c457
install : $(TARGET)
diff --git a/lfs/haproxy b/lfs/haproxy index ac531bede..3bdbd28fa 100644 --- a/lfs/haproxy +++ b/lfs/haproxy @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = haproxy -PAK_VER = 9 +PAK_VER = 10
DEPS = ""
diff --git a/lfs/hostapd b/lfs/hostapd index 233863646..64ff28e4b 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 44 +PAK_VER = 45
DEPS = ""
diff --git a/lfs/ids-ruleset-sources b/lfs/ids-ruleset-sources new file mode 100644 index 000000000..d55b1a074 --- /dev/null +++ b/lfs/ids-ruleset-sources @@ -0,0 +1,53 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = ipfire + +THISAPP = ids-ruleset-sources +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +install : $(TARGET) + +check : + +download : + +md5 : + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : + @$(PREBUILD) + # Simple install the ruleset sources file. + install -m 644 $(DIR_SRC)/config/suricata/ruleset-sources \ + /var/ipfire/suricata/ + @$(POSTBUILD) 
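Review bot: in lfs/ids-ruleset-sources the `install -m 644 ... /var/ipfire/suricata/` step assumes the target directory already exists, and nothing in this new file creates it, so the step fails if this target runs before whatever creates `/var/ipfire/suricata`. Add a `mkdir -p /var/ipfire/suricata` ahead of the install, or a comment naming the target that provides the directory. Two smaller points: the recipe comment should read "Simply install", and the header reuses the `Copyright (C) 2007 Michael Tremer & Christian Schmidt` line where the other files touched in this push carry `2007-2019 IPFire Team`.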
diff --git a/lfs/initscripts b/lfs/initscripts index c053b7115..055e106d0 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -121,8 +121,8 @@ $(TARGET) : ln -sf ../init.d/fcron /etc/rc.d/rc0.d/K08fcron ln -sf ../init.d/fcron /etc/rc.d/rc3.d/S40fcron ln -sf ../init.d/fcron /etc/rc.d/rc6.d/K08fcron - ln -sf ../init.d/snort /etc/rc.d/rc0.d/K78snort - ln -sf ../init.d/snort /etc/rc.d/rc6.d/K78snort + ln -sf ../init.d/suricata /etc/rc.d/rc0.d/K78suricata + ln -sf ../init.d/suricata /etc/rc.d/rc6.d/K78suricata ln -sf ../init.d/network /etc/rc.d/rc0.d/K80network ln -sf ../init.d/network /etc/rc.d/rc3.d/S20network ln -sf ../init.d/network /etc/rc.d/rc6.d/K80network @@ -188,8 +188,6 @@ $(TARGET) : ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient
- ln -sf ../../../../../usr/local/bin/snortctrl \ - /etc/rc.d/init.d/networking/red.up/23-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/24-RS-qos ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid diff --git a/lfs/snort b/lfs/libcap-ng similarity index 74% rename from lfs/snort rename to lfs/libcap-ng index c66a0dd1a..0cbe3e634 100644 --- a/lfs/snort +++ b/lfs/libcap-ng @@ -24,9 +24,9 @@
include Config
-VER = 2.9.12 +VER = 0.7.9
-THISAPP = snort-$(VER) +THISAPP = libcap-ng-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3a305d9c44bd0319aa50783a60c8947f +$(DL_FILE)_MD5 = 2398d695508fab9ce33668c53a89b0e9
install : $(TARGET)
@@ -69,37 +69,12 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) $(DIR_SRC)/snort* && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ - --sysconfdir=/etc/snort \ - --target=i586 \ - --enable-linux-smp-stats \ - --disable-open-appid \ - --enable-gre \ - --enable-mpls \ - --enable-targetbased \ - --enable-ppm \ - --enable-non-ether-decoders \ - --enable-perfprofiling \ - --enable-active-response \ - --enable-normalizer \ - --enable-reload \ - --enable-react \ - --enable-flexresp3 + --disable-static
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - mv /usr/bin/snort /usr/sbin/ - -mkdir -p /etc/snort/rules - - cd $(DIR_APP) && install -m 0644 \ - etc/reference.config etc/classification.config /etc/snort/rules - cd $(DIR_APP) && install -m 0644 etc/unicode.map /etc/snort - install -m 0644 $(DIR_SRC)/config/snort/snort.conf /etc/snort - cp /etc/snort/snort.conf /etc/snort/snort.conf.template - chown -R nobody:nobody /etc/snort - -mkdir -p /var/log/snort - chown -R snort:snort /var/log/snort - @rm -rf $(DIR_APP) $(DIR_SRC)/snort* + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/libhtp b/lfs/libhtp new file mode 100644 index 000000000..212514dfb --- /dev/null +++ b/lfs/libhtp 
@@ -0,0 +1,80 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2015 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.5.29 + +THISAPP = libhtp-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 5feb73647723db5b458d00faddb30954 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./autogen.sh + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-static + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/linux b/lfs/linux index 5dde9bdf0..974c2a2f4 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,8 +24,8 @@
include Config
-VER = 4.14.103 -ARM_PATCHES = 4.14.103-ipfire0 +VER = 4.14.113 +ARM_PATCHES = 4.14.113-ipfire0
THISAPP = linux-$(VER) DL_FILE = linux-$(VER).tar.xz @@ -34,7 +34,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) CFLAGS = CXXFLAGS =
-PAK_VER = 81 +PAK_VER = 82 DEPS = ""
HEADERS_ARCH = $(BUILD_PLATFORM) @@ -82,8 +82,8 @@ objects =$(DL_FILE) \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_MD5 = 7092950433828a3dbe62a981decfd4f8 -arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 1cda52264dad96fcba65bd335fbbfa95 +$(DL_FILE)_MD5 = fd34a25839945f902f0c6d694d42ea7f +arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 51eab5175bf8f0ad986006c74e60b472
install : $(TARGET)
@@ -128,7 +128,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/v4l-dvb_fix_tua6034_pll.patch
# Wlan Patches - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.8-ath_ignore_eeprom_regd.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14_ath_user_regd.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.8-iwlwifi-noibss_only_on_radar_chan.patch
# Add LED trigger diff --git a/lfs/lua b/lfs/lua index 9217e8bac..e70b9cd00 100644 --- a/lfs/lua +++ b/lfs/lua @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 5.3.0 +VER = 5.3.5
THISAPP = lua-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = a1b0a7e92d0c85bbff7a8d27bf29f8af +$(DL_FILE)_MD5 = 4f4b4f323fd3514a68e0ab3da8ce3455
install : $(TARGET)
@@ -71,7 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && cp -v src/luaconf.h src/luaconf.h.template.in - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lua-5.3.0-autotoolize.patch + + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lua/lua-5.3.5-autotoolize.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lua/lua-5.3.5-shared_library-1.patch + cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) diff --git a/lfs/nettle b/lfs/nettle index 2d3f4864e..36f247d34 100644 --- a/lfs/nettle +++ b/lfs/nettle @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 3.3 +VER = 3.4.1
THISAPP = nettle-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 10f969f78a463704ae73529978148dbe +$(DL_FILE)_MD5 = 9bdebb0e2f638d3b9d91f7fc264b70c1
install : $(TARGET)
diff --git a/lfs/nginx b/lfs/nginx index f6496196c..5a24678c8 100644 --- a/lfs/nginx +++ b/lfs/nginx @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.15.1 +VER = 1.15.9
THISAPP = nginx-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nginx -PAK_VER = 8 +PAK_VER = 9
############################################################################### # Top-level Rules @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 2dd5a265c54a76b699443931d80a61b9 +$(DL_FILE)_MD5 = 00dde20d4d2cc65bdaf8950a5bd3e14b
install : $(TARGET)
@@ -99,7 +99,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --with-http_stub_status_module \ --with-http_dav_module \ --with-http_sub_module \ + --with-http_v2_module \ --with-pcre + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install mkdir -p /var/log/nginx /var/spool/nginx diff --git a/lfs/ntp b/lfs/ntp index 8f845409c..040a0c2ae 100644 --- a/lfs/ntp +++ b/lfs/ntp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 4.2.8p12 +VER = 4.2.8p13
THISAPP = ntp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1522d66574bae14abb2622746dad2bdc +$(DL_FILE)_MD5 = ea040ab9b4ca656b5229b89d6b822f13
install : $(TARGET)
diff --git a/lfs/nut b/lfs/nut index c1f019274..1502c63cb 100644 --- a/lfs/nut +++ b/lfs/nut @@ -80,7 +80,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc/nut \ --with-usb --with-user=root --with-group=nut \ --with-wrap=no --with-udev-dir=/etc/udev - cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make #$(MAKETUNING) cd $(DIR_APP) && make install # sed -i -e "s|ATTR{|SYSFS{|g" /etc/udev/rules.d/52-nut-usbups.rules mkdir -p /var/state/ups diff --git a/lfs/oinkmaster b/lfs/oinkmaster index 3403eb837..51b99ecec 100644 --- a/lfs/oinkmaster +++ b/lfs/oinkmaster @@ -71,8 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-2.0-add_community_rules.patch cd $(DIR_APP) && chown nobody:nobody oinkmaster.pl - cd $(DIR_APP) && cp -f oinkmaster.conf /var/ipfire/snort/ - cd /var/ipfire/snort && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-tmp.patch + cd $(DIR_APP) && install -m 0644 $(DIR_SRC)/config/oinkmaster/oinkmaster.conf \ + /var/ipfire/suricata/ + cd /var/ipfire/suricata && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-tmp.patch cd $(DIR_APP) && install -m 0755 oinkmaster.pl /usr/local/bin/ @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/pcengines-apu-firmware b/lfs/pcengines-apu-firmware new file mode 100644 index 000000000..f318a60a6 --- /dev/null +++ b/lfs/pcengines-apu-firmware 
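Review bot: in lfs/oinkmaster, `oinkmaster-tmp.patch` is still applied in `/var/ipfire/suricata` even though the config it patches now comes from the in-tree `$(DIR_SRC)/config/oinkmaster/oinkmaster.conf` rather than from the unpacked tarball. If the patch only adjusts that file, fold the change into the tree copy and drop the patch step, so the installed config matches what is under `config/`; otherwise add a comment saying why both are needed. The `cd $(DIR_APP) &&` prefix on the added install line also looks unnecessary, since neither argument is relative to that directory.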
@@ -0,0 +1,97 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 4.9.0.3 + +THISAPP = pcengines-apu-firmware-$(VER) +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) +PROG = pcengines-apu-firmware +PAK_VER = 1 + +DEPS = "firmware-update" + +############################################################################### +# Top-level Rules +############################################################################### + +objects = \ + apu1_v$(VER).rom \ + apu2_v$(VER).rom \ + apu3_v$(VER).rom \ + apu4_v$(VER).rom \ + apu5_v$(VER).rom + +apu1_v$(VER).rom = $(DL_FROM)/apu1_v$(VER).rom +apu2_v$(VER).rom = $(DL_FROM)/apu2_v$(VER).rom +apu3_v$(VER).rom = $(DL_FROM)/apu3_v$(VER).rom +apu4_v$(VER).rom = $(DL_FROM)/apu4_v$(VER).rom +apu5_v$(VER).rom = $(DL_FROM)/apu5_v$(VER).rom + +apu1_v$(VER).rom_MD5 = eb446600520f9abc3704cd806cbf160f 
+apu2_v$(VER).rom_MD5 = c61e10a6b2f76c8ada4e81f9e654decd +apu3_v$(VER).rom_MD5 = d1390d76d0ee18912825fd95b08e3f26 +apu4_v$(VER).rom_MD5 = c36cc13a1ba196b33eb85592bd44fad7 +apu5_v$(VER).rom_MD5 = da69300aed63e89e827f1e3ee3adc06d + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +dist: + @$(PAK) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + + # Install firmware to /lib/firmware + mkdir -pv /lib/firmware/pcengines/apu + cd $(DIR_DL) && install -v -m 644 $(objects) \ + /lib/firmware/pcengines/apu + + @$(POSTBUILD) diff --git a/lfs/postfix b/lfs/postfix index c34162d41..41ac90879 100644 --- a/lfs/postfix +++ b/lfs/postfix @@ -24,7 +24,7 @@
include Config
-VER = 3.4.3 +VER = 3.4.5
THISAPP = postfix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = postfix -PAK_VER = 19 +PAK_VER = 20
DEPS = ""
@@ -66,7 +66,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 7f539d5497f4cb0c3f5b66227aaeb561 +$(DL_FILE)_MD5 = 093109941095390562166de766d4720d
install : $(TARGET)
diff --git a/lfs/rrdtool b/lfs/rrdtool index 36d373d2c..9244bc75a 100644 --- a/lfs/rrdtool +++ b/lfs/rrdtool @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.6.0 +VER = 1.7.1
THISAPP = rrdtool-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4ff52cc44b935b02d2742e6875094da5 +$(DL_FILE)_MD5 = 5f6133630324efe82c8dcefab2056818
install : $(TARGET)
@@ -75,6 +75,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --disable-rrdcgi \ --enable-perl \ --enable-perl-site-install \ + --disable-lua \ --disable-tcl \ --disable-ruby \ --disable-python diff --git a/lfs/suricata b/lfs/suricata new file mode 100644 index 000000000..d7b5b71d6 --- /dev/null +++ b/lfs/suricata 
@@ -0,0 +1,118 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 4.1.3 + +THISAPP = suricata-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 35c4a8e6be3910831649a073950195df + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --enable-gccprotect \ + --disable-gccmarch-native \ + --enable-non-bundled-htp \ + --enable-nfqueue \ + --disable-static \ + --disable-python \ + --disable-suricata-update + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + cd $(DIR_APP) && make install-conf + + # Remove default suricata config file. + rm -rvf /etc/suricata/suricata.yaml + + # Install IPFire related config file. + install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata + + # Remove shipped rules. + rm -rvf /usr/share/suricata + + # Create emtpy rules directory. + -mkdir -p /var/lib/suricata + + # Move config files for references, threshold and classification + # to the rules directory. + mv /etc/suricata/*.config /var/lib/suricata + + # Set correct permissions for the files. + chmod 644 /var/lib/suricata/*.config + + # Set correct ownership for /var/lib/suricata and the + # contained files + chown -R nobody:nobody /var/lib/suricata + + # Create logging directory. + -mkdir -p /var/log/suricata + + # Set correct ownership for /var/log/suricata. + chown suricata:suricata /var/log/suricata + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/tor b/lfs/tor index 384b1b213..2b0e0903a 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 34 +PAK_VER = 35
DEPS = ""
@@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ - --with-tor-user=nobody \ - --with-tor-group=nobody + --with-tor-user=tor \ + --with-tor-group=tor
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/lfs/unbound b/lfs/unbound index b090010d4..87666dfce 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.9.0 +VER = 1.9.1
THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1026159991a3883518525bc18e25582f +$(DL_FILE)_MD5 = 5d954920d192b33f7c88f015dd969940
install : $(TARGET)
diff --git a/lfs/wireless-regdb b/lfs/wireless-regdb index 84cad32ea..182f0371f 100644 --- a/lfs/wireless-regdb +++ b/lfs/wireless-regdb @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2014.11.18 +VER = 2019.03.01
THISAPP = wireless-regdb-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -41,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d750c402c5510add7380edcb1d9b75b2 +$(DL_FILE)_MD5 = b5eb2d0cc23f5e495a59405e34ce437f
install : $(TARGET)
diff --git a/lfs/daq b/lfs/yaml similarity index 93% rename from lfs/daq rename to lfs/yaml index 4e9e1c935..81cdd4fd1 100644 --- a/lfs/daq +++ b/lfs/yaml @@ -24,9 +24,9 @@
include Config
-VER = 2.0.6 +VER = 0.2.1
-THISAPP = daq-$(VER) +THISAPP = yaml-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 2cd6da422a72c129c685fc4bb848c24c +$(DL_FILE)_MD5 = 72724b9736923c517e5a8fc6757ef03d
install : $(TARGET)
@@ -70,8 +70,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./configure --prefix=/usr - cd $(DIR_APP) && make + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-static + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index b086d9f1a..23b77b930 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -24,7 +24,7 @@
include Config
-VER = 4.0.4 +VER = 4.2.0
THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 1 +PAK_VER = 2 DEPS = ""
############################################################################### @@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 46fdb83d4b24e13127a20a3e874b1d8f +$(DL_FILE)_MD5 = 20f261708f95787f3dbea3eab89f804d
install : $(TARGET)
@@ -108,7 +108,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install sudoers include file install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \ - /etc/sudoers.d/zabbix.user + /etc/sudoers.d/zabbix
# Install include file for backup install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \ diff --git a/make.sh b/make.sh index 08cf31901..d015dd95a 100755 --- a/make.sh +++ b/make.sh @@ -24,8 +24,8 @@
NAME="IPFire" # Software name SNAME="ipfire" # Short name -VERSION="2.21" # Version number -CORE="130" # Core Level (Filename) +VERSION="2.23" # Version number +CORE="131" # Core Level (Filename) PAKFIRE_CORE="130" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan @@ -1084,6 +1084,7 @@ buildipfire() { lfsmake2 openssl [ "${BUILD_ARCH}" = "i586" ] && lfsmake2 openssl KCFG='-sse2' lfsmake2 popt + lfsmake2 libedit lfsmake2 libusb lfsmake2 libusb-compat lfsmake2 libpcap @@ -1097,6 +1098,7 @@ buildipfire() { lfsmake2 zd1211-firmware lfsmake2 rpi-firmware lfsmake2 intel-microcode + lfsmake2 pcengines-apu-firmware lfsmake2 bc lfsmake2 u-boot MKIMAGE=1 lfsmake2 cpio @@ -1216,6 +1218,7 @@ buildipfire() { lfsmake2 attr lfsmake2 acl lfsmake2 libcap + lfsmake2 libcap-ng lfsmake2 pciutils lfsmake2 usbutils lfsmake2 libxml2 @@ -1314,9 +1317,11 @@ buildipfire() { lfsmake2 setserial lfsmake2 setup lfsmake2 libdnet - lfsmake2 daq - lfsmake2 snort + lfsmake2 yaml + lfsmake2 libhtp + lfsmake2 suricata lfsmake2 oinkmaster + lfsmake2 ids-ruleset-sources lfsmake2 squid lfsmake2 squidguard lfsmake2 calamaris @@ -1584,10 +1589,11 @@ buildipfire() { lfsmake2 dehydrated lfsmake2 shairport-sync lfsmake2 borgbackup - lfsmake2 libedit lfsmake2 knot lfsmake2 spectre-meltdown-checker lfsmake2 zabbix_agentd + lfsmake2 flashrom + lfsmake2 firmware-update }
buildinstaller() { diff --git a/src/initscripts/networking/red.up/23-suricata b/src/initscripts/networking/red.up/23-suricata new file mode 100644 index 000000000..1514909ee --- /dev/null +++ b/src/initscripts/networking/red.up/23-suricata @@ -0,0 +1,33 @@ +#!/usr/bin/perl +# +# Helper script to regenerate the file which contains the HOME_NET declaration +# including the assigned IP-address of red and any configured aliases. + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; + +# Hash to store the IDS settings. +my %ids_settings = (); + +# Read-in IDS settings. +&General::readhash("$IDS::ids_settings_file", %ids_settings); + +# Check if suricata is enabled. +if($ids_settings{'ENABLE_IDS'} eq "on") { + # Regenerate the file with HOME_NET details. + &IDS::generate_home_net_file(); + + # Set correct ownership. + &IDS::set_ownership("$IDS::homenet_file"); + + # Check if suricata is running. + if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a restart of suricata. + &IDS::call_suricatactrl("restart"); + } else { + # Call suricatactrl to start suricata. + &IDS::call_suricatactrl("start"); + } +} diff --git a/src/initscripts/packages/dnsdist b/src/initscripts/packages/dnsdist index 03e6ab81b..a70bd3806 100644 --- a/src/initscripts/packages/dnsdist +++ b/src/initscripts/packages/dnsdist @@ -14,7 +14,8 @@ case "${1}" in start) boot_mesg "Starting dnsdist..." - loadproc /usr/bin/dnsdist -d ${ARGS} + /usr/bin/dnsdist --supervised ${ARGS} >/dev/null & + evaluate_retval ;;
stop) diff --git a/src/initscripts/packages/tor b/src/initscripts/packages/tor index 551538e2f..754a2786f 100644 --- a/src/initscripts/packages/tor +++ b/src/initscripts/packages/tor @@ -21,8 +21,11 @@ function setup_firewall() { # Flush all rules. flush_firewall
+ # Allow incoming traffic to Tor relay (and directory) port and + # all outgoing TCP connections from Tor user. if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT + iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT fi
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then @@ -33,6 +36,7 @@ function setup_firewall() { function flush_firewall() { # Flush all rules. iptables -F TOR_INPUT + iptables -F TOR_OUTPUT }
case "${1}" in diff --git a/src/initscripts/system/collectd b/src/initscripts/system/collectd index cdb8693ae..5233525f0 100644 --- a/src/initscripts/system/collectd +++ b/src/initscripts/system/collectd @@ -35,6 +35,11 @@ case "$1" in touch /etc/sysconfig/lm_sensors fi
+ # Do not search for sensors when running on AWS + if [ -e "/var/run/aws-instance-id" ]; then + touch /etc/sysconfig/lm_sensors + fi + # At first run search for sensors with sensors-detect if [ ! -e /etc/sysconfig/lm_sensors ]; then boot_mesg "Searching for Sensors..." diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 2739a6834..be6c9169f 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -185,6 +185,12 @@ iptables_init() { iptables -A INPUT -j GUARDIAN iptables -A FORWARD -j GUARDIAN
+ # IPS (suricata) chains + iptables -N IPS + iptables -A INPUT -j IPS + iptables -A FORWARD -j IPS + iptables -A OUTPUT -j IPS + # Block non-established IPsec networks iptables -N IPSECBLOCK iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK @@ -294,9 +300,11 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT
- # Tor + # Tor (inbound and outbound) iptables -N TOR_INPUT iptables -A INPUT -j TOR_INPUT + iptables -N TOR_OUTPUT + iptables -A OUTPUT -j TOR_OUTPUT # Jump into the actual firewall ruleset. iptables -N INPUTFW diff --git a/src/initscripts/system/snort b/src/initscripts/system/snort deleted file mode 100644 index 5c4304247..000000000 --- a/src/initscripts/system/snort +++ /dev/null 
@@ -1,146 +0,0 @@ -#!/bin/sh -######################################################################## -# Begin $rc_base/init.d/snort -# -# Description : Snort Initscript -# -# Authors : Michael Tremer for ipfire.org - mitch@ipfire.org -# -# Version : 01.00 -# -# Notes : -# -######################################################################## - -. /etc/sysconfig/rc -. ${rc_functions} - -PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH - -eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -eval $(/usr/local/bin/readhash /var/ipfire/snort/settings) - -ALIASFILE="/var/ipfire/ethernet/aliases" - -case "$1" in - start) - if [ "$BLUE_NETADDRESS" ]; then - BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK," - BLUE_IP="$BLUE_ADDRESS," - fi - - if [ "$ORANGE_NETADDRESS" ]; then - ORANGE_NET="$ORANGE_NETADDRESS/$ORANGE_NETMASK," - ORANGE_IP="$ORANGE_ADDRESS," - fi - - if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then - DEVICES+="$ORANGE_DEV " - HOMENET+="$ORANGE_IP" - else - HOMENET+="$ORANGE_NET" - fi - - if [ "$ENABLE_SNORT_BLUE" == "on" ]; then - DEVICES+="$BLUE_DEV " - HOMENET+="$BLUE_IP" - else - HOMENET+="$BLUE_NET" - fi - - if [ "$ENABLE_SNORT_GREEN" == "on" ]; then - DEVICES+="$GREEN_DEV " - HOMENET+="$GREEN_ADDRESS," - else - HOMENET+="$GREEN_NETADDRESS/$GREEN_NETMASK," - fi - - if [ "$ENABLE_SNORT" == "on" ]; then - DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` - LOCAL_IP=`cat /var/ipfire/red/local-ipaddress 2>/dev/null` - if [ "$LOCAL_IP" ]; then - HOMENET+="$LOCAL_IP," - fi - - # Check if the red device is set to static and - # any aliases have been configured. - if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then - # Read in aliases file. - while IFS="," read -r address mode remark; do - # Check if the alias is enabled. - [ "${mode}" = "on" ] || continue - - # Add alias to the list of HOMENET addresses. 
- HOMENET+="${address}," - done < "${ALIASFILE}" - fi - fi - HOMENET+="127.0.0.1" - echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars - - DNS1=`cat /var/ipfire/red/dns1 2>/dev/null` - DNS2=`cat /var/ipfire/red/dns2 2>/dev/null` - - if [ "$DNS2" ]; then - echo "ipvar DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars - else - echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars - fi - - for DEVICE in $DEVICES; do - boot_mesg "Starting Intrusion Detection System on $DEVICE..." - /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run - evaluate_retval - sleep 1 - chmod 644 /var/run/snort_$DEVICE.pid - done - ;; - - stop) - DEVICES="" - if [ -r /var/run/snort_$BLUE_DEV.pid ]; then - DEVICES+="$BLUE_DEV " - fi - - if [ -r /var/run/snort_$GREEN_DEV.pid ]; then - DEVICES+="$GREEN_DEV " - fi - - if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then - DEVICES+="$ORANGE_DEV " - fi - - RED=`cat /var/ipfire/red/iface 2>/dev/null` - if [ -r /var/run/snort_$RED.pid ]; then - DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` - fi - - for DEVICE in $DEVICES; do - boot_mesg "Stopping Intrusion Detection System on $DEVICE..." - killproc -p /var/run/snort_$DEVICE.pid /var/run - done - - rm /var/run/snort_* >/dev/null 2>/dev/null - - # Don't report returncode of rm if snort was not started - exit 0 - ;; - - status) - statusproc /usr/sbin/snort - ;; - - restart) - $0 stop - $0 start - ;; - - *) - echo "Usage: $0 {start|stop|restart|status}" - exit 1 - ;; -esac - -chmod 644 /var/log/snort/* 2>/dev/null - -# End $rc_base/init.d/snort diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata new file mode 100644 index 000000000..16548753e --- /dev/null +++ b/src/initscripts/system/suricata 
@@ -0,0 +1,174 @@ +#!/bin/sh +######################################################################## +# Begin $rc_base/init.d/suricata +# +# Description : Suricata Initscript +# +# Author : Stefan Schantl stefan.schantl@ipfire.org +# +# Version : 01.00 +# +# Notes : +# +######################################################################## + +. /etc/sysconfig/rc +. ${rc_functions} + +PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH + +eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) + +# Name of the firewall chain. +FW_CHAIN="IPS" + +# Optional options for the Netfilter queue. +NFQ_OPTS="--queue-bypass " + +# Array containing the 4 possible network zones. +network_zones=( red green blue orange ) + +# Mark and Mask options. +MARK="0x70000000" +MASK="0x70000000" + +# PID file of suricata. +PID_FILE="/var/run/suricata.pid" + +# Function to get the amount of CPU cores of the system. +function get_cpu_count { + CPUCOUNT=0 + + # Loop through "/proc/cpuinfo" and count the amount of CPU cores. + while read line; do + [ "$line" ] && [ -z "${line%processor*}" ] && ((CPUCOUNT++)) + done </proc/cpuinfo + + echo $CPUCOUNT +} + +# Function to create the firewall rules to pass the traffic to suricata. +function generate_fw_rules { + cpu_count=$(get_cpu_count) + + # Flush the firewall chain. + iptables -F "$FW_CHAIN" + + # Loop through the array of network zones. + for zone in "${network_zones[@]}"; do + # Convert zone into upper case. + zone_upper=${zone^^} + + # Generate variable name for checking if the IDS is + # enabled on the zone. + enable_ids_zone="ENABLE_IDS_$zone_upper" + + # Check if the IDS is enabled for this network zone. + if [ "${!enable_ids_zone}" == "on" ]; then + # Generate name of the network interface. + network_device=$zone + network_device+="0" + + # Assign NFQ_OPTS + NFQ_OPTIONS=$NFQ_OPTS + + # Check if there are multiple cpu cores available. + if [ "$cpu_count" -gt "1" ]; then + # Balance beetween all queues. 
+ NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" + NFQ_OPTIONS+=" --queue-cpu-fanout" + else + # Send all packets to queue 0. + NFQ_OPTIONS+="--queue-num 0" + fi + + # Create firewall rules to queue the traffic and pass to + # the IDS. + iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + fi + done + + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" +} + +# Function to flush the firewall chain. +function flush_fw_chain { + # Call iptables and flush the chain + iptables -F "$FW_CHAIN" +} + +case "$1" in + start) + # Get amount of CPU cores. + cpu_count=$(get_cpu_count) + + # Numer of NFQUES. + NFQUEUES= + + for i in $(seq 0 $((cpu_count-1)) ); do + NFQUEUES+="-q $i " + done + + # Check if the IDS should be started. + if [ "$ENABLE_IDS" == "on" ]; then + # Start the IDS. + boot_mesg "Starting Intrusion Detection System..." + /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null + evaluate_retval + + # Allow reading the pidfile. + chmod 644 $PID_FILE + + # Flush the firewall chain + flush_fw_chain + + # Generate firewall rules + generate_fw_rules + fi + ;; + + stop) + boot_mesg "Stopping Intrusion Detection System..." + killproc -p $PID_FILE /var/run + + # Flush firewall chain. + flush_fw_chain + + # Remove suricata control socket. + rm /var/run/suricata/* >/dev/null 2>/dev/null + + # Don't report returncode of rm if suricata was not started + exit 0 + ;; + + status) + statusproc /usr/bin/suricata + ;; + + restart) + $0 stop + $0 start + ;; + reload) + # Send SIGUSR2 to the suricata process to perform a reload + # of the ruleset. + kill -USR2 $(pidof suricata) + + # Flush the firewall chain. + flush_fw_chain + + # Generate firewall rules. 
+ generate_fw_rules + ;; + + *) + echo "Usage: $0 {start|stop|restart|reload|status}" + exit 1 + ;; +esac + +chmod 644 /var/log/suricata/* 2>/dev/null + +# End $rc_base/init.d/suricata diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index af9bcef73..fbb096e0d 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -24,30 +24,6 @@ EDNS_DEFAULT_BUFFER_SIZE=4096 # Load optional configuration [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
-function cidr() { - local cidr nbits IFS; - IFS=. read -r i1 i2 i3 i4 <<< ${1} - IFS=. read -r m1 m2 m3 m4 <<< ${2} - cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))") - nbits=0 - IFS=. - for dec in $2 ; do - case $dec in - 255) let nbits+=8;; - 254) let nbits+=7;; - 252) let nbits+=6;; - 248) let nbits+=5;; - 240) let nbits+=4;; - 224) let nbits+=3;; - 192) let nbits+=2;; - 128) let nbits+=1;; - 0);; - *) echo "Error: $dec is not recognised"; exit 1 - esac - done - echo "${cidr}/${nbits}" -} - ip_address_revptr() { local addr=${1}
@@ -172,9 +148,9 @@ own_hostname() { }
update_hosts() { - local enabled address hostname domainname + local enabled address hostname domainname generateptr
- while IFS="," read -r enabled address hostname domainname; do + while IFS="," read -r enabled address hostname domainname generateptr; do [ "${enabled}" = "on" ] || continue
# Build FQDN @@ -185,6 +161,9 @@ update_hosts() { # Skip reverse resolution if the address equals the GREEN address [ "${address}" = "${GREEN_ADDRESS}" ] && continue
+ # Skip reverse resolution if user requested not to do so + [ "${generateptr}" = "off" ] && continue + # Add RDNS address=$(ip_address_revptr ${address}) unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}" diff --git a/src/installer/po/fr.po b/src/installer/po/fr.po index 818bdb46e..9c6bcd60d 100644 --- a/src/installer/po/fr.po +++ b/src/installer/po/fr.po @@ -1,23 +1,25 @@ # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR The IPFire Project (www.ipfire.org) # This file is distributed under the same license as the PACKAGE package. -# +# # Translators: # nonux nonux@free.fr, 2015 # Philippe B philippe@123-newbeetle.com, 2016 +# Stephane PAUTREL contact@acb78.com, 2019 msgid "" msgstr "" "Project-Id-Version: IPFire Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2014-11-05 01:29+0000\n" -"PO-Revision-Date: 2017-09-20 08:56+0000\n" -"Last-Translator: Philippe B philippe@123-newbeetle.com\n" +"PO-Revision-Date: 2019-04-11 23:25+0200\n" +"Last-Translator: Stephane PAUTREL contact@acb78.com\n" "Language-Team: French (http://www.transifex.com/mstremer/ipfire/language/fr/)%5Cn" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Language: fr\n" "Plural-Forms: nplurals=2; plural=(n > 1);\n" +"X-Generator: Poedit 2.2.1\n"
#: main.c:78 main.c:179 main.c:404 main.c:670 main.c:702 main.c:893 msgid "OK" @@ -34,7 +36,7 @@ msgstr "J'accepte la licence"
#: main.c:384 msgid "Warning: Unattended installation will start in 10 seconds..." -msgstr "Attention: Une installation sans surveillance va débuter dans 10 secondes..." +msgstr "Attention : Une installation sans surveillance va débuter dans 10 secondes..."
#: main.c:403 msgid "Language selection" @@ -42,7 +44,7 @@ msgstr "Sélection de la langue"
#: main.c:403 msgid "Select the language you wish to use for the installation." -msgstr "Sélectionnez la langue que vous souhaitez utiliser pour l'installation." +msgstr "Choisir la langue que vous souhaitez utiliser pour l'installation."
#: main.c:418 msgid "Unattended mode" @@ -58,7 +60,10 @@ msgid "" "Welcome to the %s installation program.\n" "\n" "Selecting Cancel on any of the following screens will reboot the computer." -msgstr "Bienvenue dans le programme d'installation de %s.\n\nSélectionner Echap sur une écran redémarrera l'ordinateur." +msgstr "" +"Bienvenue dans le programme d'installation de %s.\n" +"\n" +"Sélectionner Echap sur un écran redémarrera l'ordinateur."
#: main.c:428 msgid "Start installation" @@ -75,12 +80,13 @@ msgid "" "No source drive could be found.\n" "\n" "You can try downloading the required installation image." -msgstr "Aucune disque source trouvé.\n\nVous pouvez essayer de télécharger l'image d'installation nécessaire." +msgstr "" +"Aucune disque source trouvé.\n" +"\n" +"Vous pouvez essayer de télécharger l'image d'installation nécessaire."
#: main.c:456 -msgid "" -"Please make sure to connect your machine to a network and the installer will" -" try connect to acquire an IP address." +msgid "Please make sure to connect your machine to a network and the installer will try connect to acquire an IP address." msgstr "Soyez certain que votre machine est connectée à un réseau et l'installateur va tenter de récupérer une adresse IP."
#: main.c:460 @@ -96,15 +102,18 @@ msgid "" "Networking could not be started but is required to go on with the installation.\n" "\n" "Please connect your machine to a network with a DHCP server and retry." -msgstr "Une connexion réseau ne peut être initiée et est nécessaire pour pour poursuivre l'installation.\n\nMerci de connecter votre machine à une serveur DHCP et réessayer." +msgstr "" +"Une connexion réseau ne peut être initiée et est nécessaire afin de poursuivre l'installation.\n" +"\n" +"Merci de connecter votre machine à un serveur DHCP et réessayer."
#: main.c:487 main.c:516 msgid "Retry" -msgstr "Ré-essayer" +msgstr "Réessayer"
#: main.c:501 msgid "Downloading installation image..." -msgstr "Téléchargement de l'image d'installation ..." +msgstr "Téléchargement de l'image d'installation..."
#: main.c:510 #, c-format @@ -118,14 +127,20 @@ msgid "" " Reason: %s\n" "\n" "%s" -msgstr "L'image d'installation ne peut être téléchargée.\nRaison:%s\n\n%s" +msgstr "" +"L'image d'installation ne peut être téléchargée.\n" +"Motif :%s\n" +"\n" +"%s"
#: main.c:528 #, c-format msgid "" "Could not mount %s to %s:\n" " %s\n" -msgstr "Impossible de monter %s vers %s:\n%s\n" +msgstr "" +"Impossible de monter %s vers %s:\n" +"%s\n"
#: main.c:543 msgid "License Agreement" @@ -133,7 +148,7 @@ msgstr "Contrat de licence"
#: main.c:544 msgid "License not accepted!" -msgstr "Contrat de licence non accepté!" +msgstr "Contrat de licence non accepté !"
#: main.c:566 msgid "No hard disk found." @@ -148,14 +163,20 @@ msgid "" "Select the disk(s) you want to install IPFire on. First those will be partitioned, and then the partitions will have a filesystem put on them.\n" "\n" "ALL DATA ON THE DISK WILL BE DESTROYED." -msgstr "Selectionner le disque sur lequel vous voulez installer IPFire. Il sera d'abord partitioné et un système de fichier y sera créé.\n\nTOUTES LES DONNÉES DUS DISQUE SERONT PERDUES." +msgstr "" +"Choisir le disque sur lequel vous souhaitez installer IPFire. Il sera d'abord partitionné et un système de fichier y sera créé.\n" +"\n" +"TOUTES LES DONNEES DU DISQUE SERONT PERDUES."
#: main.c:599 msgid "" "No disk has been selected.\n" "\n" "Please select one or more disks you want to install IPFire on." -msgstr "Aucun disque selectionné.\n\nSelectionnez un dsique au moins sur le(s)quel(s) sera installé IPFire." +msgstr "" +"Aucun disque sélectionné.\n" +"\n" +"Choisissez au moins un disque sur le(s)quel(s) sera installé IPFire."
#: main.c:617 #, c-format @@ -165,7 +186,12 @@ msgid "" " %s\n" "\n" "Do you agree to continue?" -msgstr "Le programme d'installation va maintenant préparer le disque choisi.\n\n%s\n\nEtes vous d'accord pour continuer?" +msgstr "" +"Le programme d'installation va maintenant préparer le disque choisi.\n" +"\n" +"%s\n" +"\n" +"Etes vous d'accord pour continuer ?"
#: main.c:619 msgid "Disk Setup" @@ -184,7 +210,13 @@ msgid "" " %s\n" "\n" "Do you agree to continue?" -msgstr "Le programme d'installation va maintenant paramétrer la configuration RAID sur les disques sélectionnés.\n\n%s\n%s\n\nEtes vous d'accord pour continuer?" +msgstr "" +"Le programme d'installation va maintenant paramétrer la configuration RAID sur les disques choisis.\n" +"\n" +"%s\n" +"%s\n" +"\n" +"Etes-vous d'accord pour continuer ?"
#: main.c:629 msgid "RAID Setup" @@ -199,8 +231,7 @@ msgid "Your harddisk is too small." msgstr "Votre disque dur est trop petit."
#: main.c:671 -msgid "" -"Your harddisk is very small, but you can continue without a swap partition." +msgid "Your harddisk is very small, but you can continue without a swap partition." msgstr "Votre disque dur est très petit, mais vous pouvez continuer sans la partition d'échange."
#: main.c:684 @@ -217,7 +248,7 @@ msgstr "Système de fichier XFS"
#: main.c:687 msgid "ReiserFS Filesystem" -msgstr "Système de fichier ReiserFS" +msgstr "Système de fichier ReiserFS"
#: main.c:701 msgid "Filesystem Selection" @@ -225,7 +256,7 @@ msgstr "Choix du système de fichier"
#: main.c:701 msgid "Please choose your filesystem:" -msgstr "Merci de choisir votre système de fichier : " +msgstr "Merci de choisir votre système de fichier :"
#: main.c:712 msgid "Building RAID..." @@ -288,7 +319,10 @@ msgid "" "A backup file has been found on the installation image.\n" "\n" "Do you want to restore the backup?" -msgstr "Un fichier de sauvegarde a été trouvé sur l'image d'installation.\n\nVoulez vous restaurer cette sauvegarde?" +msgstr "" +"Un fichier de sauvegarde a été trouvé sur l'image d'installation.\n" +"\n" +"Voulez vous restaurer cette sauvegarde ?"
#: main.c:827 msgid "Yes" @@ -316,16 +350,19 @@ msgid "" "%s was successfully installed!\n" "\n" "Please remove any installation mediums from this system and hit the reboot button. Once the system has restarted you will be asked to setup networking and system passwords. After that, you should point your web browser at https://%s:444 (or what ever you name your %s) for the web configuration console." -msgstr "%s a été installé correctement.\n\nRetirer tous les médias d'installation du système et appuyer sur redémarrer. Une fois que le système redémarré, vous devrez paramètrer les réseaux et les mots de passe système. Ensuite, vous devrez faire pointer votre navigateur vers https://%s:444 (ou le nom que vous avez donné à votre %s) pour la console de configuration web." +msgstr "" +"%s a été installé correctement.\n" +"\n" +"Retirer tous les médias d'installation du système et appuyer sur redémarrer. Une fois le système redémarré, vous devrez paramétrer les réseaux et les mots de passe système. Ensuite, vous devrez faire pointer votre navigateur vers https://%s:444 (ou le nom que vous avez donné à votre %s) pour la console de configuration web."
#: main.c:882 msgid "Congratulations!" -msgstr "Félécitations!" +msgstr "Félicitations !"
#: main.c:882 msgid "Reboot" -msgstr "Re-démarrer" +msgstr "Redémarrer"
#: main.c:893 msgid "Setup has failed. Press Ok to reboot." -msgstr "La configuration a échoué. Appuyez sur OK pour re-démarrer." +msgstr "La configuration a échoué. Appuyez sur OK pour redémarrer." diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index c3329b130..bea54e773 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -24,7 +24,7 @@ LIBS = -lsmooth -lnewt
PROGS = iowrap SUID_PROGS = squidctrl sshctrl ipfirereboot \ - ipsecctrl timectrl dhcpctrl snortctrl \ + ipsecctrl timectrl dhcpctrl suricatactrl \ applejuicectrl rebuildhosts backupctrl collectdctrl \ logwatch wioscan wiohelper openvpnctrl firewallctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ diff --git a/src/misc-progs/snortctrl.c b/src/misc-progs/snortctrl.c deleted file mode 100644 index 57025757c..000000000 --- a/src/misc-progs/snortctrl.c +++ /dev/null @@ -1,38 +0,0 @@ -/* This file is part of the IPFire Firewall. - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - */ - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> -#include "setuid.h" - -int main(int argc, char *argv[]) { - - if (!(initsetuid())) - exit(1); - - if (argc < 2) { - fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|restart)\n\n"); - exit(1); - } - - if (strcmp(argv[1], "start") == 0) { - safe_system("/etc/rc.d/init.d/snort start"); - } else if (strcmp(argv[1], "stop") == 0) { - safe_system("/etc/rc.d/init.d/snort stop"); - } else if (strcmp(argv[1], "restart") == 0) { - safe_system("/etc/rc.d/init.d/snort restart"); - } else { - fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart)\n\n"); - exit(1); - } - - return 0; -} diff --git a/src/misc-progs/sshctrl.c b/src/misc-progs/sshctrl.c index 30074973d..f855c5a4a 100644 --- a/src/misc-progs/sshctrl.c +++ b/src/misc-progs/sshctrl.c 
@@ -72,9 +72,14 @@ int main(int argc, char *argv[]) strlcat(command, "s/^AllowTcpForwarding .*$/AllowTcpForwarding no/;", STRING_SIZE - 1 ); if(findkey(kv, "SSH_PORT", buffer) && !strcmp(buffer,"on")) - strlcat(command, "s/^Port .*$/Port 22/", STRING_SIZE - 1 ); + strlcat(command, "s/^Port .*$/Port 22/;", STRING_SIZE - 1 ); else - strlcat(command, "s/^Port .*$/Port 222/", STRING_SIZE - 1 ); + strlcat(command, "s/^Port .*$/Port 222/;", STRING_SIZE - 1 ); + + if(findkey(kv, "SSH_AGENT_FORWARDING", buffer) && !strcmp(buffer,"on")) + strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding yes/;", STRING_SIZE - 1 ); + else + strlcat(command, "s/^AllowAgentForwarding .*$/AllowAgentForwarding no/;", STRING_SIZE - 1 );
freekeyvalues(kv);
diff --git a/src/misc-progs/suricatactrl.c b/src/misc-progs/suricatactrl.c new file mode 100644 index 000000000..cca0873e6 --- /dev/null +++ b/src/misc-progs/suricatactrl.c @@ -0,0 +1,54 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <fcntl.h> +#include "setuid.h" + +int main(int argc, char *argv[]) { + + if (!(initsetuid())) + exit(1); + + if (argc < 2) { + fprintf(stderr, "\nNo argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n"); + exit(1); + } + + if (strcmp(argv[1], "start") == 0) { + safe_system("/etc/rc.d/init.d/suricata start"); + } else if (strcmp(argv[1], "stop") == 0) { + safe_system("/etc/rc.d/init.d/suricata stop"); + } else if (strcmp(argv[1], "restart") == 0) { + safe_system("/etc/rc.d/init.d/suricata restart"); + } else if (strcmp(argv[1], "reload") == 0) { + safe_system("/etc/rc.d/init.d/suricata reload"); + } else if (strcmp(argv[1], "fix-rules-dir") == 0) { + safe_system("chown -R nobody:nobody /var/lib/suricata"); + } else if (strcmp(argv[1], "cron") == 0) { + safe_system("rm /etc/fcron.*/suricata >/dev/null 2>&1"); + if (strcmp(argv[2], "off") == 0) { + return(1); + } else if (strcmp(argv[2], "daily") == 0){ + safe_system("ln -s /usr/local/bin/update-ids-ruleset /etc/fcron.daily/suricata"); + } else if (strcmp(argv[2], "weekly") == 0){ + safe_system("ln -s /usr/local/bin/update-ids-ruleset /etc/fcron.weekly/suricata"); + } else{ + printf("invalid parameter(s)\n"); + return(1); + } + } else { + fprintf(stderr, "\nBad argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n"); + exit(1); + } + + return 0; +} diff --git a/src/pakfire/pakfire.conf b/src/pakfire/pakfire.conf index 2f8f9cd6d..cfe48f575 100644 --- a/src/pakfire/pakfire.conf +++ b/src/pakfire/pakfire.conf 
@@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # diff --git a/src/paks/dnsdist/install.sh b/src/paks/dnsdist/install.sh new file mode 100644 index 000000000..74966d643 --- /dev/null +++ b/src/paks/dnsdist/install.sh @@ -0,0 +1,35 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh + +extract_files + +restore_backup "${NAME}" + +start_service "${NAME}" + +# Enable autostart +ln -sf ../init.d/dnsdist /etc/rc.d/rc0.d/K25dnsdist +ln -sf ../init.d/dnsdist /etc/rc.d/rc3.d/S35dnsdist +ln -sf ../init.d/dnsdist /etc/rc.d/rc6.d/K25dnsdist 
diff --git a/src/paks/dnsdist/uninstall.sh b/src/paks/dnsdist/uninstall.sh new file mode 100644 index 000000000..966c525c4 --- /dev/null +++ b/src/paks/dnsdist/uninstall.sh @@ -0,0 +1,34 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh + +extract_backup_includes + +stop_service ${NAME} + +make_backup ${NAME} + +remove_files + +rm -rfv /etc/rc.d/rc*.d/*dnsdist diff --git a/src/paks/dnsdist/update.sh b/src/paks/dnsdist/update.sh new file mode 100644 index 000000000..89c40d0d7 --- /dev/null +++ b/src/paks/dnsdist/update.sh 
@@ -0,0 +1,26 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +./uninstall.sh +./install.sh diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh index 31c5fecae..268bccecd 100644 --- a/src/paks/tor/install.sh +++ b/src/paks/tor/install.sh 
@@ -17,11 +17,24 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007 IPFire-Team info@ipfire.org. # +# Copyright (C) 2007-2019 IPFire-Team info@ipfire.org. # # # ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Run Tor as dedicated user and make sure user and group exist +if ! getent group tor &>/dev/null; then + groupadd -g 119 tor +fi + +if ! getent passwd tor; then + useradd -u 119 -g tor -c "Tor daemon user" -d /var/empty -s /bin/false tor +fi + +# Adjust some folder permission for new UID/GID +chown -R tor:tor /var/lib/tor /var/ipfire/tor + extract_files restore_backup ${NAME} start_service --background ${NAME} diff --git a/src/paks/zabbix_agentd/update.sh b/src/paks/zabbix_agentd/update.sh index 89c40d0d7..7fc1c96fb 100644 --- a/src/paks/zabbix_agentd/update.sh +++ b/src/paks/zabbix_agentd/update.sh @@ -24,3 +24,8 @@ . /opt/pakfire/lib/functions.sh ./uninstall.sh ./install.sh + +# Ensure /etc/sudoers.d/zabbix.user is renamed to /etc/sudoers.d/zabbix +if [ -e /etc/sudoers.d/zabbix.user ]; then + mv -v /etc/sudoers.d/zabbix.user /etc/sudoers.d/zabbix +fi diff --git a/src/patches/linux/linux-4.14_ath_user_regd.patch b/src/patches/linux/linux-4.14_ath_user_regd.patch new file mode 100644 index 000000000..179f323c8 --- /dev/null +++ b/src/patches/linux/linux-4.14_ath_user_regd.patch 
@@ -0,0 +1,71 @@ +diff -Naur linux-4.14.103.org/drivers/net/wireless/ath/regd.c linux-4.14.103/drivers/net/wireless/ath/regd.c +--- linux-4.14.103.org/drivers/net/wireless/ath/regd.c 2019-02-23 09:06:44.000000000 +0100 ++++ linux-4.14.103/drivers/net/wireless/ath/regd.c 2019-03-30 11:35:53.177299394 +0100 +@@ -24,6 +24,7 @@ + #include "regd_common.h" + + static int __ath_regd_init(struct ath_regulatory *reg); ++static struct reg_dmn_pair_mapping *ath_get_regpair(int regdmn); + + /* + * This is a set of common rules used by our world regulatory domains. +@@ -116,6 +117,9 @@ + + static bool dynamic_country_user_possible(struct ath_regulatory *reg) + { ++// if (IS_ENABLED(CPTCFG_ATH_USER_REGD)) ++ return true; ++ + if (IS_ENABLED(CONFIG_ATH_REG_DYNAMIC_USER_CERT_TESTING)) + return true; + +@@ -188,6 +192,8 @@ + + static bool ath_reg_dyn_country_user_allow(struct ath_regulatory *reg) + { ++// if (IS_ENABLED(CPTCFG_ATH_USER_REGD)) ++ return true; + if (!IS_ENABLED(CONFIG_ATH_REG_DYNAMIC_USER_REG_HINTS)) + return false; + if (!dynamic_country_user_possible(reg)) +@@ -345,6 +351,9 @@ + struct ieee80211_channel *ch; + unsigned int i; + ++// if (IS_ENABLED(CPTCFG_ATH_USER_REGD)) ++ return; ++ + for (band = 0; band < NUM_NL80211_BANDS; band++) { + if (!wiphy->bands[band]) + continue; +@@ -378,6 +387,9 @@ + { + struct ieee80211_supported_band *sband; + ++// if (IS_ENABLED(CPTCFG_ATH_USER_REGD)) ++ return; ++ + sband = wiphy->bands[NL80211_BAND_2GHZ]; + if (!sband) + return; +@@ -407,6 +419,9 @@ + struct ieee80211_channel *ch; + unsigned int i; + ++// if (IS_ENABLED(CPTCFG_ATH_USER_REGD)) ++ return; ++ + if (!wiphy->bands[NL80211_BAND_5GHZ]) + return; + +@@ -639,6 +654,10 @@ + const struct ieee80211_regdomain *regd; + + wiphy->reg_notifier = reg_notifier; ++ ++// if (IS_ENABLED(CPTCFG_ATH_USER_REGD)) ++ return 0; ++ + wiphy->regulatory_flags |= REGULATORY_STRICT_REG | + REGULATORY_CUSTOM_REG; + 
diff --git a/src/patches/linux/linux-4.9.8-ath_ignore_eeprom_regd.patch b/src/patches/linux/linux-4.9.8-ath_ignore_eeprom_regd.patch deleted file mode 100644 index ca835eb9a..000000000 --- a/src/patches/linux/linux-4.9.8-ath_ignore_eeprom_regd.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff -Naur linux-4.9.8.org/drivers/net/wireless/ath/regd.c linux-4.9.8/drivers/net/wireless/ath/regd.c ---- linux-4.9.8.org/drivers/net/wireless/ath/regd.c 2017-02-04 09:47:29.000000000 +0100 -+++ linux-4.9.8/drivers/net/wireless/ath/regd.c 2017-02-11 15:31:20.502527360 +0100 -@@ -341,6 +341,8 @@ - struct ieee80211_channel *ch; - unsigned int i; - -+ return; -+ - for (band = 0; band < NUM_NL80211_BANDS; band++) { - if (!wiphy->bands[band]) - continue; -@@ -374,6 +376,8 @@ - { - struct ieee80211_supported_band *sband; - -+ return; -+ - sband = wiphy->bands[NL80211_BAND_2GHZ]; - if (!sband) - return; -@@ -402,6 +406,8 @@ - struct ieee80211_channel *ch; - unsigned int i; - -+ return; -+ - if (!wiphy->bands[NL80211_BAND_5GHZ]) - return; - -@@ -632,6 +638,8 @@ - { - const struct ieee80211_regdomain *regd; - -+ return 0; -+ - wiphy->reg_notifier = reg_notifier; - wiphy->regulatory_flags |= REGULATORY_STRICT_REG | - REGULATORY_CUSTOM_REG; diff --git a/src/patches/lua-5.3.0-autotoolize.patch b/src/patches/lua/lua-5.3.5-autotoolize.patch similarity index 99% rename from src/patches/lua-5.3.0-autotoolize.patch rename to src/patches/lua/lua-5.3.5-autotoolize.patch index 3e4723a57..76747923a 100644 --- a/src/patches/lua-5.3.0-autotoolize.patch +++ b/src/patches/lua/lua-5.3.5-autotoolize.patch @@ -110,7 +110,7 @@ diff -up lua-5.3.0/src/luaconf.h.template.in.autoxxx lua-5.3.0/src/luaconf.h.tem
/* ** =================================================================== -@@ -175,9 +180,9 @@ +@@ -200,9 +205,9 @@
#else /* }{ */
diff --git a/src/patches/lua/lua-5.3.5-shared_library-1.patch b/src/patches/lua/lua-5.3.5-shared_library-1.patch new file mode 100644 index 000000000..857fddc6c --- /dev/null +++ b/src/patches/lua/lua-5.3.5-shared_library-1.patch 
@@ -0,0 +1,61 @@ +Submitted By: Igor Živković contact@igor-zivkovic.from.hr +Date: 2013-06-19 +Initial Package Version: 5.2.2 +Upstream Status: Rejected +Origin: Arch Linux packages repository +Description: Adds the compilation of a shared library. + +diff -Naur lua-5.3.0.orig/Makefile lua-5.3.0/Makefile +--- lua-5.3.0.orig/Makefile 2014-10-30 00:14:41.000000000 +0100 ++++ lua-5.3.0/Makefile 2015-01-19 22:14:09.822290828 +0100 +@@ -52,7 +52,7 @@ + all: $(PLAT) + + $(PLATS) clean: +- cd src && $(MAKE) $@ ++ cd src && $(MAKE) $@ V=$(V) R=$(R) + + test: dummy + src/lua -v +diff -Naur lua-5.3.0.orig/src/Makefile lua-5.3.0/src/Makefile +--- lua-5.3.0.orig/src/Makefile 2015-01-05 17:04:52.000000000 +0100 ++++ lua-5.3.0/src/Makefile 2015-01-19 22:14:52.559378543 +0100 +@@ -7,7 +7,7 @@ + PLAT= none + + CC= gcc -std=gnu99 +-CFLAGS= -O2 -Wall -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS) ++CFLAGS= -fPIC -O2 -Wall -Wextra -DLUA_COMPAT_5_2 $(SYSCFLAGS) $(MYCFLAGS) + LDFLAGS= $(SYSLDFLAGS) $(MYLDFLAGS) + LIBS= -lm $(SYSLIBS) $(MYLIBS) + +@@ -29,6 +29,7 @@ + PLATS= aix bsd c89 freebsd generic linux macosx mingw posix solaris + + LUA_A= liblua.a ++LUA_SO= liblua.so + CORE_O= lapi.o lcode.o lctype.o ldebug.o ldo.o ldump.o lfunc.o lgc.o llex.o \ + lmem.o lobject.o lopcodes.o lparser.o lstate.o lstring.o ltable.o \ + ltm.o lundump.o lvm.o lzio.o +@@ -43,7 +44,7 @@ + LUAC_O= luac.o + + ALL_O= $(BASE_O) $(LUA_O) $(LUAC_O) +-ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) ++ALL_T= $(LUA_A) $(LUA_T) $(LUAC_T) $(LUA_SO) + ALL_A= $(LUA_A) + + # Targets start here. +@@ -59,6 +60,12 @@ + $(AR) $@ $(BASE_O) + $(RANLIB) $@ + ++$(LUA_SO): $(CORE_O) $(LIB_O) ++ $(CC) -shared -ldl -Wl,-soname,$(LUA_SO).$(V) -o $@.$(R) $? -lm $(MYLDFLAGS) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO).$(V) ++ ln -sf $(LUA_SO).$(R) $(LUA_SO) ++ ++ + $(LUA_T): $(LUA_O) $(LUA_A) + $(CC) -o $@ $(LDFLAGS) $(LUA_O) $(LUA_A) $(LIBS) + 
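Review bot: The new `$(LUA_SO)` rule in src/Makefile links with `$?`, which expands only to the prerequisites newer than the target, so an incremental rebuild after one object changes links a library from that object alone; use `$^` instead. In the same recipe `-ldl` is placed before the objects, where a linker running with `--as-needed` can drop it; move it after the objects, next to `-lm`. The rule also relies on `V` and `R` being supplied on the make command line (the top-level Makefile only forwards `V=$(V) R=$(R)`), and with either unset the soname and output file both end in a bare `liblua.so.`; a default value or an explicit error would make that visible. The embedded diff headers still reference lua-5.3.0 although the file is named lua-5.3.5-shared_library-1.patch, and the header records "Upstream Status: Rejected", so the patch needs re-checking on each Lua update.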
diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset new file mode 100644 index 000000000..14ea25ec6 --- /dev/null +++ b/src/scripts/update-ids-ruleset 
@@ -0,0 +1,76 @@ +#!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2018 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; +require "${General::swroot}/lang.pl"; + +# Check if the red device is active. +unless (-e "${General::swroot}/red/active") { + # Store notice in the syslog. + &IDS::_log_to_syslog("The system is offline."); + + # Store error message for displaying in the WUI. + &IDS::_store_error_message("$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}"); + + # Exit. + exit 0; +} + +# Check if enought free disk space is availabe. +if(&IDS::checkdiskspace()) { + # Store the error message for displaying in the WUI. + &IDS::_store_error_message("$Lang::tr{'not enough disk space'}"); + + # Exit. + exit 0; +} + +# Lock the IDS page. +&IDS::lock_ids_page(); + +# Call the download function and gather the new ruleset. +if(&IDS::downloadruleset()) { + # Store error message for displaying in the WUI. + &IDS::_store_error_message("$Lang::tr{'could not download latest updates'}"); + + # Exit. 
+ exit 0; +} + +# Call oinkmaster to alter the ruleset. +&IDS::oinkmaster(); + +# Set correct ownership for the rulesdir and files. +&IDS::set_ownership("$IDS::rulespath"); + +# Unlock the IDS page. +&IDS::unlock_ids_page(); + +# Check if the IDS is running. +if(&IDS::ids_is_running()) { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); +} + +1; diff --git a/src/setup/po/fr.po b/src/setup/po/fr.po index 46a74b55b..a7c1df1dc 100644 --- a/src/setup/po/fr.po +++ b/src/setup/po/fr.po @@ -1,27 +1,29 @@ # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR The IPFire Project (www.ipfire.org) # This file is distributed under the same license as the PACKAGE package. -# +# # Translators: -# Cedric RIVERA, 2016 # irenee Munyaneza muirenee@yahoo.fr, 2014 -# Nicolas Cuffia cuffia.cuceglio@vivaldi.net, 2016 # nonux nonux@free.fr, 2015 -# Philippe B philippe@123-newbeetle.com, 2016 # Sebastien Labrie fonkyy@gmail.com, 2015 +# Nicolas Cuffia cuffia.cuceglio@vivaldi.net, 2016 +# Philippe B philippe@123-newbeetle.com, 2016 +# Cedric RIVERA, 2016 +# Stephane PAUTREL contact@acb78.com, 2019 msgid "" msgstr "" "Project-Id-Version: IPFire Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2014-08-21 15:12+0000\n" -"PO-Revision-Date: 2017-09-20 09:45+0000\n" -"Last-Translator: Cedric RIVERA\n" +"PO-Revision-Date: 2019-04-12 00:50+0200\n" +"Last-Translator: Stephane PAUTREL contact@acb78.com\n" "Language-Team: French (http://www.transifex.com/mstremer/ipfire/language/fr/)%5Cn" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Language: fr\n" "Plural-Forms: nplurals=2; plural=(n > 1);\n" +"X-Generator: Poedit 2.2.1\n"
#: dhcp.c:50 msgid "Start address:" @@ -41,15 +43,15 @@ msgstr "DNS secondaire :"
#: dhcp.c:54 msgid "Default lease (mins):" -msgstr "Bail par défaut (mins) :" +msgstr "Bail par défaut (mns) :"
#: dhcp.c:55 msgid "Max lease (mins):" -msgstr "Bail maximum (mins) :" +msgstr "Bail maximum (mns) :"
#: dhcp.c:56 msgid "Domain name suffix:" -msgstr "Suffixe du nom de domaine : " +msgstr "Suffixe du nom de domaine :"
#: dhcp.c:86 dhcp.c:93 dhcp.c:101 domainname.c:34 hostname.c:37 keymap.c:70 #: misc.c:40 misc.c:52 netstuff.c:377 netstuff.c:566 netstuff.c:704 @@ -65,7 +67,7 @@ msgstr "Configuration du serveur DHCP"
#: dhcp.c:116 msgid "Configure the DHCP server by entering the settings information." -msgstr "Configurer le serveur DHCP en entrant les informations de paramètrage." +msgstr "Configurer le serveur DHCP en saisissant les informations de paramétrage."
#: dhcp.c:125 msgid "Enabled" @@ -90,7 +92,9 @@ msgstr "Annuler" msgid "" "The following fields are invalid:\n" "\n" -msgstr "Les champs suivants sont invalides:\n\n" +msgstr "" +"Les champs suivants sont invalides :\n" +"\n"
#: dhcp.c:159 msgid "Start address" @@ -122,7 +126,7 @@ msgstr "Nom de domaine"
#: domainname.c:42 msgid "Enter Domain name" -msgstr "Entrez le nom de domaine" +msgstr "Saisir le nom de domaine."
#: domainname.c:48 msgid "Domain name cannot be empty." @@ -142,7 +146,7 @@ msgstr "Nom d'hôte"
#: hostname.c:46 msgid "Enter the machine's hostname." -msgstr "Entrez le nom d'hôte de la machine." +msgstr "Saisir le nom d'hôte de la machine."
#: hostname.c:53 msgid "Hostname cannot be empty." @@ -154,15 +158,15 @@ msgstr "Le nom de domaine ne doit pas contenir d'espaces."
#: hostname.c:58 msgid "Hostname may only contain letters, numbers and hyphens." -msgstr "Le hostname doit seulement contenir des lettres, chiffres et trais d'union." +msgstr "Le nom d'hôte doit seulement contenir des lettres, chiffres et trais d'union."
#: keymap.c:84 main.c:67 msgid "Keyboard mapping" -msgstr "Mappage du clavier" +msgstr "Mappage clavier"
#: keymap.c:85 msgid "Choose the type of keyboard you are using from the list below." -msgstr "Choisir le type de clavier utilisé depuis la liste ci-dessous." +msgstr "Choisir le type de clavier utilisé dans la liste suivante."
#: main.c:68 timezone.c:77 msgid "Timezone" @@ -174,7 +178,7 @@ msgstr "Réseau"
#: main.c:72 misc.c:147 msgid "ISDN" -msgstr "ISDN" +msgstr "RNIS"
#: main.c:73 msgid "'root' password" @@ -182,11 +186,11 @@ msgstr "Mot de passe "root""
#: main.c:74 msgid "'admin' password" -msgstr "Most de passe "admin"" +msgstr "Mot de passe "admin""
#: main.c:90 msgid " <Tab>/<Alt-Tab> between elements | <Space> selects" -msgstr "<Tab>/<Alt-Tab> entre les éléments | <Espace> selection" +msgstr "<Tab>/<Alt-Tab> entre les éléments | <Espace> sélection"
#: main.c:97 msgid "Section menu" @@ -194,7 +198,7 @@ msgstr "Menu de sélection"
#: main.c:98 msgid "Select the item you wish to configure." -msgstr "Sélectionner l'artivle à confurer." +msgstr "Choisir l'élément à configurer."
#: main.c:99 msgid "Quit" @@ -209,15 +213,13 @@ msgid "Warning" msgstr "Avertissement"
#: main.c:175 -msgid "" -"Initial setup was not entirely complete. You must ensure that Setup is " -"properly finished by running setup again at the shell." -msgstr "Le paramétrage initial n'est pas terminé. Assurez vous que le paramétrage s'est correctement terminé en exécutant de nouveau setup depuis le shell." +msgid "Initial setup was not entirely complete. You must ensure that Setup is properly finished by running setup again at the shell." +msgstr "Le paramétrage initial n'est pas terminé. Assurez-vous que le paramétrage s'est correctement terminé en exécutant de nouveau setup depuis le shell."
#: misc.c:62 #, c-format msgid "Unable to write %s/main/hostname.conf" -msgstr "Impossible d'écriere %s/main/hostname.conf" +msgstr "Impossible d'écrire %s/main/hostname.conf"
#: misc.c:71 msgid "Unable to open main hosts file." @@ -241,11 +243,11 @@ msgstr "Impossible de définir le nom d'hôte"
#: misc.c:147 msgid "Scanning and configuring ISDN devices." -msgstr "Détection et configuration des interfaces ISDN." +msgstr "Détection et configuration des interfaces RNIS."
#: misc.c:148 msgid "Unable to scan for ISDN devices." -msgstr "Détection des périphériques ISDN impossible." +msgstr "Détection des périphériques RNIS impossible."
#: netstuff.c:86 #, c-format @@ -271,23 +273,23 @@ msgstr "Connexion PPP (PPPoE, modem, ATM ...)"
#: netstuff.c:113 msgid "DHCP Hostname:" -msgstr "Nom d'hôte DHCP:" +msgstr "Nom d'hôte DHCP :"
#: netstuff.c:115 msgid "Force DHCP MTU:" -msgstr "Forcer taille MTU pour DHCP:" +msgstr "Forcer taille MTU pour DHCP :"
#: netstuff.c:134 msgid "IP address:" -msgstr "Adresse IP" +msgstr "Adresse IP :"
#: netstuff.c:146 msgid "Network mask:" -msgstr "Masque de sous-réseau : " +msgstr "Masque sous-réseau :"
#: netstuff.c:173 networking.c:749 msgid "The following fields are invalid:" -msgstr "Les champs suivants sont invalides : " +msgstr "Les champs suivants sont invalides :"
#: netstuff.c:183 msgid "IP address" @@ -303,12 +305,12 @@ msgstr "Nom d'hôte DHCP"
#: netstuff.c:396 netstuff.c:709 msgid "Unset" -msgstr "Non-défini" +msgstr "Non défini"
#: netstuff.c:669 #, c-format msgid "Please choose a networkcard for the following interface - %s." -msgstr "Choisissez un adaptateur réseau pour l'interface - %s." +msgstr "Veuillez choisir un adaptateur réseau pour l'interface - %s."
#: netstuff.c:672 msgid "Extended Network Menu" @@ -328,15 +330,15 @@ msgstr "Identification du périphérique"
#: netstuff.c:678 msgid "The lights on the selected port should flash now for 10 seconds..." -msgstr "Le témoin lumineux du port sélectionné doit clignoter maintenant pendant 10 secondes ..." +msgstr "Le témoin lumineux du port sélectionné doit clignoter maintenant pendant 10 secondes..."
#: netstuff.c:679 msgid "Identification is not supported by this interface." -msgstr "L'identification n'est pas supporté par cet interface." +msgstr "L'identification n'est pas supportée par cette interface."
#: netstuff.c:691 msgid "There are no unassigned interfaces on your system." -msgstr "Aucune interface assignée sur votre système." +msgstr "Aucune interface assignée à votre système."
#: netstuff.c:732 #, c-format @@ -345,11 +347,11 @@ msgstr "Confirmez-vous la suppression de l'interface assignée %s ?"
#: netstuff.c:755 msgid "Select network driver" -msgstr "Selectionnez le pilote réseau" +msgstr "Choisir le pilote réseau"
#: netstuff.c:755 msgid "Set additional module parameters" -msgstr "Régler des paramètres supplémentaires du moduie" +msgstr "Régler des paramètres supplémentaires du module"
#: netstuff.c:762 msgid "Loading module..." @@ -357,7 +359,7 @@ msgstr "Chargement du module..."
#: netstuff.c:777 msgid "Unable to load driver module." -msgstr "Incapable de charger le module du pilote" +msgstr "Ne peut pas charger le module du pilote"
#: netstuff.c:780 msgid "Module name cannot be blank." @@ -369,7 +371,7 @@ msgstr "Arrêt du réseau..."
#: networking.c:115 msgid "Restarting network..." -msgstr "Re-démarrage du réseau..." +msgstr "Redémarrage du réseau..."
#: networking.c:146 msgid "No GREEN interface assigned." @@ -437,7 +439,7 @@ msgstr "Réglages DNS et Passerelle"
#: networking.c:260 msgid "When configuration is complete, a network restart will be required." -msgstr "A l'issue de la configuration un redémarrage de la couche réseau est nécessaire." +msgstr "A l'issue de la configuration, un redémarrage de la couche réseau est nécessaire."
#: networking.c:267 #, c-format @@ -445,11 +447,14 @@ msgid "" "Current config: %s\n" "\n" "%s" -msgstr "Configuration actuelle: %s\n\n%s" +msgstr "" +"Configuration actuelle : %s\n" +"\n" +"%s"
#: networking.c:268 msgid "Network configuration menu" -msgstr "Menu de configuration Reseau" +msgstr "Menu de configuration Réseau"
#: networking.c:269 networking.c:520 networking.c:642 msgid "Done" @@ -457,12 +462,8 @@ msgstr "Terminé"
#: networking.c:300 #, c-format -msgid "" -"Select the network configuration for %s. The following configuration types " -"list those interfaces which have ethernet attached. If you change this " -"setting, a network restart will be required, and you will have to " -"reconfigure the network driver assignments." -msgstr "Choisir la configuration réseau pour %s. Les types de configuration suivants énumèrent les interfaces ethernet connectées. Tous changements dans le paramétrage nécessitent une reconfiguration de la couche réseau et des pilotes associés." +msgid "Select the network configuration for %s. The following configuration types list those interfaces which have ethernet attached. If you change this setting, a network restart will be required, and you will have to reconfigure the network driver assignments." +msgstr "Choisir la configuration réseau pour %s. Les types suivants correspondent aux interfaces Ethernet connectées. Tout changement dans le paramétrage nécessite une reconfiguration de la couche réseau et des pilotes associés."
#: networking.c:307 #, c-format @@ -470,27 +471,33 @@ msgid "" "Not enough netcards for your choice.\n" "\n" "Needed: %d - Available: %d\n" -msgstr "Pas assez d'adaptateurs réseaux pour votre choix.\n\nAttendu: %d - Disponible: %d\n\n" +msgstr "" +"Pas assez d'adaptateurs réseaux pour votre choix.\n" +"\n" +"Attendu: %d - Disponible: %d\n" +"\n"
#: networking.c:359 msgid "" "Configure network drivers, and which interface each card is assigned to. The current configuration is as follows:\n" "\n" -msgstr "Configuration des pilotes réseaux et des interfaces associées aux adaptateurs réseaux. La configuration est la suivante:\n" +msgstr "La configuration des pilotes réseaux et des interfaces associées aux adaptateurs réseaux est la suivante :\n"
#: networking.c:408 msgid "Do you wish to change these settings?" -msgstr "Voulez-vous changer ces paramètres?" +msgstr "Voulez-vous changer ces paramètres ?"
#: networking.c:447 msgid "Restarting non-local network..." -msgstr "Redémarrage du réseau distant ..." +msgstr "Redémarrage du réseau distant..."
#: networking.c:464 msgid "" "Please choose the interface you wish to change.\n" "\n" -msgstr "S'il vous plaît, choisissez l'interface que vous voulez changer.\n\n" +msgstr "" +"Veuillez choisir l'interface que vous souhaitez changer.\n" +"\n"
#: networking.c:519 msgid "Assigned Cards" @@ -502,26 +509,20 @@ msgstr "Enlever"
#: networking.c:556 networking.c:649 #, c-format -msgid "" -"If you change this IP address, and you are logged in remotely, your " -"connection to the %s machine will be broken, and you will have to reconnect " -"on the new IP. This is a risky operation, and should only be attempted if " -"you have physical access to the machine, should something go wrong." -msgstr "Si vous changez cette adresse IP et si vous êtes connecté à distance alors votre accès à la machine %s sera rompu et il vous sera nécessaire de vous reconnecter à la nouvelle adresse IP. C'est une situation dangereuse qui ne doit être tentée que si vous avez accès physiquement à l'ordinateur afin d'éviter une complication inattendue." +msgid "If you change this IP address, and you are logged in remotely, your connection to the %s machine will be broken, and you will have to reconnect on the new IP. This is a risky operation, and should only be attempted if you have physical access to the machine, should something go wrong." +msgstr "Si vous changez cette adresse IP et si vous êtes connecté à distance alors votre accès à la machine %s sera rompu et il sera nécessaire de vous reconnecter à la nouvelle adresse IP. C'est une situation dangereuse qui ne doit être tentée que si vous avez accès physiquement à l'ordinateur afin d'éviter une complication inattendue."
#: networking.c:641 msgid "Select the interface you wish to reconfigure." -msgstr "Selectionnez l'interface que vous souhaitez reconfigurer." +msgstr "Choisir l'interface que vous souhaitez reconfigurer."
#: networking.c:729 msgid "Default gateway:" -msgstr "Passerelle par defaut" +msgstr "Passerelle par défaut :"
#: networking.c:744 -msgid "" -"Enter the DNS and gateway information. These settings are used only with " -"Static IP (and DHCP if DNS set) on the RED interface." -msgstr "Saisir les informations relatives au DNS et à la passerelle. Ces paramètres sont utilisés dans la cas d'une configuration statique de la couche IP (et DHCP pour le DNS) sur l'interface ROUGE." +msgid "Enter the DNS and gateway information. These settings are used only with Static IP (and DHCP if DNS set) on the RED interface." +msgstr "Saisir les informations relatives aux DNS et à la passerelle. Ces paramètres sont utilisés dans le cas d'une configuration statique de la couche IP (et DHCP pour le DNS) sur l'interface ROUGE."
#: networking.c:773 msgid "Default gateway" @@ -532,9 +533,8 @@ msgid "Secondary DNS specified without a Primary DNS" msgstr "DNS secondaire spécifié sans DNS primaire"
#: passwords.c:33 -msgid "" -"Enter the 'root' user password. Login as this user for commandline access." -msgstr "Entrez le mot de passe pour le super-utilisateur 'root'. Se connecter avec celui-ci pour les accès en ligne de commande." +msgid "Enter the 'root' user password. Login as this user for commandline access." +msgstr "Saisir le mot de passe du super-utilisateur 'root' permettant de se connecter en ligne de commande."
#: passwords.c:38 passwords.c:61 msgid "Setting password" @@ -542,18 +542,16 @@ msgstr "Configuration du mot de passe"
#: passwords.c:38 msgid "Setting 'root' password...." -msgstr "Paramétrage du mot de passe pour le super-utilisateur 'root' ..." +msgstr "Paramétrage du mot de passe pour le super-utilisateur 'root'..."
#: passwords.c:39 msgid "Problem setting 'root' password." -msgstr "Problème lors du paramétrage du mot de passe pour le super-utilisateur 'root' ..." +msgstr "Problème lors du paramétrage du mot de passe pour le super-utilisateur 'root'..."
#: passwords.c:53 #, c-format -msgid "" -"Enter %s 'admin' user password. This is the user to use for logging into the" -" %s web administration pages." -msgstr "Saisir le mot de passe %s pour l'utilisateur 'admin'. Cet utilisateur est nécessaire pour se connecter aux pages web %s d'administration." +msgid "Enter %s 'admin' user password. This is the user to use for logging into the %s web administration pages." +msgstr "Saisir le mot de passe %s de l'utilisateur 'admin' nécessaire à la connexion aux pages web d'administration %s."
#: passwords.c:60 #, c-format @@ -563,28 +561,28 @@ msgstr "Paramétrage du mot de passe %s pour le compte utilisateur 'admin'..." #: passwords.c:62 #, c-format msgid "Problem setting %s 'admin' user password." -msgstr "Problème rencontré lors de mise en place du mot de passe %s pour l'utilisateur 'admin'." +msgstr "Problème rencontré lors de la saisie du mot de passe %s pour l'utilisateur 'admin'."
#: passwords.c:76 msgid "Password:" -msgstr "Mot de passe" +msgstr "Mot de passe :"
#: passwords.c:77 msgid "Again:" -msgstr "Encore" +msgstr "Confirmer :"
#: passwords.c:95 msgid "Password cannot be blank." -msgstr "Le mot de passe ne doit pas être vide" +msgstr "Le mot de passe ne doit pas être vide."
#: passwords.c:102 msgid "Passwords do not match." -msgstr "Les mots de passe de correspondent pas." +msgstr "Les mots de passe ne correspondent pas."
#: passwords.c:109 msgid "Password cannot contain spaces." -msgstr "Le mot de passe ne doit pas contenir des espaces" +msgstr "Le mot de passe ne doit pas contenir d'espaces"
#: timezone.c:77 msgid "Choose the timezone you are in from the list below." -msgstr "Choisir le fuseau horaire adéquate dans la liste suivante. " +msgstr "Choisir le fuseau horaire approprié dans la liste suivante."
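Review bot: In src/scripts/update-ids-ruleset the failure branch of `&IDS::downloadruleset()` calls `exit 0` after `&IDS::lock_ids_page()` has already run and without calling `&IDS::unlock_ids_page()`, so a failed download leaves the IDS page locked; unlock before exiting on that path. All three error paths (offline, disk space, download failure) also exit with status 0, so the caller cannot tell a failed update from a successful one; a non-zero status on failure would help. The script then calls `&IDS::oinkmaster()` and reloads Suricata without any visible check that the ruleset was processed successfully, which is worth confirming against ids-functions.pl. Minor: the comment "Check if enought free disk space is availabe." has two typos.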
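Review bot: In src/setup/po/fr.po the new msgstr for netstuff.c:691, "Aucune interface assignée à votre système.", still says the opposite of its msgid "There are no unassigned interfaces on your system."; it should read "Aucune interface non assignée". The hostname.c:58 msgstr was edited but keeps the typo "trais d'union" (should be "traits d'union"), and "(mns)" in dhcp.c:54 and dhcp.c:55 replaces "(mins)" with a non-standard abbreviation where "min" is the usual one. Several strings no longer match the punctuation or line endings of their msgid: networking.c:359 ends in one `\n` where the msgid ends in two, networking.c:307 has one more trailing `\n` than its msgid, passwords.c:39 ends in "..." where the msgid ends in ".", and domainname.c:42 gains a full stop the msgid does not have. The rewrapped msgid lines (main.c:175, networking.c:300 and others) should come from regenerating the catalogue rather than hand edits, so they stay in step with the .pot file.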
hooks/post-receive -- IPFire 2.x development tree