From mboxrd@z Thu Jan 1 00:00:00 1970 From: Arne Fitzenreiter To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, core131, created. e7a52c52d109e044bcce0ca52eb0b5a94c2ec03a Date: Sat, 20 Apr 2019 17:03:04 +0100 Message-ID: <20190420160305.7652384FDAF@people01.i.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6927370055920493249==" List-Id: --===============6927370055920493249== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, core131 has been created at e7a52c52d109e044bcce0ca52eb0b5a94c2ec03a (commit) - Log ----------------------------------------------------------------- commit e7a52c52d109e044bcce0ca52eb0b5a94c2ec03a Merge: 08639bc2a 9e65aa9ed Author: Arne Fitzenreiter Date: Sat Apr 20 17:35:54 2019 +0200 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next commit 08639bc2a90ca945e710f5ca13556a50458f0056 Author: Arne Fitzenreiter Date: Sat Apr 20 17:21:03 2019 +0200 kernel: update 4.14.113 =20 Signed-off-by: Arne Fitzenreiter commit 5fa063f8590dcd85867935fd6d1a6bd570ac61c6 Author: Arne Fitzenreiter Date: Wed Apr 17 22:30:19 2019 +0200 kernel: update to 4.14.112 =20 Signed-off-by: Arne Fitzenreiter commit 26dc79a6fe16c83c5b57f4b6c7c3f73281a03d6c Author: Michael Tremer Date: Wed Apr 17 21:24:25 2019 +0100 suricata: Do not let oinkmaster be too verbose =20 Signed-off-by: Michael Tremer commit e96adc77972108de9cb8b4b6c0f7fbad07b76035 Author: Michael Tremer Date: Wed Apr 17 20:59:55 2019 +0100 suricata: Redirect oinkmaster output to perl function =20 The output was written to stderr before and landed in apache's error log where we do not want it. 
=20 Fixes: #12004 Signed-off-by: Michael Tremer commit 9e65aa9ed6d7a3a489c58a6f966eac34972c68f8 Author: Michael Tremer Date: Wed Apr 17 19:15:44 2019 +0100 Revert "hostapd: Always enable 80 MHz channel width for 802.11ac" =20 This reverts commit c31c8078cffcf3f933f567cb02a366ceedd6d5da. =20 Signed-off-by: Michael Tremer commit c25a386523c305615641a1810bcc3b009bc3cf07 Author: Michael Tremer Date: Wed Apr 17 07:38:27 2019 +0100 unbound: Drop unused function =20 Signed-off-by: Michael Tremer commit 64aed99df6ba3b057c35ebb6b9278a13ae5e575d Author: Michael Tremer Date: Wed Apr 17 05:16:05 2019 +0100 suricata: Change runmode to workers =20 Signed-off-by: Michael Tremer commit e91c83490be8d248796d50b0c9bca3976199551c Author: Arne Fitzenreiter Date: Tue Apr 16 18:05:18 2019 +0200 wireless-regdb: update to 2019.03.01 =20 Signed-off-by: Arne Fitzenreiter commit fea27a56f7ef299fa2793971ef6e49f3a423fdc3 Author: Michael Tremer Date: Tue Apr 16 13:23:17 2019 +0100 haproxy: Backup certificates, too =20 Signed-off-by: Michael Tremer commit 175f5c060ea8b967bc3020b376385d5b71116e92 Author: Michael Tremer Date: Tue Apr 16 13:22:10 2019 +0100 backup: Allow passing name of tarball for creation/restore =20 Signed-off-by: Michael Tremer commit 820b2909825479b52696886d1f9054c0f709d3f0 Author: Michael Tremer Date: Thu Apr 11 23:32:57 2019 +0100 Move IPS to a higher position in the Firewall menu =20 Signed-off-by: Michael Tremer commit 0851afba33bf8f1a4562a7e755bec5af23d4d03e Author: Michael Tremer Date: Thu Apr 11 23:24:28 2019 +0100 remote.cgi: Move SSH Agent Forwarding to the top =20 Signed-off-by: Michael Tremer commit 5e39f3c08a4a6e9f402b18c267fe82595cb0596b Author: Michael Tremer Date: Thu Apr 11 23:22:14 2019 +0100 sshctrl: Fix syntax of generated sed command =20 Signed-off-by: Michael Tremer commit e8b389e0f0a88f064c192305e8bbbc366300af24 Author: Michael Tremer Date: Thu Apr 11 23:02:57 2019 +0100 core131: Ship PTR changes in hosts.cgi =20 Signed-off-by: Michael Tremer commit 
316d14c43ad3b0b27cfa6984d8253e8f9255a87c Author: Michael Tremer Date: Thu Apr 11 23:00:25 2019 +0100 Update list of contributors =20 Signed-off-by: Michael Tremer commit 6874a5765b887b51e324e1afbddc4516d66a710f Author: Peter M=C3=BCller Date: Mon Apr 8 18:04:00 2019 +0000 Unbound: do not generate PTR if the user requested not to, do so =20 Partially fixes #12030 =20 Signed-off-by: Peter M=C3=BCller Signed-off-by: Michael Tremer commit 5b2ec053c25b80843958864d4305b3108b55dd3c Author: Michael Tremer Date: Thu Apr 11 22:58:35 2019 +0100 Update translations =20 Signed-off-by: Michael Tremer commit c3c2ae4475a0e99a6163027405a45a1e2b4fa8b6 Author: Peter M=C3=BCller Date: Mon Apr 8 18:04:00 2019 +0000 add option for selective PTR generation on hosts.cgi =20 In some cases, it might be useful to create an additional host (i.e. for round robin loadbalancing) without assigning another PTR to the IP address specified. =20 This patch introduces the ability to check or uncheck PTR generation for each host individually. =20 Partially fixes #12030 =20 Signed-off-by: Peter M=C3=BCller Signed-off-by: Michael Tremer commit 32e7b93c284fe02450e28f431453621537214a03 Author: Michael Tremer Date: Thu Apr 11 21:59:41 2019 +0100 udev: Rename interfaces when MACs are uppercase =20 The script relied on the configuration being in lowercase. =20 If people manually editied their configuration file they might not have paid attention to this and therefore this script now also accepts uppercase MAC addresses. =20 Fixes: #12047 Signed-off-by: Michael Tremer commit dccbdf5b97130f72b4d0bb26d962ffcda8121a51 Author: Michael Tremer Date: Fri Apr 12 17:59:21 2019 +0100 suricata: Take as much off of the CPU as possible =20 https://suricata.readthedocs.io/en/suricata-4.1.3/performance/high-perfor= mance-config.html =20 This will compile the ruleset as efficient as possible and allows the IPS to run faster on smaller systems. 
=20 Signed-off-by: Michael Tremer commit 2c44da1382dfffb311b15250b9e02784b826dff2 Author: Michael Tremer Date: Thu Apr 11 10:29:56 2019 +0100 core131: Ship updated setup =20 Signed-off-by: Michael Tremer commit 0d34a479c878cd775e541601b2a72238eb3f7546 Author: Stefan Schantl Date: Fri Apr 12 18:21:01 2019 +0200 ids.cgi: Display oinkcode section after page load when neccessary. =20 Fixes #12048. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit d51d3c5b93886a66b75388d029e35eb07d9b06eb Author: Michael Tremer Date: Fri Apr 12 17:36:54 2019 +0100 IPS logging: Fix date comparison for last entry =20 Signed-off-by: Michael Tremer commit 2eb0c326da2196c56f6f955bf5371e5d8c7ca9db Author: Michael Tremer Date: Fri Apr 12 17:33:39 2019 +0100 IPS logging: There is no distinguation between suricata & snort required =20 Signed-off-by: Michael Tremer commit 19c066b602a12fcce601cfa2350b0d83b231717c Author: Michael Tremer Date: Fri Apr 12 17:32:02 2019 +0100 IPS logging: Fix reading date =20 The CGI script only compares mm/dd and does not care about the year. =20 Suricata, however, logs the year as well which has to be ignored here. =20 Signed-off-by: Michael Tremer commit a32c219fa4642127a97050bf5af60a03e4e5c2f8 Author: Michael Tremer Date: Thu Apr 11 07:55:36 2019 +0100 zabbix_agentd: Bump package version =20 Signed-off-by: Michael Tremer commit 41b7369f8078d5dc4998483fa005b2f8e3b89624 Author: Alexander Koch Date: Wed Apr 10 20:33:31 2019 +0200 zabbix_agentd: Bugfix for /etc/sudoers.d/zabbix.user =20 Files containing an '~' or '.' are ignored by sudo when placed in the inc= ludedir /etc/sudoers.d This makes the file useless. The file is renamed to "z= abbix" instead of "zabbix.user" to fix this. 
=20 See: https://www.sudo.ws/man/1.8.13/sudoers.man.html#Including_other_file= s_from_within_sudoers =20 Signed-off-by: Alexander Koch Signed-off-by: Michael Tremer commit 854b63c42af8f82106b587dc43945ad848f8994e Author: Alexander Koch Date: Wed Apr 10 20:33:30 2019 +0200 zabbix_agentd: update to 4.2.0 =20 Relase Notes: https://www.zabbix.com/rn/rn4.2.0 =20 Signed-off-by: Alexander Koch Signed-off-by: Michael Tremer commit a45bfbf1c5a8a7c10ad4bdcb5ed559ed38a796c5 Author: St=C3=A9phane Pautrel Date: Thu Apr 11 03:47:44 2019 +0100 installer+setup: Update French translation =20 Signed-off-by: Michael Tremer commit 3e11f8257dfe003aaad20d7ca73e3bc831131a96 Author: Arne Fitzenreiter Date: Thu Apr 11 07:34:14 2019 +0200 make.sh: fix syntax error =20 i have merged master>next and not deleted this line. =20 Signed-off-by: Arne Fitzenreiter commit d27675b08175ed7969d842fdc64f157797911faa Merge: a2907cdd9 ee82349a0 Author: Arne Fitzenreiter Date: Thu Apr 11 07:31:11 2019 +0200 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next commit a2907cdd9fba3a6ce6af8cc75c656daf1fa43dc0 Merge: 4f30ce49b d01d68913 Author: Arne Fitzenreiter Date: Thu Apr 11 07:30:26 2019 +0200 Merge remote-tracking branch 'origin/master' into next =20 Signed-off-by: Arne Fitzenreiter commit ee82349a0ea00866d731936e769fab9441690932 Author: Stefan Schantl Date: Mon Apr 8 20:20:18 2019 +0200 convert-snort: Re-order steps at end of script =20 This will ensure that the whole IDS is configured property, if no or an empty snort config file is present. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit e4bc9b8b6fa0cc0d67d2f698e2bdd5d41af49f05 Author: Stefan Schantl Date: Mon Apr 8 20:02:53 2019 +0200 convert-snort: Fix logic for detecting enough free disk space. =20 The subfunction only will return something if the check fails - so the lo= gic of the if statement was wrong set and the downloader only was called if this check failed and to less diskspace would be available. 
=20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit ee53381ab167b195d2d4d94da3d2a3d4a024288d Author: Michael Tremer Date: Mon Apr 8 20:53:47 2019 +0100 core130: Ship SSH Agent Forwarding changes =20 Signed-off-by: Michael Tremer commit f9de28e6f0ca455aacca3b0fc30722b88d542630 Author: Peter M=C3=BCller Date: Mon Apr 8 16:35:00 2019 +0000 change AllowAgentForwarding in SSHD configuration if, necessary =20 Fixes #11931 =20 Signed-off-by: Peter M=C3=BCller Cc: Michael Tremer Signed-off-by: Michael Tremer commit e918b62ae223b31f459ca5843d291532f5188faf Author: Peter M=C3=BCller Date: Mon Apr 8 16:35:00 2019 +0000 allow SSH agent forwarding to be configured via WebUI =20 Fixes #11931 =20 Signed-off-by: Peter M=C3=BCller Cc: Michael Tremer Signed-off-by: Michael Tremer commit e1f6dfcbbc3c34130027ffe113488f5f3d9c9557 Author: Peter M=C3=BCller Date: Mon Apr 8 16:34:00 2019 +0000 add language strings for SSH agent forwarding settings =20 Signed-off-by: Peter M=C3=BCller Signed-off-by: Michael Tremer commit 4f30ce49b3c2375d52e7358d12a6235c3e35997d Author: Arne Fitzenreiter Date: Mon Apr 8 21:49:20 2019 +0200 rename core130 -> core131 =20 we need to insert a core update to fix urgent bugs =20 Signed-off-by: Arne Fitzenreiter commit f2afd5e70dc1c95c13aa75b0acf3da072d714af8 Author: Arne Fitzenreiter Date: Mon Apr 8 21:47:23 2019 +0200 kernel: update to 4.14.111 =20 Signed-off-by: Arne Fitzenreiter commit 47204d12f1387502612e8a66b4a1a8a853e33ebf Merge: 5f9bf17d7 918ee4a4c Author: Arne Fitzenreiter Date: Mon Apr 8 21:47:12 2019 +0200 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next =20 Signed-off-by: Arne Fitzenreiter commit 918ee4a4cf5bb8d2a3ade16aac0dd643215c47e2 Author: Michael Tremer Date: Mon Apr 8 16:41:24 2019 +0100 strongswan: Manually install all routes for non-routed VPNs =20 This is a regression from disabling charon.install_routes. =20 VPNs are routing fine as long as traffic is passing through the firewall. 
Traps are not propertly used as long as these routes are not present and therefore we won't trigger any tunnels when traffic originates from the firewall. =20 Fixes: #12045 Signed-off-by: Michael Tremer commit 5f9bf17d76e43b1ee0bb4b880a9aa001844e4d4a Author: Arne Fitzenreiter Date: Mon Apr 8 16:18:00 2019 +0200 core130: update pakfire database after version change =20 Signed-off-by: Arne Fitzenreiter commit c557356ea4878f7f6d0d9431246bfc8e75018672 Author: Michael Tremer Date: Mon Apr 8 11:56:58 2019 +0100 core130: Ship perl-Net-SSLeay =20 This was still using the old version of OpenSSL. =20 Instead of linking the module (which we should have found earlier) the module uses dlopen :( =20 Fixes: #12044 Signed-off-by: Michael Tremer commit 0265f51e9f5b2635e9df6243f913d6043cde0af6 Author: Arne Fitzenreiter Date: Sun Apr 7 18:19:50 2019 +0200 core130: remove lm_sensors config =20 the sensor search has to redone after boot the new kernel. =20 Signed-off-by: Arne Fitzenreiter commit ca7af382032b3542584fb07b3fabe3976063e551 Author: Arne Fitzenreiter Date: Sun Apr 7 17:24:46 2019 +0200 core130: ship setup binary =20 The setup contain a IPFire version string. =20 Signed-off-by: Arne Fitzenreiter commit 44b0afe0298941eaeca862ad14c0f965103e158c Author: Arne Fitzenreiter Date: Sun Apr 7 17:13:43 2019 +0200 core130: ship pakfire version update =20 Signed-off-by: Arne Fitzenreiter commit 83c956c3c8d0bc60c2c6fa23f53bd68f6ac6d3ff Author: Arne Fitzenreiter Date: Sun Apr 7 17:01:08 2019 +0200 core130: add kernel to updater =20 Signed-off-by: Arne Fitzenreiter commit f40cd26de2a0353fca1fdee407cfce153b16c76d Author: Peter M=C3=BCller Date: Sat Apr 6 06:04:00 2019 +0000 Postfix: update to 3.4.5 =20 See http://www.postfix.org/announcements/postfix-3.4.5.html for release notes. 
=20 Signed-off-by: Peter M=C3=BCller Signed-off-by: Michael Tremer commit ee44d509b61eea858e38e8a4f1f57db6f9940cf3 Author: Matthias Fischer Date: Fri Apr 5 21:55:12 2019 +0200 wget: Update to 1.20.3 =20 For details see: https://fossies.org/linux/wget/ChangeLog =20 Excerpt from "NEWS": =20 "2019-04-05 Tim Ruehsen =20 Fix a buffer overflow vulnerability * src/iri.c(do_conversion): Reallocate the output buffer to a larger size if it is already full" =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit f903d3a6f0c4a3f2e5251fda7ea2d1b788606294 Author: Michael Tremer Date: Thu Apr 4 22:01:54 2019 +0100 suricata: Disable CPU affinity =20 Benchmarks have shown, that this is making the IPS slower across various hardware =20 Signed-off-by: Michael Tremer commit aa20f1b27727e8ed3d3d164eb3a66faa4ea0d4a4 Author: Arne Fitzenreiter Date: Fri Apr 5 07:46:34 2019 +0200 kernel: update to 4.14.110 =20 Signed-off-by: Arne Fitzenreiter commit aab33d48450aedf20409fe187f573d74eb60f95d Author: Michael Tremer Date: Thu Apr 4 09:05:25 2019 +0100 core130: Do not search for sensors on AWS =20 This causes some i2c drivers to load and tons of error messages being created in syslog. So we skip searching for any sensors that do not exist. =20 Signed-off-by: Michael Tremer commit ab79dc43bf66f66b0c34a10158d46e4727d4df6a Author: Michael Tremer Date: Thu Apr 4 11:52:30 2019 +0100 vpnmain.cgi: Set MTU to a default when editing an old connection =20 This field is required and therefore we need to initialize it for old connections. Right now, the CGI throws an error message when editing an existing connection without the MTU being filled in. 
=20 Signed-off-by: Michael Tremer commit aeecc7ae1025f93bae421c13cf05c612bd3e6241 Author: Michael Tremer Date: Thu Apr 4 02:07:16 2019 +0100 core130: Ship updated wget =20 Signed-off-by: Michael Tremer commit 7dd81936843944f0bd6fa35b95532bc0039b578f Author: Matthias Fischer Date: Thu Apr 4 09:43:50 2019 +0200 wget: Update to 1.20.2 =20 For details see: https://fossies.org/linux/wget/ChangeLog =20 Excerpt from "NEWS": =20 * Changes in Wget 1.20.2 ** NTLM authentication will retry under certain cases ** Fixed a buffer overflow vulnerability" =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 0ce95859da727188019a95d855a3053ce2bf8985 Author: Michael Tremer Date: Thu Apr 4 02:06:41 2019 +0100 core130: Ship updated nettle =20 Signed-off-by: Michael Tremer commit a4cc65bc4866583be8c625c33f20d7429a25a400 Author: Matthias Fischer Date: Thu Apr 4 09:37:25 2019 +0200 nettle: Update to 3.4.1 =20 For details see: https://fossies.org/linux/nettle/ChangeLog =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit c95ba2bbcc0b6c0b037f058a4395027f93dc093a Author: Michael Tremer Date: Thu Apr 4 02:05:52 2019 +0100 core130: Ship updated GnuTLS =20 Signed-off-by: Michael Tremer commit 34bbcff61f2de1fa76e4be20371d276f304277da Author: Matthias Fischer Date: Thu Apr 4 09:31:00 2019 +0200 gnutls: Update to 3.6.7.1 =20 For details see: https://lists.gnupg.org/pipermail/gnutls-help/2019-March/004497.html =20 Please note: A few days after the "3.6.7" release, "3.6.7.1" came out. =20 See: https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/ =20 But the compressed directory version is still versioned 3.6.7. =20 Because of this, the fourth (sub)-version number required some lfs adjust= ments. =20 And: This version requires "nettle 3.4.1", which is sent in another commit. 
=20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit ef1cb80375ca736b2aca12f2bbba2b5ffe7216de Author: Michael Tremer Date: Thu Apr 4 02:04:28 2019 +0100 core130: Ship updated apache =20 Signed-off-by: Michael Tremer commit 5f2e713ec888dfbbcdb609ee61e846c060ded96c Author: Matthias Fischer Date: Thu Apr 4 09:15:00 2019 +0200 apache: Update to 2.4.39 =20 For details see: http://mirror.checkdomain.de/apache//httpd/CHANGES_2.4.39 =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 72995596119e76e1c41395f21c097643bff44be6 Author: Michael Tremer Date: Thu Apr 4 02:00:29 2019 +0100 freeradius: Fix extra whitespace =20 Signed-off-by: Michael Tremer commit df95c62f3a26a71c41610df0ad49a590dc3abbb8 Merge: 94f89b821 0e54ca260 Author: Arne Fitzenreiter Date: Wed Apr 3 21:53:22 2019 +0000 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next commit 94f89b821e0307f69bd99b19ca895219d779fabc Author: Michael Tremer Date: Wed Apr 3 21:52:04 2019 +0000 freeradius: handle special LDFLAGS to configure =20 Signed-off-by: Arne Fitzenreiter commit 0e54ca260288079e008393a1d2fc5cc8b9cdb7e7 Author: Michael Tremer Date: Wed Apr 3 00:42:19 2019 +0100 pcengines-apu-firmware: New package =20 This package ships the latest BIOS for PC Engines APU boards. =20 With help of the firmware-update package, this can be very easily updated when running IPFire. 
=20 Signed-off-by: Michael Tremer commit 2aca6aa061c2f680b46aea2dbeb36e4678ed57a3 Author: Michael Tremer Date: Wed Apr 3 00:33:44 2019 +0100 firmware-update: New package =20 This is a script that can update firmware on PC Engines APU systems =20 Signed-off-by: Michael Tremer commit 82d176d33bc2839ea31028b9f7dfb6d60f3860af Author: Michael Tremer Date: Wed Apr 3 00:26:13 2019 +0100 flashrom: New package =20 This is required to flash firmware =20 Signed-off-by: Michael Tremer commit 48d3cde9cec7add38fb3c62dd66079c5b2fec5aa Author: Michael Tremer Date: Mon Apr 1 21:58:23 2019 +0100 kernel: Disable some debugging in expactation to increase performance =20 Signed-off-by: Michael Tremer commit 474a6a59785123b7cdd645447f43c52307a6f6ba Author: Michael Tremer Date: Mon Apr 1 21:55:03 2019 +0100 kernel: Enable strict checks for /dev/mem =20 Signed-off-by: Michael Tremer commit 4038d70b768910c5dc5b2ce2c09e3e5b687064dd Author: Michael Tremer Date: Mon Apr 1 21:35:56 2019 +0100 freeradius: Fix build on armv5tel =20 Reported-by: Arne Fitzenreiter Signed-off-by: Michael Tremer commit 84fca55b3373f5acc3821b6a8e050bce89b679e8 Author: Michael Tremer Date: Mon Apr 1 16:53:50 2019 +0100 Update translations =20 Signed-off-by: Michael Tremer commit d38f3eed08d71343cc16de61373860e5aa7efcfd Author: Stefan Schantl Date: Mon Apr 1 17:32:34 2019 +0200 IDS: Rename sourcefire VRT rulesets to Talos VRT rulesets =20 Fixes #12019 =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 78c8fe06a5841101c04c7a8e9f1117501f5fd6fc Merge: d00d788be 56f4ba9b0 Author: Arne Fitzenreiter Date: Sun Mar 31 18:36:44 2019 +0200 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next commit 56f4ba9b017008584c132fdcca41557002a1d8f3 Author: Jonatan Schlag Date: Sun Mar 31 13:29:45 2019 +0100 Update borgbackup to version 1.1.9 =20 Fixes: #12016 =20 Signed-off-by: Jonatan Schlag Signed-off-by: Michael Tremer commit d00d788be47b9c17bc792be2c90d4c81a3ced544 Author: Arne Fitzenreiter Date: Sun 
Mar 31 11:46:34 2019 +0200 kernel: update to 4.14.109 =20 Signed-off-by: Arne Fitzenreiter commit 3005eb2234e5875389011d247785909d5f044c74 Author: Arne Fitzenreiter Date: Sat Mar 30 16:56:56 2019 +0100 kernel: update user regd patch from openwrt =20 Signed-off-by: Arne Fitzenreiter commit c955ae653ae8421621c49092fd3057ed99e0a4b1 Merge: 9f52e3506 c31c8078c Author: Arne Fitzenreiter Date: Sat Mar 30 16:55:35 2019 +0100 Merge remote-tracking branch 'ms/dfs' into next commit 9f52e35066b3fa8603e85784b7ede0532afc66e6 Author: Erik Kapfer Date: Fri Mar 29 10:44:43 2019 +0100 freeradius: Update to version 3.0.18 =20 Signed-off-by: Erik Kapfer Signed-off-by: Michael Tremer commit 10945e38f36893cba8f6c28c8756fa8741c08118 Author: Matthias Fischer Date: Wed Mar 27 20:54:10 2019 +0100 clamav: Update to 0.101.2 =20 For details see: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html =20 "ClamAV 0.101.2 is a patch release to address a handful of security relat= ed bugs." =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit b666975ec292fec239aa6023dc79abf5538c9d95 Author: Michael Tremer Date: Thu Mar 28 12:51:06 2019 +0000 unbound-dhcp-leases-bridge: Replace leases file atomically =20 When there is a large number of leases, writing the file may take a long time. When unbound is re-reading its configuration in that time, the file might syntactically incorrect. =20 This change writes the file first and then moves it to the right place in one transaction. =20 Signed-off-by: Michael Tremer commit 35cdc506b06ed2e5fc8f7ad7fe57239eaadbda58 Author: Michael Tremer Date: Tue Mar 26 21:58:01 2019 +0000 suricata: Enable CPU affinity =20 This will tie the detection threads to a certain CPU and slightly increases throughput on my system. 
=20 Signed-off-by: Michael Tremer commit 4d093b810552339a6a7df774412c8e144f799331 Author: Michael Tremer Date: Tue Mar 26 21:18:45 2019 +0000 suricata: Tie queues to a CPU core =20 This should improve performance by a small margin =20 Signed-off-by: Michael Tremer commit effa44650ebc227d99a3781ba962e015a3430d3a Author: Erik Kapfer Date: Tue Mar 26 07:15:16 2019 +0100 nginx: Update to 1.15.9 =20 Fixes #12023 . Added support for http2. =20 Signed-off-by: Erik Kapfer Signed-off-by: Michael Tremer commit 2547e73e6b1c2e24e631140f328eeb49deddb6f9 Author: Michael Tremer Date: Fri Mar 22 07:28:23 2019 +0000 freeradius: Bump version because package is linked against old version of= OpenSSL =20 Signed-off-by: Michael Tremer commit 3657df4ea3b74b9aa7bc631106b2e3684a0bfe72 Author: Michael Tremer Date: Fri Mar 22 03:28:23 2019 +0000 DHCP: Remove double colon =20 In some languages, there were double colons in the DNS Update section =20 Signed-off-by: Michael Tremer commit abe21498524bce327404febe644b1361267d0957 Author: Michael Tremer Date: Fri Mar 22 02:58:57 2019 +0000 GeoIP: Do not crash when locations database does not exist =20 Fixes: #12021 Signed-off-by: Michael Tremer commit d4767896cb27880c2e042ffd49bdbcf7b99a2c64 Author: Michael Tremer Date: Thu Mar 21 20:50:30 2019 +0000 make.sh: Build libedit very early =20 Many packages can make use of this =20 Signed-off-by: Michael Tremer commit 3210e92212b70ab886fe31847c6397a273e784e6 Author: Michael Tremer Date: Thu Mar 21 20:48:39 2019 +0000 core130: Ship updated lua =20 Signed-off-by: Michael Tremer commit 6bc94afa0d36ecaa4691eaa4dbefa4322861893f Author: Matthias Fischer Date: Sun Mar 24 18:34:37 2019 +0100 lua: Update to 5.3.5 =20 For details see: =20 http://www.lua.org/bugs.html =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 67b943c18a36aa9801684ca85ac3390292651e87 Author: Michael Tremer Date: Thu Mar 21 20:39:51 2019 +0000 core130: Ship rrdtool and collectd =20 Signed-off-by: Michael Tremer commit 
b3a7120c1556bd060caf894fa0b4a5084fc7436a Author: Matthias Fischer Date: Sun Mar 24 18:21:20 2019 +0100 rrdtool: Update to 1.7.1 =20 Disabled 'lua' because otherwise building failed. =20 I didn't find any place or reason where 'lua' was used by 'rrdtool', so it was deactivated. =20 Disabling had no noticeable effects by now. Running. =20 Please note: '/usr/lib/collectd/rrdcached.so' and '/usr/lib/collectd/rrdtool.so' have = to be updated, too. =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit b6c60092db15360cd51091b9f5bcff637ee2ea7c Author: Michael Tremer Date: Fri Mar 22 15:22:43 2019 +0000 openvpn: Remove subnet check for static pools =20 Signed-off-by: Michael Tremer commit fd0b2742bf217cbacacd4725a2bd9ad4ec1b6aaf Author: Michael Tremer Date: Mon Mar 18 04:38:41 2019 +0000 dnsdist: Update to 1.3.3 =20 Signed-off-by: Michael Tremer commit aac6015042e28730982d643425f768f46dc9c603 Author: Michael Tremer Date: Mon Mar 18 02:54:37 2019 +0000 dnsdist: Install some symlinks to start the service =20 Signed-off-by: Michael Tremer commit 5b8ff1ccb6506942485ff221e13d163691109a6c Author: Michael Tremer Date: Mon Mar 18 02:54:15 2019 +0000 dnsdist: Add backup include =20 Signed-off-by: Michael Tremer commit af2dc11c921062608c4537368885eb195f54c177 Author: Michael Tremer Date: Sat Mar 16 23:09:11 2019 +0000 Rootfile update =20 Signed-off-by: Michael Tremer commit b60fd7a3e2640d7da41a3bdb875669c302849acc Author: Stefan Schantl Date: Mon Mar 18 20:33:28 2019 +0100 Core 130: Remove files after convert-snort has been launched =20 The converter requires /etc/snort/snort.conf to grab the used rule files (categories). After all settings have been converted, we are fine to dele= te all snort related files, because none of them is needed anymore. =20 Also the /var/ipfire/snort directory needs to be deleted. 
If it will be l= eft on the system and at any later time a backup will get restored, the converter wi= ll be started by the backup script, because it detects that a snort settins dir= exists and would be restore the old snort settings and replaces all current IPS = settings. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit ceaf0ef0087abb09e9cca1677c67776cf76ce417 Author: Michael Tremer Date: Mon Mar 18 17:26:16 2019 +0000 dnsforward.cgi: Add DNSSEC option to legend =20 Signed-off-by: Michael Tremer commit 08ded6035f61ed97e3a122dc1832703084b72f86 Author: Michael Tremer Date: Mon Mar 18 15:35:29 2019 +0000 dnsforward.cgi: Check DISABLE_DNSSEC checkbox when editing =20 Signed-off-by: Michael Tremer commit 3b521c724f09a45e09ac9228d8b65df0d8bd13a7 Author: Michael Tremer Date: Mon Mar 18 15:24:56 2019 +0000 ipsec-interfaces: Apply static routes (again) after creating IPsec interf= aces =20 Signed-off-by: Michael Tremer commit c31c8078cffcf3f933f567cb02a366ceedd6d5da Author: Michael Tremer Date: Wed Mar 13 18:37:28 2019 +0100 hostapd: Always enable 80 MHz channel width for 802.11ac =20 This is mandatory to support by all hardware and works well. 
=20 Signed-off-by: Michael Tremer commit 70a7c454af4a6a9ef7245def2f77119520de85af Author: Michael Tremer Date: Wed Mar 13 18:24:01 2019 +0100 hostapd: Automatically disassociate any clients with high error rates =20 Signed-off-by: Michael Tremer commit 30c33cb318cc399b32c9c06d99e88c52ba957ea9 Author: Michael Tremer Date: Thu Mar 14 13:07:11 2019 +0000 kernel: Enable debugging for Atheros drivers =20 Signed-off-by: Michael Tremer commit 62bf7bd2b2cba74cd7838014cdf3380611690d60 Author: Michael Tremer Date: Fri Mar 8 11:05:26 2019 +0000 kernel: Enable DFS support for ath*k drivers =20 Signed-off-by: Michael Tremer commit 57521504a89e792336f55e893564a000bfe4b1d7 Author: Michael Tremer Date: Sat Mar 16 12:34:19 2019 +0000 hostapd: Bump package version =20 Signed-off-by: Michael Tremer commit 5b4464a94478059ceebf266bc31dee4a4ba18fac Author: Peter M=C3=BCller Date: Sat Mar 16 14:20:00 2019 +0000 hostapd: make client isolation configurable via WebUI =20 hostapd supports client-isolation, but this feature could not be configured via the WebUI so far. Since it might be desired in public wireless networks, or even private ones, it makes sense to provide a radio button to let the user decide on. =20 Fixes #11974. =20 Signed-off-by: Peter M=C3=BCller Signed-off-by: Michael Tremer commit a10b0e5b448bf7e4a9bcc334e177ddae09806dc7 Author: Peter M=C3=BCller Date: Fri Mar 15 17:00:00 2019 +0000 ensure Tor daemon files have correct permissions =20 Set permissions for /var/lib/tor and /var/ipfire/tor to tor:tor, regardless whether Tor user has been created before or not. =20 This ensures Tor starts properly on existing systems after reinstallation of the add-on. Thanks to Michael for the hint. =20 Further, a comment for new Tor user in /etc/passwd has been added. =20 Fixes #11779. 
=20 Signed-off-by: Peter M=C3=BCller Signed-off-by: Michael Tremer commit a46903cce3863923838c5cc0721f4932adf2175d Author: Michael Tremer Date: Sat Mar 16 12:32:10 2019 +0000 core130: Ship updated unbound =20 Signed-off-by: Michael Tremer commit 6f8b156bf0dcda4a1bb8ccdc8db83a54b2d7d1d0 Author: Matthias Fischer Date: Fri Mar 15 19:15:19 2019 +0100 unbound: Update to 1.9.1 =20 For details see: https://nlnetlabs.nl/pipermail/unbound-users/2019-March/011415.html =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 2c703afc04448f15f9ad6b9c90be216bad256532 Author: Michael Tremer Date: Sat Mar 16 12:30:22 2019 +0000 core130: Ship updated ntp =20 Signed-off-by: Michael Tremer commit f81c2225198b894c180cf36b6ee2cd6c0ea3849d Author: Matthias Fischer Date: Fri Mar 15 19:10:11 2019 +0100 ntp: Update to 4.2.8p13 =20 For details see: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities =20 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit 728f3d2e8f3d26e80154236c6d67e303e1f7f3b9 Author: Stefan Schantl Date: Sat Mar 16 13:04:18 2019 +0100 suricata: Fix ownership and file permissions of files inside /var/lib/sur= icata. =20 These files needs to have nobody.nobody as owner but requires read-acces = from everyone to allow the suricata user reading-in this files during startup. 
=20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 7bf5b0f22194fcb617f3e678c4a1c492b0faf01d Author: Stefan Schantl Date: Sat Mar 16 12:57:25 2019 +0100 logs.cgi/ids.dat: Fixup processing dates from logfiles which contains a y= ear =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit e1d9148b61bc973ac1fef063b58500de4d881d7e Author: Michael Tremer Date: Sat Mar 16 10:00:19 2019 +0000 Fix python3-yaml rootfile =20 Signed-off-by: Michael Tremer commit 9c4477d0f394af12f51d74e52d1a1c85cd13b289 Author: Stefan Schantl Date: Fri Mar 15 15:33:29 2019 +0100 core130: Fix another error in rootfile =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 03f68cbca90d9c1bc0b55c2f5aa4698a5d9d3eab Author: Michael Tremer Date: Fri Mar 15 13:20:23 2019 +0000 core130: Fix errors in rootfile =20 Signed-off-by: Michael Tremer commit 710afa00c6e1441ba45f3fdda2feaf613ffd0033 Author: Michael Tremer Date: Thu Mar 14 16:52:38 2019 +0000 Update IPS translation =20 * Fix typos * Fix compound nouns (especially in German) * Remove unused strings =20 Signed-off-by: Michael Tremer commit acb718b0bbfdf2b15bcc95abce2f4a7c23392362 Author: Michael Tremer Date: Thu Mar 14 14:01:45 2019 +0000 nut: Disable parallel build =20 nut just fails to build when running in parallel =20 Signed-off-by: Michael Tremer commit f9219b91a1f4648f6c2db9e3699169bb797e79c1 Author: Michael Tremer Date: Thu Mar 14 13:48:25 2019 +0000 core130: Ship suricata =20 Signed-off-by: Michael Tremer commit 3bc001dbf976a89dcf4fc15912b472073c9e45db Author: Michael Tremer Date: Thu Mar 14 13:20:56 2019 +0000 Update contributors =20 Signed-off-by: Michael Tremer commit cdfbdd1ada37183769c0b245218faff2cd300ac6 Author: Michael Tremer Date: Thu Mar 14 13:20:22 2019 +0000 Update translations =20 Signed-off-by: Michael Tremer commit 01604708c386da93713cffadb3d5d40665f62ec9 Merge: c578cbd35 e776d33c7 Author: Michael Tremer Date: Thu Mar 14 13:19:35 2019 +0000 Merge remote-tracking branch 
    'stevee/next-suricata' into next

