Merge pull request #505 from bmeeks8/pfSense-pkg-suricata-4.0.3_2

security/pfSense-pkg-suricata/Makefile

@@ -2,7 +2,7 @@
 
 PORTNAME=	pfSense-pkg-suricata
 PORTVERSION=	4.0.3
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	# empty
 DISTFILES=	# empty

security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_check_for_rule_updates.php

@@ -49,7 +49,7 @@
 /* Working directory for downloaded rules tarballs */
 $tmpfname = "{$g['tmp_path']}/suricata_rules_up";
 
-/* Snort VRT Rules filenames and URL */
+/* Snort Rules filenames and URL */
 $snort_filename_md5 = "{$snort_filename}.md5";
 $snort_rule_url = VRT_DNLD_URL;
 
@@ -78,7 +78,7 @@
 	$emergingthreats_filename = ET_DNLD_FILENAME;
 	$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5";
 	$emergingthreats_url = ET_BASE_DNLD_URL;
-	// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules
+	// If using Snort rules with ET, then we should use the open-nogpl ET rules
 	$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/";
 	$emergingthreats_url .= "suricata-{$suri_eng_ver}/";
 	$et_name = "Emerging Threats Open";
@@ -397,17 +397,17 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
 		$emergingthreats = 'off';
 }
 
-/*  Check for and download any new Snort VRT sigs */
+/*  Check for and download any new Snort rule sigs */
 if ($snortdownload == 'on') {
 	if (empty($snort_filename)) {
-		log_error(gettext("No snortrules-snapshot filename has been set on Snort pkg GLOBAL SETTINGS tab.  Snort VRT rules cannot be updated."));
-		error_log(gettext("\tWARNING-- No snortrules-snapshot filename set on GLOBAL SETTINGS tab. Snort VRT rules cannot be updated!\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+		log_error(gettext("No snortrules-snapshot filename has been set on Snort pkg GLOBAL SETTINGS tab.  Snort rules cannot be updated."));
+		error_log(gettext("\tWARNING-- No snortrules-snapshot filename set on GLOBAL SETTINGS tab. Snort rules cannot be updated!\n"), 3, SURICATA_RULES_UPD_LOGFILE);
 		$snortdownload = 'off';
 	}
 	elseif (suricata_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) {
 		/* download snortrules file */
 		$file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}"));
-		if (!suricata_fetch_new_rules("{$snort_rule_url}{$snort_filename}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules"))
+		if (!suricata_fetch_new_rules("{$snort_rule_url}{$snort_filename}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort rules"))
 			$snortdownload = 'off';
 	}
 	else
@@ -495,8 +495,8 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
 		/* Remove the old Snort rules files */
 		$vrt_prefix = VRT_FILE_PREFIX;
 		unlink_if_exists("{$suricatadir}rules/{$vrt_prefix}*.rules");
-		suricata_update_status(gettext("Installing Sourcefire VRT rules..."));
-		error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+		suricata_update_status(gettext("Installing Snort rules..."));
+		error_log(gettext("\tExtracting and installing Snort rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
 
 		/* extract snort.org rules and add prefix to all snort.org files */
 		safe_mkdir("{$tmpfname}/snortrules");
@@ -526,7 +526,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
 			@copy("{$tmpfname}/{$snort_filename_md5}", "{$suricatadir}{$snort_filename_md5}");
 		}
 		suricata_update_status(gettext(" done.") . "\n");
-		error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+		error_log(gettext("\tInstallation of Snort rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
 	}
 }
 

security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_generate_yaml.php

@@ -59,20 +59,17 @@
 	$external_net = trim($external_net, ', ') . "]";
 }
 
-// Set the PASS LIST and write its contents to disk
-$plist = suricata_build_list($suricatacfg, $suricatacfg['passlistname'], true);
-@file_put_contents("{$suricatacfgdir}/passlist", implode("\n", $plist));
+// Set the PASS LIST and write its contents to disk,
+// but only if using Legacy Mode blocking. Otherwise,
+// just create an empty placeholder file.
+unlink_if_exists("{$suricatacfgdir}/rules/passlist.rules");
 $suri_passlist = "{$suricatacfgdir}/passlist";
-
-// If using inline IPS mode, generate PASS rules to substitute for the PASS LIST
-@file_put_contents("{$suricatacfgdir}/rules/passlist.rules", '');
-if ($suricatacfg['ips_mode'] == 'ips_mode_inline' && $suricatacfg['blockoffenders'] == 'on' && $suricatacfg['passlistname'] <> 'none') {
-	$sid_tmp = 1000001;
-	foreach ($plist as $ip_tmp) {
-		$line = "pass ip {$ip_tmp} any <> any any (msg:\"Pass List Entry - allow all traffic from/to {$ip_tmp}\"; sid:{$sid_tmp};)\n";
-		@file_put_contents("{$suricatacfgdir}/rules/passlist.rules", $line, FILE_APPEND);
-		$sid_tmp++;
-	}
+if ($suricatacfg['ips_mode'] == 'ips_mode_legacy' && $suricatacfg['blockoffenders'] == 'on' && $suricatacfg['passlistname'] != 'none') {
+	$plist = suricata_build_list($suricatacfg, $suricatacfg['passlistname'], true);
+	@file_put_contents("{$suricatacfgdir}/passlist", implode("\n", $plist));
+}
+else {
+	file_put_contents("{$suricatacfgdir}/passlist", '');
 }
 
