From: Arne Fitzenreiter <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, core131, created. e7a52c52d109e044bcce0ca52eb0b5a94c2ec03a
Date: Sat, 20 Apr 2019 17:03:04 +0100 [thread overview]
Message-ID: <20190420160305.7652384FDAF@people01.i.ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 145318 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core131 has been created
at e7a52c52d109e044bcce0ca52eb0b5a94c2ec03a (commit)
- Log -----------------------------------------------------------------
commit e7a52c52d109e044bcce0ca52eb0b5a94c2ec03a
Merge: 08639bc2a 9e65aa9ed
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sat Apr 20 17:35:54 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 08639bc2a90ca945e710f5ca13556a50458f0056
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sat Apr 20 17:21:03 2019 +0200
kernel: update 4.14.113
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 5fa063f8590dcd85867935fd6d1a6bd570ac61c6
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Wed Apr 17 22:30:19 2019 +0200
kernel: update to 4.14.112
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 26dc79a6fe16c83c5b57f4b6c7c3f73281a03d6c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 17 21:24:25 2019 +0100
suricata: Do not let oinkmaster be too verbose
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e96adc77972108de9cb8b4b6c0f7fbad07b76035
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 17 20:59:55 2019 +0100
suricata: Redirect oinkmaster output to perl function
The output was written to stderr before and landed in apache's
error log where we do not want it.
Fixes: #12004
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 9e65aa9ed6d7a3a489c58a6f966eac34972c68f8
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 17 19:15:44 2019 +0100
Revert "hostapd: Always enable 80 MHz channel width for 802.11ac"
This reverts commit c31c8078cffcf3f933f567cb02a366ceedd6d5da.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit c25a386523c305615641a1810bcc3b009bc3cf07
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 17 07:38:27 2019 +0100
unbound: Drop unused function
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 64aed99df6ba3b057c35ebb6b9278a13ae5e575d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 17 05:16:05 2019 +0100
suricata: Change runmode to workers
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e91c83490be8d248796d50b0c9bca3976199551c
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Tue Apr 16 18:05:18 2019 +0200
wireless-regdb: update to 2019.03.01
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit fea27a56f7ef299fa2793971ef6e49f3a423fdc3
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Apr 16 13:23:17 2019 +0100
haproxy: Backup certificates, too
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 175f5c060ea8b967bc3020b376385d5b71116e92
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Apr 16 13:22:10 2019 +0100
backup: Allow passing name of tarball for creation/restore
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 820b2909825479b52696886d1f9054c0f709d3f0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 23:32:57 2019 +0100
Move IPS to a higher position in the Firewall menu
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 0851afba33bf8f1a4562a7e755bec5af23d4d03e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 23:24:28 2019 +0100
remote.cgi: Move SSH Agent Forwarding to the top
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5e39f3c08a4a6e9f402b18c267fe82595cb0596b
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 23:22:14 2019 +0100
sshctrl: Fix syntax of generated sed command
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e8b389e0f0a88f064c192305e8bbbc366300af24
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 23:02:57 2019 +0100
core131: Ship PTR changes in hosts.cgi
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 316d14c43ad3b0b27cfa6984d8253e8f9255a87c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 23:00:25 2019 +0100
Update list of contributors
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 6874a5765b887b51e324e1afbddc4516d66a710f
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 18:04:00 2019 +0000
Unbound: do not generate PTR if the user requested not to, do so
Partially fixes #12030
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5b2ec053c25b80843958864d4305b3108b55dd3c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 22:58:35 2019 +0100
Update translations
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit c3c2ae4475a0e99a6163027405a45a1e2b4fa8b6
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 18:04:00 2019 +0000
add option for selective PTR generation on hosts.cgi
In some cases, it might be useful to create an additional
host (i.e. for round robin loadbalancing) without assigning
another PTR to the IP address specified.
This patch introduces the ability to check or uncheck
PTR generation for each host individually.
Partially fixes #12030
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 32e7b93c284fe02450e28f431453621537214a03
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 21:59:41 2019 +0100
udev: Rename interfaces when MACs are uppercase
The script relied on the configuration being in lowercase.
If people manually editied their configuration file they might
not have paid attention to this and therefore this script now
also accepts uppercase MAC addresses.
Fixes: #12047
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit dccbdf5b97130f72b4d0bb26d962ffcda8121a51
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Apr 12 17:59:21 2019 +0100
suricata: Take as much off of the CPU as possible
https://suricata.readthedocs.io/en/suricata-4.1.3/performance/high-performance-config.html
This will compile the ruleset as efficient as possible and
allows the IPS to run faster on smaller systems.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 2c44da1382dfffb311b15250b9e02784b826dff2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 10:29:56 2019 +0100
core131: Ship updated setup
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 0d34a479c878cd775e541601b2a72238eb3f7546
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Apr 12 18:21:01 2019 +0200
ids.cgi: Display oinkcode section after page load when neccessary.
Fixes #12048.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d51d3c5b93886a66b75388d029e35eb07d9b06eb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Apr 12 17:36:54 2019 +0100
IPS logging: Fix date comparison for last entry
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 2eb0c326da2196c56f6f955bf5371e5d8c7ca9db
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Apr 12 17:33:39 2019 +0100
IPS logging: There is no distinguation between suricata & snort required
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 19c066b602a12fcce601cfa2350b0d83b231717c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Apr 12 17:32:02 2019 +0100
IPS logging: Fix reading date
The CGI script only compares mm/dd and does not care about the year.
Suricata, however, logs the year as well which has to be ignored here.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit a32c219fa4642127a97050bf5af60a03e4e5c2f8
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 11 07:55:36 2019 +0100
zabbix_agentd: Bump package version
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 41b7369f8078d5dc4998483fa005b2f8e3b89624
Author: Alexander Koch <ipfire(a)starkstromkonsument.de>
Date: Wed Apr 10 20:33:31 2019 +0200
zabbix_agentd: Bugfix for /etc/sudoers.d/zabbix.user
Files containing an '~' or '.' are ignored by sudo when placed in the includedir /etc/sudoers.d This makes the file useless. The file is renamed to "zabbix" instead of "zabbix.user" to fix this.
See: https://www.sudo.ws/man/1.8.13/sudoers.man.html#Including_other_files_from_within_sudoers
Signed-off-by: Alexander Koch <ipfire(a)starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 854b63c42af8f82106b587dc43945ad848f8994e
Author: Alexander Koch <ipfire(a)starkstromkonsument.de>
Date: Wed Apr 10 20:33:30 2019 +0200
zabbix_agentd: update to 4.2.0
Relase Notes: https://www.zabbix.com/rn/rn4.2.0
Signed-off-by: Alexander Koch <ipfire(a)starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit a45bfbf1c5a8a7c10ad4bdcb5ed559ed38a796c5
Author: Stéphane Pautrel <stephane.pautrel(a)gmail.com>
Date: Thu Apr 11 03:47:44 2019 +0100
installer+setup: Update French translation
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3e11f8257dfe003aaad20d7ca73e3bc831131a96
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Thu Apr 11 07:34:14 2019 +0200
make.sh: fix syntax error
i have merged master>next and not deleted this line.
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit d27675b08175ed7969d842fdc64f157797911faa
Merge: a2907cdd9 ee82349a0
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Thu Apr 11 07:31:11 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit a2907cdd9fba3a6ce6af8cc75c656daf1fa43dc0
Merge: 4f30ce49b d01d68913
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Thu Apr 11 07:30:26 2019 +0200
Merge remote-tracking branch 'origin/master' into next
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit ee82349a0ea00866d731936e769fab9441690932
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Apr 8 20:20:18 2019 +0200
convert-snort: Re-order steps at end of script
This will ensure that the whole IDS is configured property, if
no or an empty snort config file is present.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e4bc9b8b6fa0cc0d67d2f698e2bdd5d41af49f05
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Apr 8 20:02:53 2019 +0200
convert-snort: Fix logic for detecting enough free disk space.
The subfunction only will return something if the check fails - so the logic
of the if statement was wrong set and the downloader only was called if
this check failed and to less diskspace would be available.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ee53381ab167b195d2d4d94da3d2a3d4a024288d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 8 20:53:47 2019 +0100
core130: Ship SSH Agent Forwarding changes
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f9de28e6f0ca455aacca3b0fc30722b88d542630
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 16:35:00 2019 +0000
change AllowAgentForwarding in SSHD configuration if, necessary
Fixes #11931
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e918b62ae223b31f459ca5843d291532f5188faf
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 16:35:00 2019 +0000
allow SSH agent forwarding to be configured via WebUI
Fixes #11931
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e1f6dfcbbc3c34130027ffe113488f5f3d9c9557
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 8 16:34:00 2019 +0000
add language strings for SSH agent forwarding settings
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 4f30ce49b3c2375d52e7358d12a6235c3e35997d
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Mon Apr 8 21:49:20 2019 +0200
rename core130 -> core131
we need to insert a core update to fix urgent bugs
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit f2afd5e70dc1c95c13aa75b0acf3da072d714af8
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Mon Apr 8 21:47:23 2019 +0200
kernel: update to 4.14.111
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 47204d12f1387502612e8a66b4a1a8a853e33ebf
Merge: 5f9bf17d7 918ee4a4c
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Mon Apr 8 21:47:12 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 918ee4a4cf5bb8d2a3ade16aac0dd643215c47e2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 8 16:41:24 2019 +0100
strongswan: Manually install all routes for non-routed VPNs
This is a regression from disabling charon.install_routes.
VPNs are routing fine as long as traffic is passing through
the firewall. Traps are not propertly used as long as these
routes are not present and therefore we won't trigger any
tunnels when traffic originates from the firewall.
Fixes: #12045
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5f9bf17d76e43b1ee0bb4b880a9aa001844e4d4a
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Mon Apr 8 16:18:00 2019 +0200
core130: update pakfire database after version change
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit c557356ea4878f7f6d0d9431246bfc8e75018672
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 8 11:56:58 2019 +0100
core130: Ship perl-Net-SSLeay
This was still using the old version of OpenSSL.
Instead of linking the module (which we should have found earlier)
the module uses dlopen :(
Fixes: #12044
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 0265f51e9f5b2635e9df6243f913d6043cde0af6
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Apr 7 18:19:50 2019 +0200
core130: remove lm_sensors config
the sensor search has to redone after boot the new kernel.
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit ca7af382032b3542584fb07b3fabe3976063e551
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Apr 7 17:24:46 2019 +0200
core130: ship setup binary
The setup contain a IPFire version string.
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 44b0afe0298941eaeca862ad14c0f965103e158c
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Apr 7 17:13:43 2019 +0200
core130: ship pakfire version update
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 83c956c3c8d0bc60c2c6fa23f53bd68f6ac6d3ff
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Apr 7 17:01:08 2019 +0200
core130: add kernel to updater
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit f40cd26de2a0353fca1fdee407cfce153b16c76d
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Sat Apr 6 06:04:00 2019 +0000
Postfix: update to 3.4.5
See http://www.postfix.org/announcements/postfix-3.4.5.html for
release notes.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ee44d509b61eea858e38e8a4f1f57db6f9940cf3
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Fri Apr 5 21:55:12 2019 +0200
wget: Update to 1.20.3
For details see:
https://fossies.org/linux/wget/ChangeLog
Excerpt from "NEWS":
"2019-04-05 Tim Ruehsen <tim.ruehsen(a)gmx.de>
Fix a buffer overflow vulnerability
* src/iri.c(do_conversion): Reallocate the output buffer to a larger
size if it is already full"
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f903d3a6f0c4a3f2e5251fda7ea2d1b788606294
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 22:01:54 2019 +0100
suricata: Disable CPU affinity
Benchmarks have shown, that this is making the IPS slower
across various hardware
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit aa20f1b27727e8ed3d3d164eb3a66faa4ea0d4a4
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Fri Apr 5 07:46:34 2019 +0200
kernel: update to 4.14.110
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit aab33d48450aedf20409fe187f573d74eb60f95d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 09:05:25 2019 +0100
core130: Do not search for sensors on AWS
This causes some i2c drivers to load and tons of error messages
being created in syslog. So we skip searching for any sensors
that do not exist.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ab79dc43bf66f66b0c34a10158d46e4727d4df6a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 11:52:30 2019 +0100
vpnmain.cgi: Set MTU to a default when editing an old connection
This field is required and therefore we need to initialize it
for old connections. Right now, the CGI throws an error message
when editing an existing connection without the MTU being filled
in.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit aeecc7ae1025f93bae421c13cf05c612bd3e6241
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 02:07:16 2019 +0100
core130: Ship updated wget
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7dd81936843944f0bd6fa35b95532bc0039b578f
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Thu Apr 4 09:43:50 2019 +0200
wget: Update to 1.20.2
For details see:
https://fossies.org/linux/wget/ChangeLog
Excerpt from "NEWS":
* Changes in Wget 1.20.2
** NTLM authentication will retry under certain cases
** Fixed a buffer overflow vulnerability"
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 0ce95859da727188019a95d855a3053ce2bf8985
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 02:06:41 2019 +0100
core130: Ship updated nettle
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit a4cc65bc4866583be8c625c33f20d7429a25a400
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Thu Apr 4 09:37:25 2019 +0200
nettle: Update to 3.4.1
For details see:
https://fossies.org/linux/nettle/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit c95ba2bbcc0b6c0b037f058a4395027f93dc093a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 02:05:52 2019 +0100
core130: Ship updated GnuTLS
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 34bbcff61f2de1fa76e4be20371d276f304277da
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Thu Apr 4 09:31:00 2019 +0200
gnutls: Update to 3.6.7.1
For details see:
https://lists.gnupg.org/pipermail/gnutls-help/2019-March/004497.html
Please note:
A few days after the "3.6.7" release, "3.6.7.1" came out.
See:
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/
But the compressed directory version is still versioned 3.6.7.
Because of this, the fourth (sub)-version number required some lfs adjustments.
And:
This version requires "nettle 3.4.1", which is sent in another commit.
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ef1cb80375ca736b2aca12f2bbba2b5ffe7216de
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 02:04:28 2019 +0100
core130: Ship updated apache
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5f2e713ec888dfbbcdb609ee61e846c060ded96c
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Thu Apr 4 09:15:00 2019 +0200
apache: Update to 2.4.39
For details see:
http://mirror.checkdomain.de/apache//httpd/CHANGES_2.4.39
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 72995596119e76e1c41395f21c097643bff44be6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Apr 4 02:00:29 2019 +0100
freeradius: Fix extra whitespace
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit df95c62f3a26a71c41610df0ad49a590dc3abbb8
Merge: 94f89b821 0e54ca260
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Wed Apr 3 21:53:22 2019 +0000
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 94f89b821e0307f69bd99b19ca895219d779fabc
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 3 21:52:04 2019 +0000
freeradius: handle special LDFLAGS to configure
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 0e54ca260288079e008393a1d2fc5cc8b9cdb7e7
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 3 00:42:19 2019 +0100
pcengines-apu-firmware: New package
This package ships the latest BIOS for PC Engines APU boards.
With help of the firmware-update package, this can be very easily
updated when running IPFire.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 2aca6aa061c2f680b46aea2dbeb36e4678ed57a3
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 3 00:33:44 2019 +0100
firmware-update: New package
This is a script that can update firmware on PC Engines APU systems
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 82d176d33bc2839ea31028b9f7dfb6d60f3860af
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Apr 3 00:26:13 2019 +0100
flashrom: New package
This is required to flash firmware
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 48d3cde9cec7add38fb3c62dd66079c5b2fec5aa
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 1 21:58:23 2019 +0100
kernel: Disable some debugging in expactation to increase performance
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 474a6a59785123b7cdd645447f43c52307a6f6ba
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 1 21:55:03 2019 +0100
kernel: Enable strict checks for /dev/mem
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 4038d70b768910c5dc5b2ce2c09e3e5b687064dd
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 1 21:35:56 2019 +0100
freeradius: Fix build on armv5tel
Reported-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 84fca55b3373f5acc3821b6a8e050bce89b679e8
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 1 16:53:50 2019 +0100
Update translations
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d38f3eed08d71343cc16de61373860e5aa7efcfd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Apr 1 17:32:34 2019 +0200
IDS: Rename sourcefire VRT rulesets to Talos VRT rulesets
Fixes #12019
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 78c8fe06a5841101c04c7a8e9f1117501f5fd6fc
Merge: d00d788be 56f4ba9b0
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Mar 31 18:36:44 2019 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 56f4ba9b017008584c132fdcca41557002a1d8f3
Author: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
Date: Sun Mar 31 13:29:45 2019 +0100
Update borgbackup to version 1.1.9
Fixes: #12016
Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d00d788be47b9c17bc792be2c90d4c81a3ced544
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Mar 31 11:46:34 2019 +0200
kernel: update to 4.14.109
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 3005eb2234e5875389011d247785909d5f044c74
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sat Mar 30 16:56:56 2019 +0100
kernel: update user regd patch from openwrt
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit c955ae653ae8421621c49092fd3057ed99e0a4b1
Merge: 9f52e3506 c31c8078c
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sat Mar 30 16:55:35 2019 +0100
Merge remote-tracking branch 'ms/dfs' into next
commit 9f52e35066b3fa8603e85784b7ede0532afc66e6
Author: Erik Kapfer <ummeegge(a)ipfire.org>
Date: Fri Mar 29 10:44:43 2019 +0100
freeradius: Update to version 3.0.18
Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 10945e38f36893cba8f6c28c8756fa8741c08118
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Wed Mar 27 20:54:10 2019 +0100
clamav: Update to 0.101.2
For details see:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
"ClamAV 0.101.2 is a patch release to address a handful of security related bugs."
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b666975ec292fec239aa6023dc79abf5538c9d95
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 28 12:51:06 2019 +0000
unbound-dhcp-leases-bridge: Replace leases file atomically
When there is a large number of leases, writing the file may
take a long time. When unbound is re-reading its configuration
in that time, the file might syntactically incorrect.
This change writes the file first and then moves it
to the right place in one transaction.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 35cdc506b06ed2e5fc8f7ad7fe57239eaadbda58
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 26 21:58:01 2019 +0000
suricata: Enable CPU affinity
This will tie the detection threads to a certain CPU and
slightly increases throughput on my system.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 4d093b810552339a6a7df774412c8e144f799331
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 26 21:18:45 2019 +0000
suricata: Tie queues to a CPU core
This should improve performance by a small margin
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit effa44650ebc227d99a3781ba962e015a3430d3a
Author: Erik Kapfer <ummeegge(a)ipfire.org>
Date: Tue Mar 26 07:15:16 2019 +0100
nginx: Update to 1.15.9
Fixes #12023 .
Added support for http2.
Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 2547e73e6b1c2e24e631140f328eeb49deddb6f9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 22 07:28:23 2019 +0000
freeradius: Bump version because package is linked against old version of OpenSSL
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3657df4ea3b74b9aa7bc631106b2e3684a0bfe72
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 22 03:28:23 2019 +0000
DHCP: Remove double colon
In some languages, there were double colons in the DNS Update section
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit abe21498524bce327404febe644b1361267d0957
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 22 02:58:57 2019 +0000
GeoIP: Do not crash when locations database does not exist
Fixes: #12021
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d4767896cb27880c2e042ffd49bdbcf7b99a2c64
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 21 20:50:30 2019 +0000
make.sh: Build libedit very early
Many packages can make use of this
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3210e92212b70ab886fe31847c6397a273e784e6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 21 20:48:39 2019 +0000
core130: Ship updated lua
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 6bc94afa0d36ecaa4691eaa4dbefa4322861893f
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Sun Mar 24 18:34:37 2019 +0100
lua: Update to 5.3.5
For details see:
http://www.lua.org/bugs.html
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 67b943c18a36aa9801684ca85ac3390292651e87
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 21 20:39:51 2019 +0000
core130: Ship rrdtool and collectd
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b3a7120c1556bd060caf894fa0b4a5084fc7436a
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Sun Mar 24 18:21:20 2019 +0100
rrdtool: Update to 1.7.1
Disabled 'lua' because otherwise building failed.
I didn't find any place or reason where 'lua' was used by 'rrdtool', so it
was deactivated.
Disabling had no noticeable effects by now. Running.
Please note:
'/usr/lib/collectd/rrdcached.so' and '/usr/lib/collectd/rrdtool.so' have to
be updated, too.
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b6c60092db15360cd51091b9f5bcff637ee2ea7c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 22 15:22:43 2019 +0000
openvpn: Remove subnet check for static pools
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit fd0b2742bf217cbacacd4725a2bd9ad4ec1b6aaf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 18 04:38:41 2019 +0000
dnsdist: Update to 1.3.3
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit aac6015042e28730982d643425f768f46dc9c603
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 18 02:54:37 2019 +0000
dnsdist: Install some symlinks to start the service
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5b8ff1ccb6506942485ff221e13d163691109a6c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 18 02:54:15 2019 +0000
dnsdist: Add backup include
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit af2dc11c921062608c4537368885eb195f54c177
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 16 23:09:11 2019 +0000
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b60fd7a3e2640d7da41a3bdb875669c302849acc
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Mar 18 20:33:28 2019 +0100
Core 130: Remove files after convert-snort has been launched
The converter requires /etc/snort/snort.conf to grab the used rule files
(categories). After all settings have been converted, we are fine to delete all
snort related files, because none of them is needed anymore.
