suricata: T751: Initial support for suricata

3 files changed, 206 insertions, 0 deletions

diff --git a/src/conf_mode/service_ids_suricata.py b/src/conf_mode/service_ids_suricata.py
new file mode 100755
index 000000000..49fbce244
--- /dev/null
+++ b/src/conf_mode/service_ids_suricata.py
@@ -0,0 +1,190 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.base import Warning
+from vyos.config import Config
+from vyos.template import render
+from vyos.utils.process import call
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+config_file = '/run/suricata/suricata.yaml'
+rotate_file = '/etc/logrotate.d/suricata'
+
+address_group_defaults = {
+    'home-net': {'address': ['192.168.0.0/16','10.0.0.0/8','172.16.0.0/12']},
+    'external-net': {'group': ['!home-net']},
+    'http-servers': {'group': ['home-net']},
+    'smtp-servers': {'group': ['home-net']},
+    'sql-servers': {'group': ['home-net']},
+    'dns-servers': {'group': ['home-net']},
+    'telnet-servers': {'group': ['home-net']},
+    'aim-servers': {'group': ['external-net']},
+    'dc-servers': {'group': ['home-net']},
+    'dnp3-server': {'group': ['home-net']},
+    'modbus-client': {'group': ['home-net']},
+    'modbus-server': {'group': ['home-net']},
+    'enip-client': {'group': ['home-net']},
+    'enip-server': {'group': ['home-net']},
+}
+
+port_group_defaults = {
+    'http-ports': {'port': ['80']},
+    'shellcode-ports': {'port': ['!80']},
+    'oracle-ports': {'port': ['1521']},
+    'ssh-ports': {'port': ['22']},
+    'dnp3-ports': {'port': ['20000']},
+    'modbus-ports': {'port': ['502']},
+    'file-data-ports': {'port': ['110', '143'], 'group': ['http-ports']},
+    'ftp-ports': {'port': ['21']},
+    'geneve-ports': {'port': ['6081']},
+    'vxlan-ports': {'port': ['4789']},
+    'teredo-ports': {'port': ['3544']},
+}
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['service', 'ids', 'suricata']
+    if not conf.exists(base):
+        return None
+
+    suricata = conf.get_config_dict(base,
+                                      get_first_key=True,
+                                      with_recursive_defaults=True)
+
+    # Ensure minimal defaults are present
+    suricata['address-group'] = address_group_defaults | suricata.get('address-group', {})
+    suricata['port-group'] = port_group_defaults | suricata.get('port-group', {})
+
+    return suricata
+
+# https://en.wikipedia.org/wiki/Topological_sorting#Depth-first_search
+def topological_sort(source):
+    sorted_nodes = []
+    permanent_marks = set()
+    temporary_marks = set()
+
+    def visit(n, v):
+        if n in permanent_marks:
+            return
+        if n in temporary_marks:
+            raise ConfigError('At least one cycle exists in the referenced groups')
+
+        temporary_marks.add(n)
+
+        for m in v.get('group', []):
+            m = m.lstrip('!')
+            if m not in source:
+                raise ConfigError(f'Undefined referenced group "{m}"')
+            visit(m, source[m])
+
+        temporary_marks.remove(n)
+        permanent_marks.add(n)
+        sorted_nodes.append((n, v))
+
+    while len(permanent_marks) < len(source):
+        n = next(n for n in source.keys() if n not in permanent_marks)
+        visit(n, source[n])
+
+    return sorted_nodes
+
+def verify(suricata):
+    if not suricata:
+        return None
+
+    if 'interface' not in suricata:
+        raise ConfigError('No interfaces configured')
+
+    try:
+        topological_sort(suricata['address-group'])
+    except (ConfigError,StopIteration) as e:
+        raise ConfigError(f'Invalid address-group: {e}')
+
+    try:
+        topological_sort(suricata['port-group'])
+    except (ConfigError,StopIteration) as e:
+        raise ConfigError(f'Invalid port-group: {e}')
+
+def generate(suricata):
+    if not suricata:
+        for file in [config_file, rotate_file]:
+            if os.path.isfile(file):
+                os.unlink(file)
+
+        return None
+
+    # Config-related formatters
+    def to_var(s:str):
+        return s.replace('-','_').upper()
+
+    def to_val(s:str):
+        return s.replace('-',':')
+
+    def to_ref(s:str):
+        if s[0] == '!':
+            return '!$' + to_var(s[1:])
+        return '$' + to_var(s)
+
+    def to_config(kind:str):
+        def format_group(group):
+            (name, value) = group
+            property = [to_val(property) for property in value.get(kind,[])]
+            group = [to_ref(group) for group in value.get('group',[])]
+            return (to_var(name), property + group)
+        return format_group
+
+    # Format the address group
+    suricata['address-group'] = map(to_config('address'),
+                                    topological_sort(suricata['address-group']))
+
+    # Format the port group
+    suricata['port-group'] = map(to_config('port'),
+                                    topological_sort(suricata['port-group']))
+
+    render(config_file, 'ids/suricata.j2', {'suricata': suricata})
+    render(rotate_file, 'ids/suricata_logrotate.j2', suricata)
+    return None
+
+def apply(suricata):
+    systemd_service = 'suricata.service'
+    if not suricata or 'interface' not in suricata:
+        # Stop suricata service if removed
+        call(f'systemctl stop {systemd_service}')
+    else:
+        Warning('To fetch the latest rules, use "update suricata"; '
+                'To periodically fetch the latest rules, '
+                'use the task scheduler!')
+        call(f'systemctl restart {systemd_service}')
+
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/etc/systemd/system/suricata.service.d/10-override.conf b/src/etc/systemd/system/suricata.service.d/10-override.conf
new file mode 100644
index 000000000..781256cf5
--- /dev/null
+++ b/src/etc/systemd/system/suricata.service.d/10-override.conf
@@ -0,0 +1,9 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/suricata -D --af-packet -c /run/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid
+PIDFile=
+PIDFile=/run/suricata/suricata.pid
+ExecReload=
+ExecReload=/usr/bin/suricatasc -c reload-rules /run/suricata/suricata.socket ; /bin/kill -HUP $MAINPID
+ExecStop=
+ExecStop=/usr/bin/suricatasc -c shutdown /run/suricata/suricata.socket
diff --git a/src/validators/port-range-exclude b/src/validators/port-range-exclude
new file mode 100755
index 000000000..4c049e98f
--- /dev/null
+++ b/src/validators/port-range-exclude
@@ -0,0 +1,7 @@
+#!/bin/sh
+arg="$1"
+if [ "${arg:0:1}" != "!" ]; then
+  exit 1
+fi
+path=$(dirname "$0")
+${path}/port-range "${arg:1}"