public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 171512b7a76f61669b61d234965570e40f585fee
@ 2019-06-05 20:20 Michael Tremer
From: Michael Tremer @ 2019-06-05 20:20 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  171512b7a76f61669b61d234965570e40f585fee (commit)
       via  21a838238378b531551f42e2c582f0c5f82ca26f (commit)
       via  3c91ee80925f175cd5c599a2d46b78f31d726a35 (commit)
       via  e1f8f870ea975c6c47afe8fd907ffb75980fe7db (commit)
       via  f1add9a8dd5271af669ee0831f30b207b33d158d (commit)
       via  81bae51f6102a555ba50a5d42ed433288ddcfe54 (commit)
       via  a40bcbb02cf1012405c4a0507d4b54d4d8a45064 (commit)
       via  a5ba473c15c73a2e88d3333c73c1f13a332010b6 (commit)
       via  9734a58faf9832a708057e44092b96976401a8eb (commit)
       via  72ab71969fd88fc1bf78ddd77f066f86b15731c7 (commit)
      from  dc9ac30c8dfb157c8ac7af5849d166f42462b08d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 171512b7a76f61669b61d234965570e40f585fee
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Jun 5 12:46:37 2019 +0100

    Update contributors
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 21a838238378b531551f42e2c582f0c5f82ca26f
Author: Erik Kapfer <ummeegge(a)ipfire.org>
Date:   Tue Jun 4 15:00:24 2019 +0200

    suricata: Enable EVE logging
    
    The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
    For further information please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
    
    Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org>
    Acked-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 3c91ee80925f175cd5c599a2d46b78f31d726a35
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jun 5 20:56:35 2019 +0200

    convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit e1f8f870ea975c6c47afe8fd907ffb75980fe7db
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Jun 5 12:42:53 2019 +0100

    core133: Ship snort configuration converter
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit f1add9a8dd5271af669ee0831f30b207b33d158d
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jun 5 20:56:34 2019 +0200

    convert-snort: Adjust code to use changed modify_sids_file function.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 81bae51f6102a555ba50a5d42ed433288ddcfe54
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jun 5 20:56:33 2019 +0200

    ids-functions.pl: Rework function write_modify_sids_file().
    
    Directly implement the logic to determine the used ruleset and if
    IDS or IPS mode should be used into the function instead of passing those
    details as arguments.
    
    This helps to prevent doing this stuff at several places again and again.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a40bcbb02cf1012405c4a0507d4b54d4d8a45064
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Jun 5 12:41:37 2019 +0100

    core133: Ship IPS changes
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a5ba473c15c73a2e88d3333c73c1f13a332010b6
Author: Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk>
Date:   Wed Jun 5 20:56:32 2019 +0200

    suricata: correct rule actions in IPS mode
    
    In IPS mode rule actions need to have the action 'drop' for the
    protection to work, however this is not appropriate for all rules.
    Modify the generator for oinkmaster-modify-sids.conf to leave
    rules with the action 'alert' where this is appropriate.  Also add
    a script to be run on update to correct existing downloaded rules.
    
    Fixes #12086
    
    Signed-off-by: Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk>
    Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 9734a58faf9832a708057e44092b96976401a8eb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Jun 5 12:34:44 2019 +0100

    core133: Ship IDS ruleset updater
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 72ab71969fd88fc1bf78ddd77f066f86b15731c7
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Jun 5 18:27:10 2019 +0200

    update-ids-ruleset: Run as unprivileged user.
    
    Check if the script has been launched as privileged user (root) and drop all
    permissions by switching to the "nobody" user and group.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 .mailmap                                           |  1 +
 config/cfgroot/ids-functions.pl                    | 53 +++++++++++++++++++---
 config/rootfiles/common/configroot                 |  1 +
 config/rootfiles/core/133/filelists/files          |  5 ++
 config/rootfiles/core/133/update.sh                |  3 ++
 .../suricata/convert-ids-modifysids-file           | 53 ++++++++++++++--------
 config/suricata/convert-snort                      | 12 +----
 html/cgi-bin/credits.cgi                           |  6 +--
 html/cgi-bin/ids.cgi                               | 18 ++------
 lfs/configroot                                     |  1 +
 lfs/suricata                                       |  2 +
 src/scripts/update-ids-ruleset                     | 14 ++++++
 12 files changed, 116 insertions(+), 53 deletions(-)
 copy src/initscripts/helper/getdnsfromdhcpc.pl => config/suricata/convert-ids-modifysids-file (62%)

Difference in files:
diff --git a/.mailmap b/.mailmap
index f920b448f..08653c701 100644
--- a/.mailmap
+++ b/.mailmap
@@ -33,3 +33,4 @@ Rene Zingel	<linuxadmin(a)ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
 Ronald Wiesinger	<rowie(a)ipfire.org>
 Stéphane Pautrel	<steph78630(a)gmail.com>
 Erik Kapfer		<ummeegge(a)ipfire.org>
+Stephan Feddersen	<sfeddersen(a)ipfire.org>
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 88734a3ca..94de1373c 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -243,7 +243,7 @@ sub downloadruleset {
 	# Load perl module to deal with temporary files.
 	use File::Temp;
 
-	# Generate temporay file name, located in "/var/tmp" and with a suffix of ".tar.gz".
+	# Generate temporary file name, located in "/var/tmp" and with a suffix of ".tar.gz".
 	my $tmp = File::Temp->new( SUFFIX => ".tar.gz", DIR => "/var/tmp/", UNLINK => 0 );
 	my $tmpfile = $tmp->filename();
 
@@ -293,6 +293,9 @@ sub downloadruleset {
 	# Overwrite existing rules tarball with the new downloaded one.
 	move("$tmpfile", "$rulestarball");
 
+	# Set correct ownership for the rulesdir and files.
+	set_ownership("$rulestarball");
+
 	# If we got here, everything worked fine. Return nothing.
 	return;
 }
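Review bot: the new comment "Set correct ownership for the rulesdir and files." does not match the call below it, which only touches `$rulestarball`; reword it to "Set correct ownership for the downloaded rules tarball." Since the preceding `move("$tmpfile", "$rulestarball")` result is not checked, consider testing its return value before calling `set_ownership`, otherwise a failed move leaves the old tarball in place and the error is silently swallowed.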
@@ -726,8 +729,15 @@ sub write_used_rulefiles_file(@) {
 #
 ## Function to generate and write the file for modify the ruleset.
 #
-sub write_modify_sids_file($) {
-	my ($ruleaction) = @_;
+sub write_modify_sids_file() {
+	# Get configured settings.
+	my %idssettings=();
+	my %rulessettings=();
+	&General::readhash("$ids_settings_file", \%idssettings);
+	&General::readhash("$rules_settings_file", \%rulessettings);
+
+	# Gather the configured ruleset.
+	my $ruleset = $rulessettings{'RULES'};
 
 	# Open modify sid's file for writing.
 	open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
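Review bot: `my $ruleset = $rulessettings{'RULES'};` is used without checking that the key was actually read from `$rules_settings_file`; if the file is missing or lacks `RULES`, `$ruleset` is undef and every `eq` comparison later in the function silently falls through to the non-metadata branch. Suggest `die` or an explicit fallback when `$ruleset` is not defined, right after the two `readhash` calls, and the same for `MONITOR_TRAFFIC_ONLY` from `%idssettings`.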
@@ -736,9 +746,40 @@ sub write_modify_sids_file($) {
 	print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
 
 	# Check if the traffic only should be monitored.
-	unless($ruleaction eq "alert") {
-		# Tell oinkmaster to switch all rules from alert to drop.
-		print FILE "modifysid \* \"alert\" \| \"drop\"\n";
+	unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
+		# Suricata is in IPS mode, which means that the rule actions have to be changed
+		# from 'alert' to 'drop', however not all rules should be changed.  Some rules
+		# exist purely to set a flowbit which is used to convey other information, such
+		# as a specific type of file being downloaded, to other rulewhich then check for
+		# malware in that file.  Rules which fall into the first category should stay as
+		# alert since not all flows of that type contain malware.
+
+		if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'community') {
+			# These types of rulesfiles contain meta-data which gives the action that should
+			# be used when in IPS mode.  Do the following:
+			#
+			# 1. Disable all rules and set the action to 'drop'
+			# 2. Set the action back to 'alert' if the rule contains 'flowbits:noalert;'
+			#    This should give rules not in the policy a reasonable default if the user
+			#    manually enables them.
+			# 3. Enable rules and set actions according to the meta-data strings.
+
+			my $policy = 'balanced';  # Placeholder to allow policy to be changed.
+
+			print FILE <<END;
+modifysid * "^#?(?:alert|drop)" | "#drop"
+modifysid * "^#drop(.+flowbits:noalert;)" | "#alert\${1}"
+modifysid * "^#(?:alert|drop)(.+policy $policy-ips alert)" | "alert\${1}"
+modifysid * "^#(?:alert|drop)(.+policy $policy-ips drop)" | "drop\${1}"
+END
+		} else {
+			# These rulefiles don't have the metadata, so set rules to 'drop' unless they
+			# contain the string 'flowbits:noalert;'.
+			print FILE <<END;
+modifysid * "^(#?)(?:alert|drop)" | "\${1}drop"
+modifysid * "^(#?)drop(.+flowbits:noalert;)" | "\${1}alert\${2}"
+END
+		}
 	}
 
 	# Close file handle.
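Review bot: for the registered/subscripted/community rulesets, step 1 (`modifysid * "^#?(?:alert|drop)" | "#drop"`) comments out every rule and only step 3 uncomments rules that carry a `policy balanced-ips alert|drop` string, so any rule without that metadata, including ones the user enabled by hand, ends up disabled whenever IPS mode is active; the block comment should state this consequence explicitly. Also, `my $policy = 'balanced';` is described as a placeholder but is the only policy supported, so either document it as fixed or wire it to a setting, and fix the typo "to other rulewhich" (should be "to other rules which") in the comment above it.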
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index a7f27fe55..56b0257bc 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -3,6 +3,7 @@ usr/sbin/convert-outgoingfw
 usr/sbin/convert-portfw
 usr/sbin/convert-snort
 usr/sbin/convert-xtaccess
+usr/sbin/convert-ids-modifysids-file
 usr/sbin/firewall-policy
 #var/ipfire
 var/ipfire/addon-lang
diff --git a/config/rootfiles/core/133/filelists/files b/config/rootfiles/core/133/filelists/files
index 97a603ad8..7998df231 100644
--- a/config/rootfiles/core/133/filelists/files
+++ b/config/rootfiles/core/133/filelists/files
@@ -3,6 +3,11 @@ etc/issue
 etc/rc.d/init.d/smt
 srv/web/ipfire/cgi-bin/credits.cgi
 srv/web/ipfire/cgi-bin/dhcp.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 srv/web/ipfire/cgi-bin/vulnerabilities.cgi
+usr/local/bin/update-ids-ruleset
+usr/sbin/convert-ids-modifysids-file
+usr/sbin/convert-snort
+var/ipfire/ids-functions.pl
diff --git a/config/rootfiles/core/133/update.sh b/config/rootfiles/core/133/update.sh
index 9d708f092..a05ad0741 100644
--- a/config/rootfiles/core/133/update.sh
+++ b/config/rootfiles/core/133/update.sh
@@ -62,6 +62,9 @@ telinit u
 # Regenerate /etc/ipsec.conf
 sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
 
+# Modify suricata modify-sids file
+/usr/sbin/convert-ids-modifysids-file
+
 # Start services
 /usr/local/bin/ipsecctrl S
 /etc/init.d/suricata restart
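Review bot: the exit status of `/usr/sbin/convert-ids-modifysids-file` is not checked, so a failed regeneration of the modify-sids file is not surfaced during the update. Also, the script's own step 3 reloads suricata when the IDS is enabled, and two lines later `/etc/init.d/suricata restart` restarts it again; one of the two is redundant here.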
diff --git a/config/suricata/convert-ids-modifysids-file b/config/suricata/convert-ids-modifysids-file
new file mode 100644
index 000000000..adcc10577
--- /dev/null
+++ b/config/suricata/convert-ids-modifysids-file
@@ -0,0 +1,60 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2019 IPFire Development Team <info(a)ipfire.org>                #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+use strict;
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/ids-functions.pl";
+
+exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file);
+
+#
+## Step 1: Re-generate and write the file to modify the ruleset.
+#
+
+# Call subfunction and pass the desired IDS action.
+&IDS::write_modify_sids_file();
+
+# Set correct ownership.
+&IDS::set_ownership("$IDS::modify_sids_file");
+
+#
+## Step 2: Call oinkmaster to extract and setup the rules structures.
+#
+
+# Check if a rulestarball is present.
+if (-f $IDS::rulestarball) {
+	# Launch oinkmaster by calling the subfunction.
+	&IDS::oinkmaster();
+
+	# Set correct ownership for the rulesdir and files.
+	&IDS::set_ownership("$IDS::rulespath");
+}
+
+#
+## Step 3: Reload the IDS ruleset if running.
+#
+
+# Check if the IDS should be started.
+if($idssettings{"ENABLE_IDS"} eq "on") {
+	# Call suricatactrl and reload the rules.
+	&IDS::call_suricatactrl("reload");
+}
diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort
index 83931fa5b..5ed36954f 100644
--- a/config/suricata/convert-snort
+++ b/config/suricata/convert-snort
@@ -196,18 +196,8 @@ if (-f $guardian_meta) {
 ## Step 5: Generate and write the file to modify the ruleset.
 #
 
-# Converters default is to only monitor the traffic, so set the IDS action to
-# "alert".
-my $IDS_action = "alert";
-
-# Check if the traffic only should be monitored.
-if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") {
-	# Swith IDS action to alert only.
-	$IDS_action = "drop";
-}
-
 # Call subfunction and pass the desired IDS action.
-&IDS::write_modify_sids_file($IDS_action);
+&IDS::write_modify_sids_file();
 
 # Set correct ownership.
 &IDS::set_ownership("$IDS::modify_sids_file");
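Review bot: the comment "Call subfunction and pass the desired IDS action." is now wrong, since the argument was removed along with `$IDS_action`; change it to "Call subfunction to generate the modify-sids file."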
diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi
index 7119a4628..6ce9542b2 100644
--- a/html/cgi-bin/credits.cgi
+++ b/html/cgi-bin/credits.cgi
@@ -92,11 +92,11 @@ Sascha Kilian,
 Ronald Wiesinger,
 Stephan Feddersen,
 Stéphane Pautrel,
+Florian Bührle,
+Bernhard Bitsch,
 Justin Luth,
 Michael Eitelwein,
-Bernhard Bitsch,
 Dominik Hassler,
-Florian Bührle,
 Larsen,
 Gabriel Rolland,
 Anton D. Seliverstov,
@@ -107,6 +107,7 @@ Jakub Ratajczak,
 Jorrit de Jonge,
 Jörn-Ingo Weigert,
 Przemek Zdroik,
+Tim FitzGeorge,
 Alexander Rudolf Gruber,
 Andrew Bellows,
 Axel Gembe,
@@ -134,7 +135,6 @@ Robert Möker,
 Stefan Ernst,
 Stefan Ferstl,
 Thomas Ebert,
-Tim FitzGeorge,
 Timmothy Wilson,
 Umberto Parma
 	<!-- END -->
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 00db6a0c3..74f5ca223 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -359,7 +359,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 				$errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}";
 			}
 
-			# Check if enought free disk space is availabe.
+			# Check if enough free disk space is availabe.
 			if(&IDS::checkdiskspace()) {
 				$errormessage = "$Lang::tr{'not enough disk space'}";
 			}
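Review bot: the comment fix corrects "enought" but leaves "availabe" in the same line; should read "Check if enough free disk space is available."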
@@ -370,6 +370,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 				# a new ruleset.
 				&working_notice("$Lang::tr{'ids working'}");
 
+				# Write the modify sid's file and pass the taken ruleaction.
+				&IDS::write_modify_sids_file();
+
 				# Call subfunction to download the ruleset.
 				if(&IDS::downloadruleset()) {
 					$errormessage = $Lang::tr{'could not download latest updates'};
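Review bot: the new comment "Write the modify sid's file and pass the taken ruleaction." describes an argument that is no longer passed; `write_modify_sids_file()` now reads the mode from the settings file itself, so the comment should say so.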
@@ -598,19 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 	# Generate file to store the home net.
 	&IDS::generate_home_net_file();
 
-	# Temporary variable to set the ruleaction.
-	# Default is "drop" to use suricata as IPS.
-	my $ruleaction="drop";
-
-	# Check if the traffic only should be monitored.
-	if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
-		# Switch the ruleaction to "alert".
-		# Suricata acts as an IDS only.
-		$ruleaction="alert";
-	}
-
 	# Write the modify sid's file and pass the taken ruleaction.
-	&IDS::write_modify_sids_file($ruleaction);
+	&IDS::write_modify_sids_file();
 
 	# Check if "MONITOR_TRAFFIC_ONLY" has been changed.
 	if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
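Review bot: the removed code derived the rule action from `$cgiparams{'MONITOR_TRAFFIC_ONLY'}`, i.e. the value just submitted, whereas `write_modify_sids_file()` now reads `MONITOR_TRAFFIC_ONLY` from `$ids_settings_file`. The comparison against `%oldidssettings` two lines below suggests the new settings may not have been written to disk yet at this point; please confirm the settings file is written before this call, otherwise the modify-sids file is generated for the previous mode on every change. The comment "and pass the taken ruleaction" is also stale.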
diff --git a/lfs/configroot b/lfs/configroot
index d4eb545f0..227d09239 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -135,6 +135,7 @@ $(TARGET) :
 
 	# Install snort to suricata converter.
 	cp $(DIR_SRC)/config/suricata/convert-snort	/usr/sbin/convert-snort
+	cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file   /usr/sbin/convert-ids-modifysids-file
 
 	# Add conntrack helper default settings
 	for proto in FTP H323 IRC SIP TFTP; do \
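Review bot: style only: the new `cp` line separates source and destination with spaces while the line above uses a tab; align it with the existing line for consistency.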
diff --git a/lfs/suricata b/lfs/suricata
index 310920606..6f779d875 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-nfqueue \
 		--disable-static \
 		--disable-python \
+		--with-libjansson-libraries=/usr/lib \
+		--with-libjansson-includes=/usr/include \
 		--disable-suricata-update
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
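Review bot: the two `--with-libjansson-*` flags build in JSON support, but no change to the shipped suricata configuration appears in this push ("Summary of changes" lists no suricata.yaml), so please confirm the EVE output section is already enabled there; otherwise the "Enable EVE logging" commit only adds the library dependency without producing any EVE log.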
diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset
index 956c3a1f5..dbe5b6849 100644
--- a/src/scripts/update-ids-ruleset
+++ b/src/scripts/update-ids-ruleset
@@ -20,11 +20,25 @@
 ###############################################################################
 
 use strict;
+use POSIX;
 
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/ids-functions.pl";
 require "${General::swroot}/lang.pl";
 
+# The user and group name as which this script should be run.
+my $run_as = 'nobody';
+
+# Get user and group id of the user.
+my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
+
+# Check if the script currently runs as root.
+if ( $> == 0 ) {
+	# Drop privileges and switch to the specified user and group.
+	POSIX::setgid( $gid );
+	POSIX::setuid( $uid );
+}
+
 # Check if the red device is active.
 unless (-e "${General::swroot}/red/active") {
 	# Store notice in the syslog.
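Review bot: the privilege drop does not check its own results: `getpwnam $run_as` returns an empty list if the user does not exist, leaving `$uid`/`$gid` undef, and `POSIX::setgid`/`POSIX::setuid` return false on failure, after which the script silently keeps running as root. Suggest `die "Unknown user $run_as\n" unless defined $uid;` and `POSIX::setgid($gid) or die "setgid failed: $!\n";` / `POSIX::setuid($uid) or die "setuid failed: $!\n";`. Note also that supplementary groups inherited from root are not cleared; assigning `$) = "$gid $gid";` before the setuid call takes care of that in Perl.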


hooks/post-receive
--
IPFire 2.x development tree