Also the /var/ipfire/snort directory needs to be deleted. If it will be left on the
system and at any later time a backup will get restored, the converter will be
started by the backup script, because it detects that a snort settins dir exists
and would be restore the old snort settings and replaces all current IPS settings.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ceaf0ef0087abb09e9cca1677c67776cf76ce417
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 18 17:26:16 2019 +0000
dnsforward.cgi: Add DNSSEC option to legend
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 08ded6035f61ed97e3a122dc1832703084b72f86
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 18 15:35:29 2019 +0000
dnsforward.cgi: Check DISABLE_DNSSEC checkbox when editing
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3b521c724f09a45e09ac9228d8b65df0d8bd13a7
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 18 15:24:56 2019 +0000
ipsec-interfaces: Apply static routes (again) after creating IPsec interfaces
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit c31c8078cffcf3f933f567cb02a366ceedd6d5da
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 13 18:37:28 2019 +0100
hostapd: Always enable 80 MHz channel width for 802.11ac
This is mandatory to support by all hardware and works well.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 70a7c454af4a6a9ef7245def2f77119520de85af
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 13 18:24:01 2019 +0100
hostapd: Automatically disassociate any clients with high error rates
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 30c33cb318cc399b32c9c06d99e88c52ba957ea9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 13:07:11 2019 +0000
kernel: Enable debugging for Atheros drivers
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 62bf7bd2b2cba74cd7838014cdf3380611690d60
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 8 11:05:26 2019 +0000
kernel: Enable DFS support for ath*k drivers
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 57521504a89e792336f55e893564a000bfe4b1d7
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 16 12:34:19 2019 +0000
hostapd: Bump package version
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5b4464a94478059ceebf266bc31dee4a4ba18fac
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Sat Mar 16 14:20:00 2019 +0000
hostapd: make client isolation configurable via WebUI
hostapd supports client-isolation, but this feature could
not be configured via the WebUI so far. Since it might be
desired in public wireless networks, or even private ones,
it makes sense to provide a radio button to let the user
decide on.
Fixes #11974.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit a10b0e5b448bf7e4a9bcc334e177ddae09806dc7
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Fri Mar 15 17:00:00 2019 +0000
ensure Tor daemon files have correct permissions
Set permissions for /var/lib/tor and /var/ipfire/tor to
tor:tor, regardless whether Tor user has been created before
or not.
This ensures Tor starts properly on existing systems after
reinstallation of the add-on. Thanks to Michael for the hint.
Further, a comment for new Tor user in /etc/passwd has been added.
Fixes #11779.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit a46903cce3863923838c5cc0721f4932adf2175d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 16 12:32:10 2019 +0000
core130: Ship updated unbound
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 6f8b156bf0dcda4a1bb8ccdc8db83a54b2d7d1d0
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Fri Mar 15 19:15:19 2019 +0100
unbound: Update to 1.9.1
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-March/011415.html
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 2c703afc04448f15f9ad6b9c90be216bad256532
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 16 12:30:22 2019 +0000
core130: Ship updated ntp
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f81c2225198b894c180cf36b6ee2cd6c0ea3849d
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Fri Mar 15 19:10:11 2019 +0100
ntp: Update to 4.2.8p13
For details see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 728f3d2e8f3d26e80154236c6d67e303e1f7f3b9
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Mar 16 13:04:18 2019 +0100
suricata: Fix ownership and file permissions of files inside /var/lib/suricata.
These files needs to have nobody.nobody as owner but requires read-acces from everyone
to allow the suricata user reading-in this files during startup.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7bf5b0f22194fcb617f3e678c4a1c492b0faf01d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Mar 16 12:57:25 2019 +0100
logs.cgi/ids.dat: Fixup processing dates from logfiles which contains a year
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e1d9148b61bc973ac1fef063b58500de4d881d7e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 16 10:00:19 2019 +0000
Fix python3-yaml rootfile
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 9c4477d0f394af12f51d74e52d1a1c85cd13b289
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Mar 15 15:33:29 2019 +0100
core130: Fix another error in rootfile
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 03f68cbca90d9c1bc0b55c2f5aa4698a5d9d3eab
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 15 13:20:23 2019 +0000
core130: Fix errors in rootfile
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 710afa00c6e1441ba45f3fdda2feaf613ffd0033
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 16:52:38 2019 +0000
Update IPS translation
* Fix typos
* Fix compound nouns (especially in German)
* Remove unused strings
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit acb718b0bbfdf2b15bcc95abce2f4a7c23392362
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 14:01:45 2019 +0000
nut: Disable parallel build
nut just fails to build when running in parallel
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f9219b91a1f4648f6c2db9e3699169bb797e79c1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 13:48:25 2019 +0000
core130: Ship suricata
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3bc001dbf976a89dcf4fc15912b472073c9e45db
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 13:20:56 2019 +0000
Update contributors
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit cdfbdd1ada37183769c0b245218faff2cd300ac6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 13:20:22 2019 +0000
Update translations
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 01604708c386da93713cffadb3d5d40665f62ec9
Merge: c578cbd35 e776d33c7
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 13:19:35 2019 +0000
Merge remote-tracking branch 'stevee/next-suricata' into next
commit c578cbd35f8af09f452326ce643d13e92ddaed99
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 13:16:33 2019 +0000
core130: Ship updated firewall script
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5fc5f703470b37b43e18be66da0fb181696428a7
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Mar 11 20:07:00 2019 +0000
add IPtables chain for outgoing Tor traffic
If Tor is operating in relay mode, it has to open a lot of outgoing
TCP connections. These should be separated from any other outgoing
connections, as allowing _all_ outgoing traffic will be unwanted and
risky in most cases.
Thereof, Tor will be running as a dedicated user (see second patch),
allowing usage of user-based IPtables rulesets.
Partially fixes #11779.
Singed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 4680d554fc52813b9e2a1bae3888d0b34dfbb5ad
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Mar 11 20:07:00 2019 +0000
run Tor under dedicated user
This allows more-fine granular firewall rules (see first patch for
further information). Further, it prevents other services running as
"nobody" (Apache, ...) from reading Tor relay keys.
Fixes #11779.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b450e7e3e6f47734e7282bf37953912b9ef6c740
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Mar 14 13:15:03 2019 +0000
Start Core Update 130
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e776d33c7018a314acfb8909e9581a26d544d7e7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Mar 13 12:14:30 2019 +0100
suricata: Fix amount of listened nfqueues
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e8b1b397c1dd4b158520b8c7905cd66b864c1051
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Mar 13 10:03:48 2019 +0100
suricata: Remove unneeded stuff during build
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f717b1dc55595b4353fd7d3b44a057d282d19b62
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Mar 10 18:52:40 2019 +0100
IDS: Set owner of suricata logging directory to correct user
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit fd378b3b08f8458fd7c32e9eb0e2566de53ed02a
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Mar 10 18:50:37 2019 +0100
Rename snort user and group to suricata
This only affects new installations.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 38081b8be19b56b7298d5a01e7218b774759406c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 2 17:26:34 2019 +0000
suricata: Run as non-root user
This patch does not have any effect (yet) and is untested
because suricata needs to be built against libcap-ng which
is currently not being packaged for IPFire.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 2bec60c34725c759c98f4da276fc8149162b3397
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Mar 10 17:34:03 2019 +0100
suricata: Update to 4.1.3
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1fbf0788bf66da1b93774a19d4b0db52b0fdfc73
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Mar 10 13:27:52 2019 +0100
Move IDS/IPS menu entry to firewall section
Fixes #12011.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit b051eb68b6c12f619b1c3a76009d41ad59550b6b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Mar 3 15:10:02 2019 +0100
libcap-ng: New package
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 26c758cf4870d834dfe4d20bb2ce76f701befd61
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 2 17:18:39 2019 +0000
suricata: Drop parsers I have never heard of
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8efbd71caad61912817c5cf28974364a34dc6390
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 2 17:18:38 2019 +0000
suricata: Configure HTTP decoder
This will now scan all request and response bodies where possible
and use up to 256MB of RAM
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 96495c9aa2a46896ebb5cbbdfa5fd4b961864215
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Mar 2 17:18:37 2019 +0000
Revert "Suricata: detect DNS events on port 853, too"
This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.
It does not make any sense to try to decode the TLS connection
with the DNS decoder.
Therefore should 853 (TCP only) be added to the TLS decoder.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5d04cfe7d582bc58a4e4f9995fe5f67fcc456456
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 19:37:38 2019 +0000
suricata: Use highest bit to mark packets
We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.
Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.
Then, no other application has to worry about suricata.
Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c9ee3592f00f0edc9467643a27ba1505cc8f879a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:25 2019 +0000
suricata: Fix syntax error
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 99d75ac72e66928f5218c222b0b3fd8fbfba179f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:24 2019 +0000
suricata: Start capture first and then load rules
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 890f1bf2954328f5e811757754d815dedf6f92c1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:23 2019 +0000
suricata: Disable decoding for Teredo
This decoder is not very accurate and Teredo has been
disabled in Windows by default. Nobody will use this.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 0b340f0938e5f292f74f5f2e60b3d46d473f2096
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:22 2019 +0000
suricata: Increase memory size for the stream engine
This change also ensures that suricata has a decent number
of streams preallocated to be able to handle any bursts in traffic.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ab1444b4f4b9324e96fbb240929334b27611e12f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:21 2019 +0000
suricata: Log to syslog like a normal process
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 47cb057145c76d5faf7987de9e779bf07a029336
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:20 2019 +0000
suricata: Use up to 256MB of RAM for the flow cache
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 7eed864c93d143ef943b9f3f8bdf7b40a440cb71
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:19 2019 +0000
suricata: Use 64MB of RAM for defragmentation
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 83b576c892c82652b0b56efc200e52fd1dee30f9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:18 2019 +0000
suricata: Use the correct path for the magic database
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 0e28ea9f3e72e0f4db9274c3b7021711d0c0c258
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:17 2019 +0000
suricata: Log to syslog
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 682f1fdaca919284af877894aecd1282595c1430
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:16 2019 +0000
suricata: We do not use any IP reputation lists
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit cf976e93c419d2c268979397ec87e05a2b8b7636
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:14 2019 +0000
suricata: Allow 32MB of RAM for DNS decoding
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit fe5bd1862f2dfce5b3123ed2d2bbb5a360f1cd40
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:12 2019 +0000
suricata: Drop sections that require Rust
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit bc2cb52953c92ad9209576de316f2076cfdb4caf
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:11 2019 +0000
suricata: Drop some commented stuff from configuration
The file is really large and we should not carry anything we will
never use.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 75fba6cd248af6925d62452c15d4a21a2a7a204a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:10 2019 +0000
suricata: Drop profiling section from configuration
This is not compiled in as it slows down detection and is
only really useful for debugging
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5196d8ddbb097c4485a01a0fee58ade94b7255ac
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:09 2019 +0000
suricata: Set detection profile to high
This will merge rules more aggressively so that the engine
is only processing those that can actually match.
Memory is cheap. People with little memory should not run
suricata anyways.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9f726f8f536fb271e00c51ca7d10dac143dd3045
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:08 2019 +0000
suricata: Set default packet size to 1514
We usually use a MTU of 1500 + Ethernet header
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 16446608cbe53bcd0873ed48b907b697441d31d1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Feb 28 14:28:07 2019 +0000
suricata: Set max-pending-packets to 1024
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1f3c61b66c77898707791519b837e61b1d2e6ad0
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Fri Feb 22 20:16:00 2019 +0000
Suricata: detect TLS traffic on port 444, too
This is the default port for IPFire's administrative web interface
and should be monitored by Suricata, too.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
c: Stefan Schantl <stefan.schantl(a)ipfire.org>
Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit cc636c4741e7928276a1a5c7048b4fc0693c7f23
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 22 10:04:27 2019 +0100
convert-snort: Try to download ruleset if none is present.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5d7d8749dc005bd883e3b7d53d953f334cdea5b4
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Feb 18 13:33:41 2019 +0100
convert-snort: Set correct ownership after modify_sids_file has been generated.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d0f9526beb718ca934de9f8cea749bec4b04f3ad
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Feb 18 13:29:47 2019 +0100
ids.cgi: Add language string for ignored hosts section.