commit c578cbd35f8af09f452326ce643d13e92ddaed99
Author: Michael Tremer
Date:   Thu Mar 14 13:16:33 2019 +0000

    core130: Ship updated firewall script

    Signed-off-by: Michael Tremer

commit 5fc5f703470b37b43e18be66da0fb181696428a7
Author: Peter Müller
Date:   Mon Mar 11 20:07:00 2019 +0000

    add IPtables chain for outgoing Tor traffic

    If Tor is operating in relay mode, it has to open a lot of outgoing
    TCP connections. These should be separated from any other outgoing
    connections, as allowing _all_ outgoing traffic will be unwanted and
    risky in most cases.

    Thereof, Tor will be running as a dedicated user (see second patch),
    allowing usage of user-based IPtables rulesets.

    Partially fixes #11779.

    Singed-off-by: Peter Müller

    Signed-off-by: Michael Tremer

commit 4680d554fc52813b9e2a1bae3888d0b34dfbb5ad
Author: Peter Müller
Date:   Mon Mar 11 20:07:00 2019 +0000

    run Tor under dedicated user

    This allows more-fine granular firewall rules (see first patch for
    further information). Further, it prevents other services running as
    "nobody" (Apache, ...) from reading Tor relay keys.

    Fixes #11779.
    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit b450e7e3e6f47734e7282bf37953912b9ef6c740
Author: Michael Tremer
Date:   Thu Mar 14 13:15:03 2019 +0000

    Start Core Update 130

    Signed-off-by: Michael Tremer

commit e776d33c7018a314acfb8909e9581a26d544d7e7
Author: Stefan Schantl
Date:   Wed Mar 13 12:14:30 2019 +0100

    suricata: Fix amount of listened nfqueues

    Signed-off-by: Stefan Schantl

commit e8b1b397c1dd4b158520b8c7905cd66b864c1051
Author: Stefan Schantl
Date:   Wed Mar 13 10:03:48 2019 +0100

    suricata: Remove unneeded stuff during build

    Signed-off-by: Stefan Schantl

commit f717b1dc55595b4353fd7d3b44a057d282d19b62
Author: Stefan Schantl
Date:   Sun Mar 10 18:52:40 2019 +0100

    IDS: Set owner of suricata logging directory to correct user

    Signed-off-by: Stefan Schantl

commit fd378b3b08f8458fd7c32e9eb0e2566de53ed02a
Author: Stefan Schantl
Date:   Sun Mar 10 18:50:37 2019 +0100

    Rename snort user and group to suricata

    This only affects new installations.

    Signed-off-by: Stefan Schantl

commit 38081b8be19b56b7298d5a01e7218b774759406c
Author: Michael Tremer
Date:   Sat Mar 2 17:26:34 2019 +0000

    suricata: Run as non-root user

    This patch does not have any effect (yet) and is untested because
    suricata needs to be built against libcap-ng which is currently
    not being packaged for IPFire.

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 2bec60c34725c759c98f4da276fc8149162b3397
Author: Stefan Schantl
Date:   Sun Mar 10 17:34:03 2019 +0100

    suricata: Update to 4.1.3

    Signed-off-by: Stefan Schantl

commit 1fbf0788bf66da1b93774a19d4b0db52b0fdfc73
Author: Stefan Schantl
Date:   Sun Mar 10 13:27:52 2019 +0100

    Move IDS/IPS menu entry to firewall section

    Fixes #12011.
    Signed-off-by: Stefan Schantl

commit b051eb68b6c12f619b1c3a76009d41ad59550b6b
Author: Stefan Schantl
Date:   Sun Mar 3 15:10:02 2019 +0100

    libcap-ng: New package

    Signed-off-by: Stefan Schantl

commit 26c758cf4870d834dfe4d20bb2ce76f701befd61
Author: Michael Tremer
Date:   Sat Mar 2 17:18:39 2019 +0000

    suricata: Drop parsers I have never heard of

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 8efbd71caad61912817c5cf28974364a34dc6390
Author: Michael Tremer
Date:   Sat Mar 2 17:18:38 2019 +0000

    suricata: Configure HTTP decoder

    This will now scan all request and response bodies
    where possible and use up to 256MB of RAM

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 96495c9aa2a46896ebb5cbbdfa5fd4b961864215
Author: Michael Tremer
Date:   Sat Mar 2 17:18:37 2019 +0000

    Revert "Suricata: detect DNS events on port 853, too"

    This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.

    It does not make any sense to try to decode the TLS connection
    with the DNS decoder.

    Therefore should 853 (TCP only) be added to the TLS decoder.

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 5d04cfe7d582bc58a4e4f9995fe5f67fcc456456
Author: Michael Tremer
Date:   Thu Feb 28 19:37:38 2019 +0000

    suricata: Use highest bit to mark packets

    We are using the netfilter MARK in IPsec & QoS and this
    is causing conflicts.

    Therefore, we use the highest bit in the IPS chain now
    and clear it afterwards because we do not really care about
    this after the packets have been passed through suricata.

    Then, no other application has to worry about suricata.
    Fixes: #12010
    Signed-off-by: Arne Fitzenreiter
    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit c9ee3592f00f0edc9467643a27ba1505cc8f879a
Author: Michael Tremer
Date:   Thu Feb 28 14:28:25 2019 +0000

    suricata: Fix syntax error

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 99d75ac72e66928f5218c222b0b3fd8fbfba179f
Author: Michael Tremer
Date:   Thu Feb 28 14:28:24 2019 +0000

    suricata: Start capture first and then load rules

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 890f1bf2954328f5e811757754d815dedf6f92c1
Author: Michael Tremer
Date:   Thu Feb 28 14:28:23 2019 +0000

    suricata: Disable decoding for Teredo

    This decoder is not very accurate and Teredo has been
    disabled in Windows by default. Nobody will use this.

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 0b340f0938e5f292f74f5f2e60b3d46d473f2096
Author: Michael Tremer
Date:   Thu Feb 28 14:28:22 2019 +0000

    suricata: Increase memory size for the stream engine

    This change also ensures that suricata has a decent number of
    streams preallocated to be able to handle any bursts in traffic.
    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit ab1444b4f4b9324e96fbb240929334b27611e12f
Author: Michael Tremer
Date:   Thu Feb 28 14:28:21 2019 +0000

    suricata: Log to syslog like a normal process

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 47cb057145c76d5faf7987de9e779bf07a029336
Author: Michael Tremer
Date:   Thu Feb 28 14:28:20 2019 +0000

    suricata: Use up to 256MB of RAM for the flow cache

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 7eed864c93d143ef943b9f3f8bdf7b40a440cb71
Author: Michael Tremer
Date:   Thu Feb 28 14:28:19 2019 +0000

    suricata: Use 64MB of RAM for defragmentation

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 83b576c892c82652b0b56efc200e52fd1dee30f9
Author: Michael Tremer
Date:   Thu Feb 28 14:28:18 2019 +0000

    suricata: Use the correct path for the magic database

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 0e28ea9f3e72e0f4db9274c3b7021711d0c0c258
Author: Michael Tremer
Date:   Thu Feb 28 14:28:17 2019 +0000

    suricata: Log to syslog

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 682f1fdaca919284af877894aecd1282595c1430
Author: Michael Tremer
Date:   Thu Feb 28 14:28:16 2019 +0000

    suricata: We do not use any IP reputation lists

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit cf976e93c419d2c268979397ec87e05a2b8b7636
Author: Michael Tremer
Date:   Thu Feb 28 14:28:14 2019 +0000

    suricata: Allow 32MB of RAM for DNS decoding

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit fe5bd1862f2dfce5b3123ed2d2bbb5a360f1cd40
Author: Michael Tremer
Date:   Thu Feb 28 14:28:12 2019 +0000

    suricata: Drop sections that require Rust

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit bc2cb52953c92ad9209576de316f2076cfdb4caf
Author: Michael Tremer
Date:   Thu Feb 28 14:28:11 2019 +0000

    suricata: Drop some commented stuff from configuration

    The file is really large and we
    should not carry anything we will never use.

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 75fba6cd248af6925d62452c15d4a21a2a7a204a
Author: Michael Tremer
Date:   Thu Feb 28 14:28:10 2019 +0000

    suricata: Drop profiling section from configuration

    This is not compiled in as it slows down detection
    and is only really useful for debugging

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 5196d8ddbb097c4485a01a0fee58ade94b7255ac
Author: Michael Tremer
Date:   Thu Feb 28 14:28:09 2019 +0000

    suricata: Set detection profile to high

    This will merge rules more aggressively so that the engine
    is only processing those that can actually match.

    Memory is cheap. People with little memory should not
    run suricata anyways.

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 9f726f8f536fb271e00c51ca7d10dac143dd3045
Author: Michael Tremer
Date:   Thu Feb 28 14:28:08 2019 +0000

    suricata: Set default packet size to 1514

    We usually use a MTU of 1500 + Ethernet header

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 16446608cbe53bcd0873ed48b907b697441d31d1
Author: Michael Tremer
Date:   Thu Feb 28 14:28:07 2019 +0000

    suricata: Set max-pending-packets to 1024

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 1f3c61b66c77898707791519b837e61b1d2e6ad0
Author: Peter Müller
Date:   Fri Feb 22 20:16:00 2019 +0000

    Suricata: detect TLS traffic on port 444, too

    This is the default port for IPFire's administrative web interface
    and should be monitored by Suricata, too.

    Signed-off-by: Peter Müller
    Cc: Stefan Schantl
    Acked-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit cc636c4741e7928276a1a5c7048b4fc0693c7f23
Author: Stefan Schantl
Date:   Fri Feb 22 10:04:27 2019 +0100

    convert-snort: Try to download ruleset if none is present.
    Signed-off-by: Stefan Schantl

commit 5d7d8749dc005bd883e3b7d53d953f334cdea5b4
Author: Stefan Schantl
Date:   Mon Feb 18 13:33:41 2019 +0100

    convert-snort: Set correct ownership after modify_sids_file has been generated.

    Signed-off-by: Stefan Schantl

commit d0f9526beb718ca934de9f8cea749bec4b04f3ad
Author: Stefan Schantl
Date:   Mon Feb 18 13:29:47 2019 +0100

    ids.cgi: Add language string for ignored hosts section.

    Fixes #12002.

