diff options
author | robiscool <robrob2626@yahoo.com> | 2009-06-09 10:56:03 -0700 |
---|---|---|
committer | robiscool <robrob2626@yahoo.com> | 2009-06-09 10:56:03 -0700 |
commit | 9897f8deb603c33a57014230825fabf509e4b229 (patch) | |
tree | ef0246aa643a55626d7af95b0b572c95a6c41d78 | |
parent | 6aefeb8d9be1acd1e0cab8c3fde76f7a175740f1 (diff) | |
download | pfsense-packages-9897f8deb603c33a57014230825fabf509e4b229.tar.gz pfsense-packages-9897f8deb603c33a57014230825fabf509e4b229.tar.bz2 pfsense-packages-9897f8deb603c33a57014230825fabf509e4b229.zip |
Major feature update, added Emergingthreats rules,Alerts Tab logging type full or fast,Send alerts to main OS System logs,Log to a Tcpdump,Log to a mysql database,Log Alerts to a snort unified
-rwxr-xr-x | config/snort/snort.inc | 39 | ||||
-rw-r--r-- | config/snort/snort.xml | 8 | ||||
-rw-r--r-- | config/snort/snort_advanced.xml | 48 | ||||
-rw-r--r-- | config/snort/snort_download_rules.php | 173 |
4 files changed, 244 insertions, 24 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index a6cbc605..e7576ceb 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -50,7 +50,7 @@ function sync_package_snort_reinstall() start_service("snort"); } -function sync_package_snort() +function sync_package_snort() { global $config, $g; @@ -141,7 +141,7 @@ function sync_package_snort() /* TODO; get snort to start under nologin shell */ foreach($snortInterfaces as $snortIf) { - $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -A fast -q"; + $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q"; } /* if block offenders is checked, start snort2c */ @@ -207,6 +207,7 @@ function snort_deinstall() { } function generate_snort_conf() { + global $config, $g; conf_mount_rw(); /* obtain external interface */ @@ -214,7 +215,32 @@ function generate_snort_conf() { $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; - + +/* define snortalertlogtype */ +$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; +if ($snortalertlogtype == fast) + $snortalertlogtype_type = "output alert_fast: alert"; +else + $snortalertlogtype_type = "output alert_full: alert"; + +/* define alertsystemlog */ +$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; +if ($alertsystemlog_info_chk == on) + $alertsystemlog_type = "output alert_syslog: log_alert"; + +/* define tcpdumplog */ +$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; +if ($tcpdumplog_info_chk == on) + $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; + +/* define snortmysqllog */ +$snortmysqllog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortmysqllog']; + +/* define snortunifiedlog */ +$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; +if ($snortunifiedlog_info_chk == on) + $snortunifiedlog_type = "output alert_unified: snort.alert, limit 128\noutput log_unified: snort.log, limit 128"; + /* add auto update scripts to /etc/crontab */ // $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; // $filenamea = "/etc/crontab"; @@ -667,8 +693,11 @@ preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, n # ##################### -output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID -output alert_unified: filename snort.alert, limit 128 +$snortalertlogtype_type +$alertsystemlog_type +$tcpdumplog_type +$snortmysqllog_info_chk +$snortunifiedlog_type ################# # diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 9bccf830..e60a6328 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -47,7 +47,7 @@ <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> <version>2.8.4.1</version> - <title>Services: Snort 2.8.4.1 pkg v. 1.1</title> + <title>Services: Snort 2.8.4.1 pkg v. 1.2</title> <include_file>/usr/local/pkg/snort.inc</include_file> <menu> <name>Snort</name> @@ -259,9 +259,9 @@ <type>checkbox</type> </field> <field> - <fielddescr>Snort signature info files.</fielddescr> - <fieldname>signatureinfo</fieldname> - <description>15,000 snort alert info summary files. At leats a 1GHz system requierment</description> + <fielddescr>Install emergingthreats rules.</fielddescr> + <fieldname>emergingthreats</fieldname> + <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description> <type>checkbox</type> </field> </fields> diff --git a/config/snort/snort_advanced.xml b/config/snort/snort_advanced.xml index 35db6945..227c0ce4 100644 --- a/config/snort/snort_advanced.xml +++ b/config/snort/snort_advanced.xml @@ -111,6 +111,54 @@ <cols>40</cols> <rows>5</rows> </field> + <field> + <fielddescr>Snort signature info files.</fielddescr> + <fieldname>signatureinfo</fieldname> + <description>Snort signature info files will be installed during updates. At leats 500 mb of memory is needed.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Alerts Tab logging type.</fielddescr> + <fieldname>snortalertlogtype</fieldname> + <description>Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions</description> + <type>select</type> + <options> + <option> + <name>fast</name> + <value>fast</value> + </option> + <option> + <name>full</name> + <value>full</value> + </option> + </options> + </field> + <field> + <fielddescr>Send alerts to main System logs.