-rw-r--r--interface-definitions/service_ids_suricata.xml.in250
-rw-r--r--interface-definitions/service_suricata.xml.in246
-rwxr-xr-xsrc/conf_mode/service_suricata.py (renamed from src/conf_mode/service_ids_suricata.py)2
3 files changed, 247 insertions, 251 deletions
diff --git a/interface-definitions/service_ids_suricata.xml.in b/interface-definitions/service_ids_suricata.xml.in
deleted file mode 100644
index 8c1973567..000000000
--- a/interface-definitions/service_ids_suricata.xml.in
+++ /dev/null
@@ -1,250 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="service">
- <children>
- <node name="ids">
- <children>
- <node name="suricata" owner="${vyos_conf_scripts_dir}/service_ids_suricata.py">
- <properties>
- <help>Network IDS, IPS and Network Security Monitoring</help>
- <priority>740</priority>
- </properties>
- <children>
- #include <include/generic-interface-multi.xml.i>
- <tagNode name="address-group">
- <properties>
- <help>Address group name</help>
- <completionHelp>
- <list>home-net external-net http-servers smtp-servers sql-servers dns-servers telnet-servers aim-servers dc-servers dnp3-server dnp3-client modbus-client modbus-server enip-client enip-server</list>
- </completionHelp>
- <constraint>
- <regex>[a-z0-9-]+</regex>
- </constraint>
- </properties>
- <children>
- <leafNode name="address">
- <properties>
- <help>IP address or subnet</help>
- <valueHelp>
- <format>ipv4</format>
- <description>IPv4 address to match</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>IPv6 address to match</description>
- </valueHelp>
- <valueHelp>
- <format>ipv4net</format>
- <description>IPv4 prefix to match</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6net</format>
- <description>IPv6 prefix to match</description>
- </valueHelp>
- <valueHelp>
- <format>!ipv4</format>
- <description>Exclude the specified IPv4 address from matches</description>
- </valueHelp>
- <valueHelp>
- <format>!ipv6</format>
- <description>Exclude the specified IPv6 address from matches</description>
- </valueHelp>
- <valueHelp>
- <format>!ipv4net</format>
- <description>Exclude the specified IPv6 prefix from matches</description>
- </valueHelp>
- <valueHelp>
- <format>!ipv6net</format>
- <description>Exclude the specified IPv6 prefix from matches</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-address"/>
- <validator name="ipv6-address"/>
- <validator name="ipv4-prefix"/>
- <validator name="ipv6-prefix"/>
- <validator name="ipv4-address-exclude"/>
- <validator name="ipv6-address-exclude"/>
- <validator name="ipv4-prefix-exclude"/>
- <validator name="ipv6-prefix-exclude"/>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- <leafNode name="group">
- <properties>
- <help>Address group</help>
- <completionHelp>
- <path>service ids suricata address-group</path>
- <list>home-net external-net http-servers smtp-servers sql-servers dns-servers telnet-servers aim-servers dc-servers dnp3-server dnp3-client modbus-client modbus-server enip-client enip-server</list>
- </completionHelp>
- <valueHelp>
- <format>string</format>
- <description>Address group to match</description>
- </valueHelp>
- <valueHelp>
- <format>!string</format>
- <description>Exclude the specified address group from matches</description>
- </valueHelp>
- <constraint>
- <regex>!?[a-z0-9-]+</regex>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- <tagNode name="port-group">
- <properties>
- <help>Port group name</help>
- <completionHelp>
- <list>http-ports shellcode-ports oracle-ports ssh-ports dnp3-ports modbus-ports file-data-ports ftp-ports geneve-ports vxlan-ports teredo-ports</list>
- </completionHelp>
- <constraint>
- <regex>[a-z0-9-]+</regex>
- </constraint>
- </properties>
- <children>
- <leafNode name="port">
- <properties>
- <help>Port number</help>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numeric port to match</description>
- </valueHelp>
- <valueHelp>
- <format>!u32:1-65535</format>
- <description>Numeric port to exclude from matches</description>
- </valueHelp>
- <valueHelp>
- <format>start-end</format>
- <description>Numbered port range (e.g. 1001-1005) to match</description>
- </valueHelp>
- <valueHelp>
- <format>!start-end</format>
- <description>Numbered port range (e.g. !1001-1005) to exclude from matches</description>
- </valueHelp>
- <constraint>
- <validator name="port-range"/>
- <validator name="port-range-exclude"/>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- <leafNode name="group">
- <properties>
- <help>Port group</help>
- <completionHelp>
- <path>service ids suricata port-group</path>
- <list>http-ports shellcode-ports oracle-ports ssh-ports dnp3-ports modbus-ports file-data-ports ftp-ports geneve-ports vxlan-ports teredo-ports</list>
- </completionHelp>
- <valueHelp>
- <format>string</format>
- <description>Port group to match</description>
- </valueHelp>
- <valueHelp>
- <format>!string</format>
- <description>Exclude the specified port group from matches</description>
- </valueHelp>
- <constraint>
- <regex>!?[a-z0-9-]+</regex>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- <node name="log">
- <properties>
- <help>Suricata log outputs</help>
- </properties>
- <children>
- <node name="eve">
- <properties>
- <help>Extensible Event Format (EVE)</help>
- </properties>
- <children>
- <leafNode name="filetype">
- <properties>
- <help>EVE logging destination</help>
- <completionHelp>
- <list>regular syslog</list>
- </completionHelp>
- <valueHelp>
- <format>regular</format>
- <description>Log to filename</description>
- </valueHelp>
- <valueHelp>
- <format>syslog</format>
- <description>Log to syslog</description>
- </valueHelp>
- <constraint>
- <regex>(regular|syslog)</regex>
- </constraint>
- </properties>
- <defaultValue>regular</defaultValue>
- </leafNode>
- <leafNode name="filename">
- <properties>
- <help>Log file</help>
- <valueHelp>
- <format>filename</format>
- <description>File name in default Suricata log directory</description>
- </valueHelp>
- <valueHelp>
- <format>/path</format>
- <description>Absolute file path</description>
- </valueHelp>
- </properties>
- <defaultValue>eve.json</defaultValue>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>Log types</help>
- <completionHelp>
- <list>alert anomaly drop files http dns tls smtp dnp3 ftp rdp nfs smb tftp ikev2 dcerpc krb5 snmp rfb sip dhcp ssh mqtt http2 flow netflow</list>
- </completionHelp>
- <valueHelp>
- <format>alert</format>
- <description>Record events for rule matches</description>
- </valueHelp>
- <valueHelp>
- <format>anomaly</format>
- <description>Record unexpected conditions such as truncated packets, packets with invalid IP/UDP/TCP length values, and other events that render the packet invalid for further processing or describe unexpected behavior on an established stream</description>
- </valueHelp>
- <valueHelp>
- <format>drop</format>
- <description>Record events for dropped packets</description>
- </valueHelp>
- <valueHelp>
- <format>file</format>
- <description>Record file details (e.g., MD5) for files extracted from application protocols (e.g., HTTP)</description>
- </valueHelp>
- <valueHelp>
- <format>application (http, dns, tls, ...)</format>
- <description>Record application-level transactions</description>
- </valueHelp>
- <valueHelp>
- <format>flow</format>
- <description>Record bi-directional flows</description>
- </valueHelp>
- <valueHelp>
- <format>netflow</format>
- <description>Record uni-directional flows</description>
- </valueHelp>
- <constraint>
- <regex>(alert|anomaly|http|dns|tls|files|drop|smtp|dnp3|ftp|rdp|nfs|smb|tftp|ikev2|dcerpc|krb5|snmp|rfb|sip|dhcp|ssh|mqtt|http2|flow|netflow)</regex>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/interface-definitions/service_suricata.xml.in b/interface-definitions/service_suricata.xml.in
new file mode 100644
index 000000000..e21320bfe
--- /dev/null
+++ b/interface-definitions/service_suricata.xml.in
@@ -0,0 +1,246 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="service">
+ <children>
+ <node name="suricata" owner="${vyos_conf_scripts_dir}/service_suricata.py">
+ <properties>
+ <help>Network IDS, IPS and Security Monitoring</help>
+ <priority>740</priority>
+ </properties>
+ <children>
+ #include <include/generic-interface-multi.xml.i>
+ <tagNode name="address-group">
+ <properties>
+ <help>Address group name</help>
+ <completionHelp>
+ <list>home-net external-net http-servers smtp-servers sql-servers dns-servers telnet-servers aim-servers dc-servers dnp3-server dnp3-client modbus-client modbus-server enip-client enip-server</list>
+ </completionHelp>
+ <constraint>
+ <regex>[a-z0-9-]+</regex>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>IP address or subnet</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 prefix to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 prefix to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4</format>
+ <description>Exclude the specified IPv4 address from matches</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6</format>
+ <description>Exclude the specified IPv6 address from matches</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4net</format>
+ <description>Exclude the specified IPv6 prefix from matches</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6net</format>
+ <description>Exclude the specified IPv6 prefix from matches</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv6-address"/>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ <validator name="ipv4-address-exclude"/>
+ <validator name="ipv6-address-exclude"/>
+ <validator name="ipv4-prefix-exclude"/>
+ <validator name="ipv6-prefix-exclude"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="group">
+ <properties>
+ <help>Address group</help>
+ <completionHelp>
+ <path>service ids suricata address-group</path>
+ <list>home-net external-net http-servers smtp-servers sql-servers dns-servers telnet-servers aim-servers dc-servers dnp3-server dnp3-client modbus-client modbus-server enip-client enip-server</list>
+ </completionHelp>
+ <valueHelp>
+ <format>string</format>
+ <description>Address group to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!string</format>
+ <description>Exclude the specified address group from matches</description>
+ </valueHelp>
+ <constraint>
+ <regex>!?[a-z0-9-]+</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="port-group">
+ <properties>
+ <help>Port group name</help>
+ <completionHelp>
+ <list>http-ports shellcode-ports oracle-ports ssh-ports dnp3-ports modbus-ports file-data-ports ftp-ports geneve-ports vxlan-ports teredo-ports</list>
+ </completionHelp>
+ <constraint>
+ <regex>[a-z0-9-]+</regex>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="port">
+ <properties>
+ <help>Port number</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Numeric port to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!u32:1-65535</format>
+ <description>Numeric port to exclude from matches</description>
+ </valueHelp>
+ <valueHelp>
+ <format>start-end</format>
+ <description>Numbered port range (e.g. 1001-1005) to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!start-end</format>
+ <description>Numbered port range (e.g. !1001-1005) to exclude from matches</description>
+ </valueHelp>
+ <constraint>
+ <validator name="port-range"/>
+ <validator name="port-range-exclude"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="group">
+ <properties>
+ <help>Port group</help>
+ <completionHelp>
+ <path>service ids suricata port-group</path>
+ <list>http-ports shellcode-ports oracle-ports ssh-ports dnp3-ports modbus-ports file-data-ports ftp-ports geneve-ports vxlan-ports teredo-ports</list>
+ </completionHelp>
+ <valueHelp>
+ <format>string</format>
+ <description>Port group to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!string</format>
+ <description>Exclude the specified port group from matches</description>
+ </valueHelp>
+ <constraint>
+ <regex>!?[a-z0-9-]+</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <node name="log">
+ <properties>
+ <help>Suricata log outputs</help>
+ </properties>
+ <children>
+ <node name="eve">
+ <properties>
+ <help>Extensible Event Format (EVE)</help>
+ </properties>
+ <children>
+ <leafNode name="filetype">
+ <properties>
+ <help>EVE logging destination</help>
+ <completionHelp>
+ <list>regular syslog</list>
+ </completionHelp>
+ <valueHelp>
+ <format>regular</format>
+ <description>Log to filename</description>
+ </valueHelp>
+ <valueHelp>
+ <format>syslog</format>
+ <description>Log to syslog</description>
+ </valueHelp>
+ <constraint>
+ <regex>(regular|syslog)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>regular</defaultValue>
+ </leafNode>
+ <leafNode name="filename">
+ <properties>
+ <help>Log file</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>File name in default Suricata log directory</description>
+ </valueHelp>
+ <valueHelp>
+ <format>/path</format>
+ <description>Absolute file path</description>
+ </valueHelp>
+ </properties>
+ <defaultValue>eve.json</defaultValue>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>Log types</help>
+ <completionHelp>
+ <list>alert anomaly drop files http dns tls smtp dnp3 ftp rdp nfs smb tftp ikev2 dcerpc krb5 snmp rfb sip dhcp ssh mqtt http2 flow netflow</list>
+ </completionHelp>
+ <valueHelp>
+ <format>alert</format>
+ <description>Record events for rule matches</description>
+ </valueHelp>
+ <valueHelp>
+ <format>anomaly</format>
+ <description>Record unexpected conditions such as truncated packets, packets with invalid IP/UDP/TCP length values, and other events that render the packet invalid for further processing or describe unexpected behavior on an established stream</description>
+ </valueHelp>
+ <valueHelp>
+ <format>drop</format>
+ <description>Record events for dropped packets</description>
+ </valueHelp>
+ <valueHelp>
+ <format>file</format>
+ <description>Record file details (e.g., MD5) for files extracted from application protocols (e.g., HTTP)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>application (http, dns, tls, ...)</format>
+ <description>Record application-level transactions</description>
+ </valueHelp>
+ <valueHelp>
+ <format>flow</format>
+ <description>Record bi-directional flows</description>
+ </valueHelp>
+ <valueHelp>
+ <format>netflow</format>
+ <description>Record uni-directional flows</description>
+ </valueHelp>
+ <constraint>
+ <regex>(alert|anomaly|http|dns|tls|files|drop|smtp|dnp3|ftp|rdp|nfs|smb|tftp|ikev2|dcerpc|krb5|snmp|rfb|sip|dhcp|ssh|mqtt|http2|flow|netflow)</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
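Review bot: The completionHelp `<path>` values on both `group` leaves still reference the CLI location this commit removes, `<path>service ids suricata address-group</path>` and `<path>service ids suricata port-group</path>`, so tab completion will look up a config node that no longer exists and fall back to the static list only; they should read `<path>service suricata address-group</path>` and `<path>service suricata port-group</path>` to match the new `service suricata` root. The `!ipv4net` valueHelp description also says "Exclude the specified IPv6 prefix from matches" where IPv4 is meant. Separately, the `log eve filename` leaf carries no constraint while its help text explicitly invites an absolute `/path`; if that string reaches the generated suricata.yaml unchanged it is worth confirming (not visible here) that the template restricts or at least quotes the value, since the other free-form leaves in this file all carry a regex or validator.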
diff --git a/src/conf_mode/service_ids_suricata.py b/src/conf_mode/service_suricata.py
index 49fbce244..cce4de6e3 100755
--- a/src/conf_mode/service_ids_suricata.py
+++ b/src/conf_mode/service_suricata.py
@@ -65,7 +65,7 @@ def get_config(config=None):
conf = config
else:
conf = Config()
- base = ['service', 'ids', 'suricata']
+ base = ['service', 'suricata']
if not conf.exists(base):
return None