diff options
author | robiscool <robrob2626@yahoo.com> | 2012-06-15 13:11:49 -0700 |
---|---|---|
committer | robiscool <robrob2626@yahoo.com> | 2012-06-15 13:11:49 -0700 |
commit | 3d6508062e1067ad3d64d2bd3874aa76620c8028 (patch) | |
tree | db728a3e749a53cb9d2265e980c4a1d6e325d408 /config/snort-dev/snort.inc | |
parent | b867840765d95e8984508cf2bbca23d38211b4b0 (diff) | |
download | pfsense-packages-3d6508062e1067ad3d64d2bd3874aa76620c8028.tar.gz pfsense-packages-3d6508062e1067ad3d64d2bd3874aa76620c8028.tar.bz2 pfsense-packages-3d6508062e1067ad3d64d2bd3874aa76620c8028.zip |
snort-dev, remove win line ends that git auto adds, fix major startup issues, fix stop issues, add new log options
Diffstat (limited to 'config/snort-dev/snort.inc')
-rw-r--r-- | config/snort-dev/snort.inc | 5034 |
1 files changed, 2524 insertions, 2510 deletions
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 49439149..afb46018 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -1,2510 +1,2524 @@ -<?php
-/*
- snort.inc
- Copyright (C) 2006 Scott Ullrich
- Copyright (C) 2009-2010 Robert Zelaya
- Copyright (C) 2011 Ermal Luci
- part of pfSense
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("pfsense-utils.inc");
-require_once("config.inc");
-require_once("functions.inc");
-
-// Needed on 2.0 because of filter_get_vpns_list()
-require_once("filter.inc");
-
-/* package version */
-$snort_package_version = 'Snort 2.9.2.3 pkg v. 2.2';
-$snort_rules_file = "snortrules-snapshot-2922.tar.gz";
-
-/* Allow additional execution time 0 = no limit. */
-ini_set('max_execution_time', '9999');
-ini_set('max_input_time', '9999');
-
-/* define oinkid */
-if ($config['installedpackages']['snortglobal'])
- $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode'];
-else
- $config['installedpackages']['snortglobal'] = array();
-
-/* find out if were in 1.2.3-RELEASE */
-if (intval($config['version']) > 6)
- $snort_pfsense_basever = 'no';
-else
- $snort_pfsense_basever = 'yes';
-
-/* find out what arch where in x86 , x64 */
-global $snort_arch;
-$snort_arch = 'x86';
-$snort_arch_ck = php_uname("m");
-if ($snort_arch_ck == 'i386')
- $snort_arch = 'x86';
-else if ($snort_arch_ck == "amd64")
- $snort_arch = 'x64';
-else
- $snort_arch = "Unknown";
-
-/* tell me my theme */
-$pfsense_theme_is = $config['theme'];
-
-/* func builds custom white lists */
-function find_whitelist_key($find_wlist_number) {
- global $config, $g;
-
- if (!is_array($config['installedpackages']['snortglobal']['whitelist']))
- $config['installedpackages']['snortglobal']['whitelist'] = array();
- if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
- return 0; /* XXX */
-
- foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) {
- if ($value['name'] == $find_wlist_number)
- return $w_key;
- }
-}
-
-/* func builds custom suppress lists */
-function find_suppress_key($find_slist_number) {
- global $config, $g;
-
- if (!is_array($config['installedpackages']['snortglobal']['suppress']))
- $config['installedpackages']['snortglobal']['suppress'] = array();
- if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
- return 0; /* XXX */
-
- foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) {
- if ($value['name'] == $find_slist_number)
- return $s_key;
- }
-}
-
-/* func builds custom whitelests */
-function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) {
- global $config, $g, $snort_pfsense_basever;
-
- /* build an interface array list */
- if (function_exists('get_configured_interface_list'))
- $int_array = get_configured_interface_list();
- else {
- $int_array = array('lan');
- for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++)
- if(isset($config['interfaces']['opt' . $j]['enable']))
- if(isset($config['interfaces']['opt' . $j]['gateway']))
- $int_array[] = "opt{$j}";
- }
-
- $home_net = "";
-
- /* iterate through interface list and write out whitelist items
- * and also compile a home_net list for snort.
- */
- foreach ($int_array as $int) {
- /* calculate interface subnet information */
- if (function_exists('get_interface_ip')) {
- $subnet = get_interface_ip($int);
- if (is_ipaddr($subnet)) {
- $sn = get_interface_subnet($int);
- $home_net .= "{$subnet}/{$sn} ";
- }
- } else {
- $ifcfg = $config['interfaces'][$int];
- switch ($ifcfg['ipaddr']) {
- case "pppoe":
- case "pptp":
- case "l2tp":
- if (function_exists('get_interface_ip'))
- $subnet = get_interface_ip($int);
- else
- $subnet = find_interface_ip("ng0");
-
- if (is_ipaddr($subnet))
- $home_net .= "{$subnet} ";
- break;
- case "dhcp":
- $subnet = find_interface_ip(snort_get_real_interface($int));
- if (is_ipaddr($subnet))
- $home_net .= "{$subnet} ";
- break;
- default:
- if (is_ipaddr($ifcfg['ipaddr'])) {
- $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']);
- if ($ifcfg['subnet'])
- $home_net .= "{$subnet}/{$ifcfg['subnet']} ";
- }
- break;
- }
- }
- }
-
- if ($snort_pfsense_basever == 'yes' && $wanip == 'yes') {
- /* add all WAN ips to the whitelist */
- $wan_if = get_real_wan_interface();
- $ip = find_interface_ip($wan_if);
- if (is_ipaddr($ip))
- $home_net .= "{$ip} ";
- }
-
- if ($wangw == 'yes') {
- /* Add Gateway on WAN interface to whitelist (For RRD graphs) */
- $gw = get_interface_gateway('wan');
- if($gw)
- $home_net .= "{$gw} ";
- }
-
- if($wandns == 'yes') {
- /* Add DNS server for WAN interface to whitelist */
- $dns_servers = get_dns_servers();
- foreach ($dns_servers as $dns) {
- if($dns)
- $home_net .= "{$dns} ";
- }
- }
-
- if($vips == 'yes') {
- /* iterate all vips and add to whitelist */
- if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) {
- foreach($config['virtualip']['vip'] as $vip)
- if($vip['subnet'])
- $home_net .= "{$vip['subnet']} ";
- }
- }
-
- /* Add loopback to whitelist (ftphelper) */
- $home_net .= "127.0.0.1 ";
-
- /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */
- if ($vpns == 'yes') {
- if ($snort_pfsense_basever == 'yes') // chk what pfsense version were on
- $vpns_list = get_vpns_list();
- else if ($snort_pfsense_basever == 'no') // chk what pfsense version were on
- $vpns_list = filter_get_vpns_list();
-
- if (!empty($vpns_list))
- $home_net .= "{$vpns_list} ";
- }
-
- /* never ever compair numbers to words */
- if ($userwips > -1) {
- if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
- $config['installedpackages']['snortglobal']['whitelist']['item'] = array();
-
- $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address'];
- }
-
- $home_net = trim($home_net);
-
- /* this foe whitelistfile, convert spaces to carriage returns */
- if ($build_netlist == 'whitelist') {
- $whitelist_home_net = str_replace(" ", "\n", $home_net);
- $whitelist_home_net = str_replace(" ", "\n", $home_net);
- return $whitelist_home_net;
- }
-
- /* this is for snort.conf */
- $validator = explode(" ", $home_net);
- $valresult = array();
- foreach ($validator as $vald) {
- if (empty($vald))
- continue;
- $valresult[] = $vald;
- }
- $home_net = implode(",", $valresult);
- $home_net = "[{$home_net}]";
-
- return $home_net;
-}
-
-
-/* checks to see if snort is running yes/no and stop/start */
-function Running_Ck($snort_uuid, $if_real, $id) {
- global $config;
-
- $snort_uph = 'no';
- $snort_up_prell = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'");
- if ($snort_up_prell != '')
- $snort_uph = 'yes';
-
- return $snort_uph;
-}
-
-/* checks to see if barnyard2 is running yes/no */
-function Running_Ck_b($snort_uuid, $if_real, $id) {
- global $config;
-
- $snort_up_b = 'no';
- $snort_up_pre_b = exec("/bin/ps -ax | /usr/bin/grep barnyard2 | /usr/bin/grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'");
- if ($snort_up_pre_b != '')
- $snort_up_b = 'yes';
-
- return $snort_up_b;
-}
-
-function Running_Stop($snort_uuid, $if_real, $id) {
- global $config, $g;
-
- /* if snort.sh crashed this will remove the pid */
- @unlink("{$g['tmp_path']}/snort.sh.pid");
-
- $start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
- $start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
-
-
- if ($start_up != '') {
- exec("/bin/kill {$start_up}");
- exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*");
- exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort_{$snort_uuid}_{$if_real}*");
- @unlink("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert_{$snort_uuid}");
- }
-
- if ($start_upb != '') {
- exec("/bin/kill {$start_upb}");
- exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*");
- exec("/bin/rm /var/log/snort/snort_{$if_real}{$snort_uuid}/snort.u2_{$snort_uuid}_{$if_real}*");
- }
-
- /* Log Iface stop */
- exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'");
- sleep(2); // Give time so GUI displays correctly
-}
-
-function Running_Start($snort_uuid, $if_real, $id) {
- global $config;
-
- /* if snort.sh crashed this will remove the pid */
- @unlink("{$g['tmp_path']}/snort.sh.pid");
-
- $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
- if ($snort_info_chk == 'on')
- exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
- else
- return;
-
- /* define snortbarnyardlog_chk */
- /* top will have trouble if the uuid is to far back */
- $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'];
- $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql'];
- if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') {
- exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$snort_uuid}_{$if_real}/ -D -q");
- }
-
- /* Log Iface stop */
- exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'");
- sleep(2); // Give time so GUI displays correctly
-}
-
-function snort_get_friendly_interface($interface) {
-
- if (function_exists('convert_friendly_interface_to_friendly_descr'))
- $iface = convert_friendly_interface_to_friendly_descr($interface);
- else {
- if (!$interface || ($interface == "wan"))
- $iface = "WAN";
- else if(strtolower($interface) == "lan")
- $iface = "LAN";
- else if(strtolower($interface) == "pppoe")
- $iface = "PPPoE";
- else if(strtolower($interface) == "pptp")
- $iface = "PPTP";
- else
- $iface = strtoupper($interface);
- }
-
- return $iface;
-}
-
-/* get the real iface name of wan */
-function snort_get_real_interface($interface) {
- global $config;
-
- $lc_interface = strtolower($interface);
- if (function_exists('get_real_interface'))
- return get_real_interface($lc_interface);
- else {
- if ($lc_interface == "lan") {
- if ($config['inerfaces']['lan'])
- return $config['interfaces']['lan']['if'];
- return $interface;
- }
- if ($lc_interface == "wan")
- return $config['interfaces']['wan']['if'];
- $ifdescrs = array();
- for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) {
- $ifname = "opt{$j}";
- if(strtolower($ifname) == $lc_interface)
- return $config['interfaces'][$ifname]['if'];
- if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface))
- return $config['interfaces'][$ifname]['if'];
- }
- }
-
- return $interface;
-}
-
-/*
- this code block is for deleteing logs while keeping the newest file,
- snort is linked to these files while running, do not take the easy way out
- by touch and rm, snort will lose sync and not log.
-
- this code needs to be watched.
- */
-
-/* list dir files */
-function snort_file_list($snort_log_dir, $snort_log_file)
-{
- $dir = opendir ("$snort_log_dir");
- while (false !== ($file = readdir($dir))) {
- if (strpos($file, "$snort_log_file",1) )
- $file_list[] = basename($file);
- }
- return $file_list;
-}
-
-/* snort dir files */
-function snort_file_sort($snort_file1, $snort_file2)
-{
- if ($snort_file1 == $snort_file2)
- return 0;
-
- return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array
-}
-
-/* build files newest first array */
-function snort_build_order($snort_list)
-{
- foreach ($snort_list as $value_list)
- $list_order[] = $value_list;
-
- return $list_order;
-}
-
-/* keep the newest remove the rest */
-function snort_remove_files($snort_list_rm, $snort_file_safe)
-{
- foreach ($snort_list_rm as $value_list) {
- if ($value_list != $snort_file_safe)
- @unlink("/var/log/snort/$value_list");
- else
- file_put_contents("/var/log/snort/$snort_file_safe", "");
- }
-}
-
-/*
- * TODO:
- * This is called by snort_alerts.php.
- *
- * This func needs to be made to only clear one interface rule log
- * at a time.
- *
- */
-function post_delete_logs()
-{
- global $config, $g;
-
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
-
- $snort_log_dir = '/var/log/snort';
-
- foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
- $result_lan = $value['interface'];
- $if_real = snort_get_real_interface($result_lan);
- $snort_uuid = $value['uuid'];
-
- if ($if_real != '' && $snort_uuid != '') {
- if ($value['snortunifiedlog'] == 'on') {
- $snort_log_file_u2 = "{$snort_uuid}_{$if_real}.u2.";
- $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2);
- if (is_array($snort_list_u2)) {
- usort($snort_list_u2, "snort_file_sort");
- $snort_u2_rm_list = snort_build_order($snort_list_u2);
- snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]);
- }
- } else
- exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.u2*");
-
- if ($value['tcpdumplog'] == 'on') {
- $snort_log_file_tcpd = "{$snort_uuid}_{$if_real}.tcpdump.";
- $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd);
- if (is_array($snort_list_tcpd)) {
- usort($snort_list_tcpd, "snort_file_sort");
- $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd);
- snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]);
- }
- } else
- exec("/bin/rm $snort_log_dir/snort_{$snort_uuid}_{$if_real}.tcpdump*");
-
- /* create barnyard2 configuration file */
- //if ($value['barnyard_enable'] == 'on')
- //create_barnyard2_conf($id, $if_real, $snort_uuid);
-
- if ($value['perform_stat'] == 'on')
- @file_put_contents("/var/log/snort/snort_{$snort_uuid}_{$if_real}.stats", "");
- }
- }
-}
-
-function snort_postinstall()
-{
- global $config, $g, $snort_pfsense_basever, $snort_arch;
-
- /* snort -> advanced features */
- if (is_array($config['installedpackages']['snortglobal'])) {
- $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize'];
- $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize'];
- $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns'];
- }
-
- /* cleanup default files */
- @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf');
- @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf');
- @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map');
- @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map');
- @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config');
- @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators');
- @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config');
- @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map');
- @unlink('/usr/local/etc/snort/sid');
- @unlink('/usr/local/etc/rc.d/snort');
- @unlink('/usr/local/etc/rc.d/bardyard2');
-
- /* remove example files */
- if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0'))
- exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*');
-
- if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
- exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
-
- /* create a few directories and ensure the sample files are in place */
- if (!is_dir('/usr/local/etc/snort'))
- exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules');
- if (!is_dir('/usr/local/etc/snort/whitelist'))
- exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/');
- /* NOTE: the diff between the if check and the exec() extra run is by design */
- if (!is_dir('/var/log/snort'))
- exec('/bin/mkdir -p /var/log/snort/run');
- else
- exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run');
-
- if (!is_dir('/var/log/snort/barnyard2'))
- exec('/bin/mkdir -p /var/log/snort/barnyard2');
- if (!is_dir('/usr/local/lib/snort/dynamicrules/'))
- exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/');
- if (!file_exists('/var/db/whitelist'))
- touch('/var/db/whitelist');
-
- /* XXX: These are needed if you run snort as snort user
- mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
- mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
- mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
- */
- /* important */
- mwexec('/bin/chmod 660 /var/db/whitelist', true);
- mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true);
- mwexec('/bin/chmod -R 660 /tmp/snort*', true);
- mwexec('/bin/chmod -R 660 /var/run/snort*', true);
- mwexec('/bin/chmod -R 660 /var/snort/run/*', true);
- mwexec('/bin/chmod 770 /usr/local/lib/snort', true);
- mwexec('/bin/chmod 770 /usr/local/etc/snort', true);
- mwexec('/bin/chmod 770 /usr/local/etc/whitelist', true);
- mwexec('/bin/chmod 770 /var/log/snort', true);
- mwexec('/bin/chmod 770 /var/log/snort/run', true);
- mwexec('/bin/chmod 770 /var/log/snort/barnyard2', true);
-
- /* move files around, make it look clean */
- mwexec('/bin/mkdir -p /usr/local/www/snort/css');
- mwexec('/bin/mkdir -p /usr/local/www/snort/images');
-
- chdir ("/usr/local/www/snort/css/");
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/sexybuttons.css');
- chdir("/usr/local/www/snort/images/");
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/arrow_down.png');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/awesome-overlay-sprite.png');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo22.png');
- exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png');
-
- /* remake saved settings */
- if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
- update_status(gettext("Saved settings detected..."));
- update_output_window(gettext("Please wait... rebuilding files..."));
- sync_snort_package_config();
- update_output_window(gettext("Finnished Rebuilding files..."));
- }
-}
-
-function snort_Getdirsize($node) {
- if(!is_readable($node))
- return false;
-
- $blah = exec( "/usr/bin/du -kd $node" );
- return substr( $blah, 0, strpos($blah, 9) );
-}
-
-/* func for log dir size limit cron */
-function snort_snortloglimit_install_cron($should_install) {
- global $config, $g;
-
- if (!is_array($config['cron']['item']))
- $config['cron']['item'] = array();
-
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) {
- $is_installed = true;
- break;
- }
- $x++;
- }
-
- switch($should_install) {
- case true:
- if(!$is_installed) {
-
- $cron_item = array();
- $cron_item['minute'] = "*/5";
- $cron_item['hour'] = "*";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc";
- $config['cron']['item'][] = $cron_item;
- }
- break;
- case false:
- if($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
-}
-
-/* func for updating cron */
-function snort_rm_blocked_install_cron($should_install) {
- global $config, $g;
-
- if (!is_array($config['cron']['item']))
- $config['cron']['item'] = array();
-
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort2c")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
-
- $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked'];
- if ($snort_rm_blocked_info_ck == "1h_b") {
- $snort_rm_blocked_min = "*/5";
- $snort_rm_blocked_hr = "*";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "3600";
- }
- if ($snort_rm_blocked_info_ck == "3h_b") {
- $snort_rm_blocked_min = "*/15";
- $snort_rm_blocked_hr = "*";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "10800";
- }
- if ($snort_rm_blocked_info_ck == "6h_b") {
- $snort_rm_blocked_min = "*/30";
- $snort_rm_blocked_hr = "*";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "21600";
- }
- if ($snort_rm_blocked_info_ck == "12h_b") {
- $snort_rm_blocked_min = "2";
- $snort_rm_blocked_hr = "*/1";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "43200";
- }
- if ($snort_rm_blocked_info_ck == "1d_b") {
- $snort_rm_blocked_min = "2";
- $snort_rm_blocked_hr = "*/2";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "86400";
- }
- if ($snort_rm_blocked_info_ck == "4d_b") {
- $snort_rm_blocked_min = "2";
- $snort_rm_blocked_hr = "*/8";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "345600";
- }
- if ($snort_rm_blocked_info_ck == "7d_b") {
- $snort_rm_blocked_min = "2";
- $snort_rm_blocked_hr = "*/14";
- $snort_rm_blocked_mday = "*";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "604800";
- }
- if ($snort_rm_blocked_info_ck == "28d_b") {
- $snort_rm_blocked_min = "2";
- $snort_rm_blocked_hr = "0";
- $snort_rm_blocked_mday = "*/2";
- $snort_rm_blocked_month = "*";
- $snort_rm_blocked_wday = "*";
- $snort_rm_blocked_expire = "2419200";
- }
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rm_blocked_min";
- $cron_item['hour'] = "$snort_rm_blocked_hr";
- $cron_item['mday'] = "$snort_rm_blocked_mday";
- $cron_item['month'] = "$snort_rm_blocked_month";
- $cron_item['wday'] = "$snort_rm_blocked_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
- $config['cron']['item'][] = $cron_item;
- }
- break;
- case false:
- if ($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
-}
-
-/* func to install snort update */
-function snort_rules_up_install_cron($should_install) {
- global $config, $g;
-
- if(!$config['cron']['item'])
- $config['cron']['item'] = array();
-
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7'];
- if ($snort_rules_up_info_ck == "6h_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "*/6";
- $snort_rules_up_mday = "*";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "12h_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "*/12";
- $snort_rules_up_mday = "*";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "1d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
- $snort_rules_up_mday = "*/1";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "4d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
- $snort_rules_up_mday = "*/4";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "7d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
- $snort_rules_up_mday = "*/7";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- if ($snort_rules_up_info_ck == "28d_up") {
- $snort_rules_up_min = "3";
- $snort_rules_up_hr = "0";
- $snort_rules_up_mday = "*/28";
- $snort_rules_up_month = "*";
- $snort_rules_up_wday = "*";
- }
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "$snort_rules_up_min";
- $cron_item['hour'] = "$snort_rules_up_hr";
- $cron_item['mday'] = "$snort_rules_up_mday";
- $cron_item['month'] = "$snort_rules_up_month";
- $cron_item['wday'] = "$snort_rules_up_wday";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log";
- $config['cron']['item'][] = $cron_item;
- }
- break;
- case false:
- if($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
-}
-
-/* Only run when all ifaces needed to sync. Expects filesystem rw */
-function sync_snort_package_config()
-{
- global $config, $g;
-
- /* RedDevil suggested code */
- /* TODO: more testing needs to be done */
- /* may cause voip to fail */
- //exec("/sbin/sysctl net.bpf.bufsize=8388608");
- //exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
- //exec("/sbin/sysctl net.bpf.maxinsns=512");
- //exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
-
- conf_mount_rw();
-
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
- conf_mount_ro();
- return;
- }
-
- foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
- $if_real = snort_get_real_interface($value['interface']);
- $snort_uuid = $value['uuid'];
-
- if ($if_real != '' && $snort_uuid != '') {
-
- /* only build whitelist when needed */
- if ($value['blockoffenders7'] == 'on')
- create_snort_whitelist($id, $if_real);
-
- /* only build threshold when needed */
- if ($value['suppresslistname'] != 'default')
- create_snort_suppress($id, $if_real);
-
- /* create snort configuration file */
- create_snort_conf($id, $if_real, $snort_uuid);
-
- /* if rules exist cp rules to each iface */
- create_rules_iface($id, $if_real, $snort_uuid);
-
- /* create barnyard2 configuration file */
- if ($value['barnyard_enable'] == 'on')
- create_barnyard2_conf($id, $if_real, $snort_uuid);
- }
- }
-
- /* create snort bootup file snort.sh only create once */
- create_snort_sh();
-
- /* all new files are for the user snort nologin */
- if (!is_dir("/var/log/snort/snort_{$if_real}{$snort_uuid}"))
- exec("/bin/mkdir -p /var/log/snort/snort_{$if_real}{$snort_uuid}");
-
- if (!is_dir('/var/log/snort/run'))
- exec('/bin/mkdir -p /var/log/snort/run');
-
- if (!is_dir("/var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}"))
- exec("/bin/mkdir -p /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}");
-
- /* XXX: These are needed if snort is run as snort user
- mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
- mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
- mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
- mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
- */
-
- /* important */
- mwexec('/bin/chmod 770 /var/db/whitelist', true);
- mwexec('/bin/chmod 770 /var/run/snort*', true);
- mwexec('/bin/chmod 770 /tmp/snort*', true);
- mwexec('/bin/chmod -R 770 /var/log/snort', true);
- mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true);
- mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true);
-
- conf_mount_ro();
-}
-
-/* Start of main config files */
-
-/* create threshold file */
-function create_snort_suppress($id, $if_real) {
- global $config, $g;
-
- /* make sure dir is there */
- if (!is_dir('/usr/local/etc/snort/suppress'))
- exec('/bin/mkdir -p /usr/local/etc/snort/suppress');
-
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
-
- if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') {
- $whitelist_key_s = find_suppress_key($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname']);
-
- /* file name */
- $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name'];
-
- /* Message */
- $s_data = '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n";
-
- /* user added arguments */
- $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru']));
-
- /* open snort's whitelist for writing */
- @file_put_contents("/usr/local/etc/snort/suppress/$suppress_file_name", $s_data);
- }
-}
-
-function create_snort_whitelist($id, $if_real) {
- global $config, $g;
-
- /* make sure dir is there */
- if (!is_dir('/usr/local/etc/snort/whitelist'))
- exec('/bin/mkdir -p /usr/local/etc/snort/whitelist');
-
- if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') {
-
- $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
-
- /* open snort's whitelist for writing */
- @file_put_contents("/usr/local/etc/snort/whitelist/defaultwlist", $w_data);
-
- } else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'])) {
- $whitelist_key_w = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname']);
-
- if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
- return;
-
- $whitelist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w];
- $w_data = build_base_whitelist($whitelist['snortlisttype'], $whitelist['wanips'], $whitelist['wangateips'],
- $whitelist['wandnsips'], $whitelist['vips'], $whitelist['vpnips'], $whitelist_key_w);
-
- /* open snort's whitelist for writing */
- @file_put_contents("/usr/local/etc/snort/whitelist/" . $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $w_data);
- }
-}
-
-function create_snort_homenet($id, $if_real) {
- global $config, $g;
-
- if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '')
- return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
- else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'])) {
- $whitelist_key_h = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['homelistname']);
-
- if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
- return;
-
- $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype'];
- $wanip_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips'];
- $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips'];
- $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips'];
- $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips'];
- $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips'];
-
- return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h);
- }
-}
-
-function create_snort_externalnet($id, $if_real) {
- global $config, $g;
-
- if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'])) {
- $whitelist_key_ex = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['externallistname']);
-
- if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
- return;
-
- $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype'];
- $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips'];
- $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips'];
- $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips'];
- $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips'];
- $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips'];
-
- return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex);
- }
-}
-
-/* open snort.sh for writing" */
-function create_snort_sh()
-{
- global $config, $g;
-
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
-
- $snortconf =& $config['installedpackages']['snortglobal']['rule'];
-
- $snort_sh_text3 = array();
- $snort_sh_text4 = array();
-
- /* do not start config build if rules is empty */
- if (!empty($snortconf)) {
- foreach ($snortconf as $value) {
- $snort_uuid = $value['uuid'];
- $result_lan = $value['interface'];
- $if_real = snort_get_real_interface($result_lan);
-
- /* define snortbarnyardlog_chk */
- $snortbarnyardlog_info_chk = $value['barnyard_enable'];
- $snortbarnyardlog_mysql_info_chk = $value['barnyard_mysql'];
-
- if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '')
- $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q";
-
- $snort_sh_text3[] = <<<EOE
-
-###### For Each Iface
-
-#### Fake start only used on bootup and Pfsense IP changes
-#### Only try to restart if snort is running on Iface
-if [ "`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`" != "" ]; then
- snort_pid=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart"
-
- #### Restart Iface
- /bin/kill -HUP \${snort_pid}
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..."
-else
- # Start snort and barnyard2
- /bin/echo "snort.sh run" > /tmp/snort.sh.pid
- /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
-
- /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
- $start_barnyard2
-
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..."
-fi
-
-EOE;
-
- $snort_sh_text4[] = <<<EOF
-
-pid_s=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
-sleep 3
-pid_b=`/bin/ps -ax | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'`
-if [ \${pid_s} ] ; then
-
- /bin/echo "snort.sh run" > /tmp/snort.sh.pid
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..."
-
- /bin/kill \${pid_s}
- sleep 3
- /bin/kill \${pid_b}
-
- /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid
-fi
-
-EOF;
- }
- }
-
-
- $start_snort_iface_start = implode("\n\n", $snort_sh_text3);
- $start_snort_iface_stop = implode("\n\n", $snort_sh_text4);
-
- $snort_sh_text = <<<EOD
-#!/bin/sh
-########
-# This file was automatically generated
-# by the pfSense service handler.
-# Code added to protect from double starts on pfSense bootup
-######## Begining of Main snort.sh
-
-rc_start() {
-
- /bin/echo "snort.sh run" > /tmp/snort.sh.pid
- $start_snort_iface_start
- /bin/rm /tmp/snort.sh.pid
-}
-
-rc_stop() {
-
- $start_snort_iface_stop
- /bin/rm /tmp/snort.sh.pid
- /bin/rm /var/run/snort*
-
-}
-
-case $1 in
- start)
- rc_start
- ;;
- stop)
- rc_stop
- ;;
- restart)
- rc_start
- ;;
-esac
-
-EOD;
-
- /* write out snort.sh */
- $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w");
- if(!$bconf) {
- log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing.");
- return;
- }
- fwrite($bconf, $snort_sh_text);
- fclose($bconf);
- @chmod("/usr/local/etc/rc.d/snort.sh", 0755);
-}
-
-/* if rules exist copy to new interfaces */
-function create_rules_iface($id, $if_real, $snort_uuid)
-{
- global $config, $g;
-
- $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}";
- $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full';
-
- if ($folder_chk == "empty") {
- if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"))
- exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules");
- exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules");
- if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
- exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");
- }
-}
-
-/* open barnyard2.conf for writing */
-function create_barnyard2_conf($id, $if_real, $snort_uuid) {
- global $config, $g;
-
- if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"))
- exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
-
- if (!file_exists("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo")) {
- mwexec("/usr/bin/touch /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true);
- /* XXX: This is needed if snort is run as snort user */
- //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
- mwexec("/bin/chmod 770 /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo", true);
- }
-
- $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid);
-
- /* write out barnyard2_conf */
- $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
- if(!$bconf) {
- log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing.");
- return;
- }
- fwrite($bconf, $barnyard2_conf_text);
- fclose($bconf);
-}
-
-/* open barnyard2.conf for writing" */
-function generate_barnyard2_conf($id, $if_real, $snort_uuid) {
- global $config, $g;
-
- /* define snortbarnyardlog */
- /* TODO: add support for the other 5 output plugins */
-
- $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql'];
- $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname");
- /* user add arguments */
- $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru']));
-
- $barnyard2_conf_text = <<<EOD
-
-# barnyard2.conf
-# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php
-#
-# set the appropriate paths to the file(s) your Snort process is using
-
-config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
-config classification_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
-config gen_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map
-config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map
-
-config hostname: $snortbarnyardlog_hostname_info_chk
-config interface: {$snort_uuid}_{$if_real}
-config decode_data_link
-config waldo_file: /var/log/snort/barnyard2/snort_{$if_real}{$snort_uuid}/{$snort_uuid}_{$if_real}.waldo
-
-## START user pass through ##
-
- {$snortbarnyardlog_config_pass_thru}
-
-## END user pass through ##
-
-# Step 2: setup the input plugins
-input unified2
-
-config logdir: /var/log/snort/snort_{$if_real}{$snort_uuid}
-
-# database: log to a variety of databases
-# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx
-
- $snortbarnyardlog_database_info_chk
-
-EOD;
-
- return $barnyard2_conf_text;
-}
-
-function create_snort_conf($id, $if_real, $snort_uuid)
-{
- global $config, $g;
-
- if (!empty($if_real)&& !empty($snort_uuid)) {
- if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")) {
- exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
- @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf");
- }
-
- $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid);
- if (empty($snort_conf_text))
- return;
-
- /* write out snort.conf */
- $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w");
- if(!$conf) {
- log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing.");
- return -1;
- }
- fwrite($conf, $snort_conf_text);
- fclose($conf);
- }
-}
-
-function snort_deinstall() {
- global $config, $g;
-
- /* remove custom sysctl */
- remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480");
-
- /* decrease bpf buffers back to 4096, from 20480 */
- exec('/sbin/sysctl net.bpf.bufsize=4096');
- mwexec('/usr/bin/killall snort', true);
- sleep(2);
- mwexec('/usr/bin/killall -9 snort', true);
- sleep(2);
- mwexec('/usr/bin/killall barnyard2', true);
- sleep(2);
- mwexec('/usr/bin/killall -9 barnyard2', true);
- sleep(2);
- mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
- mwexec('/bin/rm -rf /usr/local/etc/snort*; /bin/rm -rf /usr/local/pkg/snort*', true);
- mwexec('/bin/rm -r /usr/local/bin/barnyard2', true);
- mwexec('/bin/rm -rf /usr/local/www/snort; /bin/rm -rf /var/log/snort; /bin/rm -rf /usr/local/lib/snort', true);
-
- /* Remove snort cron entries Ugly code needs smoothness*/
- if (!function_exists('snort_deinstall_cron')) {
- function snort_deinstall_cron($crontask) {
- global $config, $g;
-
- if(!is_array($config['cron']['item']))
- return;
-
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], $crontask)) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- if ($is_installed == true)
- unset($config['cron']['item'][$x]);
- }
- }
-
- snort_deinstall_cron("snort2c");
- snort_deinstall_cron("snort_check_for_rule_updates.php");
- snort_deinstall_cron("/usr/local/pkg/snort/snort_check_cron_misc.inc");
- configure_cron();
-
- /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */
- /* Keep this as a last step */
- if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on')
- unset($config['installedpackages']['snortglobal']);
-}
-
-function generate_snort_conf($id, $if_real, $snort_uuid)
-{
- global $config, $g, $snort_pfsense_basever;
-
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
-
- $snortcfg =& $config['installedpackages']['snortglobal']['rule'][$id];
-
- /* custom home nets */
- $home_net = create_snort_homenet($id, $if_real);
-
- if ($snortcfg['externallistname'] == 'default')
- $external_net = '!$HOME_NET';
- else
- $external_net = create_snort_externalnet($id, $if_real);
-
- /* obtain external interface */
- /* XXX: make multi wan friendly */
- $snort_ext_int = $snortcfg['interface'];
-
- /* user added arguments */
- $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru']));
-
- /* create basic files */
- if (!is_dir("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}"))
- exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
-
- exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map");
- exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config");
- exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config");
- exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map");
- exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map");
- exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf");
- exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
-
- if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"))
- exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules");
-
- /* define basic log filename */
- $snortunifiedlogbasic_type = "output unified: filename snort_{$snort_uuid}_{$if_real}.log, limit 128";
-
- /* define snortalertlogtype */
- if ($config['installedpackages']['snortglobal']['snortalertlogtype'] == "fast")
- $snortalertlogtype_type = "output alert_fast: alert_{$snort_uuid}";
- else
- $snortalertlogtype_type = "output alert_full: alert_{$snort_uuid}";
-
- /* define alertsystemlog */
- $alertsystemlog_type = "";
- if ($snortcfg['alertsystemlog'] == "on")
- $alertsystemlog_type = "output alert_syslog: log_alert";
-
- /* define tcpdumplog */
- $tcpdumplog_type = "";
- if ($snortcfg['tcpdumplog'] == "on")
- $tcpdumplog_type = "output log_tcpdump: snort_{$snort_uuid}_{$if_real}.tcpdump";
-
- /* define snortunifiedlog */
- $snortunifiedlog_type = "";
- if ($snortcfg['snortunifiedlog'] == "on")
- $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128";
-
- /* define spoink */
- $spoink_type = "";
- if ($snortcfg['blockoffenders7'] == "on") {
- if ($snortcfg['whitelistname'] == "default")
- $spoink_whitelist_name = 'defaultwlist';
- else if (file_exists("/usr/local/etc/snort/whitelist/{$snortcfg['whitelistname']}"))
- $spoink_whitelist_name = $snortcfg['whitelistname'];
-
- $pfkill = "";
- if ($snortcfg['blockoffenderskill'] == "on")
- $pfkill = "kill";
-
- $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
- }
-
- /* define threshold file */
- $threshold_file_name = "";
- if ($snortcfg['suppresslistname'] != 'default') {
- if (file_exists("/usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}"))
- $threshold_file_name = "include /usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}";
- }
-
- /* define servers and ports snortdefservers */
- /* def DNS_SERVSERS */
- $def_dns_servers_info_chk = $snortcfg['def_dns_servers'];
- if ($def_dns_servers_info_chk == "")
- $def_dns_servers_type = "\$HOME_NET";
- else
- $def_dns_servers_type = "$def_dns_servers_info_chk";
-
- /* def DNS_PORTS */
- $def_dns_ports_info_chk = $snortcfg['def_dns_ports'];
- if ($def_dns_ports_info_chk == "")
- $def_dns_ports_type = "53";
- else
- $def_dns_ports_type = "$def_dns_ports_info_chk";
-
- /* def SMTP_SERVSERS */
- $def_smtp_servers_info_chk = $snortcfg['def_smtp_servers'];
- if ($def_smtp_servers_info_chk == "")
- $def_smtp_servers_type = "\$HOME_NET";
- else
- $def_smtp_servers_type = "$def_smtp_servers_info_chk";
-
- /* def SMTP_PORTS */
- $def_smtp_ports_info_chk = $snortcfg['def_smtp_ports'];
- if ($def_smtp_ports_info_chk == "")
- $def_smtp_ports_type = "25";
- else
- $def_smtp_ports_type = "$def_smtp_ports_info_chk";
-
- /* def MAIL_PORTS */
- $def_mail_ports_info_chk = $snortcfg['def_mail_ports'];
- if ($def_mail_ports_info_chk == "")