 // Set default and user-defined variables for SERVER_VARS and PORT_VARS
@@ -160,6 +157,13 @@
 else
 	$intf_promisc_mode = "no";
 
+if (!empty($suricatacfg['intf_snaplen'])) {
+	$intf_snaplen = $suricatacfg['intf_snaplen'];
+}
+else {
+	$intf_snaplen = "1518";
+}
+
 // Add interface-specific blocking settings
 if ($suricatacfg['blockoffenders'] == 'on' && $suricatacfg['ips_mode'] == 'ips_mode_legacy')
 	$suri_blockoffenders = "yes";
@@ -852,8 +856,6 @@
 	$rules_files .= "\n - " . FLOWBITS_FILENAME;
 if (filesize("{$suricatacfgdir}/rules/custom.rules") > 0)
 	$rules_files .= "\n - custom.rules";
-if (filesize("{$suricatacfgdir}/rules/passlist.rules") > 0)
-	$rules_files .= "\n - passlist.rules";
 $rules_files = ltrim($rules_files, '\n -');
 
 // Add the general logging settings to the configuration (non-interface specific)
@@ -892,6 +894,7 @@
   - interface: {$if_real}
     checksum-checks: auto
     promisc: {$intf_promisc_mode}
+    snaplen: {$intf_snaplen}
 EOD;
 }
 

security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_migrate_config.php

@@ -4,7 +4,7 @@
  *
  * part of pfSense (https://www.pfsense.org)
  * Copyright (c) 2016 Rubicon Communications, LLC (Netgate)
- * Copyright (C) 2017 Bill Meeks
+ * Copyright (C) 2018 Bill Meeks
  * All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -71,6 +71,35 @@
 	$updated_cfg = true;
 }
 
+/**********************************************************/
+/* Migrate content of any existing SID Mgmt files in the  */
+/* /var/db/suricata/sidmods directory to Base64 encoded   */
+/* strings in SID_MGMT_LIST array in config.xml.          */
+/**********************************************************/
+if (!is_array($config['installedpackages']['suricata']['sid_mgmt_lists'])) {
+	$config['installedpackages']['suricata']['sid_mgmt_lists'] = array();
+}
+if (empty($config['installedpackages']['suricata']['config'][0]['sid_list_migration']) && count($config['installedpackages']['suricata']['sid_mgmt_lists']) < 1) {
+	if (!is_array($config['installedpackages']['suricata']['sid_mgmt_lists']['item'])) {
+		$config['installedpackages']['suricata']['sid_mgmt_lists']['item'] = array();
+	}
+	$a_list = &$config['installedpackages']['suricata']['sid_mgmt_lists']['item'];
+	$sidmodfiles = return_dir_as_array("/var/db/suricata/sidmods/");
+	foreach ($sidmodfiles as $sidfile) {
+		$data = file_get_contents("/var/db/suricata/sidmods/" . $sidfile);
+		if ($data !== FALSE) {
+			$tmp = array();
+			$tmp['name'] = basename($sidfile);
+			$tmp['modtime'] = filemtime("/var/db/suricata/sidmods/" . $sidfile);
+			$tmp['content'] = base64_encode($data);
+			$a_list[] = $tmp;
+		}
+	}
+	$config['installedpackages']['suricata']['config'][0]['sid_list_migration'] = "1";
+	$updated_cfg = true;
+	unset($a_list);
+}
+
 /**********************************************************/
 /* Create new Auto GeoIP update setting if not set        */
 /**********************************************************/
@@ -550,16 +579,27 @@
 		$updated_cfg = true;
 	}
 
+	/**********************************************************/
+	/* Set default value for new interface snaplen parameter  */
+	/* if one has not been previously configured.             */
+	/**********************************************************/
+	if (empty($pconfig['intf_snaplen'])) {
+		$pconfig['intf_snaplen'] = "1518";
+		$updated_cfg = true;
+	}
+
 	// Save the new configuration data into the $config array pointer
 	$r = $pconfig;
 }
 // Release reference to final array element
 unset($r);
 
-// Write out the new configuration to disk if we changed anything
-if ($updated_cfg)
+// Log a message indicating what we did
+if ($updated_cfg) {
 	log_error("[Suricata] Settings successfully migrated to new configuration format.");
-else
+}
+else {
 	log_error("[Suricata] Configuration version is current.");
+}
 
 ?>