Fixes #12002.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 06f57f72309f268d4f6b3490b33912813fbf1f1e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Feb 18 10:28:13 2019 +0000
general-functions.pl: Only skip lines with a # at the beginning
This accidientially dropped all lines that include #. That resulted
in colour codes not being loaded from file any more.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 7c3b7cdcca852e4f5e5ee46b5291b8ba522535ec
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Feb 18 10:55:27 2019 +0100
ids-functions.pl: Tune rules to always monitor in both directions.
This will allow to scan the traffic from an EXTERNAL_NET to the HOME_NET and from
the HOME_NET to the EXTERNAL_NET.
Reference: 10273
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 20b4c4d863d40f4b6cc1fd68eed17d1214a05f9e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Feb 18 10:01:47 2019 +0100
suricata: Swith to "16" as repeat-mark and repeat-mask.
Marks "1-3" are used for marking source-natted packets on the
interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.
See commit: f5ad510e3c0f416a1507999f5ad20ab171df9c07
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 77c07352a58a67e88a507feba982fe0f73518f59
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 15 13:26:55 2019 +0100
Suricata: Start service on red.up event if requested
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d215f6e9809e3a7e0b7356c985803291067d923e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 15 12:39:56 2019 +0100
collectd: Stop collecting process details for snort
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 0d8cc90f4dead04de7181634377fe11115678f34
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 15 12:18:45 2019 +0100
services.cgi: Show status of suricata instead of snort
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1ef235f08dab44779d3b97854f25e234b6124cab
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 15 11:22:14 2019 +0100
logrotate: Rotate suricata logs instead of snort ones
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 78690361abbff86772850947e1dac97eecfa0648
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 14 12:37:13 2019 +0100
convert-snort: Always create directory and filelayout
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit b09c13f1b6276885cfc457fa04896bfd7ba240e6
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 14 12:15:41 2019 +0100
convert-snort: Call subfunction to change ownership of rulestarball
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 99b2e30636aa404f9fac355fcbbbe0a2e8f84e0a
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 14 11:43:31 2019 +0100
ids-ruleset-sources: Fix rootfile
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c980ac7f2a0ba8ea08797005445328055993e31e
Merge: c1c754a12 5368ccb0f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 13 19:46:45 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit c1c754a1211fbe50b7ba5b7a25444bd34b090957
Merge: f3cbcfeff 02a8a241b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 8 09:59:31 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit f3cbcfeff9e8ce263c812a25a24c7f4f14d4a64f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 8 09:56:36 2019 +0100
libhtp: Update to 0.5.29
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 4434236e00a6e5fddbf031ca4777d2c00ad34482
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 8 09:55:46 2019 +0100
ruleset-sources: Update sourcefire rulesets to latest snapshot version
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ad99f959e2b83dd9f1275c1d385140271c8926ae
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Thu Feb 7 17:47:00 2019 +0000
Suricata: detect DNS events on port 853, too
As DNS over TLS popularity is increasing, port 853 becomes
more interesting for an attacker as a bypass method. Enabling
this port for DNS monitoring makes sense in order to avoid
unusual activity (non-DNS traffic) as well as "normal" DNS
attacks.
Partially fixes #11808
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8723bb91aeff7dbbc173c6f7b8052a76203cb0a5
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Thu Feb 7 17:41:00 2019 +0000
Suricata: enable full detection for missing protocols
These are IMAP and MSN, which can be safely enabled.
Partially fixes #11808
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 05a635ec04f1ca7ee85a1511757ef3fea28cdb5c
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Thu Feb 7 17:38:00 2019 +0000
Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports as, well
Partially fixes #11808
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5fbd7b29829caf0bcadcccd6f56ead51e2fb812e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 10:33:29 2019 +0100
ids.cgi: Format and show date of the current ruleset again
Fixes #11992
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ee7fe87ea6341f201bad78910d1055ed17560766
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 09:46:01 2019 +0100
ids.cgi: Change name of the button to apply the ruleset changes
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e8ae413a79a9c5eea8952ca42449128d79682216
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 09:02:32 2019 +0100
langs: Remove snort related and unused strings
Fixes #11993.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit dd8d6f5ee8c6262b96319b84751a73044be23e39
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 09:00:35 2019 +0100
logs.cgi/ids.dat: Do not call the IDS snort again
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5bd8940d68186e1ad2cbbb376c4bae6d512630bb
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 08:51:31 2019 +0100
ids.cgi: Improve showed messages while the IDS is working
Reference #11993
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e566e977f7605758df450c6128d1484cc5fb2a35
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 08:28:29 2019 +0100
Add german translation for "system is offline"
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9074e3d74cc931244892d306b38c298ce8dd0f2b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 08:24:15 2019 +0100
ids.cgi: Lock page while autoupdate script is running
Fixes #11991
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5206a3358d18b8ec9b1ceca3e95a56516ae7b4ab
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 08:06:49 2019 +0100
update-ids-ruleset: Lock and Unlock the IDS page during runtime
Reference #11991
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8076deba79f9bbd4e551fdfe1eb49e8a77b2c19e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 07:59:20 2019 +0100
ids-functions.pl: Add code to lock/unlock ids page while autoupdating the ruleset
Reference #11991
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5f2145eb59d3f0f7cbc70cd4f071302fd56213ea
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Feb 7 07:44:11 2019 +0100
ids.cgi: Show "Update Ruleset"-Button only if automatic updates are disabled
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f6eb1a40a00625b7a83984461242e86347e48579
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 6 15:59:02 2019 +0100
aliases.cgi: Handle suricata related actions when dealing with aliases
When working with aliases (adding/modifying/removing), the file which
contains the HOME_NET declarations needs to be re-generated and suricata
requires a restart afterwards.
Fixes #11990
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8117fff863431671939d5aa1c11c0a84e56298a2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 6 15:23:46 2019 +0100
IDS: Call helper script when red interface gets up
The helper script will be automatically called when the red interface gets up
and will re-generate the HOME_NET file, to take care if the IP-address of this
interface has changed.
Fixes #11989
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d8f19ebb5accbf4e850e881fbd0be8fd9d66660c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 6 13:12:50 2019 +0100
IDS: Edit german translation for "ids oinkcode required".
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 613f58fbfa9f536d9c84bc76354f7775b3e9b57f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 6 12:49:01 2019 +0100
ids.cgi: Check if the selected ruleset requires an oinkcode
Fixes #11983
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f644a167ab06e5324c021144e08c00413472b143
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 6 12:48:08 2019 +0100
ids.cgi: Only perform actions when saving ruleset settings, if there are no error messages
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 155b3b56a8e4c8765c473b853445e2957b0b852f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 6 10:58:59 2019 +0100
ids-functions.pl: Do not send HEAD requests to sourcefire (snort.org) servers
Using this feature to fetch the size of the requested tarball is not allowed by these
servers, so skip this feature for their rulesets.
Fixes #11987
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c17a9778d62d964ac7d8e8da156ba0f08baf8748
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 6 10:00:17 2019 +0100
Revert "ids-functions.pl: Use GET method to fetch Header data of a file"
Using the GET method will download the file twice and does not provide the
desired mechanism here.
This reverts commit 81592314ebe93ae942f28a1bc9037185f155ccda.
commit 422dc4caf97696ac34b65410784f22875f3412c0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 14:34:44 2019 +0100
ids.cgi: Fix HTML formated spaces.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9e9b477d7c4fbad483f6307cf63bf475dd79141b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 14:14:11 2019 +0100
ids.cgi: Rework "Enable IPS" section
Just use one language string for a maximum of flexiblity for the
transloators.
Fixes #11986
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit af0065691c6d3fcb14c646d1ec0b9c83bdd3313d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 13:57:40 2019 +0100
suricata: Do not display messages when starting up
Fixes #11979.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit cc9057c0148cddb231be85caa4c38d4cf721f0c3
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 13:51:08 2019 +0100
ids.cgi: Change lang string from "Activate IPS" to "Enable IPS"
Reference #11986
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 318e7137e79f29574a5cc9677615a48b2a9b3e40
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 13:25:27 2019 +0100
IDS: Rename IDS strings to IPS
Reference: #11986
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 97870bf29cd93669beef30b876e21f2fed5d6405
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 12:43:49 2019 +0100
ids.cgi: Stop suricata when the rulest source has been changed
If the ruleset source has been changed, it has to be configured again.
This happens because of different rule categories, filenames rule ID's etc.
In case suricata currently is running it has to be stopped and after the configuration
has been done by the user, it can be launched again.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5709768b0bab2b860911fcad66da8e0aec5c4eaa
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 12:36:30 2019 +0100
ids.cgi: Fix downloading rules if source changed
Fix the if statement to detect wheater the ruleset has been
changed and automatically download the new one.
Fixes #11984.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit b7a9b4edc28a678cd9d2b01e0ab6304597409860
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 12:13:28 2019 +0100
ids.cgi: Update automatic download texts
Update the showed texts in the dropdown box as mentioned in the
bug report.
Fixes #11985
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 81592314ebe93ae942f28a1bc9037185f155ccda
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 12:01:43 2019 +0100
ids-functions.pl: Use GET method to fetch Header data of a file
The sourcfire web servers does not support the HEAD request so we have to do
this with a GET here.
