Merge pull request #900 from bmeeks8/snort-3.2.6

14 files changed, 257 insertions, 24 deletions

diff --git a/config/snort/deprecated_rules b/config/snort/deprecated_rules
new file mode 100644
index 00000000..3d8b2c3f
--- /dev/null
+++ b/config/snort/deprecated_rules
@@ -0,0 +1,62 @@
+#
+# Obsoleted Snort VRT rule categories
+#
+snort_attack-responses.rules
+snort_backdoor.rules
+snort_bad-traffic.rules
+snort_botnet-cnc.rules
+snort_chat.rules
+snort_ddos.rules
+snort_dns.rules
+snort_dos.rules
+snort_experimental.rules
+snort_exploit.rules
+snort_finger.rules
+snort_ftp.rules
+snort_icmp-info.rules
+snort_icmp.rules
+snort_imap.rules
+snort_info.rules
+snort_misc.rules
+snort_multimedia.rules
+snort_mysql.rules
+snort_nntp.rules
+snort_oracle.rules
+snort_other-ids.rules
+snort_p2p.rules
+snort_phishing-spam.rules
+snort_policy.rules
+snort_pop2.rules
+snort_pop3.rules
+snort_rpc.rules
+snort_rservices.rules
+snort_scada.rules
+snort_scan.rules
+snort_shellcode.rules
+snort_smtp.rules
+snort_snmp.rules
+snort_specific-threats.rules
+snort_spyware-put.rules
+snort_telnet.rules
+snort_tftp.rules
+snort_virus.rules
+snort_voip.rules
+snort_web-activex.rules
+snort_web-attacks.rules
+snort_web-cgi.rules
+snort_web-client.rules
+snort_web-coldfusion.rules
+snort_web-frontpage.rules
+snort_web-iis.rules
+snort_web-misc.rules
+snort_web-php.rules
+#
+# Obsoleted Emerging Threats Categories
+#
+emerging-rbn-malvertisers.rules
+emerging-rbn.rules
+#
+# Obsoleted Emerging Threats PRO Categories
+#
+etpro-rbn-malvertisers.rules
+etpro-rbn.rules
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index bb5ff792..027207b1 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -43,16 +43,13 @@ require("/usr/local/pkg/snort/snort_defs.inc");
 ini_set("memory_limit", "384M");
 
 // Explicitly declare this as global so it works through function call includes 
-global $g, $config, $rebuild_rules, $pfSense_snort_version;
+global $g, $config, $rebuild_rules;
 
 // Grab the Snort binary version programmatically, but if that fails use a safe default
 $snortver = array();
 $snortbindir = SNORT_PBI_BINDIR;
 exec("{$snortbindir}snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
 
-/* get installed package version for display */
-$snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
-
 /* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
 $rebuild_rules = false;
 
@@ -3671,6 +3668,73 @@ function snort_generate_conf($snortcfg) {
 	unset($home_net, $external_net, $ipvardef, $portvardef);
 }
 
+function snort_remove_dead_rules() {
+
+	/********************************************************/
+	/* This function removes dead and deprecated rules      */
+	/* category files from the base Snort rules directory   */
+	/* and from the RULESETS setting of each interface.     */
+	/* The file "deprecated_rules", if it exists, is used   */
+	/* to determine which rules files to remove.            */
+	/********************************************************/
+
+	global $config, $g;
+	$rulesdir = SNORTDIR . "/rules/";
+	$count = 0;
+	$cats = array();
+
+	// If there is no "deprecated_rules" file, then exit
+	if (!file_exists("{$rulesdir}deprecated_rules"))
+		return;
+
+	// Open a SplFileObject to read in deprecated rules
+	$file = new SplFileObject("{$rulesdir}/deprecated_rules");
+	$file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE);
+	while (!$file->eof()) {
+		$line = $file->fgets();
+
+		// Skip any lines with just spaces
+		if (trim($line) == "")
+			continue;
+
+		// Skip any comment lines starting with '#'
+		if (preg_match('/^\s*\#+/', $line))
+			continue;
+
+		$cats[] = $line;
+	}
+
+	// Close the SplFileObject since we are finished with it
+	$file = null;
+
+	// Delete any dead rules files from the Snort RULES directory
+	foreach ($cats as $file) {
+		if (file_exists("{$rulesdir}{$file}"))
+			$count++;
+		unlink_if_exists("{$rulesdir}{$file}");
+	}
+
+	// Log how many obsoleted files were removed
+	log_error(gettext("[Snort] Removed {$count} obsoleted rules category files."));
+
+	// Now remove any dead rules files from the interface configurations
+	if (!empty($cats) && is_array($config['installedpackages']['snortglobal']['rule'])) {
+		foreach ($config['installedpackages']['snortglobal']['rule'] as &$iface) {
+			$enabled_rules = explode("||", $iface['rulesets']);
+			foreach ($enabled_rules as $k => $v) {
+				foreach ($cats as $d) {
+					if (strpos(trim($v), $d) !== false)
+						unset($enabled_rules[$k]);
+				}
+			}
+			$iface['rulesets'] = implode("||", $enabled_rules);
+		}
+	}
+
+	// Clean up
+	unset($cats, $enabled_rules);
+}
+
 /* Uses XMLRPC to synchronize the changes to a remote node */
 function snort_sync_on_changes() {
 	global $config, $g;
@@ -3807,6 +3871,38 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username,
 	if (!empty($sid_files) && $error == "")
 		log_error("[snort] Snort pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
 