- $def_mail_ports_type = "25,143,465,691";
- else
- $def_mail_ports_type = "$def_mail_ports_info_chk";
-
- /* def HTTP_SERVSERS */
- $def_http_servers_info_chk = $snortcfg['def_http_servers'];
- if ($def_http_servers_info_chk == "")
- $def_http_servers_type = "\$HOME_NET";
- else
- $def_http_servers_type = "$def_http_servers_info_chk";
-
- /* def WWW_SERVSERS */
- $def_www_servers_info_chk = $snortcfg['def_www_servers'];
- if ($def_www_servers_info_chk == "")
- $def_www_servers_type = "\$HOME_NET";
- else
- $def_www_servers_type = "$def_www_servers_info_chk";
-
- /* def HTTP_PORTS */
- $def_http_ports_info_chk = $snortcfg['def_http_ports'];
- if ($def_http_ports_info_chk == "")
- $def_http_ports_type = "80";
- else
- $def_http_ports_type = "$def_http_ports_info_chk";
-
- /* def SQL_SERVSERS */
- $def_sql_servers_info_chk = $snortcfg['def_sql_servers'];
- if ($def_sql_servers_info_chk == "")
- $def_sql_servers_type = "\$HOME_NET";
- else
- $def_sql_servers_type = "$def_sql_servers_info_chk";
-
- /* def ORACLE_PORTS */
- $def_oracle_ports_info_chk = $snortcfg['def_oracle_ports'];
- if ($def_oracle_ports_info_chk == "")
- $def_oracle_ports_type = "1521";
- else
- $def_oracle_ports_type = "$def_oracle_ports_info_chk";
-
- /* def MSSQL_PORTS */
- $def_mssql_ports_info_chk = $snortcfg['def_mssql_ports'];
- if ($def_mssql_ports_info_chk == "")
- $def_mssql_ports_type = "1433";
- else
- $def_mssql_ports_type = "$def_mssql_ports_info_chk";
-
- /* def TELNET_SERVSERS */
- $def_telnet_servers_info_chk = $snortcfg['def_telnet_servers'];
- if ($def_telnet_servers_info_chk == "")
- $def_telnet_servers_type = "\$HOME_NET";
- else
- $def_telnet_servers_type = "$def_telnet_servers_info_chk";
-
- /* def TELNET_PORTS */
- $def_telnet_ports_info_chk = $snortcfg['def_telnet_ports'];
- if ($def_telnet_ports_info_chk == "")
- $def_telnet_ports_type = "23";
- else
- $def_telnet_ports_type = "$def_telnet_ports_info_chk";
-
- /* def SNMP_SERVSERS */
- $def_snmp_servers_info_chk = $snortcfg['def_snmp_servers'];
- if ($def_snmp_servers_info_chk == "")
- $def_snmp_servers_type = "\$HOME_NET";
- else
- $def_snmp_servers_type = "$def_snmp_servers_info_chk";
-
- /* def SNMP_PORTS */
- $def_snmp_ports_info_chk = $snortcfg['def_snmp_ports'];
- if ($def_snmp_ports_info_chk == "")
- $def_snmp_ports_type = "161";
- else
- $def_snmp_ports_type = "$def_snmp_ports_info_chk";
-
- /* def FTP_SERVSERS */
- $def_ftp_servers_info_chk = $snortcfg['def_ftp_servers'];
- if ($def_ftp_servers_info_chk == "")
- $def_ftp_servers_type = "\$HOME_NET";
- else
- $def_ftp_servers_type = "$def_ftp_servers_info_chk";
-
- /* def FTP_PORTS */
- $def_ftp_ports_info_chk = $snortcfg['def_ftp_ports'];
- if ($def_ftp_ports_info_chk == "")
- $def_ftp_ports_type = "21";
- else
- $def_ftp_ports_type = "$def_ftp_ports_info_chk";
-
- /* def SSH_SERVSERS */
- $def_ssh_servers_info_chk = $snortcfg['def_ssh_servers'];
- if ($def_ssh_servers_info_chk == "")
- $def_ssh_servers_type = "\$HOME_NET";
- else
- $def_ssh_servers_type = "$def_ssh_servers_info_chk";
-
- /* if user has defined a custom ssh port, use it */
- if(isset($config['system']['ssh']['port']))
- $ssh_port = $config['system']['ssh']['port'];
- else
- $ssh_port = "22";
-
- /* def SSH_PORTS */
- $def_ssh_ports_info_chk = $snortcfg['def_ssh_ports'];
- if ($def_ssh_ports_info_chk == "")
- $def_ssh_ports_type = "{$ssh_port}";
- else
- $def_ssh_ports_type = "$def_ssh_ports_info_chk";
-
- /* def POP_SERVSERS */
- $def_pop_servers_info_chk = $snortcfg['def_pop_servers'];
- if ($def_pop_servers_info_chk == "")
- $def_pop_servers_type = "\$HOME_NET";
- else
- $def_pop_servers_type = "$def_pop_servers_info_chk";
-
- /* def POP2_PORTS */
- $def_pop2_ports_info_chk = $snortcfg['def_pop2_ports'];
- if ($def_pop2_ports_info_chk == "")
- $def_pop2_ports_type = "109";
- else
- $def_pop2_ports_type = "$def_pop2_ports_info_chk";
-
- /* def POP3_PORTS */
- $def_pop3_ports_info_chk = $snortcfg['def_pop3_ports'];
- if ($def_pop3_ports_info_chk == "")
- $def_pop3_ports_type = "110";
- else
- $def_pop3_ports_type = "$def_pop3_ports_info_chk";
-
- /* def IMAP_SERVSERS */
- $def_imap_servers_info_chk = $snortcfg['def_imap_servers'];
- if ($def_imap_servers_info_chk == "")
- $def_imap_servers_type = "\$HOME_NET";
- else
- $def_imap_servers_type = "$def_imap_servers_info_chk";
-
- /* def IMAP_PORTS */
- $def_imap_ports_info_chk = $snortcfg['def_imap_ports'];
- if ($def_imap_ports_info_chk == "")
- $def_imap_ports_type = "143";
- else
- $def_imap_ports_type = "$def_imap_ports_info_chk";
-
- /* def SIP_PROXY_IP */
- $def_sip_proxy_ip_info_chk = $snortcfg['def_sip_proxy_ip'];
- if ($def_sip_proxy_ip_info_chk == "")
- $def_sip_proxy_ip_type = "\$HOME_NET";
- else
- $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk";
-
- /* def SIP_PROXY_PORTS */
- $def_sip_proxy_ports_info_chk = $snortcfg['def_sip_proxy_ports'];
- if ($def_sip_proxy_ports_info_chk == "")
- $def_sip_proxy_ports_type = "5060:5090,16384:32768";
- else
- $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk";
-
- /* def SIP_SERVERS */
- $def_sip_servers_info_chk = $snortcfg['def_sip_servers'];
- if ($def_sip_servers_info_chk == "")
- $def_sip_servers_type = "\$HOME_NET";
- else
- $def_sip_servers_type = "$def_sip_servers_info_chk";
-
- /* def SIP_PORTS */
- $def_sip_ports_info_chk = $snortcfg['def_sip_ports'];
- if ($def_sip_ports_info_chk == "")
- $def_sip_ports_type = "5060:5090,16384:32768";
- else
- $def_sip_ports_type = "$def_sip_ports_info_chk";
-
- /* def AUTH_PORTS */
- $def_auth_ports_info_chk = $snortcfg['def_auth_ports'];
- if ($def_auth_ports_info_chk == "")
- $def_auth_ports_type = "113";
- else
- $def_auth_ports_type = "$def_auth_ports_info_chk";
-
- /* def FINGER_PORTS */
- $def_finger_ports_info_chk = $snortcfg['def_finger_ports'];
- if ($def_finger_ports_info_chk == "")
- $def_finger_ports_type = "79";
- else
- $def_finger_ports_type = "$def_finger_ports_info_chk";
-
- /* def IRC_PORTS */
- $def_irc_ports_info_chk = $snortcfg['def_irc_ports'];
- if ($def_irc_ports_info_chk == "")
- $def_irc_ports_type = "6665,6666,6667,6668,6669,7000";
- else
- $def_irc_ports_type = "$def_irc_ports_info_chk";
-
- /* def NNTP_PORTS */
- $def_nntp_ports_info_chk = $snortcfg['def_nntp_ports'];
- if ($def_nntp_ports_info_chk == "")
- $def_nntp_ports_type = "119";
- else
- $def_nntp_ports_type = "$def_nntp_ports_info_chk";
-
- /* def RLOGIN_PORTS */
- $def_rlogin_ports_info_chk = $snortcfg['def_rlogin_ports'];
- if ($def_rlogin_ports_info_chk == "")
- $def_rlogin_ports_type = "513";
- else
- $def_rlogin_ports_type = "$def_rlogin_ports_info_chk";
-
- /* def RSH_PORTS */
- $def_rsh_ports_info_chk = $snortcfg['def_rsh_ports'];
- if ($def_rsh_ports_info_chk == "")
- $def_rsh_ports_type = "514";
- else
- $def_rsh_ports_type = "$def_rsh_ports_info_chk";
-
- /* def SSL_PORTS */
- $def_ssl_ports_info_chk = $snortcfg['def_ssl_ports'];
- if ($def_ssl_ports_info_chk == "")
- $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995";
- else
- $def_ssl_ports_type = "$def_ssl_ports_info_chk";
-
- /* if user is on pppoe, we really want to use ng0 interface */
- if ($snort_pfsense_basever == 'yes' && $snort_ext_int == "wan")
- $snort_ext_int = get_real_wan_interface();
-
- /* set the snort performance model */
- if($snortcfg['performance'])
- $snort_performance = $snortcfg['performance'];
- else
- $snort_performance = "ac-bnfa";
-
-
- /* generate rule sections to load */
- $enabled_rulesets = $snortcfg['rulesets'];
- $selected_rules_sections = "";
- if (!empty($enabled_rulesets)) {
- $enabled_rulesets_array = split("\|\|", $enabled_rulesets);
- foreach($enabled_rulesets_array as $enabled_item)
- $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
- }
-
- /////////////////////////////
-
- /* preprocessor code */
-
- /* def perform_stat */
- $snort_perform_stat = <<<EOD
-
-##########################
- #
-# NEW #
-# Performance Statistics #
- #
-##########################
-
-preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$if_real}{$snort_uuid}/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000
-
-EOD;
-
- $def_perform_stat_info_chk = $snortcfg['perform_stat'];
- if ($def_perform_stat_info_chk == "on")
- $def_perform_stat_type = "$snort_perform_stat";
- else
- $def_perform_stat_type = "";
-
- $def_flow_depth_info_chk = $snortcfg['flow_depth'];
- if (empty($def_flow_depth_info_chk))
- $def_flow_depth_type = '0';
- else
- $def_flow_depth_type = $snortcfg['flow_depth'];
-
- /* def http_inspect */
- $snort_http_inspect = <<<EOD
-
-#################
- #
-# HTTP Inspect #
- #
-#################
-
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
-
-# TODO: pfsense GUI needed for ports
-preprocessor http_inspect_server: server default \
- http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
- ports { 80 8080 } \
- non_strict \
- non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
- flow_depth {$def_flow_depth_type} \
- apache_whitespace no \
- directory no \
- iis_backslash no \
- u_encode yes \
- extended_response_inspection \
- inspect_gzip \
- normalize_utf \
- unlimited_decompress \
- ascii no \
- chunk_length 500000 \
- bare_byte yes \
- double_decode yes \
- iis_unicode no \
- iis_delimiter no \
- multi_slash no \
- server_flow_depth 0 \
- client_flow_depth 0 \
- post_depth 65495 \
- oversize_dir_length 500 \
- max_header_length 750 \
- max_headers 100 \
- max_spaces 0 \
- small_chunk_length { 10 5 } \
- enable_cookie \
- normalize_javascript \
- utf_8 no \
- webroot no
-
-EOD;
-
- $def_http_inspect_info_chk = $snortcfg['http_inspect'];
- if ($def_http_inspect_info_chk == "on")
- $def_http_inspect_type = "$snort_http_inspect";
- else
- $def_http_inspect_type = "";
-
- /* def other_preprocs */
- $snort_other_preprocs = <<<EOD
-
-##################
- #
-# Other preprocs #
- #
-##################
-
-preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
-preprocessor bo
-
-EOD;
-
- $def_other_preprocs_info_chk = $snortcfg['other_preprocs'];
- if ($def_other_preprocs_info_chk == "on")
- $def_other_preprocs_type = "$snort_other_preprocs";
- else
- $def_other_preprocs_type = "";
-
- /* def ftp_preprocessor */
- $snort_ftp_preprocessor = <<<EOD
-
-#####################
- #
-# ftp preprocessor #
- #
-#####################
-
-preprocessor ftp_telnet: global \
- inspection_type stateful \
- encrypted_traffic no
-
-preprocessor ftp_telnet_protocol: telnet \
- normalize \
- ayt_attack_thresh 200 \
- detect_anomalies
-
-preprocessor ftp_telnet_protocol: \
- ftp server default \
- def_max_param_len 100 \
- # TODO add pfsense GUI
- ports { 21 } \
- telnet_cmds yes \
- ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
- ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
- ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
- ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
- ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
- ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
- ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
- ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
- ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
- ftp_cmds { XSEN XSHA1 XSHA256 } \
- alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
- alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
- alt_max_param_len 256 { CWD RNTO } \
- alt_max_param_len 400 { PORT } \
- alt_max_param_len 512 { SIZE } \
- chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
- chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
- chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
- chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
- chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
- chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
- chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
- chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
- cmd_validity ALLO < int [ char R int ] > \
- cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
- cmd_validity MACB < string > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity PORT < host_port > \
- cmd_validity PROT < char CSEP > \
- cmd_validity STRU < char FRPO [ string ] > \
- cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
-
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- telnet_cmds yes
-
-EOD;
-
- $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor'];
- if ($def_ftp_preprocessor_info_chk == "on")
- $def_ftp_preprocessor_type = "$snort_ftp_preprocessor";
- else
- $def_ftp_preprocessor_type = "";
-
- /* def smtp_preprocessor */
- $snort_smtp_preprocessor = <<<EOD
-
-#####################
- #
-# SMTP preprocessor #
- #
-#####################
-
-# TODO add pfsense GUI
-preprocessor SMTP: ports { 25 465 691 } \
- inspection_type stateful \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0 \
- log_mailfrom \
- log_rcptto \
- log_filename \
- log_email_hdrs \
- normalize cmds \
- normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
- normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
- normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
- normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- max_command_line_len 512 \
- max_header_line_len 1000 \
- max_response_line_len 512 \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
- alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
- alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
- valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
- valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
- valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- xlink2state { enabled }
-
-EOD;
-
- $def_smtp_preprocessor_info_chk = $snortcfg['smtp_preprocessor'];
- if ($def_smtp_preprocessor_info_chk == "on")
- $def_smtp_preprocessor_type = "$snort_smtp_preprocessor";
- else
- $def_smtp_preprocessor_type = "";
-
- /* def sf_portscan */
- $snort_sf_portscan = <<<EOD
-
-################
- #
-# sf Portscan #
- #
-################
-
-preprocessor sfportscan: scan_type { all } \
- proto { all } \
- memcap { 10000000 } \
- sense_level { medium } \
- ignore_scanners { \$HOME_NET }
-
-EOD;
-
- $def_sf_portscan_info_chk = $snortcfg['sf_portscan'];
- if ($def_sf_portscan_info_chk == "on")
- $def_sf_portscan_type = "$snort_sf_portscan";
- else
- $def_sf_portscan_type = "";
-
- /* def dce_rpc_2 */
- $snort_dce_rpc_2 = <<<EOD
-
-###############
- #
-# NEW #
-# DCE/RPC 2 #
- #
-###############
-
-preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
-preprocessor dcerpc2_server: default, policy WinXP, \
- detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
- autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
- smb_max_chain 3, \
- smb_invalid_shares ["C$", "D$", "ADMIN$"]
-
-EOD;
-
- $def_dce_rpc_2_info_chk = $snortcfg['dce_rpc_2'];
- if ($def_dce_rpc_2_info_chk == "on")
- $def_dce_rpc_2_type = "$snort_dce_rpc_2";
- else
- $def_dce_rpc_2_type = "";
-
- /* def dns_preprocessor */
- $snort_dns_preprocessor = <<<EOD
-
-####################
- #
-# DNS preprocessor #
- #
-####################
-
-# TODO add pfsense GUI
-preprocessor dns: \
- ports { 53 } \
- enable_rdata_overflow
-
-EOD;
-
- $def_dns_preprocessor_info_chk = $snortcfg['dns_preprocessor'];
- if ($def_dns_preprocessor_info_chk == "on")
- $def_dns_preprocessor_type = "$snort_dns_preprocessor";
- else
- $def_dns_preprocessor_type = "";
-
- /* def SSL_PORTS IGNORE */
- $def_ssl_ports_ignore_info_chk = $snortcfg['def_ssl_ports_ignore'];
- if ($def_ssl_ports_ignore_info_chk == "")
- $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995";
- else
- $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk";
-
- /* stream5 queued settings */
-
-
- $def_max_queued_bytes_info_chk = $snortcfg['max_queued_bytes'];
- if ($def_max_queued_bytes_info_chk == '')
- $def_max_queued_bytes_type = '';
- else
- $def_max_queued_bytes_type = ' max_queued_bytes ' . $snortcfg['max_queued_bytes'] . ',';
-
- $def_max_queued_segs_info_chk = $snortcfg['max_queued_segs'];
- if ($def_max_queued_segs_info_chk == '')
- $def_max_queued_segs_type = '';
- else
- $def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ',';
-
- $snort_preprocessor_decoder_rules = "";
- if (file_exists("/usr/local/etc/snort/preproc_rules/preprocessor.rules"))
- $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- if (file_exists("/usr/local/etc/snort/preproc_rules/decoder.rules"))
- $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
-
- /* build snort configuration file */
- $snort_conf_text = <<<EOD
-
-##############################################################################
-# #
-# snort configuration file generated by the pfSense package manager system #
-# see /usr/local/pkg/snort.inc # #
-# for snort ver. 2.9.2.3 #
-# more information Snort can be found at http://www.snort.org/ #
-# #
-##############################################################################
-
-#########################
- #
-# Define Local Network #
- #
-#########################
-
-# TODO: bug, auto gen is adding extra 127.0.0.1
-ipvar HOME_NET {$home_net}
-ipvar EXTERNAL_NET {$external_net}
-
-###################
- #
-# Define Servers #
- #
-###################
-
-ipvar DNS_SERVERS [{$def_dns_servers_type}]
-ipvar SMTP_SERVERS [{$def_smtp_servers_type}]
-ipvar HTTP_SERVERS [{$def_http_servers_type}]
-ipvar SQL_SERVERS [{$def_sql_servers_type}]
-ipvar TELNET_SERVERS [{$def_telnet_servers_type}]
-ipvar FTP_SERVERS [{$def_ftp_servers_type}]
-ipvar SSH_SERVERS [{$def_ssh_servers_type}]
-ipvar SIP_PROXY_IP [{$def_sip_proxy_ip_type}]
-ipvar SIP_SERVERS [{$def_sip_servers_type}]
-ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
-# def below may have been removed
-ipvar POP_SERVERS [{$def_pop_servers_type}]
-ipvar IMAP_SERVERS [{$def_imap_servers_type}]
-ipvar RPC_SERVERS [\$HOME_NET]
-ipvar WWW_SERVERS [{$def_www_servers_type}]
-ipvar SNMP_SERVERS [{$def_snmp_servers_type}]
-
-
-########################
- #
-# Define Server Ports #
- #
-########################
-
-portvar HTTP_PORTS [{$def_http_ports_type}]
-portvar SHELLCODE_PORTS !80
-portvar ORACLE_PORTS [{$def_oracle_ports_type}]
-portvar FTP_PORTS [{$def_ftp_ports_type}]
-portvar SSH_PORTS [{$def_ssh_ports_type}]
-portvar SIP_PORTS [{$def_sip_ports_type}]
-### Below ports need new gui ###
-portvar FILE_DATA_PORTS [\$HTTP_PORTS,110,143]
-portvar GTP_PORTS [2123,2152,3386]
-portvar MODBUS_PORTS [502]
-portvar DNP3_PORTS [20000]
-# These ports may have been removed left here so no custom rules break
-portvar AUTH_PORTS [{$def_auth_ports_type}]
-portvar DNS_PORTS [{$def_dns_ports_type}]
-portvar FINGER_PORTS [{$def_finger_ports_type}]
-portvar IMAP_PORTS [{$def_imap_ports_type}]
-portvar IRC_PORTS [{$def_irc_ports_type}]
-portvar MSSQL_PORTS [{$def_mssql_ports_type}]
-portvar NNTP_PORTS [{$def_nntp_ports_type}]
-portvar POP2_PORTS [{$def_pop2_ports_type}]
-portvar POP3_PORTS [{$def_pop3_ports_type}]
-portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
-portvar RLOGIN_PORTS [{$def_rlogin_ports_type}]
-portvar RSH_PORTS [{$def_rsh_ports_type}]
-portvar SMB_PORTS [139,445]
-portvar SMTP_PORTS [{$def_smtp_ports_type}]
-portvar SNMP_PORTS [{$def_snmp_ports_type}]
-portvar TELNET_PORTS [{$def_telnet_ports_type}]
-portvar MAIL_PORTS [{$def_mail_ports_type}]
-portvar SSL_PORTS [{$def_sip_proxy_ports_type}]
-portvar SIP_PROXY_PORTS [{$def_sip_ports_type}]
-
-# These ports may have been removed left here so no custom rules break
-# DCERPC NCACN-IP-TCP
-portvar DCERPC_NCACN_IP_TCP [139,445]
-portvar DCERPC_NCADG_IP_UDP [138,1024:]
-portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
-portvar DCERPC_NCACN_UDP_LONG [135,1024:]
-portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
-portvar DCERPC_NCACN_TCP [2103,2105,2107]
-portvar DCERPC_BRIGHTSTORE [6503,6504]
-
-
-#####################
- #
-# Define Rule Paths #
- #
-#####################
-
-var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules
-var PREPROC_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/preproc_rules
-var SO_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/so_rules
-
-#############################################################
-# #
-# reputation preprocessor, ALWAYS USE FULL PATHS, BUG 89986 #
-# #
-#############################################################
-
-#var WHITE_LIST_PATH ../rules
-#var BLACK_LIST_PATH ../rules
-
-################################
- #
-# Configure the snort decoder #
- #
-################################
-
-config checksum_mode: all
-config disable_decode_alerts
-config disable_tcpopt_experimental_alerts
-config disable_tcpopt_obsolete_alerts