Fixes #11987
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 4924cfdc7312ce8c31101fefebf3f0371e7cd779
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Feb 5 11:55:37 2019 +0100
ids-functions.pl: Fix show HTTP error code and message
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 067e1847dc1012316b23d7eb8dba8e25a65cd757
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Feb 1 14:34:25 2019 +0100
suricata.yaml: Add port 222 to list of SSH Ports
The SSH-server listened on port "222" as default on IPFire in the past.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit bcbc9897e392a237105fc2e12af2323804bd2a42
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jan 31 09:50:47 2019 +0100
ids-functions.pl: Grab address for RED by using get_red_address() function.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit de8e1e5b6ce6c8d82dc8e67c92af338206252dc2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jan 31 09:41:35 2019 +0100
ids-functions.pl: Add function to the the current assigned IP-address of RED.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 912d7472a86b1347f3165c1850ed05ba2b7b641f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jan 31 08:55:05 2019 +0100
ids.cgi: Automatically download ruleset if the ruleset source has been changed.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c9b07d6a0cdb54c71d5aef4a75c40d505585a0fe
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 13:43:38 2019 +0100
initscripts/suricata: Generate firewall rules on start and reload
Fixes #11978
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 23c0347ac5d386e215c56ae9fa3af97e66f1c23f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 12:04:54 2019 +0100
ids-functions.pl: Add RED address and aliases to the HOME_NET
Reference: #11981
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 77c3130174cd492f0bae12205cfd3000b9b7798c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 11:57:49 2019 +0100
ids-functions.pl: Add get_aliases()
This subfunction is used to get all configured and enabled aliases
for the RED network zone. They will be returned as an array.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d6f725e1857b19fefce67fc3bb63f7a379f549d4
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 10:57:31 2019 +0100
update-ids-ruleset: Improve error reporting if the system is offline
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e0cec9fe99c957a686182f6002185744edd8254d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 10:53:17 2019 +0100
ids.cgi: Dynamically generate SHOW/HIDE for expanding or collapsing a ruleset category
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit cf02bf2f7d23f9755a6e08383dd46fa9033d924b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 10:12:11 2019 +0100
ids.cgi: Show IDS setting area only if a ruleset is present.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 013274d7d88653e5eaf22156754f0bb8c2e3ebaa
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 10:05:14 2019 +0100
ids.cgi: Diplay reason, why a ruleset could not be downloaded, if the system is offline.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5fd2e9d64ac8363ac56bf0431ec3607e099b3f46
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 09:57:49 2019 +0100
ids.cgi: Also download the ruleset when saving the ruleset settings
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 34a3843865bfcb6c88cb10773570b96cd61363d6
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 09:42:28 2019 +0100
ids.cgi: Add dropdown option for Emergingthreats.net Pro rules.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d618d67e010e94e1ef26f2570abe9d6748e90416
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 09:39:17 2019 +0100
ids.cgi: Only show "update ruleset" button if a ruleset is present
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 674912fc3abe6283566c4e51a5360dcbf5850f36
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 09:33:47 2019 +0100
ids.cgi: Draw daemon status and setting in the same box.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 029b8ed2b1e039d216fc974db413cd5f3f718a3d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 09:27:37 2019 +0100
ids.cgi: Show/Hide subscription code area dynamically.
Dynamically (Java Script) show/hide the area for entering the
subscription code / oinkcode based on the choosen ruleset.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit bc4a2223cccc4165f213ec3520aee23b2550a4d2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jan 30 09:25:34 2019 +0100
ids.cgi: Remove help text for obtaining an oinkcode
This information is only valid for sourcefire (snort) rulesets, may
confuse users and therefore should be handled in the wiki.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 17c2c09bcc50376ef805a194eec8688a3dfcbc29
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Jan 29 12:03:37 2019 +0000
suricata: Scan outgoing traffic, too
Connections from the firewall and through the proxy must be filtered, too
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 80592396611f06069a05494da2b228aad29af72a
Author: Peter Müller <peter.mueller(a)link38.eu>
Date: Wed Jan 23 21:22:41 2019 +0100
Suricata: drop unused cuda HW acceleration
As stated in https://bugzilla.ipfire.org/show_bug.cgi?id=11808#c5 ,
Cuda hardware acceleration is unused and so the configuration file
section can be removed.
This partially addresses #11808.
Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 68699ecffff5e8c0d35883403451bec881bd33ec
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 11:23:54 2019 +0100
Revert "Add DDNS to core 107."
This reverts commit 197033fab234d4698b097fdb1b653b8ae39b1aae.
commit ca8c92108af8ed2fce390592d8bd536f9caa2458
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 09:09:11 2019 +0100
update-ids-ruleset: Set correct ownership for rulesdir and files
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 36e69d34b1a59258bf17b886db323653dac1a13d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 09:05:29 2019 +0100
convert-snort: Use set_ownership() from ids-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 4fbd88bfad631b932973321004af3e26b6ca19d5
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 09:01:20 2019 +0100
ruleset-sources: Add Emerging-Threads Pro ruleset
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9f9651e06aac68d650be585a7dd15a8a6c502d5c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 09:00:26 2019 +0100
logs.cgi/log.dat: Change search pattern from snort to suricata
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 3c59b1fab85f76f75e0b6bb89cd9c007b2416b57
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 08:58:08 2019 +0100
ids-functions.pl: Set correct ownership for the stored error file.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1fedede6a0982500847ef5d8747b5d3483991a05
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 08:50:16 2019 +0100
ids-functions.pl: Add set_ownership() function.
This function is used to change the ownership of a given file
or directory to the user "nobody" and the group "nobody", which is
used by the WUI.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8c27372438dd267648cba48b86d85a594f14be1c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 08:40:34 2019 +0100
backup.pl: Run snort to suricata converter when a backup gets restored.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 85a62b05237a4087c9b80d0efadc71b2da45abfa
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 29 08:26:15 2019 +0100
IDS: Install snort to suricata converter
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e4840020ed9962e3fac83c7a52670ed2cfd56672
Merge: 39155be80 61ee84291
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Jan 28 17:29:21 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit 39155be80547e808e859f8f4dcd93763876bff5f
Merge: 5b0b4182a d03916e55
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Jan 26 12:40:04 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit 5b0b4182a8a0f7fa17548983a4e15aeed3aa2234
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 22 15:36:00 2019 +0100
convert-snort: Settings converter from snort to suricata
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9283e9b9cf8326453086d9777b264d7e50b9660a
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Jan 22 13:25:13 2019 +0100
ids.cgi: Move and rename GenerateIgnoreList() function to ids-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c1a34012352f9eee339f78c00130807e275b05c2
Merge: b749416ad f6326e4f7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Jan 21 13:04:13 2019 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit b749416ad71126d6a05eb92b1409f097cc127617
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Jan 6 14:11:30 2019 +0100
ids-functions.pl: Downloader should reads settings from correct file
In commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda the taken settings
for the ruleset have been stored into an own file.
The Downloader now uses this file to read-in which ruleset should be used
and downloaded.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 7b6f8596edd5591a1bde21b34a7665170e5d4353
Merge: ed809cf07 f1f40274a
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Dec 28 07:36:59 2018 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit ed809cf07a5ccacc5817f682fc9103a2f52163d6
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Dec 28 07:36:19 2018 +0100
Ship update-ids-ruleset script also on x86_64 and aarch64
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 6994f00174d222a6e7dd9b812c5bebaad1e3fa3e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 26 16:33:54 2018 +0100
ids-functions.pl: Downloader now also uses upstream proxy for HTTPS
Fixes #11953
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 04a0d07c97087c9d66e09155058beacee031d627
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 26 16:05:46 2018 +0100
ids-functions.pl: Add function to get the version of suricata
The get_suricata_version() function is used to get the version
of the on the system installed version of suricata. You can
specify the how detailed the returned result should be "major" will
return only the major version, were "minor" will provide the major
and minor version (1.2 for example). All other calls will be answered
with the full version string (1.2.3).
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 2ee510888c4f4a0836ef4afe5b6e30c2b94f7ddb
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 25 20:19:12 2018 +0100
ids-functions.pl: Fix typo
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 74cc8f5a3ddafb065dffd885222246842fc8304c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 25 18:40:34 2018 +0100
ids-functions.pl: Introduce function write_modify_sids_file()
This function is used to write the corresponding file which
tells oinkmaster to alter the whole ruleset and finally
switches suricata into an IPS or IDS.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit b02e30fd81e3e095ea3cd74cb8f0b056d68e10e7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 25 18:26:21 2018 +0100
ids.cgi: Move variable declaration to ids-functions.pl
Also move some functions from the cgi file to the library file.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 53817b89c0eb5f03830777982c86c58e4c097fa6
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 24 13:19:06 2018 +0100
ids.cgi: Hack to use the correct language string for red network zone.
This hack is needed because "red" is used as "internet" in the language files
and "red1" contains the correct "red" translations.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 99b372b51d01e7c35ac6b24bea72ec9c739681c9
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 24 13:18:14 2018 +0100
ids.cgi: Colourize network zones
Colourize the network with the proper colour.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 01d02eb63bbb2142b5f154f75f028448bdd47ca5
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 24 10:03:18 2018 +0100
ids.cgi: Change RUN_MODE to MONITOR_TRAFFIC_ONLY
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Dec 23 21:06:14 2018 +0100
ids.cgi: Seperate IPS and ruleset settings
Now each of both have their own corresponding configuration areas.
The taken settings will be saved in "/var/ipfire/suricata/settings" for
all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for
ruleset related settings.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit aac8e30831b037034e932044b0ca941105f40d70
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Dec 23 21:05:37 2018 +0100
langs/en.pl: Fix typo
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ebdd0f9a90da800cc6173f6f30fb0621dddc354b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Dec 20 13:18:48 2018 +0100
ids.cgi: Prevent from starting suricata without ruleset or selected network zone
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 0a1bba1a1d3ec8995f482b291d25c84374d11085
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Dec 20 11:55:13 2018 +0100
ids.cgi: Access ruleset by its own name
This improves accessing the single rules of a rule category.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8353c3fd36c3e56861b9996c489836e4554c1ebd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 18 15:19:30 2018 +0100
ids.cgi: Allways use the whitelist
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 25b6545a6e5523d67484e15c5d8bafd941c8c9ae
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 18 15:14:08 2018 +0100
ids-functions.pl: Use temporary file in downloader.
Download the requested rules tarball into a temporay file
and if every thing is fine, replace the old by the
downloaded one.
In addition with the previously implemented file size check,
we are saved now from a corrupt rules tarball on disk.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 96da5803a77ac8cae85fc8bc37e2153a19b5ab26
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 18 14:16:13 2018 +0100
ids-functions.pl: Introduce filesize check for downloader
The downloader now requests the html header for the rulestarball
and obtain the size of the file bevore downloading it.
After success the size of the downloaded file will be compared with
the requested one before. If they do not match, an error will be gained.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1201c1e74695fffeae36ba8a8a6adfe422a53ddd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 18 14:12:52 2018 +0100
ids-functions.pl: Fix sub _cleanup_rulesdir() function
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f5ad510e3c0f416a1507999f5ad20ab171df9c07
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 17 15:04:48 2018 +0100
suricata: Use "2" as repeat-mark and repeat-mask.
The previous used "1" was already used to mark source-natted
packets.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 208cb3363fc13bc9b918aeacb26e4c98d1d963d3
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 17 15:03:10 2018 +0100
suricata: Update to 4.0.6
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a13ddf04d9b58ee469b5da6bc0dd5efb64d6ebad
Merge: 8cf04a165 58e840bd9
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 12 09:27:59 2018 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8cf04a165696c512c8c2cb1f3d282c1f0cc88787
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Oct 12 15:43:16 2018 +0200
ids-functions.pl: Rework &_cleanup_rulesdir() function
* Use a directory listing and delete the files.
* Keep files with "config" as file extension.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 4ce424884914e6ee5a721124eaec89b634c19f48
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Oct 12 15:18:38 2018 +0200
ids-functions.pl: Fix typo
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 883820bdcb24414e965bd92844bb0b9c438b312b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Oct 12 15:16:32 2018 +0200
ids-functions.pl: Call &_cleanup_rulesdir() function before calling oinkmaster.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit b59cdbeea5eb2a83ac5c0be51541c471bd1cd809
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Oct 12 15:12:10 2018 +0200
ids-functions.pl: Add private function to cleanup the rules directory.