+	/*************************************************/
+	/* Send over any IPREP IP List files             */
+	/*************************************************/
+	$sid_files = glob(SNORT_IPREP_PATH . '*');
+	foreach ($sid_files as $file) {
+		$content = base64_encode(file_get_contents($file));
+		$payload = "@file_put_contents('{$file}', base64_decode('{$content}'));";
+
+		/* assemble xmlrpc payload */
+		$method = 'pfsense.exec_php';
+		$params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
+	
+		log_error("[snort] Snort XMLRPC CARP sync sending IPREP files to {$url}:{$port}.");
+		$msg = new XML_RPC_Message($method, $params);
+		$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+		$cli->setCredentials($username, $password);
+		$resp = $cli->send($msg, $synctimeout);
+		$error = "";
+		if(!$resp) {
+			$error = "A communications error occurred while attempting Snort XMLRPC CARP sync with {$url}:{$port}.  Failed to transfer file: " . basename($file);
+			log_error($error);
+			file_notice("sync_settings", $error, "Snort Settings Sync", "");
+		} elseif($resp->faultCode()) {
+			$error = "An error code was received while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+			log_error($error);
+			file_notice("sync_settings", $error, "Snort Settings Sync", "");
+		}
+	}
+
+	if (!empty($sid_files) && $error == "")
+		log_error("[snort] Snort pkg XMLRPC CARP sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
+
 	/**************************************************/
 	/* Send over the <snortglobal> portion of the     */
 	/* config.xml.  $xml will hold section to sync.   */
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index c9401f05..6c70b39e 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -47,7 +47,7 @@
 	<faq>Currently there are no FAQ items provided.</faq>
 	<name>Snort</name>
 	<version>2.9.7.3</version>
-	<title>Services:2.9.7.3 pkg v3.2.5</title>
+	<title>Services:2.9.7.3 pkg v3.2.6</title>
 	<include_file>/usr/local/pkg/snort/snort.inc</include_file>
 	<menu>
 		<name>Snort</name>
@@ -94,6 +94,11 @@
 		<item>https://packages.pfsense.org/packages/config/snort/snort_sync.xml</item>
 	</additional_files_needed>
 	<additional_files_needed>
+		<prefix>/usr/local/pkg/snort/</prefix>
+		<chmod>077</chmod>
+		<item>https://packages.pfsense.org/packages/config/snort/deprecated_rules</item>
+	</additional_files_needed>
+	<additional_files_needed>
 		<prefix>/usr/local/www/snort/</prefix>
 		<chmod>077</chmod>
 		<item>https://packages.pfsense.org/packages/config/snort/snort_alerts.php</item>
diff --git a/config/snort/snort_alerts.widget.php b/config/snort/snort_alerts.widget.php
index 96c70562..2b7a10c7 100644
--- a/config/snort/snort_alerts.widget.php
+++ b/config/snort/snort_alerts.widget.php
@@ -125,7 +125,10 @@ function snort_widget_get_alerts() {
 
 				/*              0         1            2      3       4   5     6   7       8   9       10 11             12       */
 				/* File format: timestamp,generator_id,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
-				$fd = fopen("/tmp/alert_snort{$snort_uuid}", "r");
+				if (!$fd = fopen("/tmp/alert_snort{$snort_uuid}", "r")) {
+					log_error(gettext("[Snort Widget] Failed to open file /tmp/alert_snort{$snort_uuid}"));
+					continue;
+				}
 				while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
 					if(count($fields) < 13)
 						continue;
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 842e39d5..0c4543cd 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -203,9 +203,11 @@ function snort_download_file_url($url, $file_out) {
 		}
 
