From a57d0e88c227876ae3debd67f4d87dad6e2baf1a Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Fri, 9 Jun 2017 19:52:13 +0200
Subject: [PATCH] intrusion detection: undo previous, switch to --pcap=intX
---
 .../service/templates/OPNsense/IDS/rc.conf.d | 28 +++++++++++++++++--
 .../templates/OPNsense/IDS/suricata.yaml | 6 +---
 2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/src/opnsense/service/templates/OPNsense/IDS/rc.conf.d b/src/opnsense/service/templates/OPNsense/IDS/rc.conf.d
index 2d452f10f..45e65cf88 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/rc.conf.d
+++ b/src/opnsense/service/templates/OPNsense/IDS/rc.conf.d
@@ -1,12 +1,34 @@
+{# Macro import #}
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {% if helpers.exists('OPNsense.IDS.general') and OPNsense.IDS.general.enabled|default("0") == "1" %}
-suricata_opnsense_bootup_run="/usr/local/opnsense/scripts/suricata/setup.sh"
 suricata_enable="YES"
+suricata_opnsense_bootup_run="/usr/local/opnsense/scripts/suricata/setup.sh"
+
 {% if OPNsense.IDS.general.ips|default("0") == "1" %}
-suricata_netmap="YES"
+# IPS mode, switch to netmap
+suricata_netmap=YES
+
 {% else %}
+
 # IDS mode, pcap live mode
-suricata_flags="-D --pcap"
+{% set addFlags=[] %}
+{% for intfName in OPNsense.IDS.general.interfaces.split(',') %}
+{% if loop.index == 1 %}
+{# enable first interface #}
+suricata_interface="{{ physical_interface(intfName) }}"
+{% else %}
+{# store additional interfaces to addFlags #}
+{% do addFlags.append(physical_interface(intfName)) %}
+{% endif %}
+{% endfor %}
+{# append additional interfaces #}
+suricata_flags="-D {%
+ for intf in addFlags
+%} --pcap={{ intf }} {% endfor
+%} "
+
 {% endif %}
+
 {% else %}
 suricata_enable="NO"
 {% endif %}
diff --git a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
index ed70760a8..9189ec298 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
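Review bot: The `{% for intfName in OPNsense.IDS.general.interfaces.split(',') %}` loop in the IDS branch has no guard for a missing or empty `interfaces` setting; the suricata.yaml lines removed in the second hunk wrapped the same loop in `{% if helpers.exists('OPNsense.IDS.general.interfaces') %}`, and that check is not carried over here, so an unset value would likely make the template fail or render `suricata_interface=""`. Wrapping the loop the same way, `{% if helpers.exists('OPNsense.IDS.general.interfaces') %}` … `{% endif %}`, preserves the previous behaviour; whether the model already guarantees a non-empty list cannot be told from this hunk. The rendered values land in a file that rc(8) sources as shell, so `suricata_interface="…"` and the `--pcap=` flags depend on `physical_interface()` returning plain device names, and a comment making that explicit, `{# rc.conf.d is sourced by sh; physical_interface() must yield plain device names #}`, would help the next reader. Separately, `suricata_netmap=YES` drops the quotes the removed line had while every other value in the file is quoted; `suricata_netmap="YES"` keeps the style consistent.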
+++ b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml @@ -748,12 +748,8 @@ logging: format: "[%i] <%d> -- " pcap: - {% if helpers.exists('OPNsense.IDS.general.interfaces') %} - {% for intfName in OPNsense.IDS.general.interfaces.split(',') %} - - interface: {{physical_interface(intfName)}} + - interface: default promisc: {% if helpers.exists('OPNsense.IDS.general.promisc') and OPNsense.IDS.general.promisc|default('0') == '1' %}yes{% else %}no{% endif %} # promiscuous mode - {% endfor %} - {% endif %} pcap-file: # Possible values are: