suricata: T751: Initial support for suricata

vyos · May 3, 2024 · 9aa1484 · 9aa1484
1 parent 91c1a85
commit 9aa1484
Show file tree

Hide file tree

Showing 8 changed files with 1,588 additions and 1 deletion.
diff --git a/data/templates/ids/suricata.j2 b/data/templates/ids/suricata.j2
diff --git a/data/templates/ids/suricata_logrotate.j2 b/data/templates/ids/suricata_logrotate.j2
@@ -0,0 +1,17 @@
+{% for filename in [(output.eve.filename | default("eve.json"))] %}
+{{ filename if filename.startswith("/") else ("/var/log/suricata/" + filename) }}
+{% endfor %}{
+    weekly
+    dateext
+    dateformat _%Y-%m-%d_%H-%M-%S
+    maxsize 10M
+    rotate 10
+    missingok
+    nocompress
+    nocreate
+    nomail
+    sharedscripts
+    postrotate
+            /bin/kill -HUP `cat /var/run/suricata.pid 2>/dev/null` 2>/dev/null || true
+    endscript
+}
diff --git a/debian/control b/debian/control
@@ -163,6 +163,8 @@ Depends:
 # End "service dns dynamic"
 # # For "service ids"
   fastnetmon [amd64],
+  suricata,
+  suricata-update,
 # End "service ids"
 # # For "service ndp-proxy"
   ndppd,

diff --git a/interface-definitions/service_ids_suricata.xml.in b/interface-definitions/service_ids_suricata.xml.in
@@ -0,0 +1,136 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="service">
+    <children>
+      <node name="ids">
+        <properties>
+          <help>Intrusion Detection System</help>
+        </properties>
+        <children>
+          <node name="suricata" owner="${vyos_conf_scripts_dir}/service_ids_suricata.py">
+            <properties>
+              <help>Suricata high performance Network IDS, IPS and Network Security Monitoring engine</help>
+              <priority>740</priority>
+            </properties>
+            <children>
+              #include <include/generic-interface-multi.xml.i>
+              <tagNode name="address-group">
+                <properties>
+                  <help>Address group name</help>
+                  <completionHelp>
+                    <list>home-net external-net http-servers smtp-servers sql-servers dns-servers telnet-servers aim-servers dc-servers dnp3-server dnp3-client modbus-client modbus-server enip-client enip-server</list>
+                  </completionHelp>
+                  <constraint>
+                    <regex>[a-z0-9-]+</regex>
+                  </constraint>
+                </properties>
+                <children>
+                  <leafNode name="network">
+                    <properties>
+                      <help>Address group values</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Named address group (e.g., $home-net)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv4net</format>
+                        <description>IPv4 prefix(es) to group</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>IPv6 prefix(es) to group</description>
+                      </valueHelp>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+              <tagNode name="port-group">
+                <properties>
+                  <help>Port group name</help>
+                  <completionHelp>
+                    <list>http-ports shellcode-ports oracle-ports ssh-ports dnp3-ports modbus-ports file-data-ports ftp-ports geneve-ports vxlan-ports teredo-ports</list>
+                  </completionHelp>
+                  <constraint>
+                    <regex>[a-z0-9-]+</regex>
+                  </constraint>
+                </properties>
+                <children>
+                  <leafNode name="port">
+                    <properties>
+                      <help>Port-group member</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Named port group (e.g., !$http-ports)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>u32:1-65535</format>
+                        <description>Numbered port</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>!?\$?[a-z0-9-]+</regex>
+                      </constraint>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+              <node name="output">
+                <properties>
+                  <help>Suricata log outputs</help>
+                </properties>
+                <children>
+                  <node name="eve">
+                    <properties>
+                      <help>Extensible Event Format (nicknamed EVE) event log in JSON format</help>
+                    </properties>
+                    <children>
+                      <leafNode name="filetype">
+                        <properties>
+                          <help>EVE logging destination</help>
+                          <completionHelp>
+                            <list>regular syslog</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>regular</format>
+                            <description>Log to filename</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>syslog</format>
+                            <description>Log to syslog</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>(regular|syslog)</regex>
+                          </constraint>
+                        </properties>
+                        <defaultValue>regular</defaultValue>
+                      </leafNode>
+                      <leafNode name="filename">
+                        <properties>
+                          <help>Log file name in default Suricata log directory</help>
+                        </properties>
+                        <defaultValue>eve.json</defaultValue>
+                      </leafNode>
+                      <leafNode name="type">
+                        <properties>
+                          <help>Log types</help>
+                          <completionHelp>
+                            <list>alert anomaly http dns tls files drop smtp dnp3 ftp rdp nfs smb tftp ikev2 dcerpc krb5 snmp rfb sip dhcp ssh mqtt http2 flow netflow</list>
+                          </completionHelp>
+                          <constraint>
+                            <regex>(alert|anomaly|http|dns|tls|files|drop|smtp|dnp3|ftp|rdp|nfs|smb|tftp|ikev2|dcerpc|krb5|snmp|rfb|sip|dhcp|ssh|mqtt|http2|flow|netflow)</regex>
+                          </constraint>
+                          <multi/>
+                        </properties>
+                      </leafNode>
+                    </children>
+                  </node>
+                </children>
+              </node>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/op-mode-definitions/suricata.xml.in b/op-mode-definitions/suricata.xml.in
@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="update">
+    <children>
+      <node name="suricata">
+        <properties>
+          <help>Update Suricata</help>
+        </properties>
+        <command>sudo suricata-update -c /run/suricata-update.yaml --suricata-conf /run/suricata.yaml</command>
+      </node>
+    </children>
+  </node>
+  <node name="restart">
+    <children>
+      <node name="suricata">
+        <properties>
+          <help>Restart Suricata service</help>
+        </properties>
+        <command>if systemctl is-active --quiet suricata; then sudo systemctl restart suricata.service; else echo "Service Suricata not configured"; fi</command>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/python/vyos/base.py b/python/vyos/base.py
@@ -41,7 +41,7 @@ def print(self):
                 isfirstmessage = False
                 initial_indent = self.standardindent
             print(f'{mes}')
-        print('')
+        print('', flush=True)
 
 
 class Warning():

diff --git a/src/conf_mode/service_ids_suricata.py b/src/conf_mode/service_ids_suricata.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from sys import exit
+
+from vyos.base import Warning
+from vyos.config import Config
+from vyos.template import render
+from vyos.utils.process import call
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+config_file = '/run/suricata.yaml'
+rotate_file = '/etc/logrotate.d/suricata'
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = Config()
+    base = ['service', 'ids', 'suricata']
+    if not conf.exists(base):
+        return None
+
+    suricata = conf.get_config_dict(base, key_mangling=('-', '_'),
+                                      get_first_key=True,
+                                      with_recursive_defaults=True)
+
+    return suricata
+
+def verify(suricata):
+    if not suricata:
+        return None
+
+    if 'interface' not in suricata:
+        raise ConfigError('No interfaces configured')
+
+def generate(suricata):
+    if not suricata:
+        for file in [config_file, rotate_file]:
+            if os.path.isfile(file):
+                os.unlink(file)
+
+        return None
+
+    render(config_file, 'ids/suricata.j2', suricata)
+    render(rotate_file, 'ids/suricata_logrotate.j2', suricata)
+    return None
+
+def apply(suricata):
+    systemd_service = 'suricata.service'
+    if not suricata or 'interface' not in suricata:
+        # Stop suricata service if removed
+        call(f'systemctl stop {systemd_service}')
+    else:
+        Warning('To fetch the latest rules, use "update suricata"; '
+                'To periodically fetch the latest rules, '
+                'use the task scheduler!')
+        call(f'systemctl restart {systemd_service}')
+
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
diff --git a/src/etc/systemd/system/suricata.service.d/10-override.conf b/src/etc/systemd/system/suricata.service.d/10-override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/suricata -D --af-packet -c /run/suricata.yaml --pidfile /run/suricata.pid