 		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
-		curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)");
-		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-		curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
+		curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/43.0.2357.65 Safari/537.36");
+		curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1");
+		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+		curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true);
+		curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
 		curl_setopt($ch, CURLOPT_TIMEOUT, 0);
 
 		// Use the system proxy server setttings if configured
@@ -680,6 +682,12 @@ if ($emergingthreats == 'on') {
 	}
 }
 
+// If removing deprecated rules categories, then do it
+if ($config['installedpackages']['snortglobal']['hide_deprecated_rules'] == "on") {
+	log_error(gettext("[Snort] Hide Deprecated Rules is enabled.  Removing obsoleted rules categories."));
+	snort_remove_dead_rules();
+}
+
 function snort_apply_customizations($snortcfg, $if_real) {
 
 	global $vrt_enabled, $rebuild_rules;
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index ee463ac9..0d24f197 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -107,11 +107,15 @@ if ($_POST['save']) {
 
 	foreach ($snort_servers as $key => $server) {
 		if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"]))
-			$input_errors[] = "Only aliases are allowed";
+			$input_errors[] = "Only aliases are allowed.";
+		if ($_POST["def_{$key}"] && is_alias($_POST["def_{$key}"]) && trim(filter_expand_alias($_POST["def_{$key}"])) == "")
+			$input_errors[] = "FQDN aliases are not allowed in Snort.";
 	}
 	foreach ($snort_ports as $key => $server) {
 		if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"]))
-			$input_errors[] = "Only aliases are allowed";
+			$input_errors[] = "Only aliases are allowed.";
+		if ($_POST["def_{$key}"] && is_alias($_POST["def_{$key}"]) && trim(filter_expand_alias($_POST["def_{$key}"])) == "")
+			$input_errors[] = "FQDN aliases are not allowed in Snort.";
 	}
 	/* if no errors write to conf */
 	if (!$input_errors) {
@@ -142,6 +146,9 @@ if ($_POST['save']) {
 		/* Soft-restart Snort to live-load new variables. */
 		snort_reload_config($a_nat[$id]);
 
+		/* Sync to configured CARP slaves if any are enabled */
+		snort_sync_on_changes();
+
 		/* after click go to this page */
 		header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
 		header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php
index 38471ef0..803c1491 100755
--- a/config/snort/snort_interfaces.php
+++ b/config/snort/snort_interfaces.php
@@ -125,7 +125,7 @@ if ($_POST['toggle'] && is_numericint($_POST['id'])) {
 	sleep(3); // So the GUI reports correctly
 }
 
-$pgtitle = "Services: $snort_package_version";
+$pgtitle = "Services: Snort " . SNORT_BIN_VERSION . " pkg v{$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
 include_once("head.inc");
 
 ?>
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index 6c1d56ac..b2ecefee 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -60,6 +60,7 @@ else {
 	$pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off';
 	$pconfig['verbose_logging'] = $config['installedpackages']['snortglobal']['verbose_logging'] == "on" ? 'on' : 'off';
 	$pconfig['openappid_detectors'] = $config['installedpackages']['snortglobal']['openappid_detectors'] == "on" ? 'on' : 'off';
+	$pconfig['hide_deprecated_rules'] = $config['installedpackages']['snortglobal']['hide_deprecated_rules'] == "on" ? 'on' : 'off';
 }
 
 /* Set sensible values for any empty default params */
@@ -100,6 +101,7 @@ if (!$input_errors) {
 		$config['installedpackages']['snortglobal']['clearblocks'] = $_POST['clearblocks'] ? 'on' : 'off';
 		$config['installedpackages']['snortglobal']['verbose_logging'] = $_POST['verbose_logging'] ? 'on' : 'off';
 		$config['installedpackages']['snortglobal']['openappid_detectors'] = $_POST['openappid_detectors'] ? 'on' : 'off';
+		$config['installedpackages']['snortglobal']['hide_deprecated_rules'] = $_POST['hide_deprecated_rules'] ? 'on' : 'off';
 
 		// If any rule sets are being turned off, then remove them
 		// from the active rules section of each interface.  Start
@@ -136,6 +138,12 @@ if (!$input_errors) {
 			}
 		}
 