This private function is used to remove any files which are stored in the
IDS rules directory and prevent from any old (unneeded or conflicting) files
after an update or complete change of the ruleset source.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5d3b16c6df1a83d6eacb69a32176941a1e09a157
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Oct 12 13:08:35 2018 +0200
suricata: Rootfile update
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8d087d0391b8ab441a974b4cbc84980bb6055774
Merge: 89a12b384 e3ab1962e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Oct 2 07:35:13 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit 89a12b3843d22a355adf1989e9bd823e170a2387
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Oct 1 20:14:00 2018 +0200
suricata: Set correct ownership for /var/lib/suricata
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 2d475a3c6c8e37295f97a07dcca9a6eed2dbb21f
Merge: eadad5fda 0a5823db0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 14:49:34 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
commit eadad5fda6e7a798ad63261da4629673bd88cf76
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 14:43:09 2018 +0200
ids.cgi: Add support for autoupdate of the IDS ruleset
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 6c9458342b72d5eef122e4e146872ded98751d05
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 14:42:47 2018 +0200
IDS: Update language files
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 3aadbbca38882cf6e8af2370c26234de0940a099
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 14:38:46 2018 +0200
stage2: Rootfile update for update-ids-ruleset script
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 82979dec3655138b5c8467a63fc423b30961ef9c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 14:11:31 2018 +0200
IDS: Introduce update-ids-ruleset
This script periodly will be called by fcron
and is responsible for downloading and altering
the ruleset, if autoupdate of the configured ruleset is
enabled.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ed06bc811ffe055e2dadd226d27332892f4725db
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 14:09:53 2018 +0200
ids-functions.pl: Add backend code to handle the "cron" function of suricatactrl
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 6ce504a2f2c405c7a7baab6f74be779f903d89de
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 13:54:14 2018 +0200
suricatactrl: Add "cron" command
This command allows to enable the automatic update
of the used IDS ruleset and to specify the update interval.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit dae534f2ca7172a1171d77fe6acd034591233d58
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Sep 26 13:02:28 2018 +0200
ids.cgi: Only write oinkmaster-modify-sids.conf if neccessary.
Only write to the file if the runmode of the IDS has been changed.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5508f18c012c5be264c9562b9327a41a2bebb2f8
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Sep 11 12:28:28 2018 +0200
logs.cgi/log.dat: Fix pattern to display oinkmaster related messages
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 43ab7d9c30fb24bebd716e264530d7db3e84a007
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Sep 11 12:00:31 2018 +0200
ids.cgi: Set state of used rulefile to on if it contains rules
Only set the state of a used rulefile to "on" if it is present in
the %idsrules hash. This happens if it contains at least one rule.
This prevents from showing a rulefile in the ruleset section if, it
does not exist anymore or does not contains any rules at all.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit b7e29743944953c973e3f858c10ab627949f898d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Sep 11 10:21:00 2018 +0200
ids.cgi: Introduce whitelisting of IP-addresses
If an IP-address has been added to the whitelist, any traffic from
this host will not longer inspected by suricata.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 6f3b3cd089cea0f308c0b67e17ed864f6aa50b83
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Sep 6 13:28:20 2018 +0200
logs.cgi/ids.dat: Dont display/export empty events.
Check if the current processed event has at least datetime and a title.
Otherwise skip it.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 63d911cdc5d3e8a706f222e2094f2f7350c5fa02
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Sep 6 13:22:18 2018 +0200
logs.cgi/ids.dat: Ease list of reported events
Just ease the strict layout by adding a simple line break.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f5ddcad1cc38cfcc3b01f819bc4c4f01e6d1c189
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Sep 6 12:09:34 2018 +0200
logs.cgi/ids.dat: Adjust code to show suricata events
As default show the events generated by suricata and if
for a certain selected date no suricata log is available
try to fall-back to read the events from the old snort
alert files (if available).
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 80bcd4dd1a424e1353aa0839e873ce9292cea3db
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 30 18:18:26 2018 +0200
ids.cgi: Hide rules config section if no rules a present
Do not show the rules config section anymore if there is not
ruleset available.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit fd72c85eb8bb11978957dc39da8a5822715a5453
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 30 15:12:29 2018 +0200
Enable threshold file in suricata.yaml
Enable and specify the path to the threshold-file in the suricata.yaml,
otherwise the programm is trying to read it from a build-in default
location and prints the following error message:
Error opening file: "/etc/suricata//threshold.config": No such file or directory
Fixes #11837.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 762a33f17ca8d86b979e22ddd538e76d32287d94
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 30 14:13:37 2018 +0200
suricata: Add files to be backuped
Now all oinkmaster related config files and suricata
related yaml files in "/var/ipfire/suricata/" will be
included into the backups.
Also the entire ruleset is part of the backup, so after a
backup has been restored, the IDS can be used in the same way
as before.
Fixes #11835.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 21cab141ec018b885abf2849b82acb22684f0c80
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Aug 29 12:34:08 2018 +0200
suricata: Rule files are now located in /var/lib/suricata
Place the rulefiles from now in "/var/lib/suricata".
Fixes #11834
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d2e6bf6e5f0a3867664c68cd85dff686a08b696c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Aug 29 12:27:12 2018 +0200
suricata: Do not ship an example configuration file
Stop shipping a full example configuration file for suricata.
Fixes #11836.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 00512a5ac800205a9f46cd0936909d5c921e6643
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Aug 29 11:50:59 2018 +0200
ids.cgi: Create file for used rulefiles on first execution if not present
Create this file on first execution of the script if it does not exist yet.
This will allow suricata to imediately be started. Otherwise the ruleset has
to be downloaded and configured before this file has been created and suricata
could be launched.
Fixes #11833.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 004b13b7e801c18d399740c4e9b7866c9685637c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Aug 29 10:55:32 2018 +0200
ids.cgi: Fix get_memory_usage()
Change the get_memory_usage() function to grab and return the
memory usage of the entire process, containing all sub-processes and
threads.
Fixes #11821
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit be52c68a2db2455f8118190a6bb37594891480a1
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Aug 27 15:11:28 2018 +0200
ids-functions.pl: Early abort downloadruleset() if no ruleset is configured
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e568796bb0a0fc2072c2494936ec678f4c7fe17f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 25 15:48:58 2018 +0200
ids-functions.pl: Also check and fix the permissions of rulespath
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 4892f82ca19ad29b2213825a9fc2200d9b801252
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 25 15:22:53 2018 +0200
suricata: Fix rootfile
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit baeae346589a793b2d9dca39017e1eb7c00d5bf1
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 15:15:09 2018 +0200
lfs/suricata: Move classification and reference config to /etc/suricata/rules
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 330759d88a4adfbf5fc23cb575607b8b99b1b62b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 14:55:40 2018 +0200
ids-functions.pl: Add priviate function _check_rulesdir_permissions()
This function checks if all files located in /etc/suricata/rules are
writable by the effective user and group (nobody:nobody) and if not
calls suricatactl to fix it.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 68123effb80c3509cb4855c46d3ff378ba7f13a0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 14:54:34 2018 +0200
suricatactrl: Add fix-rules-dir command
This command is used to set the ownership and permissions
back to nobody:nobdoy which is used by the WUI to write the
ruleset.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9074853d8df16e729d7e3fe3fb6c465877614f2e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 14:26:24 2018 +0200
suricatactrl: Add reload command
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 335114b207971fa88bc768c7dea49747b15b4fae
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 11:11:15 2018 +0200
suricata.yaml: Start moving to IPFire specific configuration
Remove a lot of stuff and options which are deactivated during compiling,
unsupported by the plattform or not used in IPFire.
Add an advice to the full documented suricata-example.yaml file which also
is shipped by IPFire.
More work needs to be done.
See #11808
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit af5e823247876c313f516a98efe38ad38db5a01f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 10:54:07 2018 +0200
suricata.yaml: Adjust classification and reference config location
Both files are included in the various rulesets, therefore use them
from the rules folder.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 13d077fdf2093a2e468b5cda1e9e44fa99ee03cc
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 10:28:42 2018 +0200
suricata.yaml: Fix include statement for homenet file
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5f630673850f01e4e1284d163a80772b2f7a46af
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 10:04:33 2018 +0200
suricata: Fix initscript when using a single core machine
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 01ba4be48d1687d621b1d7242085aa077552cacd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 07:39:04 2018 +0200
ids.cgi: Create oinkmaster related files at first call
With this commit, the CGI file will create the oinkmaster related
files during first run if they does not exist.
Fixes #11822.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 308ba5e74c27e50e9fda4278749256d3ff541d5e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 24 07:37:10 2018 +0200
ids-functions.pl: Add function to create empty files
This generic function can be used to create any kind of emtpy files -
it just requires the full path and filename to work.
If the specified file exists at calltime, the function will abort
to prevent from overwriting existing files and content.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit cb52183c6a311d7413c286f73895b52a8e2e3a57
Merge: 7fe5bc826 c5486ccb9
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 23 10:34:17 2018 +0200
Fix merge conflicts during merge of next and the suricata branch
commit 7fe5bc8261d639753ee7a5a005ce06325231769b
Merge: f7d76eecc 702f0ba83
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 23 10:32:21 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit c5486ccb9793029e58f0e6156d7d2f4d21de6cd0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Aug 22 10:37:44 2018 +0200
oinkmaster: Ship IPFire specific config file
Ship an IPFire specific configuration file for oinkmaster.
This allows oinkmaster to do all the great rule modifications which
have been introduced by the new ids.cgi file.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d2212836226ee8212eef3226acf3a4e6fa65643a
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Aug 22 08:39:57 2018 +0200
ids.cgi: Rework handling of enabled/disabled sids
Now the enabled or disabled sids are stored in a single
hash instead of two arrays, which easily can be modified.
When saving the ruleset, the new read_enabled_disabled_sids() function
will be used to read-in the current (old) saved enabled or disabled sids
and add them to the new hash structure.
After adding or modifiying sids to the hash, the entries will be written
to the corresponding files.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a5d617520b144e22fd2b31795d2b04c8170f93ef
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Aug 22 08:38:16 2018 +0200
ids.cgi: Add function to read the enabled/disabled sid files
This function is used to read-in the files for enabled or disabled sid
files and stores the sid and their state into a temporary hash which will
be returned by the function.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5a28e721e08104e35c0e7f23a1aee4dff3fbae45
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Aug 21 19:18:01 2018 +0200
ids.cgi: Fix check if the IDS is running
The correct function name is ids_is_running()!
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit bbb6efae56957c1ec70d5ee7668c4cc68b4dd2b2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 18 14:48:30 2018 +0200
ids.cgi: Add backend code to handle switch between IDS and IPS mode
This commit adds the required backend code to allow switching
between IDS and IPS mode of suricata.
Technically the behaviour of suricata is specified by the rules -
each of them can contain the action "alert" or "drop" (There are
more actions supported but these two are currently the important one)
When running in IDS mode, the ruleset does not need to be touched,
because the default action is "alert". When switching to IPS mode,
the CGI writes a single line to "oinkmaster-modify-sids.conf" which
is included by oinkmaster and modify the action for each single rule
from alert to drop.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a4ccfcbbc6073684768d951006232d410df091a1
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 18 10:16:12 2018 +0200
ids.cgi: Allow to switch between IDS/IPS mode
Add the option to select the runmode for suricata, wheater it
should run in intrusion detection mode or intrusion prevention mode.
If the option has not configured yet, it defaults to IPS mode.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d9711d91ef57f846eb09fd77ec9e7a58d745dc6d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 18 10:01:14 2018 +0200
ids-functions.pl: Display error if oinkmaster cannot be executed
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 88daf7eb3a9ba5ceb3df9f8197ea3cb5cfd4f30b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 17 08:49:06 2018 +0200
ids-functions.pl: Log correct error message if download fails
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 55658ee381aeeac19c63a0da8822fc3f727b135b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 17 08:45:47 2018 +0200
suricata: Fix detection of enabled IDS on zone in initscript
I accidently commited the wrong file in the previous commit.
This is the fixed and working version.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 00a031145e32d31a08037dda3c8a3cc7cc6c815e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 17 08:24:19 2018 +0200
suricata: Give 644 permissions to the suricata pidfile
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 04b5c77a450ceb8fd83898a90f096175580a058f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 17 07:36:54 2018 +0200
ruleset-sources: Move to suricata optimized ruleset when using emerginthreads.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 3c2c54831fd7a5f1813376ceb45c22774631a5e7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 16 18:51:13 2018 +0200
suricata: Add code to create iptables rules to the initscript
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 7c82ee6165d04597c371944490b085c240482424
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 16 18:50:39 2018 +0200
firewall: Add chains for IPS (suricata)
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit cc60d3dfd3cd6ae9d38470d40edd646691e422ac
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Aug 12 18:40:31 2018 +0200
suricata: Fix include of used rulefiles yaml
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 423030555835840a1821b56408b5a19e6dcfe7e0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Aug 12 07:05:24 2018 +0200
suricata: Use HOME_NET declaration from external file
Use the gernerated HOME_NET details from
/var/ipfire/suricata/suricata-homenet.yaml which will be
generated by the WUI.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 6187da5055dac1a10402d3c6eeaf1f9bed7f3890
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 11 22:28:07 2018 +0200
IDS: Add reload option to initscript
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e2e7880dc73fc98aa7409b2de2384e5c9e436f29
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 11 22:11:18 2018 +0200
ids.cgi: Add code to start/stop/reload the IDS when neccessary
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 5240a80987920b1b807e6609a6c10fb666235e21
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 11 22:10:29 2018 +0200
ids-functions.pl: Add function to call suricatactrl binary
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f7d76eecc6660bd2d59951a6aa138cd0f96a2e9d
Merge: ca745a297 98ce89752
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 11 19:50:20 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 8d2f6b0b59c3448dfa0fcab683fafc9604873a57
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 9 15:33:25 2018 +0200
ids.cgi: Dynamically generate the HOME_NET details for suricata.
Introduce generate_home_net_file() which uses the current network
config to obtain the network address and subnetmask for each
available network zone, generate and write these HOME_NET information
into a yaml compatible file which can be included into the suricata
configuration file.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e0bfd338ee5c847b16ea534acf84fba645974ec7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Aug 5 19:42:33 2018 +0200
ids.cgi: Rename form name from SNORT to IDS
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8766096429b7d19a78d632e96a84b32f058f8e80
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Aug 5 14:24:20 2018 +0200
ids.cgi: Display if the IDS is running
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 796eea2154ae581aeae68be92bd04f105d0a939b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Aug 5 14:23:45 2018 +0200
ids-functions.pl: Add function to check if the IDS is running
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1286e0d41e75dd691a54ac130ae6d70bfc284e14
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Aug 5 12:57:44 2018 +0200
ids.cgi: Rework section to configure the IDS
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1cae702c22ed31784393980968634626af8fe653
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Aug 4 16:48:27 2018 +0200
ids-functions.pl: Add function to get the available network zones
The get_available_network_zones() function uses the /var/ipfire/ethernet/settings
file and translates the configured mode into an array, which contains the names
of the configured network zones.
The array will be returned and easily can be used to loop over this list of
available network zones and perform any kind of actions in other scripts.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ab114c276b0d719b9a9c43dea05870e4ceedbdbc
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 3 13:51:59 2018 +0200
ids.cgi: Call suricatactrl for restarting the IDS
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 06b569a4429eb5641343fdf4c3472825dc327f09
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 3 13:48:46 2018 +0200
oinkmaster: Install config file to /var/ipfire/suricata
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d33874f4969f48d5dd880b212900220ba932d8f0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 3 10:20:18 2018 +0200
daq: Drop package
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 843a8c570c6784ef6c66d214fbbbc2e67e4505c2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 3 10:19:35 2018 +0200
snort: Drop package
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 914cca3d8e834c6ab051126f628daeef073b7106
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 3 10:02:34 2018 +0200
initscripts: Link against suricata initscript in runlevels and red.up hook
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 74b7d695c630c971fb4774e93c39b4954d7bb5fe
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Aug 3 09:50:31 2018 +0200
misc-progs: Rename snortctrl to suricatactrl
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ef640882ab4ff5f26fb7b4bf9a5f00ca4f94d172
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 19:58:41 2018 +0200
make.sh: Add ids-ruleset-source
I accidently forgot to commit this file in 1d9b87914053e54550c6f2a76377a8001bbf1da6
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit d72b3e64c2515546b78a7cf099157799481da130
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 19:54:22 2018 +0200
suricata: Introduce basic initscript
Add a very basic initscript, which currently allows to start/stop/restart suricata and
check if the daemon is running.
The script will detect when starting suricata how many CPU cores are present on the system and
will launch suricata in inline mode (NFQUEUE) and listen to as much queues as CPU cores are
detected.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 101d3ece24c99a9696bb2dfe0add1cdfdebbbf91
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 19:33:37 2018 +0200
ids-ruleset-sources: Update download URL for snort rules
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit bce84f3975eb04ac94ffe2e14039c1a6a8ac8030
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 19:31:52 2018 +0200
ids-functions.pl: Rename ruleset-sources.list to ruleset-sources
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1d9b87914053e54550c6f2a76377a8001bbf1da6
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 19:29:36 2018 +0200
ids-ruleset-sources: New package
Move the file which contains the download URL's for the IDS rulesets
into an own common package. This will allow us in future to easily ship
a changed file with a core update.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 72b2109c726c1ab78918648a6aa540cf137692b0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 15:47:31 2018 +0200
configroot: Move from snort to suricata
Create /var/ipfire/suricata and /var/ipfire/suricata/settings instead of
/var/ipfire/snort and /var/ipfire/snort/settings.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 4c6d6c1ee3308e8143b95867376f29876739a149
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 09:10:25 2018 +0200
suricata: Install very basic config file
This config file is mostly based on the example configuration shipped
by the suricata project and needs to be enhanched.
See #11808.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 101c888174285f4d4e599902c7645d2e834ea027
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Aug 2 09:07:12 2018 +0200
ids.cgi: Generate suricata compatiple used-rulefiles file
* Rename filename to suricata-used-rulefiles.yaml
* Adjust file generation as a yaml file to be compatible with suricata
* Adjust code to correctly read-in and parse the changed file
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 164eab662756366023016c88c27f1432f243832f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Jul 30 21:36:07 2018 +0200
ids-functions.pl: Move path details from snort to suricata
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a8b8c9e5b2a2d993d06b774aefe7b6ff49adc739
Merge: 67752a951 434001d0a
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Jul 30 21:33:25 2018 +0200
Merge branch 'next-new-ids.cgi' into next-suricata-and-cgi
commit 67752a9510d9db653ca8aee9355e8fa63d0f9316
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Jul 23 20:21:38 2018 +0200
suricata: New package
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 3498300d87ec69f5676d33e54dca4f3c6897d20f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Jul 23 20:20:29 2018 +0200
libhtp: New package
This is build and runtime dependency for suricata.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 91cc908f84a44ba9dc6493938c00aa982eafed81
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Jul 23 20:19:19 2018 +0200
yaml: New package
This is a build and runtime dependency for suricata.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 434001d0a0eb05946fccded7090e1e1fa6e2c64d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Jul 28 16:34:50 2018 +0200
IDS: Rework error and log handling in ids-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 02844177afb86e070564ee776c5ca679d7cf374b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Jul 27 07:58:23 2018 +0200
IDS: Introduce settingsdir variable
The $settingsdir variable is declared in the ids-functions.pl and used to to
store the path where the various files which contains the settings for the IDS and
oinkmaster is located.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 298ef5bafa8242fedf8b95ba8d8ad23e0c4c05b1
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jul 26 15:56:47 2018 +0200
IDS: Move rulepath declaration to ids-functions.pl
This will help if the path ever changed. Also remove hard coded rulepath
from oinkmaster call.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9d18656ba7dd1bf98d5cd41423c8e44d355f1c25
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jul 26 15:51:15 2018 +0200
ids.cgi: Rename snortrules hash to idsrules.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit fdfd8913ab5da218c9c5303f67bb5b707da8ee30
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 14:08:29 2018 +0100
ids.cgi: Drop code which is detecting if oinkmaster is running
This code is not longer required and therefore can be dropped.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 27760092c0a4973a92e1dcea8544866ae29d37da
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 14:03:08 2018 +0100
ids.cgi: Reimplement function to lock page and show working notice
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit eb5592c1ce15d579072689a7121ffbd87b3f22be
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 14:01:50 2018 +0100
ids-functions.pl: Also log errors to syslog
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 0e40e1e772b2f29e71df807f9cb07098b0d23034
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 14:00:57 2018 +0100
ids-functions.pl: Use pure perl to log oinkmaster result to syslog
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 77910792754776c740ddd415d4737340052a4d91
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 12:14:06 2018 +0100
ids-functions.pl: Make variables globally accessible
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 3983aebdec7489ca0ce36956307a822ecdc820fd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 10:20:23 2018 +0100
ids.cgi: Rework CGI logic to download a new ruleset
* Drop function to show a notice about snort is working.
* Introduce the log_error function which is responsible for log any
error messages. Currently it writes it to a tempory file, which will
be read by the WUI, the message will be displayed and the temporary file
will be released again.
* Introduce a tiny function to easily perform a reload of the generated
webpage.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a69b96d2002c14d3fe65dcf90f9731a9c631b624
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 10:15:39 2018 +0100
ids.cgi: Use tarball information from ids-functions.pl
Directly use the value from the ids-functions.pl for the
location and filename of the tarball which includes the snort ruleset.
