Merge pull request #228 from jeffhammett/suricata-eve-alert-payload

pfsense · Dec 21, 2016 · 458e6dc · 458e6dc
2 parents 3757a99 + 3d54f2e
commit 458e6dc
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/security/pfSense-pkg-suricata/Makefile b/security/pfSense-pkg-suricata/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	pfSense-pkg-suricata
 PORTVERSION=	3.0
-PORTREVISION=	10
+PORTREVISION=	11
 CATEGORIES=	security
 MASTER_SITES=	# empty
 DISTFILES=	# empty

diff --git a/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_generate_yaml.php b/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_generate_yaml.php
@@ -338,8 +338,19 @@
 
 // EVE log output included information
 $eve_out_types = "";
-if ($suricatacfg['eve_log_alerts'] == 'on')
+if (($suricatacfg['eve_log_alerts'] == 'on') && ($suricatacfg['eve_log_alerts_payload'] == 'off'))	
 	$eve_out_types .= "\n        - alert";
+
+if (($suricatacfg['eve_log_alerts'] == 'on') && ($suricatacfg['eve_log_alerts_payload'] == 'on')) {
+	$eve_out_types .= "\n        - alert:";
+	$eve_out_types .= "\n            payload: yes # enable dumping payload in Base64";
+	$eve_out_types .= "\n            payload-printable: yes # enable dumping payload in printable (lossy) format";
+	$eve_out_types .= "\n            packet: yes # enable dumping of packet (without stream segments)";
+	$eve_out_types .= "\n            http: yes # enable dumping of http fields";
+	$eve_out_types .= "\n            tls: yes # enable dumping of tls fields";
+        $eve_out_types .= "\n            ssh: yes # enable dumping of ssh fields";
+        $eve_out_types .= "\n            smtp: yes # enable dumping of smtp fields";
+		}
 
 if ($suricatacfg['eve_log_http'] == 'on') {
 	$eve_out_types .= "\n        - http:";

diff --git a/security/pfSense-pkg-suricata/files/usr/local/www/suricata/suricata_interfaces_edit.php b/security/pfSense-pkg-suricata/files/usr/local/www/suricata/suricata_interfaces_edit.php
@@ -149,6 +149,8 @@
 	$pconfig['eve_systemlog_priority'] = "notice";
 if (empty($pconfig['eve_log_alerts']))
 	$pconfig['eve_log_alerts'] = "on";
+if (empty($pconfig['eve_log_alerts_payload']))
+	$pconfig['eve_log_alerts_payload'] = "on";
 if (empty($pconfig['eve_log_http']))
 	$pconfig['eve_log_http'] = "on";
 if (empty($pconfig['eve_log_dns']))
@@ -295,6 +297,7 @@
 		if ($_POST['eve_systemlog_facility']) $natent['eve_systemlog_facility'] = $_POST['eve_systemlog_facility'];
 		if ($_POST['eve_systemlog_priority']) $natent['eve_systemlog_priority'] = $_POST['eve_systemlog_priority'];
 		if ($_POST['eve_log_alerts'] == "on") { $natent['eve_log_alerts'] = 'on'; }else{ $natent['eve_log_alerts'] = 'off'; }
+		if ($_POST['eve_log_alerts_payload'] == "on") { $natent['eve_log_alerts_payload'] = 'on'; }else{ $natent['eve_log_alerts_payload'] = 'off'; }
 		if ($_POST['eve_log_http'] == "on") { $natent['eve_log_http'] = 'on'; }else{ $natent['eve_log_http'] = 'off'; }
 		if ($_POST['eve_log_dns'] == "on") { $natent['eve_log_dns'] = 'on'; }else{ $natent['eve_log_dns'] = 'off'; }
 		if ($_POST['eve_log_tls'] == "on") { $natent['eve_log_tls'] = 'on'; }else{ $natent['eve_log_tls'] = 'off'; }
@@ -721,6 +724,14 @@ function suricata_get_config_lists($lists) {
 	'on'
 ));
 
+$group->add(new Form_Checkbox(
+	'eve_log_alerts_payload',
+	'Alert Payloads',
+	'Suricata will log additional payload data with alerts.',
+	$pconfig['eve_log_alerts_payload'] == 'on' ? true:false,
+	'on'
+));
+
 $group->add(new Form_Checkbox(
 	'eve_log_http',
 	'HTTP Traffic',
@@ -1156,6 +1167,7 @@ function enable_change() {
 		disableInput('eve_output_type', disable);
 		disableInput('eve_log_info', disable);
 		disableInput('eve_log_alerts', disable);
+		disableInput('eve_log_alerts_payload', disable);
 		disableInput('eve_log_http', disable);
 		disableInput('eve_log_dns', disable);
 		disableInput('eve_log_tls', disable);