</fielddescr> + <fieldname>alertsystemlog</fieldname> + <description>Snort will send Alerts to the Pfsense system logs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log to a Tcpdump file.</fielddescr> + <fieldname>tcpdumplog</fieldname> + <description>Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log to a mysql database.</fielddescr> + <fieldname>snortmysqllog</fieldname> + <description>Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Log Alerts to a snort unified file.</fielddescr> + <fieldname>snortunifiedlog</fieldname> + <description>Snort will log Alerts to a file in the UNIFIED format.</description> + <type>checkbox</type> + </field> </fields> <custom_php_deinstall_command> snort_advanced(); diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index e82a0239..240f9ea6 100644 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -32,6 +32,8 @@ $tmpfname = "/tmp/snort_rules_up"; $snortdir = "/usr/local/etc/snort"; $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; $snort_filename = "snortrules-snapshot-2.8.tar.gz"; +$emergingthreats_filename_md5 = "version.txt"; +$emergingthreats_filename = "emerging.rules.tar.gz"; require_once("guiconfig.inc"); require_once("functions.inc"); @@ -174,7 +176,7 @@ if (file_exists($tmpfname)) { /* unhide progress bar and lets end this party */ unhide_progress_bar_status(); -/* download md5 sig */ +/* download md5 sig from snort.org */ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { update_status(gettext("md5 temp file exists...")); } else { @@ -188,6 +190,19 @@ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { update_status(gettext("Done. downloading md5")); } +/* download md5 sig from emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { + update_status(gettext("Downloading md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + /* Time stamps define */ $last_md5_download = $config['installedpackages']['snort']['last_md5_download']; $last_rules_install = $config['installedpackages']['snort']['last_rules_install']; @@ -204,7 +219,22 @@ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ exit(0); } -/* Check if were up to date */ +/* If emergingthreats md5 file is empty wait 15min exit */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (0 == filesize("{$tmpfname}/version.txt")){ + update_status(gettext("There was an error getting emergingthreats md5.")); + update_output_window(gettext("There was an error getting emergingthreats md5.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ +// echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; +// echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + echo "\n\n</body>\n</html>\n"; + exit(0); + } +} + +/* Check if were up to date snort.org */ if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; @@ -222,25 +252,92 @@ if ($md5_check_new == $md5_check_old) { echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; // echo "P is this code {$premium_subscriber}"; echo "\n\n</body>\n</html>\n"; - exit(0); + $snort_md5_check_ok = on; } } +/* Check if were up to date emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (file_exists("{$snortdir}/version.txt")){ +$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); +$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); +$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); +if ($emerg_md5_check_new == $emerg_md5_check_old) { + update_status(gettext("Your emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + $emerg_md5_check_chk_ok = on; + /* Timestamps to html */ +// echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; +// echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + } + } +} + +/* Make Clean Snort Directory emergingthreats not checked */ +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm -r {$snortdir}/rules/emerging*"); + exec("/bin/rm -r {$snortdir}/version.txt"); + update_status(gettext("Done making snort direcory.")); +} + +/* Check if were up to date exits */ +if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + /* "You are Not Up to date */; update_status(gettext("You are NOT up to date...")); + update_output_window(gettext("Stoping Snort service...")); +stop_service("snort"); +sleep(2); +// start_service("snort"); /* download snortrules file */ +if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { update_status(gettext("Snortrule tar file exists...")); } else { + unhide_progress_bar_status(); update_status(gettext("There is a new set of Snort rules posted. Downloading...")); update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); update_all_status($static_output); update_status(gettext("Done downloading rules file.")); + } } +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Emergingthreats tar file exists...")); +} else { + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading Emergingthreats rules file.")); + } + } + } /* Compair md5 sig to file sig */ @@ -271,7 +368,8 @@ if (file_exists("{$tmpfname}/{$snort_filename}")) { //} /* Untar snort rules file individually to help people with low system specs */ -if (file_exists("{$tmpfname}/$snort_filename")) { +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { update_status(gettext("Extracting rules...")); update_output_window(gettext("May take a while...