    Signed-off-by: Stefan Schantl

commit 06f57f72309f268d4f6b3490b33912813fbf1f1e
Author: Michael Tremer
Date:   Mon Feb 18 10:28:13 2019 +0000

    general-functions.pl: Only skip lines with a # at the beginning

    This accidentally dropped all lines that include #.
    That resulted in colour codes not being loaded from file any more.

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 7c3b7cdcca852e4f5e5ee46b5291b8ba522535ec
Author: Stefan Schantl
Date:   Mon Feb 18 10:55:27 2019 +0100

    ids-functions.pl: Tune rules to always monitor in both directions.

    This will allow to scan the traffic from an EXTERNAL_NET to the HOME_NET
    and from the HOME_NET to the EXTERNAL_NET.

    Reference: 10273

    Signed-off-by: Stefan Schantl

commit 20b4c4d863d40f4b6cc1fd68eed17d1214a05f9e
Author: Stefan Schantl
Date:   Mon Feb 18 10:01:47 2019 +0100

    suricata: Swith to "16" as repeat-mark and repeat-mask.

    Marks "1-3" are used for marking source-natted packets on the
    interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.
    See commit: f5ad510e3c0f416a1507999f5ad20ab171df9c07

    Signed-off-by: Stefan Schantl

commit 77c07352a58a67e88a507feba982fe0f73518f59
Author: Stefan Schantl
Date:   Fri Feb 15 13:26:55 2019 +0100

    Suricata: Start service on red.up event if requested

    Signed-off-by: Stefan Schantl

commit d215f6e9809e3a7e0b7356c985803291067d923e
Author: Stefan Schantl
Date:   Fri Feb 15 12:39:56 2019 +0100

    collectd: Stop collecting process details for snort

    Signed-off-by: Stefan Schantl

commit 0d8cc90f4dead04de7181634377fe11115678f34
Author: Stefan Schantl
Date:   Fri Feb 15 12:18:45 2019 +0100

    services.cgi: Show status of suricata instead of snort

    Signed-off-by: Stefan Schantl

commit 1ef235f08dab44779d3b97854f25e234b6124cab
Author: Stefan Schantl
Date:   Fri Feb 15 11:22:14 2019 +0100

    logrotate: Rotate suricata logs instead of snort ones

    Signed-off-by: Stefan Schantl

commit 78690361abbff86772850947e1dac97eecfa0648
Author: Stefan Schantl
Date:   Thu Feb 14 12:37:13 2019 +0100

    convert-snort: Always create directory and filelayout

    Signed-off-by: Stefan Schantl

commit b09c13f1b6276885cfc457fa04896bfd7ba240e6
Author: Stefan Schantl
Date:   Thu Feb 14 12:15:41 2019 +0100

    convert-snort: Call subfunction to change ownership of rulestarball

    Signed-off-by: Stefan Schantl

commit 99b2e30636aa404f9fac355fcbbbe0a2e8f84e0a
Author: Stefan Schantl
Date:   Thu Feb 14 11:43:31 2019 +0100

    ids-ruleset-sources: Fix rootfile

    Signed-off-by: Stefan Schantl

commit c980ac7f2a0ba8ea08797005445328055993e31e
Merge: c1c754a12 5368ccb0f
Author: Stefan Schantl
Date:   Wed Feb 13 19:46:45 2019 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit c1c754a1211fbe50b7ba5b7a25444bd34b090957
Merge: f3cbcfeff 02a8a241b
Author: Stefan Schantl
Date:   Fri Feb 8 09:59:31 2019 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit f3cbcfeff9e8ce263c812a25a24c7f4f14d4a64f
Author: Stefan Schantl
Date:   Fri Feb 8 09:56:36 2019 +0100
    libhtp: Update to 0.5.29

    Signed-off-by: Stefan Schantl

commit 4434236e00a6e5fddbf031ca4777d2c00ad34482
Author: Stefan Schantl
Date:   Fri Feb 8 09:55:46 2019 +0100

    ruleset-sources: Update sourcefire rulesets to latest snapshot version

    Signed-off-by: Stefan Schantl

commit ad99f959e2b83dd9f1275c1d385140271c8926ae
Author: Peter Müller
Date:   Thu Feb 7 17:47:00 2019 +0000

    Suricata: detect DNS events on port 853, too

    As DNS over TLS popularity is increasing, port 853 becomes
    more interesting for an attacker as a bypass method. Enabling
    this port for DNS monitoring makes sense in order to avoid
    unusual activity (non-DNS traffic) as well as "normal" DNS
    attacks.

    Partially fixes #11808

    Signed-off-by: Peter Müller
    Cc: Stefan Schantl
    Signed-off-by: Stefan Schantl

commit 8723bb91aeff7dbbc173c6f7b8052a76203cb0a5
Author: Peter Müller
Date:   Thu Feb 7 17:41:00 2019 +0000

    Suricata: enable full detection for missing protocols

    These are IMAP and MSN, which can be safely enabled.
    Partially fixes #11808

    Signed-off-by: Peter Müller
    Cc: Stefan Schantl
    Signed-off-by: Stefan Schantl

commit 05a635ec04f1ca7ee85a1511757ef3fea28cdb5c
Author: Peter Müller
Date:   Thu Feb 7 17:38:00 2019 +0000

    Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports as, well

    Partially fixes #11808

    Signed-off-by: Peter Müller
    Cc: Stefan Schantl
    Signed-off-by: Stefan Schantl

commit 5fbd7b29829caf0bcadcccd6f56ead51e2fb812e
Author: Stefan Schantl
Date:   Thu Feb 7 10:33:29 2019 +0100

    ids.cgi: Format and show date of the current ruleset again

    Fixes #11992

    Signed-off-by: Stefan Schantl

commit ee7fe87ea6341f201bad78910d1055ed17560766
Author: Stefan Schantl
Date:   Thu Feb 7 09:46:01 2019 +0100

    ids.cgi: Change name of the button to apply the ruleset changes

    Signed-off-by: Stefan Schantl

commit e8ae413a79a9c5eea8952ca42449128d79682216
Author: Stefan Schantl
Date:   Thu Feb 7 09:02:32 2019 +0100

    langs: Remove snort related and unused strings

    Fixes #11993.

    Signed-off-by: Stefan Schantl

commit dd8d6f5ee8c6262b96319b84751a73044be23e39
Author: Stefan Schantl
Date:   Thu Feb 7 09:00:35 2019 +0100

    logs.cgi/ids.dat: Do not call the IDS snort again

    Signed-off-by: Stefan Schantl

commit 5bd8940d68186e1ad2cbbb376c4bae6d512630bb
Author: Stefan Schantl
Date:   Thu Feb 7 08:51:31 2019 +0100

    ids.cgi: Improve showed messages while the IDS is working

    Reference #11993

    Signed-off-by: Stefan Schantl

commit e566e977f7605758df450c6128d1484cc5fb2a35
Author: Stefan Schantl
Date:   Thu Feb 7 08:28:29 2019 +0100

    Add german translation for "system is offline"

    Signed-off-by: Stefan Schantl

commit 9074e3d74cc931244892d306b38c298ce8dd0f2b
Author: Stefan Schantl
Date:   Thu Feb 7 08:24:15 2019 +0100

    ids.cgi: Lock page while autoupdate script is running

    Fixes #11991

    Signed-off-by: Stefan Schantl

commit 5206a3358d18b8ec9b1ceca3e95a56516ae7b4ab
Author: Stefan Schantl
Date:   Thu Feb 7 08:06:49 2019 +0100

    update-ids-ruleset: Lock and Unlock the IDS page
    during runtime

    Reference #11991

    Signed-off-by: Stefan Schantl

commit 8076deba79f9bbd4e551fdfe1eb49e8a77b2c19e
Author: Stefan Schantl
Date:   Thu Feb 7 07:59:20 2019 +0100

    ids-functions.pl: Add code to lock/unlock ids page while autoupdating the ruleset

    Reference #11991

    Signed-off-by: Stefan Schantl

commit 5f2145eb59d3f0f7cbc70cd4f071302fd56213ea
Author: Stefan Schantl
Date:   Thu Feb 7 07:44:11 2019 +0100

    ids.cgi: Show "Update Ruleset"-Button only if automatic updates are disabled

    Signed-off-by: Stefan Schantl

commit f6eb1a40a00625b7a83984461242e86347e48579
Author: Stefan Schantl
Date:   Wed Feb 6 15:59:02 2019 +0100

    aliases.cgi: Handle suricata related actions when dealing with aliases

    When working with aliases (adding/modifying/removing), the file which
    contains the HOME_NET declarations needs to be re-generated and suricata
    requires a restart afterwards.

    Fixes #11990

    Signed-off-by: Stefan Schantl

commit 8117fff863431671939d5aa1c11c0a84e56298a2
Author: Stefan Schantl
Date:   Wed Feb 6 15:23:46 2019 +0100

    IDS: Call helper script when red interface gets up

    The helper script will be automatically called when the red interface gets up
    and will re-generate the HOME_NET file, to take care if the IP-address of this
    interface has changed.

    Fixes #11989

    Signed-off-by: Stefan Schantl

commit d8f19ebb5accbf4e850e881fbd0be8fd9d66660c
Author: Stefan Schantl
Date:   Wed Feb 6 13:12:50 2019 +0100

    IDS: Edit german translation for "ids oinkcode required".
    Signed-off-by: Stefan Schantl

commit 613f58fbfa9f536d9c84bc76354f7775b3e9b57f
Author: Stefan Schantl
Date:   Wed Feb 6 12:49:01 2019 +0100

    ids.cgi: Check if the selected ruleset requires an oinkcode

    Fixes #11983

    Signed-off-by: Stefan Schantl

commit f644a167ab06e5324c021144e08c00413472b143
Author: Stefan Schantl
Date:   Wed Feb 6 12:48:08 2019 +0100

    ids.cgi: Only perform actions when saving ruleset settings, if there are no error messages

    Signed-off-by: Stefan Schantl

commit 155b3b56a8e4c8765c473b853445e2957b0b852f
Author: Stefan Schantl
Date:   Wed Feb 6 10:58:59 2019 +0100

    ids-functions.pl: Do not send HEAD requests to sourcefire (snort.org) servers

    Using this feature to fetch the size of the requested tarball is not allowed
    by these servers, so skip this feature for their rulesets.

    Fixes #11987

    Signed-off-by: Stefan Schantl

commit c17a9778d62d964ac7d8e8da156ba0f08baf8748
Author: Stefan Schantl
Date:   Wed Feb 6 10:00:17 2019 +0100

    Revert "ids-functions.pl: Use GET method to fetch Header data of a file"

    Using the GET method will download the file twice and does not provide
    the desired mechanism here.

    This reverts commit 81592314ebe93ae942f28a1bc9037185f155ccda.

commit 422dc4caf97696ac34b65410784f22875f3412c0
Author: Stefan Schantl
Date:   Tue Feb 5 14:34:44 2019 +0100

    ids.cgi: Fix HTML formated spaces.

    Signed-off-by: Stefan Schantl

commit 9e9b477d7c4fbad483f6307cf63bf475dd79141b
Author: Stefan Schantl
Date:   Tue Feb 5 14:14:11 2019 +0100

    ids.cgi: Rework "Enable IPS" section

    Just use one language string for a maximum of flexibility for
    the translators.

    Fixes #11986

    Signed-off-by: Stefan Schantl

commit af0065691c6d3fcb14c646d1ec0b9c83bdd3313d
Author: Stefan Schantl
Date:   Tue Feb 5 13:57:40 2019 +0100

    suricata: Do not display messages when starting up

    Fixes #11979.
    Signed-off-by: Stefan Schantl

commit cc9057c0148cddb231be85caa4c38d4cf721f0c3
Author: Stefan Schantl
Date:   Tue Feb 5 13:51:08 2019 +0100

    ids.cgi: Change lang string from "Activate IPS" to "Enable IPS"

    Reference #11986

    Signed-off-by: Stefan Schantl

commit 318e7137e79f29574a5cc9677615a48b2a9b3e40
Author: Stefan Schantl
Date:   Tue Feb 5 13:25:27 2019 +0100

    IDS: Rename IDS strings to IPS

    Reference: #11986

    Signed-off-by: Stefan Schantl

commit 97870bf29cd93669beef30b876e21f2fed5d6405
Author: Stefan Schantl
Date:   Tue Feb 5 12:43:49 2019 +0100

    ids.cgi: Stop suricata when the rulest source has been changed

    If the ruleset source has been changed, it has to be configured again.
    This happens because of different rule categories, filenames rule ID's etc.

    In case suricata currently is running it has to be stopped and after the
    configuration has been done by the user, it can be launched again.

    Signed-off-by: Stefan Schantl

commit 5709768b0bab2b860911fcad66da8e0aec5c4eaa
Author: Stefan Schantl
Date:   Tue Feb 5 12:36:30 2019 +0100

    ids.cgi: Fix downloading rules if source changed

    Fix the if statement to detect whether the ruleset has been
    changed and automatically download the new one.

    Fixes #11984.

    Signed-off-by: Stefan Schantl

commit b7a9b4edc28a678cd9d2b01e0ab6304597409860
Author: Stefan Schantl
Date:   Tue Feb 5 12:13:28 2019 +0100

    ids.cgi: Update automatic download texts

    Update the showed texts in the dropdown box as mentioned in
    the bug report.

    Fixes #11985

    Signed-off-by: Stefan Schantl

commit 81592314ebe93ae942f28a1bc9037185f155ccda
Author: Stefan Schantl
Date:   Tue Feb 5 12:01:43 2019 +0100

    ids-functions.pl: Use GET method to fetch Header data of a file

    The sourcefire web servers do not support the HEAD request so we have to do
    this with a GET here.
    Fixes #11987

    Signed-off-by: Stefan Schantl

commit 4924cfdc7312ce8c31101fefebf3f0371e7cd779
Author: Stefan Schantl
Date:   Tue Feb 5 11:55:37 2019 +0100

    ids-functions.pl: Fix show HTTP error code and message

    Signed-off-by: Stefan Schantl

commit 067e1847dc1012316b23d7eb8dba8e25a65cd757
Author: Stefan Schantl
Date:   Fri Feb 1 14:34:25 2019 +0100

    suricata.yaml: Add port 222 to list of SSH Ports

    The SSH-server listened on port "222" as default on IPFire in the past.

    Signed-off-by: Stefan Schantl

commit bcbc9897e392a237105fc2e12af2323804bd2a42
Author: Stefan Schantl
Date:   Thu Jan 31 09:50:47 2019 +0100

    ids-functions.pl: Grab address for RED by using get_red_address() function.

    Signed-off-by: Stefan Schantl

commit de8e1e5b6ce6c8d82dc8e67c92af338206252dc2
Author: Stefan Schantl
Date:   Thu Jan 31 09:41:35 2019 +0100

    ids-functions.pl: Add function to the the current assigned IP-address of RED.

    Signed-off-by: Stefan Schantl

commit 912d7472a86b1347f3165c1850ed05ba2b7b641f
Author: Stefan Schantl
Date:   Thu Jan 31 08:55:05 2019 +0100

    ids.cgi: Automatically download ruleset if the ruleset source has been changed.

    Signed-off-by: Stefan Schantl

commit c9b07d6a0cdb54c71d5aef4a75c40d505585a0fe
Author: Stefan Schantl
Date:   Wed Jan 30 13:43:38 2019 +0100

    initscripts/suricata: Generate firewall rules on start and reload

    Fixes #11978

    Signed-off-by: Stefan Schantl

commit 23c0347ac5d386e215c56ae9fa3af97e66f1c23f
Author: Stefan Schantl
Date:   Wed Jan 30 12:04:54 2019 +0100

    ids-functions.pl: Add RED address and aliases to the HOME_NET

    Reference: #11981

    Signed-off-by: Stefan Schantl

commit 77c3130174cd492f0bae12205cfd3000b9b7798c
Author: Stefan Schantl
Date:   Wed Jan 30 11:57:49 2019 +0100

    ids-functions.pl: Add get_aliases()

    This subfunction is used to get all configured and enabled aliases
    for the RED network zone. They will be returned as an array.
    Signed-off-by: Stefan Schantl

commit d6f725e1857b19fefce67fc3bb63f7a379f549d4
Author: Stefan Schantl
Date:   Wed Jan 30 10:57:31 2019 +0100

    update-ids-ruleset: Improve error reporting if the system is offline

    Signed-off-by: Stefan Schantl

commit e0cec9fe99c957a686182f6002185744edd8254d
Author: Stefan Schantl
Date:   Wed Jan 30 10:53:17 2019 +0100

    ids.cgi: Dynamically generate SHOW/HIDE for expanding or collapsing a ruleset category

    Signed-off-by: Stefan Schantl

commit cf02bf2f7d23f9755a6e08383dd46fa9033d924b
Author: Stefan Schantl
Date:   Wed Jan 30 10:12:11 2019 +0100

    ids.cgi: Show IDS setting area only if a ruleset is present.

    Signed-off-by: Stefan Schantl

commit 013274d7d88653e5eaf22156754f0bb8c2e3ebaa
Author: Stefan Schantl
Date:   Wed Jan 30 10:05:14 2019 +0100

    ids.cgi: Diplay reason, why a ruleset could not be downloaded, if the system is offline.

    Signed-off-by: Stefan Schantl

commit 5fd2e9d64ac8363ac56bf0431ec3607e099b3f46
Author: Stefan Schantl
Date:   Wed Jan 30 09:57:49 2019 +0100

    ids.cgi: Also download the ruleset when saving the ruleset settings

    Signed-off-by: Stefan Schantl

commit 34a3843865bfcb6c88cb10773570b96cd61363d6
Author: Stefan Schantl
Date:   Wed Jan 30 09:42:28 2019 +0100

    ids.cgi: Add dropdown option for Emergingthreats.net Pro rules.

    Signed-off-by: Stefan Schantl

commit d618d67e010e94e1ef26f2570abe9d6748e90416
Author: Stefan Schantl
Date:   Wed Jan 30 09:39:17 2019 +0100

    ids.cgi: Only show "update ruleset" button if a ruleset is present

    Signed-off-by: Stefan Schantl

commit 674912fc3abe6283566c4e51a5360dcbf5850f36
Author: Stefan Schantl
Date:   Wed Jan 30 09:33:47 2019 +0100

    ids.cgi: Draw daemon status and setting in the same box.

    Signed-off-by: Stefan Schantl

commit 029b8ed2b1e039d216fc974db413cd5f3f718a3d
Author: Stefan Schantl
Date:   Wed Jan 30 09:27:37 2019 +0100

    ids.cgi: Show/Hide subscription code area dynamically.
    Dynamically (Java Script) show/hide the area for entering the
    subscription code / oinkcode based on the chosen ruleset.

    Signed-off-by: Stefan Schantl

commit bc4a2223cccc4165f213ec3520aee23b2550a4d2
Author: Stefan Schantl
Date:   Wed Jan 30 09:25:34 2019 +0100

    ids.cgi: Remove help text for obtaining an oinkcode

    This information is only valid for sourcefire (snort) rulesets,
    may confuse users and therefore should be handled in the wiki.

    Signed-off-by: Stefan Schantl

commit 17c2c09bcc50376ef805a194eec8688a3dfcbc29
Author: Michael Tremer
Date:   Tue Jan 29 12:03:37 2019 +0000

    suricata: Scan outgoing traffic, too

    Connections from the firewall and through the proxy must be filtered, too

    Signed-off-by: Michael Tremer
    Signed-off-by: Stefan Schantl

commit 80592396611f06069a05494da2b228aad29af72a
Author: Peter Müller
Date:   Wed Jan 23 21:22:41 2019 +0100

    Suricata: drop unused cuda HW acceleration

    As stated in https://bugzilla.ipfire.org/show_bug.cgi?id=11808#c5 , Cuda
    hardware acceleration is unused and so the configuration file section
    can be removed.

    This partially addresses #11808.

    Signed-off-by: Peter Müller
    Cc: Stefan Schantl
    Signed-off-by: Stefan Schantl

commit 68699ecffff5e8c0d35883403451bec881bd33ec
Author: Stefan Schantl
Date:   Tue Jan 29 11:23:54 2019 +0100

    Revert "Add DDNS to core 107."

    This reverts commit 197033fab234d4698b097fdb1b653b8ae39b1aae.
commit ca8c92108af8ed2fce390592d8bd536f9caa2458
Author: Stefan Schantl
Date:   Tue Jan 29 09:09:11 2019 +0100

    update-ids-ruleset: Set correct ownership for rulesdir and files

    Signed-off-by: Stefan Schantl

commit 36e69d34b1a59258bf17b886db323653dac1a13d
Author: Stefan Schantl
Date:   Tue Jan 29 09:05:29 2019 +0100

    convert-snort: Use set_ownership() from ids-functions.pl

    Signed-off-by: Stefan Schantl

commit 4fbd88bfad631b932973321004af3e26b6ca19d5
Author: Stefan Schantl
Date:   Tue Jan 29 09:01:20 2019 +0100

    ruleset-sources: Add Emerging-Threads Pro ruleset

    Signed-off-by: Stefan Schantl

commit 9f9651e06aac68d650be585a7dd15a8a6c502d5c
Author: Stefan Schantl
Date:   Tue Jan 29 09:00:26 2019 +0100

    logs.cgi/log.dat: Change search pattern from snort to suricata

    Signed-off-by: Stefan Schantl

commit 3c59b1fab85f76f75e0b6bb89cd9c007b2416b57
Author: Stefan Schantl
Date:   Tue Jan 29 08:58:08 2019 +0100

    ids-functions.pl: Set correct ownership for the stored error file.

    Signed-off-by: Stefan Schantl

commit 1fedede6a0982500847ef5d8747b5d3483991a05
Author: Stefan Schantl
Date:   Tue Jan 29 08:50:16 2019 +0100

    ids-functions.pl: Add set_ownership() function.

    This function is used to change the ownership of a given
    file or directory to the user "nobody" and the group "nobody",
    which is used by the WUI.

    Signed-off-by: Stefan Schantl

commit 8c27372438dd267648cba48b86d85a594f14be1c
Author: Stefan Schantl
Date:   Tue Jan 29 08:40:34 2019 +0100

    backup.pl: Run snort to suricata converter when a backup gets restored.
    Signed-off-by: Stefan Schantl

commit 85a62b05237a4087c9b80d0efadc71b2da45abfa
Author: Stefan Schantl
Date:   Tue Jan 29 08:26:15 2019 +0100

    IDS: Install snort to suricata converter

    Signed-off-by: Stefan Schantl

commit e4840020ed9962e3fac83c7a52670ed2cfd56672
Merge: 39155be80 61ee84291
Author: Stefan Schantl
Date:   Mon Jan 28 17:29:21 2019 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit 39155be80547e808e859f8f4dcd93763876bff5f
Merge: 5b0b4182a d03916e55
Author: Stefan Schantl
Date:   Sat Jan 26 12:40:04 2019 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit 5b0b4182a8a0f7fa17548983a4e15aeed3aa2234
Author: Stefan Schantl
Date:   Tue Jan 22 15:36:00 2019 +0100

    convert-snort: Settings converter from snort to suricata

    Signed-off-by: Stefan Schantl

commit 9283e9b9cf8326453086d9777b264d7e50b9660a
Author: Stefan Schantl
Date:   Tue Jan 22 13:25:13 2019 +0100

    ids.cgi: Move and rename GenerateIgnoreList() function to ids-functions.pl

    Signed-off-by: Stefan Schantl

commit c1a34012352f9eee339f78c00130807e275b05c2
Merge: b749416ad f6326e4f7
Author: Stefan Schantl
Date:   Mon Jan 21 13:04:13 2019 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit b749416ad71126d6a05eb92b1409f097cc127617
Author: Stefan Schantl
Date:   Sun Jan 6 14:11:30 2019 +0100

    ids-functions.pl: Downloader should reads settings from correct file

    In commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda the taken
    settings for the ruleset have been stored into an own file.

    The Downloader now uses this file to read-in which ruleset should
    be used and downloaded.
    Signed-off-by: Stefan Schantl

commit 7b6f8596edd5591a1bde21b34a7665170e5d4353
Merge: ed809cf07 f1f40274a
Author: Stefan Schantl
Date:   Fri Dec 28 07:36:59 2018 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit ed809cf07a5ccacc5817f682fc9103a2f52163d6
Author: Stefan Schantl
Date:   Fri Dec 28 07:36:19 2018 +0100

    Ship update-ids-ruleset script also on x86_64 and aarch64

    Signed-off-by: Stefan Schantl

commit 6994f00174d222a6e7dd9b812c5bebaad1e3fa3e
Author: Stefan Schantl
Date:   Wed Dec 26 16:33:54 2018 +0100

    ids-functions.pl: Downloader now also uses upstream proxy for HTTPS

    Fixes #11953

    Signed-off-by: Stefan Schantl

commit 04a0d07c97087c9d66e09155058beacee031d627
Author: Stefan Schantl
Date:   Wed Dec 26 16:05:46 2018 +0100

    ids-functions.pl: Add function to get the version of suricata

    The get_suricata_version() function is used to get the version
    of suricata installed on the system. You can specify how
    detailed the returned result should be: "major" will return
    only the major version, where "minor" will provide the major and
    minor version (1.2 for example). All other calls will be answered
    with the full version string (1.2.3).

    Signed-off-by: Stefan Schantl

commit 2ee510888c4f4a0836ef4afe5b6e30c2b94f7ddb
Author: Stefan Schantl
Date:   Tue Dec 25 20:19:12 2018 +0100

    ids-functions.pl: Fix typo

    Signed-off-by: Stefan Schantl

commit 74cc8f5a3ddafb065dffd885222246842fc8304c
Author: Stefan Schantl
Date:   Tue Dec 25 18:40:34 2018 +0100

    ids-functions.pl: Introduce function write_modify_sids_file()

    This function is used to write the corresponding file which
    tells oinkmaster to alter the whole ruleset and finally switches
    suricata into an IPS or IDS.
    Signed-off-by: Stefan Schantl

commit b02e30fd81e3e095ea3cd74cb8f0b056d68e10e7
Author: Stefan Schantl
Date:   Tue Dec 25 18:26:21 2018 +0100

    ids.cgi: Move variable declaration to ids-functions.pl

    Also move some functions from the cgi file to the library file.

    Signed-off-by: Stefan Schantl

commit 53817b89c0eb5f03830777982c86c58e4c097fa6
Author: Stefan Schantl
Date:   Mon Dec 24 13:19:06 2018 +0100

    ids.cgi: Hack to use the correct language string for red network zone.

    This hack is needed because "red" is used as "internet" in the language files
    and "red1" contains the correct "red" translations.

    Signed-off-by: Stefan Schantl

commit 99b372b51d01e7c35ac6b24bea72ec9c739681c9
Author: Stefan Schantl
Date:   Mon Dec 24 13:18:14 2018 +0100

    ids.cgi: Colourize network zones

    Colourize the network with the proper colour.

    Signed-off-by: Stefan Schantl

commit 01d02eb63bbb2142b5f154f75f028448bdd47ca5
Author: Stefan Schantl
Date:   Mon Dec 24 10:03:18 2018 +0100

    ids.cgi: Change RUN_MODE to MONITOR_TRAFFIC_ONLY

    Signed-off-by: Stefan Schantl

commit ea5c8eeb83a65791960d6cb5de6c7dc78db02fda
Author: Stefan Schantl
Date:   Sun Dec 23 21:06:14 2018 +0100

    ids.cgi: Seperate IPS and ruleset settings

    Now each of both have their own corresponding configuration areas.
    The taken settings will be saved in "/var/ipfire/suricata/settings" for
    all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for
    ruleset related settings.

    Signed-off-by: Stefan Schantl

commit aac8e30831b037034e932044b0ca941105f40d70
Author: Stefan Schantl
Date:   Sun Dec 23 21:05:37 2018 +0100

    langs/en.pl: Fix typo

    Signed-off-by: Stefan Schantl

commit ebdd0f9a90da800cc6173f6f30fb0621dddc354b
Author: Stefan Schantl
Date:   Thu Dec 20 13:18:48 2018 +0100

    ids.cgi: Prevent from starting suricata without ruleset or selected network zone

    Signed-off-by: Stefan Schantl

commit 0a1bba1a1d3ec8995f482b291d25c84374d11085
Author: Stefan Schantl
Date:   Thu Dec 20 11:55:13 2018 +0100

    ids.cgi: Access ruleset by its own name

    This improves accessing the single rules of a rule category.

    Signed-off-by: Stefan Schantl

commit 8353c3fd36c3e56861b9996c489836e4554c1ebd
Author: Stefan Schantl
Date:   Tue Dec 18 15:19:30 2018 +0100

    ids.cgi: Always use the whitelist

    Signed-off-by: Stefan Schantl

commit 25b6545a6e5523d67484e15c5d8bafd941c8c9ae
Author: Stefan Schantl
Date:   Tue Dec 18 15:14:08 2018 +0100

    ids-functions.pl: Use temporary file in downloader.

    Download the requested rules tarball into a temporary file and if
    everything is fine, replace the old by the downloaded one.

    In addition with the previously implemented file size check, we are
    saved now from a corrupt rules tarball on disk.

    Signed-off-by: Stefan Schantl

commit 96da5803a77ac8cae85fc8bc37e2153a19b5ab26
Author: Stefan Schantl
Date:   Tue Dec 18 14:16:13 2018 +0100

    ids-functions.pl: Introduce filesize check for downloader

    The downloader now requests the html header for the rules tarball and
    obtains the size of the file before downloading it.

    After success the size of the downloaded file will be compared with the
    requested one before. If they do not match, an error will be gained.

    Signed-off-by: Stefan Schantl

commit 1201c1e74695fffeae36ba8a8a6adfe422a53ddd
Author: Stefan Schantl
Date:   Tue Dec 18 14:12:52 2018 +0100

    ids-functions.pl: Fix sub _cleanup_rulesdir() function

    Signed-off-by: Stefan Schantl

commit f5ad510e3c0f416a1507999f5ad20ab171df9c07
Author: Stefan Schantl
Date:   Mon Dec 17 15:04:48 2018 +0100

    suricata: Use "2" as repeat-mark and repeat-mask.

    The previously used "1" was already used to mark source-natted packets.

    Signed-off-by: Stefan Schantl

commit 208cb3363fc13bc9b918aeacb26e4c98d1d963d3
Author: Stefan Schantl
Date:   Mon Dec 17 15:03:10 2018 +0100

    suricata: Update to 4.0.6

    Signed-off-by: Stefan Schantl

commit a13ddf04d9b58ee469b5da6bc0dd5efb64d6ebad
Merge: 8cf04a165 58e840bd9
Author: Stefan Schantl
Date:   Wed Dec 12 09:27:59 2018 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

    Signed-off-by: Stefan Schantl

commit 8cf04a165696c512c8c2cb1f3d282c1f0cc88787
Author: Stefan Schantl
Date:   Fri Oct 12 15:43:16 2018 +0200

    ids-functions.pl: Rework &_cleanup_rulesdir() function

    * Use a directory listing and delete the files.
    * Keep files with "config" as file extension.

    Signed-off-by: Stefan Schantl

commit 4ce424884914e6ee5a721124eaec89b634c19f48
Author: Stefan Schantl
Date:   Fri Oct 12 15:18:38 2018 +0200

    ids-functions.pl: Fix typo

    Signed-off-by: Stefan Schantl

commit 883820bdcb24414e965bd92844bb0b9c438b312b
Author: Stefan Schantl
Date:   Fri Oct 12 15:16:32 2018 +0200

    ids-functions.pl: Call &_cleanup_rulesdir() function before calling oinkmaster.

    Signed-off-by: Stefan Schantl

commit b59cdbeea5eb2a83ac5c0be51541c471bd1cd809
Author: Stefan Schantl
Date:   Fri Oct 12 15:12:10 2018 +0200

    ids-functions.pl: Add private function to cleanup the rules directory.

    This private function is used to remove any files which are stored in
    the IDS rules directory and prevent from any old (unneeded or
    conflicting) files after an update or complete change of the ruleset
    source.

    Signed-off-by: Stefan Schantl

commit 5d3b16c6df1a83d6eacb69a32176941a1e09a157
Author: Stefan Schantl
Date:   Fri Oct 12 13:08:35 2018 +0200

    suricata: Rootfile update

    Signed-off-by: Stefan Schantl

commit 8d087d0391b8ab441a974b4cbc84980bb6055774
Merge: 89a12b384 e3ab1962e
Author: Stefan Schantl
Date:   Tue Oct 2 07:35:13 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit 89a12b3843d22a355adf1989e9bd823e170a2387
Author: Stefan Schantl
Date:   Mon Oct 1 20:14:00 2018 +0200

    suricata: Set correct ownership for /var/lib/suricata

    Signed-off-by: Stefan Schantl

commit 2d475a3c6c8e37295f97a07dcca9a6eed2dbb21f
Merge: eadad5fda 0a5823db0
Author: Stefan Schantl
Date:   Wed Sep 26 14:49:34 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

commit eadad5fda6e7a798ad63261da4629673bd88cf76
Author: Stefan Schantl
Date:   Wed Sep 26 14:43:09 2018 +0200

    ids.cgi: Add support for autoupdate of the IDS ruleset

    Signed-off-by: Stefan Schantl

commit 6c9458342b72d5eef122e4e146872ded98751d05
Author: Stefan Schantl
Date:   Wed Sep 26 14:42:47 2018 +0200

    IDS: Update language files

    Signed-off-by: Stefan Schantl

commit 3aadbbca38882cf6e8af2370c26234de0940a099
Author: Stefan Schantl
Date:   Wed Sep 26 14:38:46 2018 +0200

    stage2: Rootfile update for update-ids-ruleset script

    Signed-off-by: Stefan Schantl

commit 82979dec3655138b5c8467a63fc423b30961ef9c
Author: Stefan Schantl
Date:   Wed Sep 26 14:11:31 2018 +0200

    IDS: Introduce update-ids-ruleset

    This script periodically will be called by fcron and is responsible for
    downloading and altering the ruleset, if autoupdate of the configured
    ruleset is enabled.

    Signed-off-by: Stefan Schantl

commit ed06bc811ffe055e2dadd226d27332892f4725db
Author: Stefan Schantl
Date:   Wed Sep 26 14:09:53 2018 +0200

    ids-functions.pl: Add backend code to handle the "cron" function of suricatactrl

    Signed-off-by: Stefan Schantl

commit 6ce504a2f2c405c7a7baab6f74be779f903d89de
Author: Stefan Schantl
Date:   Wed Sep 26 13:54:14 2018 +0200

    suricatactrl: Add "cron" command

    This command allows to enable the automatic update of the used IDS
    ruleset and to specify the update interval.

    Signed-off-by: Stefan Schantl

commit dae534f2ca7172a1171d77fe6acd034591233d58
Author: Stefan Schantl
Date:   Wed Sep 26 13:02:28 2018 +0200

    ids.cgi: Only write oinkmaster-modify-sids.conf if necessary.

    Only write to the file if the runmode of the IDS has been changed.

    Signed-off-by: Stefan Schantl

commit 5508f18c012c5be264c9562b9327a41a2bebb2f8
Author: Stefan Schantl
Date:   Tue Sep 11 12:28:28 2018 +0200

    logs.cgi/log.dat: Fix pattern to display oinkmaster related messages

    Signed-off-by: Stefan Schantl

commit 43ab7d9c30fb24bebd716e264530d7db3e84a007
Author: Stefan Schantl
Date:   Tue Sep 11 12:00:31 2018 +0200

    ids.cgi: Set state of used rulefile to on if it contains rules

    Only set the state of a used rulefile to "on" if it is present in
    the %idsrules hash. This happens if it contains at least one rule.

    This prevents from showing a rulefile in the ruleset section if it
    does not exist anymore or does not contain any rules at all.

    Signed-off-by: Stefan Schantl

commit b7e29743944953c973e3f858c10ab627949f898d
Author: Stefan Schantl
Date:   Tue Sep 11 10:21:00 2018 +0200

    ids.cgi: Introduce whitelisting of IP-addresses

    If an IP-address has been added to the whitelist, any traffic from
    this host will no longer be inspected by suricata.

    Signed-off-by: Stefan Schantl

commit 6f3b3cd089cea0f308c0b67e17ed864f6aa50b83
Author: Stefan Schantl
Date:   Thu Sep 6 13:28:20 2018 +0200

    logs.cgi/ids.dat: Don't display/export empty events.

    Check if the current processed event has at least datetime and a title.
    Otherwise skip it.

    Signed-off-by: Stefan Schantl

commit 63d911cdc5d3e8a706f222e2094f2f7350c5fa02
Author: Stefan Schantl
Date:   Thu Sep 6 13:22:18 2018 +0200

    logs.cgi/ids.dat: Ease list of reported events

    Just ease the strict layout by adding a simple line break.

    Signed-off-by: Stefan Schantl

commit f5ddcad1cc38cfcc3b01f819bc4c4f01e6d1c189
Author: Stefan Schantl
Date:   Thu Sep 6 12:09:34 2018 +0200

    logs.cgi/ids.dat: Adjust code to show suricata events

    As default show the events generated by suricata and if for a certain
    selected date no suricata log is available try to fall-back to read
    the events from the old snort alert files (if available).

    Signed-off-by: Stefan Schantl

commit 80bcd4dd1a424e1353aa0839e873ce9292cea3db
Author: Stefan Schantl
Date:   Thu Aug 30 18:18:26 2018 +0200

    ids.cgi: Hide rules config section if no rules are present

    Do not show the rules config section anymore if there is no ruleset
    available.

    Signed-off-by: Stefan Schantl

commit fd72c85eb8bb11978957dc39da8a5822715a5453
Author: Stefan Schantl
Date:   Thu Aug 30 15:12:29 2018 +0200

    Enable threshold file in suricata.yaml

    Enable and specify the path to the threshold-file in the suricata.yaml,
    otherwise the program is trying to read it from a built-in default
    location and prints the following error message:

    Error opening file: "/etc/suricata//threshold.config": No such file or directory

    Fixes #11837.

    Signed-off-by: Stefan Schantl

commit 762a33f17ca8d86b979e22ddd538e76d32287d94
Author: Stefan Schantl
Date:   Thu Aug 30 14:13:37 2018 +0200

    suricata: Add files to be backed up

    Now all oinkmaster related config files and suricata related yaml files
    in "/var/ipfire/suricata/" will be included into the backups.

    Also the entire ruleset is part of the backup, so after a backup has
    been restored, the IDS can be used in the same way as before.

    Fixes #11835.

    Signed-off-by: Stefan Schantl

commit 21cab141ec018b885abf2849b82acb22684f0c80
Author: Stefan Schantl
Date:   Wed Aug 29 12:34:08 2018 +0200

    suricata: Rule files are now located in /var/lib/suricata

    Place the rulefiles from now in "/var/lib/suricata".

    Fixes #11834

    Signed-off-by: Stefan Schantl

commit d2e6bf6e5f0a3867664c68cd85dff686a08b696c
Author: Stefan Schantl
Date:   Wed Aug 29 12:27:12 2018 +0200

    suricata: Do not ship an example configuration file

    Stop shipping a full example configuration file for suricata.

    Fixes #11836.

    Signed-off-by: Stefan Schantl

commit 00512a5ac800205a9f46cd0936909d5c921e6643
Author: Stefan Schantl
Date:   Wed Aug 29 11:50:59 2018 +0200

    ids.cgi: Create file for used rulefiles on first execution if not present

    Create this file on first execution of the script if it does not exist
    yet. This will allow suricata to immediately be started. Otherwise the
    ruleset has to be downloaded and configured before this file has been
    created and suricata could be launched.

    Fixes #11833.

    Signed-off-by: Stefan Schantl

commit 004b13b7e801c18d399740c4e9b7866c9685637c
Author: Stefan Schantl
Date:   Wed Aug 29 10:55:32 2018 +0200

    ids.cgi: Fix get_memory_usage()

    Change the get_memory_usage() function to grab and return the memory
    usage of the entire process, containing all sub-processes and threads.

    Fixes #11821

    Signed-off-by: Stefan Schantl

commit be52c68a2db2455f8118190a6bb37594891480a1
Author: Stefan Schantl
Date:   Mon Aug 27 15:11:28 2018 +0200

    ids-functions.pl: Early abort downloadruleset() if no ruleset is configured

    Signed-off-by: Stefan Schantl

commit e568796bb0a0fc2072c2494936ec678f4c7fe17f
Author: Stefan Schantl
Date:   Sat Aug 25 15:48:58 2018 +0200

    ids-functions.pl: Also check and fix the permissions of rulespath

    Signed-off-by: Stefan Schantl

commit 4892f82ca19ad29b2213825a9fc2200d9b801252
Author: Stefan Schantl
Date:   Sat Aug 25 15:22:53 2018 +0200

    suricata: Fix rootfile

    Signed-off-by: Stefan Schantl

commit baeae346589a793b2d9dca39017e1eb7c00d5bf1
Author: Stefan Schantl
Date:   Fri Aug 24 15:15:09 2018 +0200

    lfs/suricata: Move classification and reference config to /etc/suricata/rules

    Signed-off-by: Stefan Schantl

commit 330759d88a4adfbf5fc23cb575607b8b99b1b62b
Author: Stefan Schantl
Date:   Fri Aug 24 14:55:40 2018 +0200

    ids-functions.pl: Add private function _check_rulesdir_permissions()

    This function checks if all files located in /etc/suricata/rules are
    writable by the effective user and group (nobody:nobody) and if not
    calls suricatactl to fix it.

    Signed-off-by: Stefan Schantl

commit 68123effb80c3509cb4855c46d3ff378ba7f13a0
Author: Stefan Schantl
Date:   Fri Aug 24 14:54:34 2018 +0200

    suricatactrl: Add fix-rules-dir command

    This command is used to set the ownership and permissions back to
    nobody:nobody which is used by the WUI to write the ruleset.

    Signed-off-by: Stefan Schantl

commit 9074853d8df16e729d7e3fe3fb6c465877614f2e
Author: Stefan Schantl
Date:   Fri Aug 24 14:26:24 2018 +0200

    suricatactrl: Add reload command

    Signed-off-by: Stefan Schantl

commit 335114b207971fa88bc768c7dea49747b15b4fae
Author: Stefan Schantl
Date:   Fri Aug 24 11:11:15 2018 +0200

    suricata.yaml: Start moving to IPFire specific configuration

    Remove a lot of stuff and options which are deactivated during
    compiling, unsupported by the platform or not used in IPFire.

    Add an advice to the full documented suricata-example.yaml file which
    also is shipped by IPFire.

    More work needs to be done.

    See #11808

    Signed-off-by: Stefan Schantl

commit af5e823247876c313f516a98efe38ad38db5a01f
Author: Stefan Schantl
Date:   Fri Aug 24 10:54:07 2018 +0200

    suricata.yaml: Adjust classification and reference config location

    Both files are included in the various rulesets, therefore use them
    from the rules folder.

    Signed-off-by: Stefan Schantl

commit 13d077fdf2093a2e468b5cda1e9e44fa99ee03cc
Author: Stefan Schantl
Date:   Fri Aug 24 10:28:42 2018 +0200

    suricata.yaml: Fix include statement for homenet file

    Signed-off-by: Stefan Schantl

commit 5f630673850f01e4e1284d163a80772b2f7a46af
Author: Stefan Schantl
Date:   Fri Aug 24 10:04:33 2018 +0200

    suricata: Fix initscript when using a single core machine

    Signed-off-by: Stefan Schantl

commit 01ba4be48d1687d621b1d7242085aa077552cacd
Author: Stefan Schantl
Date:   Fri Aug 24 07:39:04 2018 +0200

    ids.cgi: Create oinkmaster related files at first call

    With this commit, the CGI file will create the oinkmaster related files
    during first run if they do not exist.

    Fixes #11822.

    Signed-off-by: Stefan Schantl

commit 308ba5e74c27e50e9fda4278749256d3ff541d5e
Author: Stefan Schantl
Date:   Fri Aug 24 07:37:10 2018 +0200

    ids-functions.pl: Add function to create empty files

    This generic function can be used to create any kind of empty files -
    it just requires the full path and filename to work.

    If the specified file exists at calltime, the function will abort
    to prevent from overwriting existing files and content.

    Signed-off-by: Stefan Schantl

commit cb52183c6a311d7413c286f73895b52a8e2e3a57
Merge: 7fe5bc826 c5486ccb9
Author: Stefan Schantl
Date:   Thu Aug 23 10:34:17 2018 +0200

    Fix merge conflicts during merge of next and the suricata branch

commit 7fe5bc8261d639753ee7a5a005ce06325231769b
Merge: f7d76eecc 702f0ba83
Author: Stefan Schantl
Date:   Thu Aug 23 10:32:21 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit c5486ccb9793029e58f0e6156d7d2f4d21de6cd0
Author: Stefan Schantl
Date:   Wed Aug 22 10:37:44 2018 +0200

    oinkmaster: Ship IPFire specific config file

    Ship an IPFire specific configuration file for oinkmaster.

    This allows oinkmaster to do all the great rule modifications which
    have been introduced by the new ids.cgi file.

    Signed-off-by: Stefan Schantl

commit d2212836226ee8212eef3226acf3a4e6fa65643a
Author: Stefan Schantl
Date:   Wed Aug 22 08:39:57 2018 +0200

    ids.cgi: Rework handling of enabled/disabled sids

    Now the enabled or disabled sids are stored in a single hash instead of
    two arrays, which easily can be modified.

    When saving the ruleset, the new read_enabled_disabled_sids() function
    will be used to read-in the current (old) saved enabled or disabled
    sids and add them to the new hash structure.

    After adding or modifying sids to the hash, the entries will be written
    to the corresponding files.

    Signed-off-by: Stefan Schantl

commit a5d617520b144e22fd2b31795d2b04c8170f93ef
Author: Stefan Schantl
Date:   Wed Aug 22 08:38:16 2018 +0200

    ids.cgi: Add function to read the enabled/disabled sid files

    This function is used to read-in the files for enabled or disabled sid
    files and stores the sid and their state into a temporary hash which
    will be returned by the function.

    Signed-off-by: Stefan Schantl

commit 5a28e721e08104e35c0e7f23a1aee4dff3fbae45
Author: Stefan Schantl
Date:   Tue Aug 21 19:18:01 2018 +0200

    ids.cgi: Fix check if the IDS is running

    The correct function name is ids_is_running()!

    Signed-off-by: Stefan Schantl

commit bbb6efae56957c1ec70d5ee7668c4cc68b4dd2b2
Author: Stefan Schantl
Date:   Sat Aug 18 14:48:30 2018 +0200

    ids.cgi: Add backend code to handle switch between IDS and IPS mode

    This commit adds the required backend code to allow switching between
    IDS and IPS mode of suricata.

    Technically the behaviour of suricata is specified by the rules - each
    of them can contain the action "alert" or "drop" (There are more
    actions supported but these two are currently the important ones)

    When running in IDS mode, the ruleset does not need to be touched,
    because the default action is "alert". When switching to IPS mode, the
    CGI writes a single line to "oinkmaster-modify-sids.conf" which is
    included by oinkmaster and modifies the action for each single rule
    from alert to drop.

    Signed-off-by: Stefan Schantl

commit a4ccfcbbc6073684768d951006232d410df091a1
Author: Stefan Schantl
Date:   Sat Aug 18 10:16:12 2018 +0200

    ids.cgi: Allow to switch between IDS/IPS mode

    Add the option to select the runmode for suricata, whether it should
    run in intrusion detection mode or intrusion prevention mode.

    If the option has not been configured yet, it defaults to IPS mode.

    Signed-off-by: Stefan Schantl

commit d9711d91ef57f846eb09fd77ec9e7a58d745dc6d
Author: Stefan Schantl
Date:   Sat Aug 18 10:01:14 2018 +0200

    ids-functions.pl: Display error if oinkmaster cannot be executed

    Signed-off-by: Stefan Schantl

commit 88daf7eb3a9ba5ceb3df9f8197ea3cb5cfd4f30b
Author: Stefan Schantl
Date:   Fri Aug 17 08:49:06 2018 +0200

    ids-functions.pl: Log correct error message if download fails

    Signed-off-by: Stefan Schantl

commit 55658ee381aeeac19c63a0da8822fc3f727b135b
Author: Stefan Schantl
Date:   Fri Aug 17 08:45:47 2018 +0200

    suricata: Fix detection of enabled IDS on zone in initscript

    I accidentally committed the wrong file in the previous commit. This is
    the fixed and working version.

    Signed-off-by: Stefan Schantl

commit 00a031145e32d31a08037dda3c8a3cc7cc6c815e
Author: Stefan Schantl
Date:   Fri Aug 17 08:24:19 2018 +0200

    suricata: Give 644 permissions to the suricata pidfile

    Signed-off-by: Stefan Schantl

commit 04b5c77a450ceb8fd83898a90f096175580a058f
Author: Stefan Schantl
Date:   Fri Aug 17 07:36:54 2018 +0200

    ruleset-sources: Move to suricata optimized ruleset when using emergingthreats.

    Signed-off-by: Stefan Schantl

commit 3c2c54831fd7a5f1813376ceb45c22774631a5e7
Author: Stefan Schantl
Date:   Thu Aug 16 18:51:13 2018 +0200

    suricata: Add code to create iptables rules to the initscript

    Signed-off-by: Stefan Schantl

commit 7c82ee6165d04597c371944490b085c240482424
Author: Stefan Schantl
Date:   Thu Aug 16 18:50:39 2018 +0200

    firewall: Add chains for IPS (suricata)

    Signed-off-by: Stefan Schantl

commit cc60d3dfd3cd6ae9d38470d40edd646691e422ac
Author: Stefan Schantl
Date:   Sun Aug 12 18:40:31 2018 +0200

    suricata: Fix include of used rulefiles yaml

    Signed-off-by: Stefan Schantl

commit 423030555835840a1821b56408b5a19e6dcfe7e0
Author: Stefan Schantl
Date:   Sun Aug 12 07:05:24 2018 +0200

    suricata: Use HOME_NET declaration from external file

    Use the generated HOME_NET details from
    /var/ipfire/suricata/suricata-homenet.yaml which will be generated by
    the WUI.

    Signed-off-by: Stefan Schantl

commit 6187da5055dac1a10402d3c6eeaf1f9bed7f3890
Author: Stefan Schantl
Date:   Sat Aug 11 22:28:07 2018 +0200

    IDS: Add reload option to initscript

    Signed-off-by: Stefan Schantl

commit e2e7880dc73fc98aa7409b2de2384e5c9e436f29
Author: Stefan Schantl
Date:   Sat Aug 11 22:11:18 2018 +0200

    ids.cgi: Add code to start/stop/reload the IDS when necessary

    Signed-off-by: Stefan Schantl

commit 5240a80987920b1b807e6609a6c10fb666235e21
Author: Stefan Schantl
Date:   Sat Aug 11 22:10:29 2018 +0200

    ids-functions.pl: Add function to call suricatactrl binary

    Signed-off-by: Stefan Schantl

commit f7d76eecc6660bd2d59951a6aa138cd0f96a2e9d
Merge: ca745a297 98ce89752
Author: Stefan Schantl
Date:   Sat Aug 11 19:50:20 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 8d2f6b0b59c3448dfa0fcab683fafc9604873a57
Author: Stefan Schantl
Date:   Thu Aug 9 15:33:25 2018 +0200

    ids.cgi: Dynamically generate the HOME_NET details for suricata.

    Introduce generate_home_net_file() which uses the current network
    config to obtain the network address and subnetmask for each available
    network zone, generate and write these HOME_NET information into a yaml
    compatible file which can be included into the suricata configuration
    file.

    Signed-off-by: Stefan Schantl

commit e0bfd338ee5c847b16ea534acf84fba645974ec7
Author: Stefan Schantl
Date:   Sun Aug 5 19:42:33 2018 +0200

    ids.cgi: Rename form name from SNORT to IDS

    Signed-off-by: Stefan Schantl

commit 8766096429b7d19a78d632e96a84b32f058f8e80
Author: Stefan Schantl
Date:   Sun Aug 5 14:24:20 2018 +0200

    ids.cgi: Display if the IDS is running

    Signed-off-by: Stefan Schantl

commit 796eea2154ae581aeae68be92bd04f105d0a939b
Author: Stefan Schantl
Date:   Sun Aug 5 14:23:45 2018 +0200

    ids-functions.pl: Add function to check if the IDS is running

    Signed-off-by: Stefan Schantl

commit 1286e0d41e75dd691a54ac130ae6d70bfc284e14
Author: Stefan Schantl
Date:   Sun Aug 5 12:57:44 2018 +0200

    ids.cgi: Rework section to configure the IDS

    Signed-off-by: Stefan Schantl

commit 1cae702c22ed31784393980968634626af8fe653
Author: Stefan Schantl
Date:   Sat Aug 4 16:48:27 2018 +0200

    ids-functions.pl: Add function to get the available network zones

    The get_available_network_zones() function uses the
    /var/ipfire/ethernet/settings file and translates the configured mode
    into an array, which contains the names of the configured network
    zones.

    The array will be returned and easily can be used to loop over this
    list of available network zones and perform any kind of actions in
    other scripts.

    Signed-off-by: Stefan Schantl

commit ab114c276b0d719b9a9c43dea05870e4ceedbdbc
Author: Stefan Schantl
Date:   Fri Aug 3 13:51:59 2018 +0200

    ids.cgi: Call suricatactrl for restarting the IDS

    Signed-off-by: Stefan Schantl

commit 06b569a4429eb5641343fdf4c3472825dc327f09
Author: Stefan Schantl
Date:   Fri Aug 3 13:48:46 2018 +0200

    oinkmaster: Install config file to /var/ipfire/suricata

    Signed-off-by: Stefan Schantl

commit d33874f4969f48d5dd880b212900220ba932d8f0
Author: Stefan Schantl
Date:   Fri Aug 3 10:20:18 2018 +0200

    daq: Drop package

    Signed-off-by: Stefan Schantl

commit 843a8c570c6784ef6c66d214fbbbc2e67e4505c2
Author: Stefan Schantl
Date:   Fri Aug 3 10:19:35 2018 +0200

    snort: Drop package

    Signed-off-by: Stefan Schantl

commit 914cca3d8e834c6ab051126f628daeef073b7106
Author: Stefan Schantl
Date:   Fri Aug 3 10:02:34 2018 +0200

    initscripts: Link against suricata initscript in runlevels and red.up hook

    Signed-off-by: Stefan Schantl

commit 74b7d695c630c971fb4774e93c39b4954d7bb5fe
Author: Stefan Schantl
Date:   Fri Aug 3 09:50:31 2018 +0200

    misc-progs: Rename snortctrl to suricatactrl

    Signed-off-by: Stefan Schantl

commit ef640882ab4ff5f26fb7b4bf9a5f00ca4f94d172
Author: Stefan Schantl
Date:   Thu Aug 2 19:58:41 2018 +0200

    make.sh: Add ids-ruleset-source

    I accidentally forgot to commit this file in 1d9b87914053e54550c6f2a76377a8001bbf1da6

    Signed-off-by: Stefan Schantl

commit d72b3e64c2515546b78a7cf099157799481da130
Author: Stefan Schantl
Date:   Thu Aug 2 19:54:22 2018 +0200

    suricata: Introduce basic initscript

    Add a very basic initscript, which currently allows to
    start/stop/restart suricata and check if the daemon is running.

    The script will detect when starting suricata how many CPU cores are
    present on the system and will launch suricata in inline mode (NFQUEUE)
    and listen to as many queues as CPU cores are detected.

    Signed-off-by: Stefan Schantl

commit 101d3ece24c99a9696bb2dfe0add1cdfdebbbf91
Author: Stefan Schantl
Date:   Thu Aug 2 19:33:37 2018 +0200

    ids-ruleset-sources: Update download URL for snort rules

    Signed-off-by: Stefan Schantl

commit bce84f3975eb04ac94ffe2e14039c1a6a8ac8030
Author: Stefan Schantl
Date:   Thu Aug 2 19:31:52 2018 +0200

    ids-functions.pl: Rename ruleset-sources.list to ruleset-sources

    Signed-off-by: Stefan Schantl

commit 1d9b87914053e54550c6f2a76377a8001bbf1da6
Author: Stefan Schantl
Date:   Thu Aug 2 19:29:36 2018 +0200

    ids-ruleset-sources: New package

    Move the file which contains the download URLs for the IDS rulesets
    into an own common package. This will allow us in future to easily ship
    a changed file with a core update.

    Signed-off-by: Stefan Schantl

commit 72b2109c726c1ab78918648a6aa540cf137692b0
Author: Stefan Schantl
Date:   Thu Aug 2 15:47:31 2018 +0200

    configroot: Move from snort to suricata

    Create /var/ipfire/suricata and /var/ipfire/suricata/settings
    instead of /var/ipfire/snort and /var/ipfire/snort/settings.

    Signed-off-by: Stefan Schantl

commit 4c6d6c1ee3308e8143b95867376f29876739a149
Author: Stefan Schantl
Date:   Thu Aug 2 09:10:25 2018 +0200

    suricata: Install very basic config file

    This config file is mostly based on the example configuration shipped
    by the suricata project and needs to be enhanced.

    See #11808.

    Signed-off-by: Stefan Schantl

commit 101c888174285f4d4e599902c7645d2e834ea027
Author: Stefan Schantl
Date:   Thu Aug 2 09:07:12 2018 +0200

    ids.cgi: Generate suricata compatible used-rulefiles file

    * Rename filename to suricata-used-rulefiles.yaml
    * Adjust file generation as a yaml file to be compatible with suricata
    * Adjust code to correctly read-in and parse the changed file

    Signed-off-by: Stefan Schantl

commit 164eab662756366023016c88c27f1432f243832f
Author: Stefan Schantl
Date:   Mon Jul 30 21:36:07 2018 +0200

    ids-functions.pl: Move path details from snort to suricata

    Signed-off-by: Stefan Schantl

commit a8b8c9e5b2a2d993d06b774aefe7b6ff49adc739
Merge: 67752a951 434001d0a
Author: Stefan Schantl
Date:   Mon Jul 30 21:33:25 2018 +0200

    Merge branch 'next-new-ids.cgi' into next-suricata-and-cgi

commit 67752a9510d9db653ca8aee9355e8fa63d0f9316
Author: Stefan Schantl
Date:   Mon Jul 23 20:21:38 2018 +0200

    suricata: New package

    Signed-off-by: Stefan Schantl

commit 3498300d87ec69f5676d33e54dca4f3c6897d20f
Author: Stefan Schantl
Date:   Mon Jul 23 20:20:29 2018 +0200

    libhtp: New package

    This is a build and runtime dependency for suricata.

    Signed-off-by: Stefan Schantl

commit 91cc908f84a44ba9dc6493938c00aa982eafed81
Author: Stefan Schantl
Date:   Mon Jul 23 20:19:19 2018 +0200

    yaml: New package

    This is a build and runtime dependency for suricata.

    Signed-off-by: Stefan Schantl

commit 434001d0a0eb05946fccded7090e1e1fa6e2c64d
Author: Stefan Schantl
Date:   Sat Jul 28 16:34:50 2018 +0200

    IDS: Rework error and log handling in ids-functions.pl

    Signed-off-by: Stefan Schantl

commit 02844177afb86e070564ee776c5ca679d7cf374b
Author: Stefan Schantl
Date:   Fri Jul 27 07:58:23 2018 +0200

    IDS: Introduce settingsdir variable

    The $settingsdir variable is declared in the ids-functions.pl and used
    to store the path where the various files which contain the settings
    for the IDS and oinkmaster are located.

    Signed-off-by: Stefan Schantl

commit 298ef5bafa8242fedf8b95ba8d8ad23e0c4c05b1
Author: Stefan Schantl
Date:   Thu Jul 26 15:56:47 2018 +0200

    IDS: Move rulepath declaration to ids-functions.pl

    This will help if the path ever changed. Also remove hard coded
    rulepath from oinkmaster call.

    Signed-off-by: Stefan Schantl

commit 9d18656ba7dd1bf98d5cd41423c8e44d355f1c25
Author: Stefan Schantl
Date:   Thu Jul 26 15:51:15 2018 +0200

    ids.cgi: Rename snortrules hash to idsrules.

    Signed-off-by: Stefan Schantl

commit fdfd8913ab5da218c9c5303f67bb5b707da8ee30
Author: Stefan Schantl
Date:   Wed Feb 14 14:08:29 2018 +0100

    ids.cgi: Drop code which is detecting if oinkmaster is running

    This code is no longer required and therefore can be dropped.

    Signed-off-by: Stefan Schantl

commit 27760092c0a4973a92e1dcea8544866ae29d37da
Author: Stefan Schantl
Date:   Wed Feb 14 14:03:08 2018 +0100

    ids.cgi: Reimplement function to lock page and show working notice

    Signed-off-by: Stefan Schantl

commit eb5592c1ce15d579072689a7121ffbd87b3f22be
Author: Stefan Schantl
Date:   Wed Feb 14 14:01:50 2018 +0100

    ids-functions.pl: Also log errors to syslog

    Signed-off-by: Stefan Schantl

commit 0e40e1e772b2f29e71df807f9cb07098b0d23034
Author: Stefan Schantl
Date:   Wed Feb 14 14:00:57 2018 +0100

    ids-functions.pl: Use pure perl to log oinkmaster result to syslog

    Signed-off-by: Stefan Schantl

commit 77910792754776c740ddd415d4737340052a4d91
Author: Stefan Schantl
Date:   Wed Feb 14 12:14:06 2018 +0100

    ids-functions.pl: Make variables globally accessible

    Signed-off-by: Stefan Schantl

commit 3983aebdec7489ca0ce36956307a822ecdc820fd
Author: Stefan Schantl
Date:   Wed Feb 14 10:20:23 2018 +0100

    ids.cgi: Rework CGI logic to download a new ruleset

    * Drop function to show a notice about snort is working.
    * Introduce the log_error function which is responsible for logging any
      error messages.
      Currently it writes it to a temporary file, which will be read by the
      WUI, the message will be displayed and the temporary file will be
      released again.
    * Introduce a tiny function to easily perform a reload of the generated
      webpage.

    Signed-off-by: Stefan Schantl

commit a69b96d2002c14d3fe65dcf90f9731a9c631b624
Author: Stefan Schantl
Date:   Wed Feb 14 10:15:39 2018 +0100

    ids.cgi: Use tarball information from ids-functions.pl

    Directly use the value from the ids-functions.pl for the location and
    filename of the tarball which includes the snort ruleset.

    This will save to declare this information twice and prevents from any
    failures if the location of filename ever changes.

    Signed-off-by: Stefan Schantl

commit ad1d8a8accc454e0bf36e93fa9b6c5890ccc5024
Author: Stefan Schantl
Date:   Wed Feb 14 09:00:03 2018 +0100

    ids.cgi: Drop dirty hook for updating the ruleset

    Signed-off-by: Stefan Schantl

commit 25f5cb0d4b4a6c2418c219d975eb95e393b4e9af
Author: Stefan Schantl
Date:   Wed Feb 14 08:58:18 2018 +0100

    ids.cgi: Move function to call oinkmaster to ids-functions.pl

    Signed-off-by: Stefan Schantl

commit eea2670b39ee6ba804d534e95b03d27059e45468
Author: Stefan Schantl
Date:   Wed Feb 14 08:52:21 2018 +0100

    ids.cgi: Move downloader code to ids-functions.pl

    Signed-off-by: Stefan Schantl

commit 59052432f4cc108631a9b264f2f48aaf6ea76873
Author: Stefan Schantl
Date:   Wed Feb 14 08:20:50 2018 +0100

    ids.cgi: Use ids-functions.pl for checking available disk space

    Signed-off-by: Stefan Schantl

commit 8dcebe5342c261eac9f7436ff382ac71d4890eca
Author: Stefan Schantl
Date:   Wed Feb 14 08:18:15 2018 +0100

    IDS: Introduce ids-functions.pl.

    This library will contain a set of functions used by the IDS CGI script
    and the planned update script for auto-updating the snort ruleset.

    Signed-off-by: Stefan Schantl

commit c724524e2e9a0a5498ca7e29db8d1ec80a2a73af
Author: Stefan Schantl
Date:   Mon Feb 12 15:38:25 2018 +0100

    ids.cgi: Drop loading of File::Copy module.

    This is not required, at any time by the script.

    Signed-off-by: Stefan Schantl

commit c77bd4923503e58fc2429ffed5e377132394e7a4
Author: Stefan Schantl
Date:   Tue Dec 19 11:57:19 2017 +0100

    logs.cgi/log.dat: Add support for oinkmaster

    This will allow to display the logged output of oinkmaster via the
    webinterface.

    Signed-off-by: Stefan Schantl

commit 1504a375179cecc182dd40b8a5324eb2c1320ada
Author: Stefan Schantl
Date:   Tue Dec 19 11:56:04 2017 +0100

    ids.cgi: Rework snort configuration area

    Signed-off-by: Stefan Schantl

commit a6edfcbd9b762832939209e538e31e79c0d32b65
Author: Stefan Schantl
Date:   Sun Dec 17 19:10:21 2017 +0100

    ids.cgi: Pipe the oinkmaster output to the logger binary

    This will allow anybody to access the log of oinkmaster and get
    detailed information about any changes which have been done on the
    ruleset.

    Signed-off-by: Stefan Schantl

commit 43263ea68ecbd2bddfc84b3cee64ffc0aa9911e5
Author: Stefan Schantl
Date:   Sun Dec 17 19:08:25 2017 +0100

    ids.cgi: Rework downloader for rulesets

    Doing the rules download in pure perl instead of using the external
    wget.

    Signed-off-by: Stefan Schantl

commit e524290c9cd90a6d95475f2738bcb65d990cfbd0
Author: Stefan Schantl
Date:   Thu Dec 14 08:31:41 2017 +0100

    ids.cgi: Drop old control code

    The control files are no longer required, because the initscript uses
    the settings file to determine if snort should be started and bound to
    which interfaces.

    Signed-off-by: Stefan Schantl

commit c6bcdda1af86f803e980947aa66490f277b791d9
Author: Stefan Schantl
Date:   Wed Dec 13 15:06:42 2017 +0100

    snort: Introduce ruleset-sources.list

    This file contains the ruleset vendors and download urls and will
    be used by the ids.cgi.

    If an url or filename changes, we easily can adjust this file. In most
    cases this will be needed when performing a snort update.

    Signed-off-by: Stefan Schantl

commit 9f5247f60cc66716de0b5b8bd14e0de118763fb5
Author: Stefan Schantl
Date:   Wed Dec 13 14:53:51 2017 +0100

    general-functions.pl: readhash() Add code to handle optional comments in files

    Signed-off-by: Stefan Schantl

commit ef5171ab7175d381a11f196de4e18b7e8af769e2
Author: Stefan Schantl
Date:   Wed Dec 13 14:50:12 2017 +0100

    ids.cgi: Call oinkmaster without a log target

    Signed-off-by: Stefan Schantl

commit afe26a0586678f59e25a2a4ae1877737da064bfd
Author: Stefan Schantl
Date:   Wed Dec 13 14:45:27 2017 +0100

    ids.cgi: Introduce ruleset-source.list

    This new file will contain the vendor information and URL for downloading their ruleset. In future if the download location or filename changes, we only need to adjust this one file and ship it via a core update.

    Also extend the downloadrulesfile to be able to directly call the subfunction.

    Signed-off-by: Stefan Schantl

commit a232b58ca78648f60f19b2464395c93cfc046b78
Author: Stefan Schantl
Date:   Wed Dec 13 14:40:47 2017 +0100

    ids.cgi: Adjust code for saving snort settings

    Signed-off-by: Stefan Schantl

commit 8f22237bebe2d3880b27c671c173ffcf79040ed2
Author: Stefan Schantl
Date:   Wed Dec 13 11:53:44 2017 +0100

    ids.cgi: Remove logfile after wget has successfully downloaded the ruleset

    Signed-off-by: Stefan Schantl

commit 500c5c55d0db331fe9b16afcdaedd9c5d218b327
Author: Stefan Schantl
Date:   Wed Dec 13 11:51:08 2017 +0100

    ids.cgi: Rework code which shows if oinkmaster is working

    Move the code for displaying a notice that snort currently is working into its own subfunction which will be called if oinkmaster currently is started.

    Signed-off-by: Stefan Schantl

commit aa12410222aef6afa63a03a7eb74512bf92daad4
Author: Stefan Schantl
Date:   Wed Dec 13 11:50:01 2017 +0100

    ids.cgi: Drop old code for debugging purposes

    Signed-off-by: Stefan Schantl

commit c51a044a2a93042605fc599eaccf69f49fa7bc87
Author: Stefan Schantl
Date:   Wed Dec 13 11:46:40 2017 +0100

    ids.cgi: Add check when altering the ruleset

    Add a check if the currently processing sid is numeric, otherwise skip it.

    Signed-off-by: Stefan Schantl

commit 525998650ab51df74317f362ccb1382870af4bbb
Author: Stefan Schantl
Date:   Tue Dec 12 20:24:50 2017 +0100

    ids.cgi: Rework code for downloading/updating the ruleset

    Signed-off-by: Stefan Schantl

commit 56dacb580e16210837ba55648ddfc9e18b860f02
Author: Stefan Schantl
Date:   Tue Dec 12 20:24:11 2017 +0100

    ids.cgi: Move call of oinkmaster to its own subfunction

    Signed-off-by: Stefan Schantl

commit 376595057ba05eea8d9c6337d390374dec7749e0
Author: Stefan Schantl
Date:   Tue Dec 12 20:16:26 2017 +0100

    ids.cgi: Always write config files for enabled/disabled rule files

    If a single sid has been activated and then disabled without doing any other ruleset modifications only one of the oinkmaster files for enabled / disabled rules has been modified.

    In this case it was possible that the same sid was part of the file for enabled rules and part of the file for disabled rules at the same time.

    Signed-off-by: Stefan Schantl

commit 466c67794b207f327a4b7478ce6f2c9c194df45f
Author: Stefan Schantl
Date:   Tue Dec 12 20:15:00 2017 +0100

    ids.cgi: Process enabled rulefiles in their own loop

    Signed-off-by: Stefan Schantl

commit 603334734a0199f6d4558e70ef859fe86fe243d6
Author: Stefan Schantl
Date:   Tue Dec 12 20:12:38 2017 +0100

    ids.cgi: Drop enabled/disabled rules from cgiparams hash

    Signed-off-by: Stefan Schantl

commit b65b5ef3775cc724da41a47b5285b7057a2250fd
Author: Stefan Schantl
Date:   Tue Dec 12 20:10:17 2017 +0100

    ids.cgi: Drop enabled rulefile from cgiparams hash after processing

    Signed-off-by: Stefan Schantl

commit e573807983b0acf911dc688ae06bb5d7b2b7714b
Author: Stefan Schantl
Date:   Mon Dec 11 14:22:07 2017 +0100

    ids.cgi: Re-add code for enable/disable rulefiles

    The enabled rulefiles (rule categories) now will be added to their own file, which will be included by the snort main config file.

    This will allow us to update snort and push the new main config file without losing the activated rulesets anymore.

    * Introducing snort-used-rulefiles.conf

    Signed-off-by: Stefan Schantl

commit 0b89daee931885a9c34548009a556299d8adc62a
Author: Stefan Schantl
Date:   Mon Dec 11 08:46:18 2017 +0100

    ids.cgi: Code cleanup

    * Drop a lot of unused variables and code.
    * Re-ordering some code parts.
    * Add a lot of comments.

    Signed-off-by: Stefan Schantl

commit 298723b9db481a07056377278a501d4a643c7a93
Author: Stefan Schantl
Date:   Mon Dec 11 08:33:36 2017 +0100

    ids.cgi: Re-add code to save the ruleset.

    The manually enabled or disabled rules by the user now will be written to their own config files, which will be used by oinkmaster to keep these rules in the same state after a rules update has been performed.

    In short, if you adjust your ruleset, the changes will not be lost again if you perform an update of your ruleset.

    * Grabbing and storing the cgi values now in their own hash (%cgiparams)
    * Introducing oinkmaster config files for enabled and disabled rules.

    Signed-off-by: Stefan Schantl

commit 0b568bb9650bfe9200d45d7a57b500747e37a73f
Author: Stefan Schantl
Date:   Sun Dec 10 10:36:07 2017 +0100

    ids.cgi: Drop unused css code

    Signed-off-by: Stefan Schantl

commit 177266446a3c9a9c63dbd4bd1af032339003ab3d
Author: Stefan Schantl
Date:   Sun Dec 10 10:07:41 2017 +0100

    ids.cgi: Rework code for displaying the single rules

    The complete ruleset will be grouped as categories by its corresponding rulefile and printed in hidden tables.

    They can easily be displayed by clicking on the show link and vice-versa.

    Signed-off-by: Stefan Schantl

commit f7fcd1c020f0eaaacf9068182e9f64750ccf7ea7
Author: Stefan Schantl
Date:   Wed Dec 6 11:44:30 2017 +0100

    ids.cgi: Always display ruleset

    Display the rule categories any time and do not hide them if no instance of snort is running.

    Signed-off-by: Stefan Schantl

commit e3ab140634f8769399b258b8391ec58ec9035c1b
Author: Stefan Schantl
Date:   Wed Dec 6 11:19:42 2017 +0100

    ids.cgi: Remove comment lines for snort rules control

    Signed-off-by: Stefan Schantl

commit 3da6e01bcf1aefd1e495f64d251d0e39a94a4fdc
Author: Stefan Schantl
Date:   Wed Dec 6 09:51:46 2017 +0100

    ids.cgi: Refactor reading-in rule files.

    Move the code for reading and parsing the snort rule files into its own subfunction.

    * Drop code for reading in and modifying the snort main config file.
    * Rework code for parsing and adding the snort rules to the snortrules hash.
    * Drop code for gathering a description for the rule files, which does not because of a file layout change and sadly there is no suitable description shipped anymore by the snort team.

    Signed-off-by: Stefan Schantl

commit a70d269a9ad8ed8ee14f0d1de6426bf936750a3f
Author: Stefan Schantl
Date:   Sat Dec 2 15:31:19 2017 +0100

    ids.cgi: Move function to end of file

    Move the function for doing the page refresh stuff to the end of the file and do some layout changes for better reading the code.

    Signed-off-by: Stefan Schantl

commit 422204ff08af8f1932e57bace8125baa149329a7
Author: Stefan Schantl
Date:   Sat Dec 2 15:24:12 2017 +0100

    ids.cgi: Use pure perl for directory listing

    Use pure perl for getting the filelist of available rule files instead of using a sub-shell and unix commands.

    Signed-off-by: Stefan Schantl

commit fbd430172f49cb746975f5543c4e184748537b4e
Author: Stefan Schantl
Date:   Sat Dec 2 15:17:49 2017 +0100

    ids.cgi: Drop old code for uploading a ruleset

    Signed-off-by: Stefan Schantl

commit ca745a2978aadad52a487a7c6a1a8dcb8464aab3
Merge: b5ea63f85 4e4c122c5
Author: Stefan Schantl
Date:   Sat Jul 21 14:14:53 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit b5ea63f85c7d2ff107cd5f1cf985e98e75a84efe
Merge: fb22c9ffd 6a7e6b449
Author: Stefan Schantl
Date:   Thu Jul 19 18:10:23 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit fb22c9ffd990eebee3249a3cbc2a6c8695b811b7
Merge: b56b67330 9aefd1ed0
Author: Stefan Schantl
Date:   Sun Jul 8 08:34:37 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit b56b67330ce0927af61c38e1d02284154f912dda
Author: Stefan Schantl
Date:   Wed Jun 27 19:38:41 2018 +0200

    guardian: Update to 2.0.2

    Signed-off-by: Stefan Schantl

commit 6d1ebd1d4323984108c2682d84fe07e54f647061
Author: Stefan Schantl
Date:   Wed Jun 27 19:36:28 2018 +0200

    guardian.cgi: Remove support for owncloud

    Owncloud as an addon has been dropped for IPFire. As a result of this, we do not need this code anymore.

    Fixes #11572.

    Signed-off-by: Stefan Schantl

commit 74c193f266e9660c822bfc5e86d050d35539bab6
Merge: 5776b677d bc91a6628
Author: Stefan Schantl
Date:   Wed Jun 27 19:33:43 2018 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 5776b677db10ad18aa9972b49900addaa8bf44ba
Merge: 6600eeac4 f574f9ea0
Author: Stefan Schantl
Date:   Tue Nov 14 19:17:23 2017 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 6600eeac49362964f6813c8c106aa68d6afe3d0e
Author: Stefan Schantl
Date:   Thu Jun 8 14:13:24 2017 +0200

    guardian: Bump package version.

    During commit d68ead3decfdcc4ca4a1413e33f3c47270799836 the guardian.cgi has been changed, and therefore the package version of guardian needs to be bumped to ship the changed files.

    Signed-off-by: Stefan Schantl

commit 31313db780f894cdadd74dc4973e0fd6a22a4659
Merge: 5f9fb7a8f 357b8c141
Author: Stefan Schantl
Date:   Thu Jun 8 14:03:56 2017 +0200

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 5f9fb7a8f6fb4109a6bc451aaf5b8aea74c12892
Merge: f707295a8 c6bc0fb03
Author: Stefan Schantl
Date:   Fri Nov 11 07:44:38 2016 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit f707295a85f820405a21a25a25c86c00e030ddb4
Merge: 197033fab f95b8b9f7
Author: Stefan Schantl
Date:   Wed Nov 2 10:00:00 2016 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 197033fab234d4698b097fdb1b653b8ae39b1aae
Author: Stefan Schantl
Date:   Fri Oct 28 15:35:53 2016 +0200

    Add DDNS to core 107.

    Signed-off-by: Stefan Schantl

commit f2956cf42f04c7d6dcd5379b00ee779434a27d44
Author: Stefan Schantl
Date:   Fri Sep 30 10:34:22 2016 +0200

    ddns: Import patches for schokokeks.org support.

    Signed-off-by: Stefan Schantl

-----------------------------------------------------------------------

hooks/post-receive
--
IPFire 2.x development tree

--===============6927370055920493249==--