+		// If deprecated rules should be removed, then do it
+		if ($config['installedpackages']['snortglobal']['hide_deprecated_rules'] == "on") {
+			log_error(gettext("[Snort] Hide Deprecated Rules is enabled.  Removing obsoleted rules categories."));
+			snort_remove_dead_rules();
+		}
+
 		$config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];
 		$config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code'];
 
@@ -334,6 +342,13 @@ if ($input_errors)
 	</td>
 </tr>
 <tr>
+	<td width="22%" valign="top" class="vncell"><?php echo gettext("Hide Deprecated Rules Categories"); ?></td>
+	<td width="78%" class="vtable"><input name="hide_deprecated_rules" id="hide_deprecated_rules" type="checkbox" value="yes" 
+		<?php if ($pconfig['hide_deprecated_rules']=="on") echo "checked"; ?> />
+		&nbsp;&nbsp;<?php echo gettext("Hide deprecated rules categories in the GUI and remove them from the configuration.  Default is ") . 
+		"<strong>" . gettext("Not Checked") . "</strong>" . gettext("."); ?></td>
+</tr>
+<tr>
 	<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Rules Update Settings"); ?></td>
 </tr>
 <tr>
diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php
index 4c3065a0..c190b0e6 100644
--- a/config/snort/snort_ip_reputation.php
+++ b/config/snort/snort_ip_reputation.php
@@ -170,6 +170,9 @@ if ($_POST['save'] || $_POST['apply']) {
 		snort_reload_config($a_nat[$id]);
 		$pconfig = $natent;
 
+		// Sync to configured CARP slaves if any are enabled
+		snort_sync_on_changes();
+
 		// We have saved changes and done a soft restart, so clear "dirty" flag
 		clear_subsystem_dirty('snort_iprep');
 	}
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index dcc5aa76..ae1daf6a 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -117,6 +117,14 @@ if (empty($config['installedpackages']['snortglobal']['openappid_detectors'])) {
 }
 
 /**********************************************************/
+/* Create new HIDE_DEPRECATED_RULES setting if not set    */
+/**********************************************************/
+if (empty($config['installedpackages']['snortglobal']['hide_deprecated_rules'])) {
+	$config['installedpackages']['snortglobal']['hide_deprecated_rules'] = "off";
+	$updated_cfg = true;
+}
+
+/**********************************************************/
 /* Migrate per interface settings if required.            */
 /**********************************************************/
 foreach ($rule as &$r) {
@@ -533,7 +541,7 @@ unset($r);
 
 // Log a message if we changed anything
 if ($updated_cfg) {
-	$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.5";
+	$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.6";
 	log_error("[Snort] Settings successfully migrated to new configuration format...");
 }
 else
diff --git a/config/snort/snort_passlist_edit.php b/config/snort/snort_passlist_edit.php
index 9f95adb4..75724344 100644
--- a/config/snort/snort_passlist_edit.php
+++ b/config/snort/snort_passlist_edit.php
@@ -155,9 +155,12 @@ if ($_POST['save']) {
 		}
 	}
 
-	if ($_POST['address'])
+	if ($_POST['address']) {
 		if (!is_alias($_POST['address']))
-			$input_errors[] = gettext("A valid alias must be provided");
+			$input_errors[] = gettext("A valid alias must be provided.");
+		if (is_alias($_POST['address']) && trim(filter_expand_alias($_POST['address'])) == "")
+			$input_errors[] = gettext("FQDN aliases are not supported in Snort.");
+	}
 
 	if (!$input_errors) {
 		$p_list = array();
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index 7b931246..280f0efe 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -85,6 +85,9 @@ conf_mount_rw();
 @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
 //@rename("{$snortdir}/attribute_table.dtd-sample", "{$snortdir}/attribute_table.dtd");
 
+/* Move deprecated_rules file to SNORTDIR/rules directory */
+@rename("/usr/local/pkg/snort/deprecated_rules", "{$snortdir}/rules/deprecated_rules");
+
 /* fix up the preprocessor rules filenames from a PBI package install */
 $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
 foreach ($preproc_rules as $file) {
@@ -245,9 +248,8 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
 	if (!($g['booting'])) {
 		if ($pkg_interface <> "console") {
 			update_status(gettext("Starting Snort using rebuilt configuration..."));
-			update_output_window(gettext("Please wait while Snort is started..."));
-			mwexec("{$rcdir}snort.sh start");
-			update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
+			mwexec_bg("{$rcdir}snort.sh start");
+			update_output_window(gettext("Snort is starting as a background task using the rebuilt configuration..."));
 		}
 		else
 			mwexec_bg("{$rcdir}snort.sh start");
@@ -263,8 +265,8 @@ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
 	$config['widgets']['sequence'] .= ",{$snort_widget_container}";
 
 /* Update Snort package version in configuration */
-$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.5";
-write_config("Snort pkg v3.2.5: post-install configuration saved.");
+$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2.6";
+write_config("Snort pkg v3.2.6: post-install configuration saved.");
 
 /* Done with post-install, so clear flag */
 unset($g['snort_postinstall']);
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 9f6879ef..dd8ec660 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -80,6 +80,18 @@ $pconfig = array();
 if (isset($id) && isset($a_nat[$id])) {
 	$pconfig = $a_nat[$id];
 
+	// Initialize multiple config engine arrays for supported preprocessors if necessary
+	if (!is_array($pconfig['frag3_engine']['item']))
+		$pconfig['frag3_engine']['item'] = array();
+	if (!is_array($pconfig['stream5_tcp_engine']['item']))
+		$pconfig['stream5_tcp_engine']['item'] = array();
+	if (!is_array($pconfig['http_inspect_engine']['item']))
+		$pconfig['http_inspect_engine']['item'] = array();
+	if (!is_array($pconfig['ftp_server_engine']['item']))
+		$pconfig['ftp_server_engine']['item'] = array();
+	if (!is_array($pconfig['ftp_client_engine']['item']))
+		$pconfig['ftp_client_engine']['item'] = array();
+
 	/************************************************************/
 	/* To keep new users from shooting themselves in the foot   */
 	/* enable the most common required preprocessors by default */
@@ -451,6 +463,12 @@ if ($_POST['save']) {
 			$input_errors[] = gettext("The value for Application ID Stats Period must be between 60 and 3600.");
 	}
 
+	// Validate Portscan Ignore_Scanners parameter
+	if ($_POST['sf_portscan'] == 'on' && is_alias($_POST['pscan_ignore_scanners'])) {
+		if (trim(filter_expand_alias($_POST["def_{$key}"])) == "")
+			$input_errors[] = gettext("FQDN aliases are not supported in Snort for the PORTSCAN IGNORE_SCANNERS parameter.");
+	}
+
 	/* if no errors write to conf */
 	if (!$input_errors) {
 		/* post new options */
@@ -569,6 +587,9 @@ if ($_POST['save']) {
 		    !empty($natent['host_attribute_data']))
 			snort_reload_config($natent, "SIGURG");
 
+		/* Sync to configured CARP slaves if any are enabled */
+		snort_sync_on_changes();
+
 		/* after click go to this page */
 		header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
 		header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
@@ -1500,10 +1521,10 @@ if ($savemsg) {
 			<?php
 			$values = array('Credit Card', 'Email Addresses', 'U.S. Phone Numbers', 'U.S. Social Security Numbers');
 			foreach ($values as $val): ?>
-			<option value="<?=$val;?>"
-			<?php if (preg_match("/$val/",$pconfig['sdf_alert_data_type'])) echo "selected"; ?>> 
+				<option value="<?=$val;?>"
+				<?php if (strpos($pconfig['sdf_alert_data_type'], $val) !== FALSE) echo "selected"; ?>> 
 				<?=gettext($val);?></option>
-				<?php endforeach; ?>
+			<?php endforeach; ?>
 			</select><br/><?php echo gettext("Choose which types of sensitive data to detect.  Use CTRL + Click for multiple selections."); ?><br/>
 		</td>
 	</tr>
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index f1821f45..9e25457b 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -404,7 +404,7 @@
 		</build_pbi>
 		<build_options>barnyard2_UNSET_FORCE=ODBC PGSQL PRELUDE;barnyard2_SET_FORCE=GRE IPV6 MPLS MYSQL PORT_PCAP BRO;snort_SET_FORCE=BARNYARD PERFPROFILE SOURCEFIRE GRE IPV6 NORMALIZER APPID;snort_UNSET_FORCE=PULLEDPORK FILEINSPECT HA</build_options>
 		<config_file>https://packages.pfsense.org/packages/config/snort/snort.xml</config_file>
-		<version>3.2.5</version>
+		<version>3.2.6</version>
 		<required_version>2.2</required_version>
 		<status>Stable</status>
 		<configurationfile>/snort.xml</configurationfile>