-config disable_ttcp_alerts
-config disable_tcpopt_alerts
-config disable_tcpopt_ttcp_alerts
-config disable_ipopt_alerts
-config disable_decode_drops
-
-################ The following is for inline mode tunning ################
-
-# config enable_decode_oversized_alerts
-# config enable_decode_oversized_drops
-# config flowbits_size: 64
-
-#### make sure I enable gui for this ##########
-# config ignore_ports: tcp 21 6667:6671 1356 #
-# config ignore_ports: udp 1:17 53 #
-###############################################
-
-# Configure active response for non inline
-# config response: eth0 attempts 2
-
-# Configure DAQ related options for inline mode
-#
-# config daq: <type>
-# config daq_dir: <dir>
-# config daq_mode: <mode>
-# config daq_var: <var>
-#
-# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
-# <mode> ::= read-file | passive | inline
-# <var> ::= arbitrary <name>=<value passed to DAQ
-# <dir> ::= path as to where to look for DAQ module so's
-
-## gui needed for pfsense ##
-# config daq: afpacket
-
-#############################################################
-
-########################################
-# Configure specific UID and GID
-# to run snort as after dropping privs
-#
-# config set_gid:
-# config set_uid:
-########################################
-
-########################################
-#
-# Configure default snaplen. Snort
-# defaults to MTU of in use interface
-#
-# config snaplen:
-#
-# TODO: gui needed for pfsense
-#
-########################################
-
-################################################################
-#
-# Configure default bpf_file to use for filtering what traffic
-# reaches snort. options (-F)
-#
-# config bpf_file:
-#
-# TODO: gui needed for pfsense
-#
-###############################################################
-
-#####################################################################
-#
-# Configure default log directory for snort to log to. options (-l)
-#
-# config logdir:
-#
-#####################################################################
-
-###################################
- #
-# Configure the detection engine #
-# Use lower memory models #
- #
-###################################
-
-# TODO: gui needed for pfsense
-# Configure PCRE match limitations
-config pcre_match_limit: 3500
-config pcre_match_limit_recursion: 1500
-
-#############################################################################
-# #
-# Configure the detection engine #
-# Use lower memory models for pfsense #
-# #
-# #
-# Notes #
-# #
-# ac, ac-q, ac-bnfa, ac-bnfa-q, lowmem, lowmem-q #
-# ac-split shorthand for search-method ac, split-any-any, intel-cpm,ac-nq, #
-# ac-bnfa-nq This is the default search method if none is specified. #
-# lowmem-nq, ac-std, acs, ac-banded, ac-sparsebands #
-# #
-#############################################################################
-
-config detection: search-method {$snort_performance} search-optimize max-pattern-len 20
-config event_queue: max_queue 8 log 3 order_events content_length
-
-###################################################
-# Configure GTP if it is to be used
-####################################################
-
-# TODO: gui needed for pfsense
-# config enable_gtp
-
-###################################################
-# Per packet and rule latency enforcement, README.ppm
-###################################################
-
-# Per Packet latency configuration
-#config ppm: max-pkt-time 250, \
-# fastpath-expensive-packets, \
-# pkt-log
-
-# Per Rule latency configuration
-#config ppm: max-rule-time 200, \
-# threshold 3, \
-# suspend-expensive-rules, \
-# suspend-timeout 20, \
-# rule-log alert
-
-###################################################
-# Configure Perf Profiling for debugging, README.PerfProfiling
-###################################################
-
-#config profile_rules: print all, sort avg_ticks
-#config profile_preprocs: print all, sort avg_ticks
-
-###################################################
-# Configure protocol aware flushing. README.stream5
-###################################################
-config paf_max: 16000
-
-##################################################
-# Configure dynamic loaded libraries
-##################################################
-
-dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
-dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
-dynamicdetection directory /usr/local/lib/snort/dynamicrules
-
-###################
- #
-# Flow and stream #
- #
-###################
-
-# TODO: gui needed for pfsense
-# GTP Control Channle Preprocessor, README.GTP
-preprocessor gtp: ports { 2123 3386 2152 }
-
-####################################################
-# Inline packet normalization, README.normalize
-# Does nothing in IDS mode
-#
-# preprocessor normalize_ip4
-# preprocessor normalize_tcp: ips ecn stream
-# preprocessor normalize_icmp4
-# preprocessor normalize_ip6
-# preprocessor normalize_icmp6
-####################################################
-
-# this tuning ,may need testing
-preprocessor frag3_global: max_frags 65536
-preprocessor frag3_engine: policy bsd detect_anomalies
-
-preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5
-
-preprocessor stream5_tcp: policy BSD, ports both all, timeout 180, {$def_max_queued_bytes_type}{$def_max_queued_segs_type}
-preprocessor stream5_udp: timeout 180
-preprocessor stream5_icmp:
-
- {$def_perform_stat_type}
-
- {$def_http_inspect_type}
-
- {$def_other_preprocs_type}
-
- {$def_ftp_preprocessor_type}
-
- {$def_smtp_preprocessor_type}
-
- {$def_sf_portscan_type}
-
-########################
- #
-# ARP spoof detection. #
- #
-########################
-
-# preprocessor arpspoof
-# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-##########################
- #
-# SSH anomaly detection #
- #
-##########################
-
-preprocessor ssh: server_ports { 22 } \
- autodetect \
- max_client_bytes 19600 \
- max_encrypted_packets 20 \
- max_server_version_len 100 \
- enable_respoverflow enable_ssh1crc32 \
- enable_srvoverflow enable_protomismatch
-
-
- {$def_dce_rpc_2_type}
-
- {$def_dns_preprocessor_type}
-
-##############################
- #
-# NEW #
-# Ignore SSL and Encryption #
- #
-##############################
-
-preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted
-
-
-###########################################################
- #
-# SDF sensitive data preprocessor, README.sensitive_data #
- #
-###########################################################
-
-# TODO: add pfsense GUI
-preprocessor sensitive_data: alert_threshold 20
-
-#############################################################
- #
-# SIP Session Initiation Protocol preprocessor, README.sip #
- #
-#############################################################
-
-# TODO: add pfsense GUI
-preprocessor sip: max_sessions 40000, \
- ports { 5060 5061 5600 }, \
- methods { invite \
- cancel \
- ack \
- bye \
- register \
- options \
- refer \
- subscribe \
- update \
- join \
- info \
- message \
- notify \
- benotify \
- do \
- qauth \
- sprack \
- publish \
- service \
- unsubscribe \
- prack }, \
- max_uri_len 512, \
- max_call_id_len 80, \
- max_requestName_len 20, \
- max_from_len 256, \
- max_to_len 256, \
- max_via_len 1024, \
- max_contact_len 512, \
- max_content_len 2048
-
-##################################
- #
-# IMAP preprocessor, README.imap #
- #
-##################################
-
-# TODO: add pfsense GUI
-preprocessor imap: \
- ports { 143 } \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
-
-##################################
- #
-# POP preprocessor, README.pop #
- #
-##################################
-
-# TODO: add pfsense GUI
-preprocessor pop: \
- ports { 110 } \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
-
-#######################################
- #
-# Modbus preprocessor, README.modbus #
-# Used for SCADA #
- #
-#######################################
-
-# TODO: add pfsense GUI
-preprocessor modbus: ports { 502 }
-
-
-###############################################
- #
-# DNP3 preprocessor, EADME.dnp3 #
- #
-###############################################
-
-# TODO: add pfsense GUI
-preprocessor dnp3: ports { 20000 } \
- memcap 262144 \
- check_crc
-
-###############################################
- #
-# Reputation preprocessor, README.reputation #
- #
-###############################################
-
-#preprocessor reputation: \
-# memcap 500, \
-# priority whitelist, \
-# nested_ip inner, \
-# whitelist $WHITE_LIST_PATH/white_list.rules, \
-# blacklist $BLACK_LIST_PATH/black_list.rules
-
-
-#####################
- #
-# Snort Output Logs #
- #
-#####################
-
-$snortunifiedlogbasic_type
-$snortalertlogtype_type
-$alertsystemlog_type
-$tcpdumplog_type
-$snortmysqllog_info_chk
-$snortunifiedlog_type
-$spoink_type
-
-#################
- #
-# Misc Includes #
- #
-#################
-
-include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
-include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
-{$snort_preprocessor_decoder_rules}
-
-$threshold_file_name
-
-# Snort user pass through configuration
-{$snort_config_pass_thru}
-
-###################
- #
-# Rules Selection #
- #
-###################
-
- {$selected_rules_sections}
-
-EOD;
-
- return $snort_conf_text;
-}
-
-/* hide progress bar */
-function hide_progress_bar_status() {
- global $snort_filename, $snort_filename_md5, $console_mode;
-
- ob_flush();
- if(!$console_mode)
- echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>";
-}
-
-/* unhide progress bar */
-function unhide_progress_bar_status() {
- global $snort_filename, $snort_filename_md5, $console_mode;
-
- ob_flush();
- if(!$console_mode)
- echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>";
-}
-
-/* update both top and bottom text box during an operation */
-function update_all_status($status) {
- global $snort_filename, $snort_filename_md5, $console_mode;
-
- ob_flush();
- if(!$console_mode) {
- update_status($status);
- update_output_window($status);
- }
-}
-
-######## new
-
-// returns array that matches pattern, option to replace objects in matches
-function snortScanDirFilter($arrayList, $pattmatch, $pattreplace, $pattreplacewith)
-{
- foreach ( $arrayList as $val )
- {
