diff options
| author | Ermal <eri@pfsense.org> | 2012-06-14 19:41:26 +0000 |
|---|---|---|
| committer | Ermal <eri@pfsense.org> | 2012-06-14 19:43:45 +0000 |
| commit | 88f5369c7eaf2cf478c501755e87083bb721edb5 (patch) | |
| tree | 49086a30be614e13c2d8d1749da690543e7dbeec | |
| parent | e9807d02b51e3d095395d3ac77abf0e1c043bc44 (diff) | |
| download | pfsense-packages-88f5369c7eaf2cf478c501755e87083bb721edb5.tar.gz pfsense-packages-88f5369c7eaf2cf478c501755e87083bb721edb5.tar.bz2 pfsense-packages-88f5369c7eaf2cf478c501755e87083bb721edb5.zip | |
Move logs and alert file to per instance folder. Also remove configuration only on deletion of an instance and not when its stopped
| -rw-r--r-- | config/snort/snort.inc | 210 | ||||
| -rw-r--r-- | config/snort/snort_alerts.php | 63 | ||||
| -rw-r--r-- | config/snort/snort_blocked.php | 166 | ||||
| -rw-r--r-- | config/snort/snort_check_cron_misc.inc | 38 | ||||
| -rw-r--r-- | config/snort/snort_check_for_rule_updates.php | 5 | ||||
| -rw-r--r-- | config/snort/snort_download_rules.php | 5 | ||||
| -rw-r--r-- | config/snort/snort_interfaces.php | 2 |
7 files changed, 156 insertions, 333 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index f667481f..05280e20 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -262,15 +262,11 @@ function Running_Stop($snort_uuid, $if_real, $id) { if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) { killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}"); exec("/bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"); - exec("/bin/rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); - @unlink("/var/log/snort/alert_{$snort_uuid}"); - exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); } if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) { killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"); exec("/bin/rm {$g['varrun_path']}/barnyard2_{$snort_uuid}_{$if_real}*"); - exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); } /* Log Iface stop */ @@ -283,7 +279,7 @@ function Running_Start($snort_uuid, $if_real, $id) { $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') - exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + exec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); else return; @@ -291,9 +287,8 @@ function Running_Start($snort_uuid, $if_real, $id) { /* top will have trouble if the uuid is to far back */ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; - if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { - exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"); - } + if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') + exec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"); /* Log Iface stop */ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); @@ -353,49 +348,7 @@ function snort_get_real_interface($interface) { snort is linked to these files while running, do not take the easy way out by touch and rm, snort will lose sync and not log. - this code needs to be watched. */ - -/* list dir files */ -function snort_file_list($snort_log_dir, $snort_log_file) -{ - $dir = opendir ("$snort_log_dir"); - while (false !== ($file = readdir($dir))) { - if (strpos($file, "$snort_log_file",1) ) - $file_list[] = basename($file); - } - return $file_list; -} - -/* snort dir files */ -function snort_file_sort($snort_file1, $snort_file2) -{ - if ($snort_file1 == $snort_file2) - return 0; - - return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array -} - -/* build files newest first array */ -function snort_build_order($snort_list) -{ - foreach ($snort_list as $value_list) - $list_order[] = $value_list; - - return $list_order; -} - -/* keep the newest remove the rest */ -function snort_remove_files($snort_list_rm, $snort_file_safe) -{ - foreach ($snort_list_rm as $value_list) { - if ($value_list != $snort_file_safe) - @unlink("/var/log/snort/$value_list"); - else - file_put_contents("/var/log/snort/$snort_file_safe", ""); - } -} - function post_delete_logs() { global $config, $g; @@ -404,41 +357,27 @@ function post_delete_logs() if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; - $snort_log_dir = '/var/log/snort'; - foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { $if_real = snort_get_real_interface($value['interface']); $snort_uuid = $value['uuid']; + $snort_log_dir = "/var/log/snort/snort_{$if_real}{$snort_uuid}"; if ($if_real != '' && $snort_uuid != '') { - if ($value['snortunifiedlog'] == 'on') { - $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2."; - $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2); - if (is_array($snort_list_u2)) { - usort($snort_list_u2, "snort_file_sort"); - $snort_u2_rm_list = snort_build_order($snort_list_u2); - snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); - } - } else - exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*"); - - if ($value['tcpdumplog'] == 'on') { - $snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump."; - $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); - if (is_array($snort_list_tcpd)) { - usort($snort_list_tcpd, "snort_file_sort"); - $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); - snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); - } - } else - exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*"); + $filelist = glob("{$snort_log_dir}/*{$snort_uuid}_{$if_real}.u2.*"); + unset($filelist[count($filelist) - 1]); + foreach ($filelist as $file) + @unlink($file); + $filelist = glob("{$snort_log_dir}/*{$snort_uuid}_{$if_real}.tcpdump.*"); + unset($filelist[count($filelist) - 1]); + foreach ($filelist as $file) + @unlink($file); /* create barnyard2 configuration file */ //if ($value['barnyard_enable'] == 'on') //create_barnyard2_conf($id, $if_real, $snort_uuid); if ($value['perform_stat'] == 'on') - @file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", ""); + @file_put_contents("{$snort_log_dir}/{$if_real}.stats", ""); } } } @@ -465,7 +404,7 @@ function snort_postinstall() @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map'); @unlink('/usr/local/etc/snort/sid'); @unlink('/usr/local/etc/rc.d/snort'); - @unlink('/usr/local/etc/rc.d/bardyard2'); + @unlink('/usr/local/etc/rc.d/barnyard2'); /* remove example files */ if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) @@ -474,40 +413,11 @@ function snort_postinstall() if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); - /* create a few directories and ensure the sample files are in place */ - if (!is_dir('/usr/local/etc/snort')) - exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); - if (!is_dir('/usr/local/etc/snort/whitelist')) - exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); - if (!is_dir('/var/log/snort')) - exec('/bin/mkdir -p /var/log/snort'); - else - exec('/bin/rm -r /var/log/snort/*'); - - if (!is_dir('/var/log/snort/barnyard2')) - exec('/bin/mkdir -p /var/log/snort/barnyard2'); - if (!is_dir('/usr/local/lib/snort/dynamicrules/')) - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - if (!file_exists('/var/db/whitelist')) - touch('/var/db/whitelist'); - - /* XXX: These are needed if you run snort as snort user mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); - */ - /* important */ - mwexec('/bin/chmod 660 /var/db/whitelist', true); - mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true); - mwexec('/bin/chmod -R 660 /tmp/snort*', true); - mwexec('/bin/chmod -R 660 /var/run/snort*', true); - mwexec('/bin/chmod 770 /usr/local/lib/snort', true); - mwexec('/bin/chmod 770 /usr/local/etc/snort', true); - mwexec('/bin/chmod 770 /usr/local/etc/whitelist', true); - mwexec('/bin/chmod 770 /var/log/snort', true); - mwexec('/bin/chmod 770 /var/log/snort/barnyard2', true); /* move files around, make it look clean */ mwexec('/bin/mkdir -p /usr/local/www/snort/css'); @@ -826,28 +736,6 @@ function sync_snort_package_config() if (!is_dir('/var/log/snort')) exec('/bin/mkdir -p /var/log/snort'); - if (!is_dir('/var/log/snort')) - exec('/bin/mkdir -p /var/log/snort'); - - if (!is_dir('/var/log/snort/barnyard2')) - exec('/bin/mkdir -p /var/log/snort/barnyard2'); - - /* XXX: These are needed if snort is run as snort user - mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); - mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); - mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); - */ - - /* important */ - mwexec('/bin/chmod 770 /var/db/whitelist', true); - mwexec('/bin/chmod 770 /var/run/snort*', true); - mwexec('/bin/chmod 770 /tmp/snort*', true); - mwexec('/bin/chmod -R 770 /var/log/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); - conf_mount_ro(); } @@ -975,7 +863,7 @@ function create_snort_sh() { $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql']; if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') - $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort -D -q"; + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q"; else $start_barnyard2 = ""; @@ -995,7 +883,7 @@ else # Start snort and barnyard2 /bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid - /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} $start_barnyard2 /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..." @@ -1071,7 +959,7 @@ function create_rules_iface($id, $if_real, $snort_uuid) if ($folder_chk == "empty") { if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + exec("/bin/mkdir -p {$if_rule_dir}/rules"); exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules"); if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules"); @@ -1085,23 +973,15 @@ function create_barnyard2_conf($id, $if_real, $snort_uuid) { if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { - mwexec("/usr/bin/touch /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); - /* XXX: This is needed if snort is run as snort user */ - //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + if (!file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo")) { + @touch("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo"); mwexec("/bin/chmod 770 /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); } $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); /* write out barnyard2_conf */ - $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); - if(!$bconf) { - log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); - return; - } - fwrite($bconf, $barnyard2_conf_text); - fclose($bconf); + @file_put_contents("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", $barnyard2_conf_text); } /* open barnyard2.conf for writing" */ @@ -1131,7 +1011,7 @@ config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid config hostname: $snortbarnyardlog_hostname_info_chk config interface: {$snort_uuid}_{$if_real} config decode_data_link -config waldo_file: /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo +config waldo_file: /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2/{$snort_uuid}_{$if_real}.waldo ## START user pass through ## @@ -1142,7 +1022,7 @@ config waldo_file: /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo # Step 2: setup the input plugins input unified2 -config logdir: /var/log/snort +config logdir: /var/log/snort/snort_{$if_real}{$snort_uuid} # database: log to a variety of databases # output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx @@ -1158,7 +1038,7 @@ function create_snort_conf($id, $if_real, $snort_uuid) { global $config, $g; - if (!empty($if_real)&& !empty($snort_uuid)) { + if (!empty($if_real) && !empty($snort_uuid)) { if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")) { exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); @@ -1251,35 +1131,49 @@ function generate_snort_conf($id, $if_real, $snort_uuid) $external_net = create_snort_externalnet($id, $if_real); /* obtain external interface */ - /* XXX: make multi wan friendly */ $snort_ext_int = $snortcfg['interface']; /* user added arguments */ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); - /* create basic files */ + /* create a few directories and ensure the sample files are in place */ + if (!is_dir('/usr/local/etc/snort')) + exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); if (!is_dir("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); - - exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); - exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); - exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); - exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); - exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); - exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); - exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + if (!is_dir('/usr/local/etc/snort/whitelist')) + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); + if (!is_dir("/var/log/snort/snort_{$if_real}{$snort_uuid}")) + exec("/bin/mkdir -p /var/log/snort/snort_{$if_real}{$snort_uuid}"); + if (!is_dir("/var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2")) + exec("/bin/mkdir -p /var/log/snort/snort_{$if_real}{$snort_uuid}/barnyard2"); + if (!is_dir('/usr/local/lib/snort/dynamicrules')) + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules'); + if (!is_dir('/usr/local/lib/snort/dynamicengine')) + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicengine'); + if (!is_dir('/usr/local/lib/snort/dynamicpreprocessor')) + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicpreprocessor'); + if (!file_exists('/var/db/whitelist')) + @touch('/var/db/whitelist'); + + @copy("/usr/local/etc/snort/gen-msg.map", "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); + @copy("/usr/local/etc/snort/classification.config", "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); + @copy("/usr/local/etc/snort/reference.config", "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); + @copy("/usr/local/etc/snort/sid-msg.map", "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); + @copy("/usr/local/etc/snort/unicode.map", "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); + @copy("/usr/local/etc/snort/threshold.conf", "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); + @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); /* define basic log filename */ $snortunifiedlogbasic_type = "output unified: filename snort_{$snort_uuid}_{$if_real}.log, limit 128"; /* define snortalertlogtype */ if ($config['installedpackages']['snortglobal']['snortalertlogtype'] == "fast") - $snortalertlogtype_type = "output alert_fast: alert_{$snort_uuid}"; + $snortalertlogtype_type = "output alert_fast: alert"; else - $snortalertlogtype_type = "output alert_full: alert_{$snort_uuid}"; + $snortalertlogtype_type = "output alert_full: alert"; /* define alertsystemlog */ $alertsystemlog_type = ""; @@ -1603,7 +1497,7 @@ function generate_snort_conf($id, $if_real, $snort_uuid) # ########################## -preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000 +preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000 EOD; @@ -1986,7 +1880,7 @@ config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor -dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so +dynamicengine directory /usr/local/lib/snort/dynamicengine dynamicdetection directory /usr/local/lib/snort/dynamicrules ################### diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 3094d1a7..077fcfb6 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -48,8 +48,11 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_uuid = $a_instance[0]['uuid']; -if ($_POST['instance']) +$if_real = snort_get_real_interface($a_instance[0]['interface']); +if ($_POST['instance']) { $snort_uuid = $a_instance[$_POST['instance']]['uuid']; + $if_real = snort_get_real_interface($a_instance[$_POST['instance']]['interface']); +} if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; @@ -63,57 +66,36 @@ if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { if ($_POST['save']) { - //unset($input_errors); - //$pconfig = $_POST; - - /* input validation */ - if ($_POST['save']) - { - - // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { - // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; - // } - - } - - /* no errors */ - if (!$input_errors) { - if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) - $config['installedpackages']['snortglobal']['alertsblocks'] = array(); - $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; - $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; - - write_config(); + if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) + $config['installedpackages']['snortglobal']['alertsblocks'] = array(); + $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; - header("Location: /snort/snort_alerts.php"); - exit; - } + write_config(); + header("Location: /snort/snort_alerts.php"); + exit; } -if ($_GET['action'] == "clear" || $_POST['clear']) -{ - if (file_exists("/var/log/snort/alert_{$snort_uuid}")) - { +if ($_GET['action'] == "clear" || $_POST['clear']) { + if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { conf_mount_rw(); - @file_put_contents("/var/log/snort/alert_{$snort_uuid}", ""); + @file_put_contents("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", ""); post_delete_logs(); /* XXX: This is needed is snort is run as snort user */ //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); mwexec('/bin/chmod 660 /var/log/snort/*', true); - mwexec('/usr/bin/killall -HUP snort', true); + mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); conf_mount_ro(); } header("Location: /snort/snort_alerts.php"); exit; } -if ($_POST['download']) -{ - +if ($_POST['download']) { $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_logs_{$save_date}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort"); + $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; + exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort/snort_{$if_real}{$snort_uuid}"); if (file_exists("/tmp/{$file_name}")) { $file = "/tmp/snort_logs_{$save_date}.tar.gz"; @@ -132,7 +114,6 @@ if ($_POST['download']) exit; } - /* WARNING: took me forever to figure reg expression, dont lose */ // $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; function get_snort_alert_date($fileline) @@ -381,16 +362,16 @@ if ($pconfig['arefresh'] == 'on') <?php /* make sure alert file exists */ - if (!file_exists("/var/log/snort/alert_{$snort_uuid}")) - exec("/usr/bin/touch /var/log/snort/alert_{$snort_uuid}"); + if (!file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) + @touch("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert"); $logent = $anentries; /* detect the alert file type */ if ($snortalertlogt == 'full') - $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}")))); + $alerts_array = array_reverse(explode("\n\n", file_get_contents("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert"))); else - $alerts_array = array_reverse(array_filter(split("\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}")))); + $alerts_array = array_reverse(explode("\n", file_get_contents("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert"))); diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 932e0983..e28f725d 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -41,11 +41,9 @@ $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') -{ $bnentries = '500'; -}else{ +else $bnentries = $pconfig['blertnumber']; -} if($_POST['todelete'] or $_GET['todelete']) { if($_POST['todelete']) @@ -57,10 +55,8 @@ if($_POST['todelete'] or $_GET['todelete']) { if ($_POST['remove']) { exec("/sbin/pfctl -t snort2c -T flush"); - sleep(1); header("Location: /snort/snort_blocked.php"); exit; - } /* TODO: build a file with block ip and disc */ @@ -73,31 +69,30 @@ if ($_POST['download']) exec('/bin/mkdir /tmp/snort_blocked'); exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); - $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); + $blocked_ips_array_save = str_replace(' ', '', explode("\n", file_get_contents('/tmp/snort_block.pf'))); if ($blocked_ips_array_save[0] != '') { /* build the list */ file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); - foreach($blocked_ips_array_save as $counter => $fileline3) - file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline3}\n", FILE_APPEND); + foreach($blocked_ips_array_save as $counter => $fileline) + file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND); } exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { - $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); header("Pragma: private"); // needed for IE header("Cache-Control: private, must-revalidate"); // needed for IE header('Content-type: application/force-download'); header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); + header("Content-length: " . filesize("/tmp/snort_blocked_{$save_date}.tar.gz")); header("Content-disposition: attachment; filename = {$file_name}"); readfile("$file"); - exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); - exec("/bin/rm /tmp/snort_block.pf"); - exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); od_end_clean(); //importanr or other post will fail + @unlink("/tmp/snort_blocked_{$save_date}.tar.gz"); + @unlink("/tmp/snort_block.pf"); + @unlink("/tmp/snort_blocked/snort_block.pf"); } else echo 'Error no saved file.'; @@ -106,13 +101,6 @@ if ($_POST['download']) if ($_POST['save']) { - /* input validation */ - if ($_POST['save']) - { - - - } - /* no errors */ if (!$input_errors) { @@ -122,7 +110,7 @@ if ($_POST['save']) write_config(); header("Location: /snort/snort_blocked.php"); - + exit; } } @@ -295,74 +283,66 @@ if ($pconfig['brefresh'] == 'on') /* set the arrays */ exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); - $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); - foreach (glob("/var/log/snort/alert_*") as $alert) { - $alerts_array = array_reverse(explode("\n\n", file_get_contents("{$alert}"))); - - $logent = $bnentries; - - if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') - { - - /* build the list and compare blocks to alerts */ - $counter = 0; - foreach($alerts_array as $fileline) - { - - $counter++; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + $blocked_ips_array = explode("\n", str_replace(' ', '', file_get_contents('/tmp/snort_block.cache'))); + if (!empty($blocked_ips_array)) { + $input = array(); + $alert_ip_src_array = array(); + foreach (glob("/var/log/snort/*/alert") as $alert) { + $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert))); + if (!empty($alerts_array[0])) { + /* build the list and compare blocks to alerts */ + $counter = 0; + foreach($alerts_array as $fileline) { + + $counter++; + + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } - if (in_array("$alert_ip_src", $blocked_ips_array)) - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; } + } - foreach($blocked_ips_array as $alert_block_ip) - { - - if (!in_array($alert_block_ip, $alert_ip_src_array)) - { - $input[] = "[$alert_block_ip] " . "[N\A]\n"; - } - } + foreach($blocked_ips_array as $alert_block_ip) { + if (is_ipaddr($alert_block_ip) && !in_array($alert_block_ip, $alert_ip_src_array)) + $input[] = "[$alert_block_ip] " . "[N\A]\n"; + } - /* reduce double occurrences */ - $result = array_unique($input); + /* reduce double occurrences */ + $result = array_unique($input); - /* buil final list, preg_match, buld html */ - $counter2 = 0; + /* buil final list, preg_match, buld html */ + $counter2 = 0; + $logent = $bnentries; - foreach($result as $fileline2) - { - if($logent <= $counter2) + foreach($result as $fileline) { + if($logent <= $counter2) continue; - $counter2++; + $counter2++; - $alert_block_ip_str = get_snort_block_ip($fileline2); + $alert_block_ip_str = get_snort_block_ip($fileline); - if($alert_block_ip_str != '') - { - $alert_block_ip_match = array('[',']'); - $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); - }else{ - $alert_block_ip = 'empty'; - } + if($alert_block_ip_str != '') { + $alert_block_ip_match = array('[',']'); + $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); + } else + $alert_block_ip = 'empty'; - $alert_block_disc_str = get_snort_block_disc($fileline2); + $alert_block_disc_str = get_snort_block_disc($fileline); - if($alert_block_disc_str != '') - { - $alert_block_disc_match = array('] [',']'); - $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); - }else{ - $alert_block_disc = 'empty'; - } + if($alert_block_disc_str != '') { + $alert_block_disc_match = array('] [',']'); + $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); + }else + $alert_block_disc = 'empty'; - /* use one echo to do the magic*/ - echo "<tr> + /* use one echo to do the magic*/ + echo "<tr> <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> <td> {$counter2}</td> @@ -370,40 +350,12 @@ if ($pconfig['brefresh'] == 'on') <td> {$alert_block_disc}</td> </tr>\n"; - } - - }else{ - - /* if alerts file is empty and blocked table is not empty */ - $counter2 = 0; - - foreach($blocked_ips_array as $alert_block_ip) - { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_disc = 'N/A'; - - /* use one echo to do the magic*/ - echo "<tr> - <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> - <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - <td> {$counter2}</td> - <td> {$alert_block_ip}</td> - <td> {$alert_block_disc}</td> - </tr>\n"; - } } - } echo '</table>' . "\n"; - - if (empty($blocked_ips_array[0])) - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; - else - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; + } else + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; ?> </td> diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc index 28d454b0..84f62a0d 100644 --- a/config/snort/snort_check_cron_misc.inc +++ b/config/snort/snort_check_cron_misc.inc @@ -50,27 +50,31 @@ if ($g['booting']==true) if ($snortloglimit == 'off') return; -$snortloglimitDSKsize = exec('/bin/df -k /var | grep -v "Filesystem" | awk \'{print $4}\''); - -$snortlogAlertsizeKB = snort_Getdirsize('/var/log/snort/alert'); -$snortloglimitAlertsizeKB = round($snortlogAlertsizeKB * .70); -$snortloglimitsizeKB = round($snortloglimitsize * 1024); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; -/* do I need HUP kill ? */ -if (snort_Getdirsize('/var/log/snort/') >= $snortloglimitsizeKB ) { +$snortloglimitDSKsize = exec('/bin/df -k /var | grep -v "Filesystem" | awk \'{print $4}\''); - conf_mount_rw(); - if(file_exists('/var/log/snort/alert')) { - if ($snortlogAlertsizeKB >= $snortloglimitAlertsizeKB) { - exec('/bin/echo "" > /var/log/snort/alert'); +foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $if_real = snort_get_real_interface($value['interface']); + $snort_uuid = $value['uuid']; + $snort_log_dir = "/var/log/snort/snort_{$if_real}{$snort_uuid}"; + + if (file_exists("{$snort_log_dir}/alert")) { + $snortlogAlertsizeKB = snort_Getdirsize("{$snort_log_dir}/alert"); + $snortloglimitAlertsizeKB = round($snortlogAlertsizeKB * .70); + $snortloglimitsizeKB = round($snortloglimitsize * 1024); + + /* do I need HUP kill ? */ + if (snort_Getdirsize($snort_log_dir) >= $snortloglimitsizeKB ) { + conf_mount_rw(); + if ($snortlogAlertsizeKB >= $snortloglimitAlertsizeKB) + @file_put_contents("{$snort_log_dir}/alert", ""); + post_delete_logs(); + conf_mount_ro(); } - post_delete_logs(); - /* XXX: This is needed if snort is run as snort user */ - //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); - mwexec('/bin/chmod 660 /var/log/snort/*', true); - } - conf_mount_ro(); + } } ?> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 41995e9d..8e1f196f 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -661,11 +661,6 @@ if (is_dir('/usr/local/etc/snort/tmp')) { exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); } -/* XXX: These are needed if snort is run as snort user -mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); -*/ /* make all dirs snorts */ mwexec("/bin/chmod -R 755 /var/log/snort", true); mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index 238a61d8..b65a3083 100644 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -722,11 +722,6 @@ if (is_dir('/usr/local/etc/snort/tmp')) { exec("/bin/rm -r /usr/local/etc/snort/tmp/rules_bk"); } -/* XXX: These are needed if snort is run as snort user -mwexec("/usr/sbin/chown -R snort:snort /var/log/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort", true); -mwexec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort", true); -*/ /* make all dirs snorts */ mwexec("/bin/chmod -R 755 /var/log/snort", true); mwexec("/bin/chmod -R 755 /usr/local/etc/snort", true); diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 86a9aff6..31f266c9 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -57,6 +57,8 @@ if (isset($_POST['del_x'])) { $snort_uuid = $a_nat[$rulei]['uuid']; Running_Stop($snort_uuid,$if_real, $rulei); + exec("/bin/rm -r /var/log/snort/snort_{$if_real}{$snort_uuid}"); + exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); unset($a_nat[$rulei]); } |