This will save to declare this information twice and prevents from any
failures if the location of filname every changes.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ad1d8a8accc454e0bf36e93fa9b6c5890ccc5024
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 09:00:03 2018 +0100
ids.cgi: Drop dirty hook for updating the ruleset
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 25f5cb0d4b4a6c2418c219d975eb95e393b4e9af
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 08:58:18 2018 +0100
ids.cgi: Move function to call oinkmaster to ids-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit eea2670b39ee6ba804d534e95b03d27059e45468
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 08:52:21 2018 +0100
ids.cgi: Move downloader code to ids-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 59052432f4cc108631a9b264f2f48aaf6ea76873
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 08:20:50 2018 +0100
ids.cgi: Use ids-functions.pl for checking available discspace
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8dcebe5342c261eac9f7436ff382ac71d4890eca
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Feb 14 08:18:15 2018 +0100
IDS: Introduce ids-functions.pl.
This library will contain a set of functions used by the IDS CGI script
and the planned update script for auto-updating the snort ruleset.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c724524e2e9a0a5498ca7e29db8d1ec80a2a73af
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Feb 12 15:38:25 2018 +0100
ids.cgi: Drop loading of File::Copy module.
This is not required, at any time by the script.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c77bd4923503e58fc2429ffed5e377132394e7a4
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 19 11:57:19 2017 +0100
logs.cgi/log.dat: Add support for oinkmaster
This will allow to display the logged output of oinkmaster
via the webinterface.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 1504a375179cecc182dd40b8a5324eb2c1320ada
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 19 11:56:04 2017 +0100
ids.cgi: Rework snort configuration area
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a6edfcbd9b762832939209e538e31e79c0d32b65
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Dec 17 19:10:21 2017 +0100
ids.cgi: Pipe the oinkmaster output to the logger binary
This will allow anybody, to access the log of oinkmaster and
get detailed information about any changes which have been done
on the ruleset.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 43263ea68ecbd2bddfc84b3cee64ffc0aa9911e5
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Dec 17 19:08:25 2017 +0100
ids.cgi: Rework downloader for rulesets
Doing the rules download in pure perl instead of using
the external wget.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e524290c9cd90a6d95475f2738bcb65d990cfbd0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Dec 14 08:31:41 2017 +0100
ids.cgi: Drop old control code
The control file are not longer required, because the
initscript uses the settings file to determine if snort
should be started and binded to which interfaches.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c6bcdda1af86f803e980947aa66490f277b791d9
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 15:06:42 2017 +0100
snort: Introduce ruleset-sources.list
This file contains the ruleset vendors and download urls and
will be used by the ids.cgi.
If an url or filename changes, we easily can adjust this file. In most
cases this will be needed when performing a snort update.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 9f5247f60cc66716de0b5b8bd14e0de118763fb5
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 14:53:51 2017 +0100
general-functions.pl: readhash() Add code to handle optional comments in files
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ef5171ab7175d381a11f196de4e18b7e8af769e2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 14:50:12 2017 +0100
ids.cgi: Call oinkmaster without a log target
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit afe26a0586678f59e25a2a4ae1877737da064bfd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 14:45:27 2017 +0100
ids.cgi: Introduce ruleset-source.list
This new file will contain the vendor information and url
for downloading their ruleset. In future if the download location
or filename changes, we only need to adjust this one file and ship
it via a core update.
Also extend the downloadrulesfile to be able to directly call the
subfunction.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a232b58ca78648f60f19b2464395c93cfc046b78
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 14:40:47 2017 +0100
ids.cgi: Adjust code for saving snort settings
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 8f22237bebe2d3880b27c671c173ffcf79040ed2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 11:53:44 2017 +0100
ids.cgi: Remove logfile after wget has successfully downloaded the ruleset
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 500c5c55d0db331fe9b16afcdaedd9c5d218b327
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 11:51:08 2017 +0100
ids.cgi: Rework code which shows if oinkmaster is working
Move the code for displaying a notice that snort currently is working
into an own subfunction which will be called if oinkmaster currently
is started.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit aa12410222aef6afa63a03a7eb74512bf92daad4
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 11:50:01 2017 +0100
ids.cgi: Drop old code for debuging purposes
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit c51a044a2a93042605fc599eaccf69f49fa7bc87
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 13 11:46:40 2017 +0100
ids.cgi: Add check when altering the ruleset
Add a check if the currently processing sid is nummeric, otherwise skip it.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 525998650ab51df74317f362ccb1382870af4bbb
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 12 20:24:50 2017 +0100
ids.cgi: Rework code for downloading/updating the ruleset
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 56dacb580e16210837ba55648ddfc9e18b860f02
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 12 20:24:11 2017 +0100
ids.cgi: Move call of oinkmaster to an own subfunction
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 376595057ba05eea8d9c6337d390374dec7749e0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 12 20:16:26 2017 +0100
ids.cgi: Always write config files for enabled/disabled rule files
If a single sid has been activated and then disabled without doing
any other ruleset modifications only one of the oinkmaster files
for enabled / disabled rules has been modified.
In this case it was possible, that the same sid, was part of the
file for enabled rules and part of the file for disabled rules at the
same time.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 466c67794b207f327a4b7478ce6f2c9c194df45f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 12 20:15:00 2017 +0100
ids.cgi: Process enabled rulefiles in an own loop
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 603334734a0199f6d4558e70ef859fe86fe243d6
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 12 20:12:38 2017 +0100
ids.cgi: Drop enabled/disabled rules from cgiparams hash
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit b65b5ef3775cc724da41a47b5285b7057a2250fd
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Dec 12 20:10:17 2017 +0100
ids.cgi: Drop enabled rulefile from cgiparams hash after processing
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e573807983b0acf911dc688ae06bb5d7b2b7714b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 11 14:22:07 2017 +0100
ids.cgi: Re-add code for enable/disable rulefiles
The enabled rulefiles (rule categories) now will be added
to an own file, which will be included by the snort main config
file.
This will allow us to update snort and push the new main config file
without loosing the activated rulesets anymore.
* Introducing snort-used-rulefiles.conf
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 0b89daee931885a9c34548009a556299d8adc62a
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 11 08:46:18 2017 +0100
ids.cgi: Code cleanup
* Drop a lot of unused variables and code.
* Re-ordering some code parts.
* Add a lot of comments.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 298723b9db481a07056377278a501d4a643c7a93
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Mon Dec 11 08:33:36 2017 +0100
ids.cgi: Re-add code to save the ruleset.
The manually enabled or disabled rules by the user now will be written
to own config files, which will be used by oinkmaster to keep these rules
in the same state after a rules update has been performed.
In short words, if you adjust your ruleset, the changes will not be lost
again if you perform an update of your ruleset.
* Grabbing and storing the cgi values now in an own hash (%cgiparams)
* Introducing oinkmaster config files for enabled and disabled rules.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 0b568bb9650bfe9200d45d7a57b500747e37a73f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Dec 10 10:36:07 2017 +0100
ids.cgi: Drop unused css code
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 177266446a3c9a9c63dbd4bd1af032339003ab3d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Dec 10 10:07:41 2017 +0100
ids.cgi: Rework code for displaying the single rules
The complete ruleset will be grouped as categories by it's
corresponding rulefile and printed in hidden tables.
They easiely can be displayed by klicking on the show link and
vice-versa.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f7fcd1c020f0eaaacf9068182e9f64750ccf7ea7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 6 11:44:30 2017 +0100
ids.cgi: Always display ruleset
Display the rule categories any time and do not hide them
if no instance of snort is runing.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit e3ab140634f8769399b258b8391ec58ec9035c1b
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 6 11:19:42 2017 +0100
ids.cgi: Remove comment lines for snort rules control
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 3da6e01bcf1aefd1e495f64d251d0e39a94a4fdc
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Dec 6 09:51:46 2017 +0100
ids.cgi: Refactor reading-in rule files.
Move the code for reading and parsing the snort rule files
into an own subfunction.
* Drop code for reading in and modifying the snort main config file.
* Rework code for parsing and adding the snort rules to the snortrules hash.
* Drop code for gathering a description for the rule files, which does not
because of a file layout change and sadly there is not suitable description
shipped anymore by the snort team.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit a70d269a9ad8ed8ee14f0d1de6426bf936750a3f
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Dec 2 15:31:19 2017 +0100
ids.cgi: Move function to end of file
Move the function for doing the page refresh stuff to the end of the file and
do some layout changes for better reading the code.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 422204ff08af8f1932e57bace8125baa149329a7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Dec 2 15:24:12 2017 +0100
ids.cgi: Use pure perl for directory listing
Use pure perl for getting the filelist of available
rule files instead of using a sub-shell and unix commands.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit fbd430172f49cb746975f5543c4e184748537b4e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Dec 2 15:17:49 2017 +0100
ids.cgi: Drop old code for uploading a ruleset
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit ca745a2978aadad52a487a7c6a1a8dcb8464aab3
Merge: b5ea63f85 4e4c122c5
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Jul 21 14:14:53 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit b5ea63f85c7d2ff107cd5f1cf985e98e75a84efe
Merge: fb22c9ffd 6a7e6b449
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jul 19 18:10:23 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit fb22c9ffd990eebee3249a3cbc2a6c8695b811b7
Merge: b56b67330 9aefd1ed0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sun Jul 8 08:34:37 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit b56b67330ce0927af61c38e1d02284154f912dda
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jun 27 19:38:41 2018 +0200
guardian: Update to 2.0.2
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 6d1ebd1d4323984108c2682d84fe07e54f647061
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jun 27 19:36:28 2018 +0200
guardian.cgi: Remove support for owncloud
Owncloud as an addon has been dropped for IPFire. As a result of this,
we do not need this code anymore.
Fixes #11572.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 74c193f266e9660c822bfc5e86d050d35539bab6
Merge: 5776b677d bc91a6628
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Jun 27 19:33:43 2018 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 5776b677db10ad18aa9972b49900addaa8bf44ba
Merge: 6600eeac4 f574f9ea0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Tue Nov 14 19:17:23 2017 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 6600eeac49362964f6813c8c106aa68d6afe3d0e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jun 8 14:13:24 2017 +0200
guardian: Bump package version.
During commit d68ead3decfdcc4ca4a1413e33f3c47270799836 the guardian.cgi
has been changed, and therefore the package version of guardian
needs to be bumped to ship the changed files.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit 31313db780f894cdadd74dc4973e0fd6a22a4659
Merge: 5f9fb7a8f 357b8c141
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Thu Jun 8 14:03:56 2017 +0200
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 5f9fb7a8f6fb4109a6bc451aaf5b8aea74c12892
Merge: f707295a8 c6bc0fb03
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Nov 11 07:44:38 2016 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit f707295a85f820405a21a25a25c86c00e030ddb4
Merge: 197033fab f95b8b9f7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Wed Nov 2 10:00:00 2016 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 197033fab234d4698b097fdb1b653b8ae39b1aae
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Oct 28 15:35:53 2016 +0200
Add DDNS to core 107.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
commit f2956cf42f04c7d6dcd5379b00ee779434a27d44
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Fri Sep 30 10:34:22 2016 +0200
ddns: Import patches for schokokeks.org support.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
-----------------------------------------------------------------------
hooks/post-receive
--
IPFire 2.x development tree
reply other threads:[~2019-04-20 16:03 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190420160305.7652384FDAF@people01.i.ipfire.org \
--to=git@ipfire.org \
--cc=ipfire-scm@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox