public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 65d5ec52ce288bdffd9e989581e3b638dc948210
@ 2021-12-11  9:52 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2021-12-11  9:52 UTC (permalink / raw)
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  65d5ec52ce288bdffd9e989581e3b638dc948210 (commit)
       via  f23e0e5a7f860f6c8c15a9cecacadc9fa745651e (commit)
       via  74070fe153775dbe975e77fa54f0a9733cea8e50 (commit)
       via  3b1482e9394447343a3a0cfb9e2f9ec9b5f95626 (commit)
       via  ccf19569ab72b6b53b9e5f89003f7af971fbe8ab (commit)
      from  2c13fafb7f6eec202d58ebdb6e7fe78e0311ba23 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 65d5ec52ce288bdffd9e989581e3b638dc948210
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Dec 8 18:18:05 2021 +0100

    suricata: Disable sid 2210059.
    
    This rule emits a massive logspam and will temporarily be disabled until
    a better solution is found.
    
    Fixes #12738.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit f23e0e5a7f860f6c8c15a9cecacadc9fa745651e
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Dec 8 18:10:31 2021 +0100

    suricata: Cleanup default loaded rules file.
    
    There are no such rules files available and therefore they cannot be loaded.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 74070fe153775dbe975e77fa54f0a9733cea8e50
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Dec 8 18:10:30 2021 +0100

    suricata: Move default loaded rulefiles to own included file.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 3b1482e9394447343a3a0cfb9e2f9ec9b5f95626
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Mon Dec 6 18:01:32 2021 +0100

    pcengines-apu-firmware: Update to version 4.15.0.1
    
    - Update from 4.14.0.4 to 4.15.0.1
    - Update of rootfile
    - Changelog
        v4.15.0.1
            rebased with official coreboot repository commit 6973a3e7
        v4.14.0.6
            rebased with official coreboot repository commit d06c0917
            Re-added GPIO bindings to fix LED and button functionality
        v4.14.0.5
            rebased with official coreboot repository commit d4c55353
            Updated CPU declarations in ACPI to comply with newer ACPI standard
            Removed GPIO bindings to fix conflict with OS drivers
    
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit ccf19569ab72b6b53b9e5f89003f7af971fbe8ab
Author: Jon Murphy <jcmurphy26(a)gmail.com>
Date:   Sun Dec 5 00:46:20 2021 +0100

    manualpages: Complete the list of user manual pages
    
    Jon Murphy gathered all the links and made the updated file
    available on the mailing list:
    https://lists.ipfire.org/pipermail/development/2021-October/011383.html
    https://lists.ipfire.org/pipermail/development/2021-December/011737.html
    
    With kind permission from him, this patch contains the completed list.
    The list was successfully checked with "./make.sh check-manualpages".
    
    Signed-off-by: Leo-Andres Hofmann <hofmann(a)leo-andres.de>
    Reported-by: Jon Murphy <jcmurphy26(a)gmail.com>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/manualpages                       | 81 +++++++++++++++++++++++-
 config/rootfiles/common/suricata                 |  1 +
 config/rootfiles/packages/pcengines-apu-firmware | 12 ++--
 config/suricata/suricata-default-rules.yaml      | 20 ++++++
 config/suricata/suricata.yaml                    | 25 ++------
 lfs/pcengines-apu-firmware                       | 16 ++---
 lfs/suricata                                     |  4 ++
 src/patches/suricata-disable-sid-2210059.patch   | 12 ++++
 8 files changed, 133 insertions(+), 38 deletions(-)
 create mode 100644 config/suricata/suricata-default-rules.yaml
 create mode 100644 src/patches/suricata-disable-sid-2210059.patch

Difference in files:
diff --git a/config/cfgroot/manualpages b/config/cfgroot/manualpages
index e5ab1a13c..97246e6f0 100644
--- a/config/cfgroot/manualpages
+++ b/config/cfgroot/manualpages
@@ -1,7 +1,82 @@
-# User manual base URL (without trailing slash)
+# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page]) 
+
+# Base URL (without trailing slash)
 BASE_URL=https://wiki.ipfire.org
+index=configuration/system/startpage
 
-# Assign manual page URL path to CGI file ([cgi basename]=[path/to/page])
+#	System menu
 index=configuration/system/startpage
-pppsetup=configuration/system/dial
+mail=configuration/system/mail_service
+remote=configuration/system/ssh
+backup=configuration/system/backup
+gui=configuration/system/userinterface
+fireinfo=fireinfo
+vulnerabilities=configuration/system/vulnerabilities
+shutdown=configuration/system/shutdown
+credits=configuration/system/credits
+
+#	Status menu
+system=configuration/status/system
+memory=configuration/status/memory
+services=configuration/status/services
+media=configuration/status/drives
+netexternal=configuration/status/network_ext
+netinternal=configuration/status/network_int
+netother=configuration/status/network_int
+netovpnrw=configuration/status/network_ovpnrw
+#netovpnsrv=
+hardwaregraphs=configuration/status/hardware_diagrams
+entropy=configuration/status/entropy
+connections=configuration/status/connections
+traffic=configuration/status/nettraffic
+#mdstat=
+
+#	Network menu
+zoneconf=configuration/network/zoneconf
+dns=dns
+proxy=configuration/network/proxy
+urlfilter=configuration/network/proxy/url-filter
+#updatexlrator=configuration/network/proxy/update_accelerator
+dhcp=configuration/network/dhcp
+captive=configuration/network/captive
+connscheduler=configuration/network/connectionscheduler
+hosts=configuration/network/hosts
+dnsforward=configuration/network/dnsforward
+routing=configuration/network/static
+mac=configuration/network/mac-address
+wakeonlan=configuration/network/wake-on-lan
+
+#	Services menu
+vpnmain=configuration/services/ipsec
+ovpnmain=configuration/services/openvpn
+ddns=configuration/services/dyndns
+time=configuration/services/ntp
 qos=configuration/services/qos
+extrahd=configuration/services/extrahd
+
+#	Firewall menu
+firewall=configuration/firewall
+fwhosts=configuration/firewall/fwgroups
+optionsfw=configuration/firewall/options
+ids=configuration/firewall/ips
+p2p-block=configuration/firewall/p2p-block
+location-block=configuration/firewall/geoip-block
+wireless=configuration/firewall/accesstoblue
+iptables=configuration/firewall/iptables
+
+#	IPfire menu
+pakfire=configuration/ipfire/pakfire
+
+#	Logs menu
+summary=configuration/logs/summary
+config=configuration/logs/logsettings
+proxylog=configuration/logs/proxy
+calamaris=configuration/logs/proxyreports
+firewalllog=configuration/logs/firewall
+firewalllogip=configuration/logs/firewall-ip
+firewalllogport=configuration/logs/firewall-port
+firewalllogcountry=configuration/logs/firewall-country
+ids=configuration/logs/ips
+#ovpnclients=
+urlfilter=configuration/logs/url-filter
+log=configuration/logs/system
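Review bot: several keys are assigned more than once in the new list, so a lookup by CGI basename can return only one of each pair. `index=configuration/system/startpage` is added directly under `BASE_URL` and is still present under the System menu heading; `ids` is set to `configuration/firewall/ips` in the Firewall section and again to `configuration/logs/ips` in the Logs section; `urlfilter` is set to `configuration/network/proxy/url-filter` and later to `configuration/logs/url-filter`. Since the header describes the format as [cgi basename]=[path/to/page], the Logs entries need their own CGI basenames or one of each pair should be dropped. The new first comment line also ends in trailing whitespace, and `pppsetup=configuration/system/dial` is removed without a replacement entry, which deserves a word in the commit message if it is intentional.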
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index ff31ec7d2..41193f4ea 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -37,6 +37,7 @@ usr/share/suricata
 #usr/share/suricata/rules/smtp-events.rules
 #usr/share/suricata/rules/stream-events.rules
 #usr/share/suricata/rules/tls-events.rules
+var/ipfire/suricata/suricata-default-rules.yaml
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
diff --git a/config/rootfiles/packages/pcengines-apu-firmware b/config/rootfiles/packages/pcengines-apu-firmware
index 3ae4e74e9..de4f03efa 100644
--- a/config/rootfiles/packages/pcengines-apu-firmware
+++ b/config/rootfiles/packages/pcengines-apu-firmware
@@ -1,8 +1,8 @@
 #lib/firmware/pcengines
 #lib/firmware/pcengines/apu
-lib/firmware/pcengines/apu/apu1_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu2_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu3_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu4_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu5_v4.14.0.4.rom
-lib/firmware/pcengines/apu/apu6_v4.14.0.4.rom
+lib/firmware/pcengines/apu/apu1_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu2_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu3_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu4_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu5_v4.15.0.1.rom
+lib/firmware/pcengines/apu/apu6_v4.15.0.1.rom
diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/suricata-default-rules.yaml
new file mode 100644
index 000000000..64493e462
--- /dev/null
+++ b/config/suricata/suricata-default-rules.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Default rules which helps
+ - /usr/share/suricata/rules/app-layer-events.rules
+ - /usr/share/suricata/rules/decoder-events.rules
+ - /usr/share/suricata/rules/dhcp-events.rules
+ - /usr/share/suricata/rules/dnp3-events.rules
+ - /usr/share/suricata/rules/dns-events.rules
+ - /usr/share/suricata/rules/files.rules
+ - /usr/share/suricata/rules/http-events.rules
+ - /usr/share/suricata/rules/ipsec-events.rules
+ - /usr/share/suricata/rules/kerberos-events.rules
+ - /usr/share/suricata/rules/modbus-events.rules
+ - /usr/share/suricata/rules/nfs-events.rules
+ - /usr/share/suricata/rules/ntp-events.rules
+ - /usr/share/suricata/rules/smb-events.rules
+ - /usr/share/suricata/rules/smtp-events.rules
+ - /usr/share/suricata/rules/stream-events.rules
+ - /usr/share/suricata/rules/tls-events.rules
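Review bot: the only comment in the new file, `# Default rules which helps`, is an unfinished sentence and does not say what the list is for or that it is pulled in from suricata.yaml. Please complete it, and consider noting there that `http2-events.rules` and `mqtt-events.rules` from the previous in-line list are deliberately left out, so that a later reader comparing the two lists does not treat the missing event rules as lost detection coverage. The file is also a bare indented sequence with no parent key, so it is only meaningful when included below `rule-files:`; a one-line comment saying so would prevent it from being included elsewhere by mistake.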
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 0ad36e705..b4a188d40 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -46,28 +46,11 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Default rules
-    - /usr/share/suricata/rules/app-layer-events.rules
-    - /usr/share/suricata/rules/decoder-events.rules
-    - /usr/share/suricata/rules/dhcp-events.rules
-    - /usr/share/suricata/rules/dnp3-events.rules
-    - /usr/share/suricata/rules/dns-events.rules
-    - /usr/share/suricata/rules/files.rules
-    - /usr/share/suricata/rules/http2-events.rules
-    - /usr/share/suricata/rules/http-events.rules
-    - /usr/share/suricata/rules/ipsec-events.rules
-    - /usr/share/suricata/rules/kerberos-events.rules
-    - /usr/share/suricata/rules/modbus-events.rules
-    - /usr/share/suricata/rules/mqtt-events.rules
-    - /usr/share/suricata/rules/nfs-events.rules
-    - /usr/share/suricata/rules/ntp-events.rules
-    - /usr/share/suricata/rules/smb-events.rules
-    - /usr/share/suricata/rules/smtp-events.rules
-    - /usr/share/suricata/rules/stream-events.rules
-    - /usr/share/suricata/rules/tls-events.rules
-
     # Include enabled ruleset files from external file
-    - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+
+    # Include default rules.
+    include: /var/ipfire/suricata/suricata-default-rules.yaml
 
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
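Review bot: below `rule-files:` the entry changes from a sequence item, `- !include: ...`, to two plain `include:` keys at the same indentation, which makes them duplicate mapping keys inside what was a list. Please confirm that the Suricata configuration loader processes both includes in this position and merges the two included sequences, because a loader that keeps only one of two identical keys would silently drop either the user-selected rule files or the default event rules. The comment `# Include enabled ruleset files from external file` could also name which component writes suricata-used-rulefiles.yaml, since that file is not part of this change.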
diff --git a/lfs/pcengines-apu-firmware b/lfs/pcengines-apu-firmware
index 0224b028f..c6729772b 100644
--- a/lfs/pcengines-apu-firmware
+++ b/lfs/pcengines-apu-firmware
@@ -24,14 +24,14 @@
 
 include Config
 
-VER        = 4.14.0.4
+VER        = 4.15.0.1
 
 THISAPP    = pcengines-apu-firmware-$(VER)
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = pcengines-apu-firmware
-PAK_VER    = 9
+PAK_VER    = 10
 SUP_ARCH   = i586 x86_64
 
 DEPS       = firmware-update
@@ -55,12 +55,12 @@ apu4_v$(VER).rom = $(DL_FROM)/apu4_v$(VER).rom
 apu5_v$(VER).rom = $(DL_FROM)/apu5_v$(VER).rom
 apu6_v$(VER).rom = $(DL_FROM)/apu6_v$(VER).rom
 
-apu1_v$(VER).rom_MD5 = e60ce8d903cb1e301aae1160aa8413cd
-apu2_v$(VER).rom_MD5 = 00da67aecd00e7479f0194ccc4ee5739
-apu3_v$(VER).rom_MD5 = 4f935c61fc4274c0b427d16d6aa0049a
-apu4_v$(VER).rom_MD5 = 3aed8f5e1e543a3912c808fe68067dde
-apu5_v$(VER).rom_MD5 = c39dbf45aa630c273fcace35fbc6324e
-apu6_v$(VER).rom_MD5 = b81f9da0f39b355344b602868b2ddcff
+apu1_v$(VER).rom_MD5 = 6b53385232624d48ec7c8fc7f0390413
+apu2_v$(VER).rom_MD5 = 062b6fe09e22077b7155f3eb3bf8ec34
+apu3_v$(VER).rom_MD5 = caa7a5b8d4977de9e4135ab1bc1d15dd
+apu4_v$(VER).rom_MD5 = ffc0f94f2d9c6c25e1d53e0386fbd20b
+apu5_v$(VER).rom_MD5 = e63e1f3392a414942ca65cfa46868665
+apu6_v$(VER).rom_MD5 = 9264657ad3fca49101b28901cf65f4bf
 
 install : $(TARGET)
 
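Review bot: the six `apuN_v$(VER).rom_MD5` lines are the only integrity check visible here for firmware images that are later flashed to the board, and MD5 no longer offers collision resistance. If the build system supports a stronger digest for downloaded objects, the version bump is a good moment to record one for these ROMs; if it does not, the commit message should at least state where the new checksums were obtained, since `DL_FROM` points at the project's own mirror rather than the vendor.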
diff --git a/lfs/suricata b/lfs/suricata
index f5b68da8f..6a24a02ab 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -71,6 +71,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-disable-sid-2210059.patch
 	cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
 		--prefix=/usr \
 		--sysconfdir=/etc \
@@ -96,6 +97,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install IPFire related config file.
 	install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
 
+	# Install yaml file for loading default rules.
+	install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
+
 	# Create emtpy rules directory.
 	-mkdir -p /var/lib/suricata
 
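Review bot: suricata-default-rules.yaml is installed with `-m 0664`, while suricata.yaml two lines above uses `-m 0644`, so the new file is group-writable and no owner or group is set in this hunk. Because the file is included into the rule-files list, anyone in that group can change which rule files the IPS loads. If the web interface is not meant to rewrite this file, use 0644; if it is, add the intended ownership here and say so in the comment.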
diff --git a/src/patches/suricata-disable-sid-2210059.patch b/src/patches/suricata-disable-sid-2210059.patch
new file mode 100644
index 000000000..54747dfd2
--- /dev/null
+++ b/src/patches/suricata-disable-sid-2210059.patch
@@ -0,0 +1,12 @@
+diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules
+--- a/rules/stream-events.rules	2021-11-17 16:55:12.000000000 +0100
++++ b/rules/stream-events.rules	2021-12-08 18:12:39.850189502 +0100
+@@ -89,7 +89,7 @@
+ # rule to alert if a stream has excessive retransmissions
+ alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
+ # Packet on wrong thread. Fires at most once per flow.
+-alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
++#alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
+ 
+ # Packet with FIN+SYN set
+ alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
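Review bot: the rule for sid 2210059 is commented out with no note on why, and the preceding comment `# Packet on wrong thread. Fires at most once per flow.` now describes a disabled rule. Please add a line in the patched rules file that references bug #12738 and states that the disablement is temporary, so the patch is revisited instead of being carried forward. Since this edits the upstream stream-events.rules at build time, it has to be re-checked on every Suricata update; a suppress entry for this signature in threshold.config would silence the alert without patching upstream rules, if that fits the way IPFire generates its configuration.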


hooks/post-receive
--
IPFire 2.x development tree