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} rules/"); @@ -296,46 +394,70 @@ if (file_exists("{$tmpfname}/$snort_filename")) { update_status(gettext("The Download rules file missing...")); update_output_window(gettext("Error rules extracting failed...")); exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname} rules/"); + } + } } +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { $signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; if ($premium_url_chk == on) { update_status(gettext("Extracting Signatures...")); update_output_window(gettext("May take a while...")); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} doc/signatures/"); update_status(gettext("Done extracting Signatures.")); + } + } } -/* Making Cleaning Snort Directory */ -if (file_exists("{$snortdir}")) { +/* Make Clean Snort Directory */ +if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on) { +if (file_exists("{$snortdir}/rules")) { update_status(gettext("Cleaning the snort Directory...")); update_output_window(gettext("removing...")); exec("/bin/rm -r {$snortdir}/*"); - exec("/bin/rm -r /usr/local/lib/snort/dynamicrules/*"); + exec("/bin/rm -r {$snortdir}/rules/*"); + exec("/bin/rm -r /usr/local/lib/snort/dynamicrules/*"); } else { update_status(gettext("Making Snort Directory...")); update_output_window(gettext("should be fast...")); exec("/bin/mkdir {$snortdir}"); + exec("/bin/mkdir {$snortdir}/rules"); exec("/bin/rm -r /usr/local/lib/snort/dynamicrules/*"); update_status(gettext("Done making snort direcory.")); + } } -/* Copy rules dir to snort dir */ +/* Copy snort rules and emergingthreats dir to snort dir */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on) { if (file_exists("{$tmpfname}/rules")) { update_status(gettext("Copying rules...")); update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$tmpfname}/rules {$snortdir}/rules"); + exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules"); update_status(gettext("Done copping rules.")); /* Write out time of last sucsessful rule install catch */ $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A"); write_config(); } else { update_status(gettext("Directory rules does not exists...")); - update_output_window(gettext("Error copping rules direcory...")); + update_output_window(gettext("Error copying rules direcory...")); exit(0); + } } /* Copy md5 sig to snort dir */ +if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/$snort_filename_md5")) { update_status(gettext("Copying md5 sig to snort directory...")); exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); @@ -343,9 +465,25 @@ if (file_exists("{$tmpfname}/$snort_filename_md5")) { update_status(gettext("The md5 file does not exist...")); update_output_window(gettext("Error copping config...")); exit(0); + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); +} else { + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copping config...")); + exit(0); + } + } } /* Copy configs to snort dir */ +if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/etc/Makefile.am")) { update_status(gettext("Copying configs to snort directory...")); exec("/bin/cp {$tmpfname}/etc/* {$snortdir}"); @@ -353,9 +491,11 @@ if (file_exists("{$tmpfname}/etc/Makefile.am")) { update_status(gettext("The snort configs does not exist...")); update_output_window(gettext("Error copping config...")); exit(0); + } } /* Copy signatures dir to snort dir */ +if ($snort_md5_check_ok != on) { $signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; if ($premium_url_chk == on) { if (file_exists("{$tmpfname}/doc/signatures")) { @@ -368,9 +508,11 @@ if (file_exists("{$tmpfname}/doc/signatures")) { update_output_window(gettext("Error copping signature...")); exit(0); } + } } - + /* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { update_status(gettext("Copying so_rules...")); update_output_window(gettext("May take a while...")); @@ -394,12 +536,13 @@ if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { update_status(gettext("Directory so_rules does not exist...")); update_output_window(gettext("Error copping so_rules...")); exit(0); + } } /* php code finish */ -update_status(gettext("Rules update finished...")); -update_output_window(gettext("You may start Snort now finnal.")); +update_status(gettext("The Rules update finished...")); +update_output_window(gettext("Please reboot Pfsense before starting Snort...")); /* hide progress bar and lets end this party */ hide_progress_bar_status(); |