From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 171512b7a76f61669b61d234965570e40f585fee Date: Wed, 05 Jun 2019 21:20:26 +0100 Message-ID: <20190605202027.1F7B284FDBF@people01.i.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0175858112263360079==" List-Id: --===============0175858112263360079== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 171512b7a76f61669b61d234965570e40f585fee (commit) via 21a838238378b531551f42e2c582f0c5f82ca26f (commit) via 3c91ee80925f175cd5c599a2d46b78f31d726a35 (commit) via e1f8f870ea975c6c47afe8fd907ffb75980fe7db (commit) via f1add9a8dd5271af669ee0831f30b207b33d158d (commit) via 81bae51f6102a555ba50a5d42ed433288ddcfe54 (commit) via a40bcbb02cf1012405c4a0507d4b54d4d8a45064 (commit) via a5ba473c15c73a2e88d3333c73c1f13a332010b6 (commit) via 9734a58faf9832a708057e44092b96976401a8eb (commit) via 72ab71969fd88fc1bf78ddd77f066f86b15731c7 (commit) from dc9ac30c8dfb157c8ac7af5849d166f42462b08d (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 171512b7a76f61669b61d234965570e40f585fee Author: Michael Tremer Date: Wed Jun 5 12:46:37 2019 +0100 Update contributors =20 
Signed-off-by: Michael Tremer commit 21a838238378b531551f42e2c582f0c5f82ca26f Author: Erik Kapfer Date: Tue Jun 4 15:00:24 2019 +0200 suricata: Enable EVE logging =20 The EVE output facility outputs alerts, metadata, file info and protocol = specific records through JSON. for further informations please see --> https://suricata.readthedocs.io/e= n/suricata-4.1.2/output/eve/index.html . =20 Signed-off-by: Erik Kapfer Acked-by: Stefan Schantl Signed-off-by: Michael Tremer commit 3c91ee80925f175cd5c599a2d46b78f31d726a35 Author: Stefan Schantl Date: Wed Jun 5 20:56:35 2019 +0200 convert-ids-modifysids-file: Adjust code to use changed write_modify_sids= _file function =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit e1f8f870ea975c6c47afe8fd907ffb75980fe7db Author: Michael Tremer Date: Wed Jun 5 12:42:53 2019 +0100 core133: Ship snort configuration converter =20 Signed-off-by: Michael Tremer commit f1add9a8dd5271af669ee0831f30b207b33d158d Author: Stefan Schantl Date: Wed Jun 5 20:56:34 2019 +0200 convert-snort: Adjust code to use changed modify_sids_file function. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 81bae51f6102a555ba50a5d42ed433288ddcfe54 Author: Stefan Schantl Date: Wed Jun 5 20:56:33 2019 +0200 ids-functions.pl: Rework function write_modify_sids_file(). =20 Directly implement the logic to determine the used ruleset and if IDS or IPS mode should be used into the function instead of pass those details as arguments. =20 This helps to prevent from doing this stuff at several places again and a= gain. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit a40bcbb02cf1012405c4a0507d4b54d4d8a45064 Author: Michael Tremer Date: Wed Jun 5 12:41:37 2019 +0100 core133: Ship IPS changes =20 
Signed-off-by: Michael Tremer commit a5ba473c15c73a2e88d3333c73c1f13a332010b6 Author: Tim FitzGeorge Date: Wed Jun 5 20:56:32 2019 +0200 suricata: correct rule actions in IPS mode =20 In IPS mode rule actions need to be have the action 'drop' for the protection to work, however this is not appropriate for all rules. Modify the generator for oinkmaster-modify-sids.conf to leave rules with the action 'alert' here this is appropriate. Also add a script to be run on update to correct existing downloaded rules. =20 Fixes #12086 =20 Signed-off-by: Tim FitzGeorge Tested-by: Peter M=C3=BCller Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 9734a58faf9832a708057e44092b96976401a8eb Author: Michael Tremer Date: Wed Jun 5 12:34:44 2019 +0100 core133: Ship IDS ruleset updater =20 Signed-off-by: Michael Tremer commit 72ab71969fd88fc1bf78ddd77f066f86b15731c7 Author: Stefan Schantl Date: Wed Jun 5 18:27:10 2019 +0200 update-ids-ruleset: Run as unprivileged user. =20 Check if the script has been launched as privileged user (root) and drop = all permissions by switching to the "nobody" user and group. =20 Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: .mailmap | 1 + config/cfgroot/ids-functions.pl | 53 +++++++++++++++++++-= -- config/rootfiles/common/configroot | 1 + config/rootfiles/core/133/filelists/files | 5 ++ config/rootfiles/core/133/update.sh | 3 ++ .../suricata/convert-ids-modifysids-file | 53 ++++++++++++++------= -- config/suricata/convert-snort | 12 +---- html/cgi-bin/credits.cgi | 6 +-- html/cgi-bin/ids.cgi | 18 ++------ lfs/configroot | 1 + lfs/suricata | 2 + src/scripts/update-ids-ruleset | 14 ++++++ 12 files changed, 116 insertions(+), 53 deletions(-) copy src/initscripts/helper/getdnsfromdhcpc.pl =3D> config/suricata/convert-= ids-modifysids-file (62%) Difference in files: diff --git a/.mailmap b/.mailmap index f920b448f..08653c701 100644 
--- a/.mailmap +++ b/.mailmap @@ -33,3 +33,4 @@ Rene Zingel Ronald Wiesinger St=C3=A9phane Pautrel Erik Kapfer +Stephan Feddersen diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 88734a3ca..94de1373c 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -243,7 +243,7 @@ sub downloadruleset { # Load perl module to deal with temporary files. use File::Temp; =20 - # Generate temporay file name, located in "/var/tmp" and with a suffix of "= .tar.gz". + # Generate temporary file name, located in "/var/tmp" and with a suffix of = ".tar.gz". my $tmp =3D File::Temp->new( SUFFIX =3D> ".tar.gz", DIR =3D> "/var/tmp/", U= NLINK =3D> 0 ); my $tmpfile =3D $tmp->filename(); =20 @@ -293,6 +293,9 @@ sub downloadruleset { # Overwrite existing rules tarball with the new downloaded one. move("$tmpfile", "$rulestarball"); =20 + # Set correct ownership for the rulesdir and files. + set_ownership("$rulestarball"); + # If we got here, everything worked fine. Return nothing. return; } @@ -726,8 +729,15 @@ sub write_used_rulefiles_file(@) { # ## Function to generate and write the file for modify the ruleset. # -sub write_modify_sids_file($) { - my ($ruleaction) =3D @_; +sub write_modify_sids_file() { + # Get configured settings. + my %idssettings=3D(); + my %rulessettings=3D(); + &General::readhash("$ids_settings_file", \%idssettings); + &General::readhash("$rules_settings_file", \%rulessettings); + + # Gather the configured ruleset. + my $ruleset =3D $rulessettings{'RULES'}; =20 # Open modify sid's file for writing. open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_fi= le. $!\n"; 
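Review bot: In the `@@ -726,8 +729,15 @@` hunk of ids-functions.pl, `$ruleset` is taken from `%rulessettings` without any check that `&General::readhash` actually loaded `$rules_settings_file`, so a missing or empty settings file leaves it undef and every later `eq` comparison on it warns under `use warnings` and, presumably, falls through to the branch meant for unknown rulesets. A guard right after the two `readhash` calls would make that explicit, e.g. `my $ruleset = $rulessettings{'RULES'} // '';` with a comment that an unset ruleset is treated like a third-party one. The same applies to `$idssettings{'MONITOR_TRAFFIC_ONLY'}`, which the following hunk compares against `'on'`. The body of write_modify_sids_file continues past this hunk.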
@@ -736,9 +746,40 @@ sub write_modify_sids_file($) { print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; =20 # Check if the traffic only should be monitored. - unless($ruleaction eq "alert") { - # Tell oinkmaster to switch all rules from alert to drop. - print FILE "modifysid \* \"alert\" \| \"drop\"\n"; + unless($idssettings{'MONITOR_TRAFFIC_ONLY'} eq 'on') { + # Suricata is in IPS mode, which means that the rule actions have to be ch= anged + # from 'alert' to 'drop', however not all rules should be changed. Some r= ules + # exist purely to set a flowbit which is used to convey other information,= such + # as a specific type of file being downloaded, to other rulewhich then che= ck for + # malware in that file. Rules which fall into the first category should s= tay as + # alert since not all flows of that type contain malware. + + if($ruleset eq 'registered' or $ruleset eq 'subscripted' or $ruleset eq 'c= ommunity') { + # These types of rulesfiles contain meta-data which gives the action that= should + # be used when in IPS mode. Do the following: + # + # 1. Disable all rules and set the action to 'drop' + # 2. Set the action back to 'alert' if the rule contains 'flowbits:noaler= t;' + # This should give rules not in the policy a reasonable default if the= user + # manually enables them. + # 3. Enable rules and set actions according to the meta-data strings. + + my $policy =3D 'balanced'; # Placeholder to allow policy to be changed. + + print FILE < = # +# = # +# This program is free software: you can redistribute it and/or modify = # +# it under the terms of the GNU General Public License as published by = # +# the Free Software Foundation, either version 3 of the License, or = # +# (at your option) any later version. = # +# = # +# This program is distributed in the hope that it will be useful, = # +# but WITHOUT ANY WARRANTY; without even the implied warranty of = # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the = # +# GNU General Public License for more details. = # +# = # +# You should have received a copy of the GNU General Public License = # +# along with this program. If not, see . = # +# = # +############################################################################= ### + +use strict; + +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/ids-functions.pl"; + +exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file); + +# +## Step 1: Re-generate and write the file to modify the ruleset. +# + +# Call subfunction and pass the desired IDS action. +&IDS::write_modify_sids_file(); + +# Set correct ownership. +&IDS::set_ownership("$IDS::modify_sids_file"); + +# +## Step 2: Call oinkmaster to extract and setup the rules structures. +# + +# Check if a rulestarball is present. +if (-f $IDS::rulestarball) { + # Launch oinkmaster by calling the subfunction. + &IDS::oinkmaster(); + + # Set correct ownership for the rulesdir and files. + &IDS::set_ownership("$IDS::rulespath"); +} + +# +## Step 3: Reload the IDS ruleset if running. +# + +# Check if the IDS should be started. +if($idssettings{"ENABLE_IDS"} eq "on") { + # Call suricatactrl and reload the rules. + &IDS::call_suricatactrl("reload"); +} diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 83931fa5b..5ed36954f 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort 
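Review bot: Step 3 of the new convert-ids-modifysids-file reads `$idssettings{"ENABLE_IDS"}`, but `%idssettings` is neither declared nor loaded anywhere in the visible script, and `use strict` is on, so as shown the script would fail to compile on that line instead of reloading the ruleset (unless the declaration sits in the part of the file that is garbled in this rendering). convert-snort evidently has a populated `%idssettings` (its removed lines read it), and the equivalent `my %idssettings = ();` followed by `&General::readhash("$IDS::ids_settings_file", \%idssettings);` is needed here before Step 3. The comment `# Call subfunction and pass the desired IDS action.` above the Step 1 call is also stale, since `write_modify_sids_file()` now takes no arguments.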
@@ -196,18 +196,8 @@ if (-f $guardian_meta) { ## Step 5: Generate and write the file to modify the ruleset. # =20 -# Converters default is to only monitor the traffic, so set the IDS action to -# "alert". -my $IDS_action =3D "alert"; - -# Check if the traffic only should be monitored. -if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") { - # Swith IDS action to alert only. - $IDS_action =3D "drop"; -} - # Call subfunction and pass the desired IDS action. -&IDS::write_modify_sids_file($IDS_action); +&IDS::write_modify_sids_file(); =20 # Set correct ownership. &IDS::set_ownership("$IDS::modify_sids_file"); diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi index 7119a4628..6ce9542b2 100644 --- a/html/cgi-bin/credits.cgi +++ b/html/cgi-bin/credits.cgi @@ -92,11 +92,11 @@ Sascha Kilian, Ronald Wiesinger, Stephan Feddersen, St=C3=A9phane Pautrel, +Florian B=C3=BChrle, +Bernhard Bitsch, Justin Luth, Michael Eitelwein, -Bernhard Bitsch, Dominik Hassler, -Florian B=C3=BChrle, Larsen, Gabriel Rolland, Anton D. Seliverstov, @@ -107,6 +107,7 @@ Jakub Ratajczak, Jorrit de Jonge, J=C3=B6rn-Ingo Weigert, Przemek Zdroik, +Tim FitzGeorge, Alexander Rudolf Gruber, Andrew Bellows, Axel Gembe, @@ -134,7 +135,6 @@ Robert M=C3=B6ker, Stefan Ernst, Stefan Ferstl, Thomas Ebert, -Tim FitzGeorge, Timmothy Wilson, Umberto Parma diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 00db6a0c3..74f5ca223 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -359,7 +359,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { $errormessage =3D "$Lang::tr{'could not download latest updates'} - $Lan= g::tr{'system is offline'}"; } =20 - # Check if enought free disk space is availabe. + # Check if enough free disk space is availabe. if(&IDS::checkdiskspace()) { $errormessage =3D "$Lang::tr{'not enough disk space'}"; } 
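Review bot: The comment `# Call subfunction and pass the desired IDS action.` is kept above `&IDS::write_modify_sids_file();` although the call no longer passes anything and the function now derives the action itself from the saved settings. Replace it with `# Generate the modify-sids file; the IDS/IPS action is taken from the saved settings.` so the next reader does not look for a missing argument. The same stale wording, `# Write the modify sid's file and pass the taken ruleaction.`, survives at both call sites in the html/cgi-bin/ids.cgi hunks and should be updated there too.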
@@ -370,6 +370,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # a new ruleset. &working_notice("$Lang::tr{'ids working'}"); =20 + # Write the modify sid's file and pass the taken ruleaction. + &IDS::write_modify_sids_file(); + # Call subfunction to download the ruleset. if(&IDS::downloadruleset()) { $errormessage =3D $Lang::tr{'could not download latest updates'}; @@ -598,19 +601,8 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Generate file to store the home net. &IDS::generate_home_net_file(); =20 - # Temporary variable to set the ruleaction. - # Default is "drop" to use suricata as IPS. - my $ruleaction=3D"drop"; - - # Check if the traffic only should be monitored. - if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') { - # Switch the ruleaction to "alert". - # Suricata acts as an IDS only. - $ruleaction=3D"alert"; - } - # Write the modify sid's file and pass the taken ruleaction. - &IDS::write_modify_sids_file($ruleaction); + &IDS::write_modify_sids_file(); =20 # Check if "MONITOR_TRAFFIC_ONLY" has been changed. if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_O= NLY'}) { diff --git a/lfs/configroot b/lfs/configroot index d4eb545f0..227d09239 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -135,6 +135,7 @@ $(TARGET) : =20 # Install snort to suricata converter. cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort + cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/conve= rt-ids-modifysids-file =20 # Add conntrack helper default settings for proto in FTP H323 IRC SIP TFTP; do \ diff --git a/lfs/suricata b/lfs/suricata index 310920606..6f779d875 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -80,6 +80,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-nfqueue \ --disable-static \ --disable-python \ + --with-libjansson-libraries=3D/usr/lib \ + --with-libjansson-includes=3D/usr/include \ --disable-suricata-update cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install 
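Review bot: In the `@@ -598,19 +601,8 @@` hunk of ids.cgi the removed code chose the rule action from `$cgiparams{'MONITOR_TRAFFIC_ONLY'}`, i.e. the value just submitted by the form, whereas the new `&IDS::write_modify_sids_file();` reads `MONITOR_TRAFFIC_ONLY` from the settings file on disk. That is only equivalent if the settings file has already been written when this call runs; the surrounding lines compare `$cgiparams` against `%oldidssettings`, which suggests it has, but it is worth confirming, since otherwise a switch between IDS and IPS mode would only take effect on the following save. A short comment at the call site stating that the settings must be saved before this point, e.g. `# Settings are already written above; the function reads MONITOR_TRAFFIC_ONLY from them.`, would pin that ordering for future edits.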
diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 956c3a1f5..dbe5b6849 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -20,11 +20,25 @@ ############################################################################= ### =20 use strict; +use POSIX; =20 require '/var/ipfire/general-functions.pl'; require "${General::swroot}/ids-functions.pl"; require "${General::swroot}/lang.pl"; =20 +# The user and group name as which this script should be run. +my $run_as =3D 'nobody'; + +# Get user and group id of the user. +my ( $uid, $gid ) =3D ( getpwnam $run_as )[ 2, 3 ]; + +# Check if the script currently runs as root. +if ( $> =3D=3D 0 ) { + # Drop privileges and switch to the specified user and group. + POSIX::setgid( $gid ); + POSIX::setuid( $uid ); +} + # Check if the red device is active. unless (-e "${General::swroot}/red/active") { # Store notice in the syslog. hooks/post-receive -- IPFire 2.x development tree --===============0175858112263360079==--
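Review bot: The privilege drop in update-ids-ruleset does not fail closed: if `getpwnam` finds no entry for `$run_as`, `$uid` and `$gid` are undef and `POSIX::setuid( $uid )` is effectively attempted with 0, and neither `POSIX::setgid` nor `POSIX::setuid` has its return value checked, so on any failure the script silently carries on as root. Supplementary groups inherited from root are also retained, because `setgid` only changes the primary group. The block should die when the lookup or either call fails, clear the supplementary group list before switching, and verify the result; the rewrite below keeps the same `$run_as` and the same order (group first, then user).
```perl
# Get user and group id of the user; refuse to continue if it is unknown.
my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
die "Cannot look up user '$run_as'\n" unless defined $uid and defined $gid;

# Check if the script currently runs as root.
if ( $> == 0 ) {
	# Drop supplementary groups, then the primary group, then the user.
	# Die on any failure so the script never keeps running as root.
	$) = "$gid $gid";
	POSIX::setgid( $gid ) or die "setgid($gid) failed: $!\n";
	POSIX::setuid( $uid ) or die "setuid($uid) failed: $!\n";
	die "Failed to drop privileges\n" if $> == 0 or $< == 0;
}
# … unchanged: red device check …
```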