- if (preg_match($pattmatch, $val, $matches)) {
- if ($pattreplace != '') {
- $matches2 = preg_replace($pattreplace, $pattreplacewith, $matches[0]);
- $filterDirList[] = $matches2;
- }else{
- $filterDirList[] = $matches[0];
- }
- }
- }
- return $filterDirList;
-}
-
-?>
+<?php +/* + snort.inc + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009-2010 Robert Zelaya + Copyright (C) 2011 Ermal Luci + part of pfSense + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("pfsense-utils.inc"); +require_once("config.inc"); +require_once("functions.inc"); + +// Needed on 2.0 because of filter_get_vpns_list() +require_once("filter.inc"); + +/* package version */ +$snort_package_version = 'Snort 2.9.2.3 pkg v. 2.2'; +$snort_rules_file = "snortrules-snapshot-2922.tar.gz"; + +/* Allow additional execution time 0 = no limit. */ +ini_set('max_execution_time', '9999'); +ini_set('max_input_time', '9999'); + +/* define oinkid */ +if ($config['installedpackages']['snortglobal']) + $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +else + $config['installedpackages']['snortglobal'] = array(); + +/* find out if were in 1.2.3-RELEASE */ +if (intval($config['version']) > 6) + $snort_pfsense_basever = 'no'; +else + $snort_pfsense_basever = 'yes'; + +/* find out what arch where in x86 , x64 */ +global $snort_arch; +$snort_arch = 'x86'; +$snort_arch_ck = php_uname("m"); +if ($snort_arch_ck == 'i386') + $snort_arch = 'x86'; +else if ($snort_arch_ck == "amd64") + $snort_arch = 'x64'; +else + $snort_arch = "Unknown"; + +/* tell me my theme */ +$pfsense_theme_is = $config['theme']; + +/* func builds custom white lists */ +function find_whitelist_key($find_wlist_number) { + global $config, $g; + + if (!is_array($config['installedpackages']['snortglobal']['whitelist'])) + $config['installedpackages']['snortglobal']['whitelist'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return 0; /* XXX */ + + foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) { + if ($value['name'] == $find_wlist_number) + return $w_key; + } +} + +/* func builds custom suppress lists */ +function find_suppress_key($find_slist_number) { + global $config, $g; + + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + return 0; /* XXX */ + + foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) { + if ($value['name'] == $find_slist_number) + return $s_key; + } +} + +/* func builds custom whitelests */ +function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) { + global $config, $g, $snort_pfsense_basever; + + /* build an interface array list */ + if (function_exists('get_configured_interface_list')) + $int_array = get_configured_interface_list(); + else { + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(isset($config['interfaces']['opt' . $j]['gateway'])) + $int_array[] = "opt{$j}"; + } + + $home_net = ""; + + /* iterate through interface list and write out whitelist items + * and also compile a home_net list for snort. + */ + foreach ($int_array as $int) { + /* calculate interface subnet information */ + if (function_exists('get_interface_ip')) { + $subnet = get_interface_ip($int); + if (is_ipaddr($subnet)) { + $sn = get_interface_subnet($int); + $home_net .= "{$subnet}/{$sn} "; + } + } else { + $ifcfg = $config['interfaces'][$int]; + switch ($ifcfg['ipaddr']) { + case "pppoe": + case "pptp": + case "l2tp": + if (function_exists('get_interface_ip')) + $subnet = get_interface_ip($int); + else + $subnet = find_interface_ip("ng0"); + + if (is_ipaddr($subnet)) + $home_net .= "{$subnet} "; + break; + case "dhcp": + $subnet = find_interface_ip(snort_get_real_interface($int)); + if (is_ipaddr($subnet)) + $home_net .= "{$subnet} "; + break; + default: + if (is_ipaddr($ifcfg['ipaddr'])) { + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + if ($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + break; + } + } + } + + if ($snort_pfsense_basever == 'yes' && $wanip == 'yes') { + /* add all WAN ips to the whitelist */ + $wan_if = get_real_wan_interface(); + $ip = find_interface_ip($wan_if); + if (is_ipaddr($ip)) + $home_net .= "{$ip} "; + } + + if ($wangw == 'yes') { + /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ + $gw = get_interface_gateway('wan'); + if($gw) + $home_net .= "{$gw} "; + } + + if($wandns == 'yes') { + /* Add DNS server for WAN interface to whitelist */ + $dns_servers = get_dns_servers(); + foreach ($dns_servers as $dns) { + if($dns) + $home_net .= "{$dns} "; + } + } + + if($vips == 'yes') { + /* iterate all vips and add to whitelist */ + if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= "{$vip['subnet']} "; + } + } + + /* Add loopback to whitelist (ftphelper) */ + $home_net .= "127.0.0.1 "; + + /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ + if ($vpns == 'yes') { + if ($snort_pfsense_basever == 'yes') // chk what pfsense version were on + $vpns_list = get_vpns_list(); + else if ($snort_pfsense_basever == 'no') // chk what pfsense version were on + $vpns_list = filter_get_vpns_list(); + + if (!empty($vpns_list)) + $home_net .= "{$vpns_list} "; + } + + /* never ever compair numbers to words */ + if ($userwips > -1) { + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + $config['installedpackages']['snortglobal']['whitelist']['item'] = array(); + + $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address']; + } + + $home_net = trim($home_net); + + /* this foe whitelistfile, convert spaces to carriage returns */ + if ($build_netlist == 'whitelist') { + $whitelist_home_net = str_replace(" ", "\n", $home_net); + $whitelist_home_net = str_replace(" ", "\n", $home_net); + return $whitelist_home_net; + } + + /* this is for snort.conf */ + $validator = explode(" ", $home_net); + $valresult = array(); + foreach ($validator as $vald) { + if (empty($vald)) + continue; + $valresult[] = $vald; + } + $home_net = implode(",", $valresult); + $home_net = "[{$home_net}]"; + + return $home_net; +} + + +/* checks to see if snort is running yes/no and stop/start */ +function Running_Ck($snort_uuid, $if_real, $id) { + global $config; + + $snort_uph = 'no'; + $snort_up_prell = exec("/bin/pgrep -f 'snort.*R {$snort_uuid}'"); + if ($snort_up_prell != '') + $snort_uph = 'yes'; + + return $snort_uph; +} + +/* checks to see if barnyard2 is running yes/no */ +function Running_Ck_b($snort_uuid, $if_real, $id) { + global $config; + + $snort_up_b = 'no'; + $snort_up_pre_b = exec("/bin/pgrep -f 'barnyard2.*{$snort_uuid}_{$if_real}'"); + if ($snort_up_pre_b != '') + $snort_up_b = 'yes'; + + return $snort_up_b; +} + +function Running_Stop($snort_uuid, $if_real, $id) { + global $config, $g; + + /* if snort.sh crashed this will remove the pid */ + @unlink("{$g['tmp_path']}/snort.sh.pid"); + + $start_up = exec("/bin/pgrep -f 'snort.*R {$snort_uuid}'"); + $start_upb = exec("/bin/pgrep -f 'barnyard2.*{$snort_uuid}_{$if_real}'"); + + + /* + * TODO: Add a GUI option that lets the user keep full logs + */ + if ($start_up != '') { + @exec("/bin/kill {$start_up}"); + @exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); + @exec("/bin/rm /var/log/snort/{$snort_uuid}_{$if_real}/snort.u1*"); + @exec("/bin/rm /var/log/snort/{$snort_uuid}_{$if_real}/snort.u2*"); + } + + if ($start_upb != '') { + @exec("/bin/kill {$start_upb}"); + @exec("/bin/rm /var/log/snort/run/barnyard2_{$snort_uuid}_{$if_real}*"); + @exec("/bin/rm /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}/snort.u1*"); + @exec("/bin/rm /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}/snort.u2*"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); + sleep(2); // Give time so GUI displays correctly +} + +function Running_Start($snort_uuid, $if_real, $id) { + global $config; + + /* if snort.sh crashed this will remove the pid */ + @unlink("{$g['tmp_path']}/snort.sh.pid"); + + $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; + if ($snort_info_chk == 'on') + exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort/{$snort_uuid}_{$if_real} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + else + return; + + /* define snortbarnyardlog_chk */ + /* top will have trouble if the uuid is to far back */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') { + exec("/usr/local/bin/barnyard2 -f \"snort.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/{$snort_uuid}_{$if_real} -D -q"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); + sleep(2); // Give time so GUI displays correctly +} + +function snort_get_friendly_interface($interface) { + + if (function_exists('convert_friendly_interface_to_friendly_descr')) + $iface = convert_friendly_interface_to_friendly_descr($interface); + else { + if (!$interface || ($interface == "wan")) + $iface = "WAN"; + else if(strtolower($interface) == "lan") + $iface = "LAN"; + else if(strtolower($interface) == "pppoe") + $iface = "PPPoE"; + else if(strtolower($interface) == "pptp") + $iface = "PPTP"; + else + $iface = strtoupper($interface); + } + + return $iface; +} + +/* get the real iface name of wan */ +function snort_get_real_interface($interface) { + global $config; + + $lc_interface = strtolower($interface); + if (function_exists('get_real_interface')) + return get_real_interface($lc_interface); + else { + if ($lc_interface == "lan") { + if ($config['inerfaces']['lan']) + return $config['interfaces']['lan']['if']; + return $interface; + } + if ($lc_interface == "wan") + return $config['interfaces']['wan']['if']; + $ifdescrs = array(); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $ifname = "opt{$j}"; + if(strtolower($ifname) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface)) + return $config['interfaces'][$ifname]['if']; + } + } + + return $interface; +} + +/* + this code block is for deleteing logs while keeping the newest file, + snort is linked to these files while running, do not take the easy way out + by touch and rm, snort will lose sync and not log. + + this code needs to be watched. + */ + +/* list dir files */ +function snort_file_list($snort_log_dir, $snort_log_file) +{ + $dir = opendir ("$snort_log_dir"); + while (false !== ($file = readdir($dir))) { + if (strpos($file, "$snort_log_file",1) ) + $file_list[] = basename($file); + } + return $file_list; +} + +/* snort dir files */ +function snort_file_sort($snort_file1, $snort_file2) +{ + if ($snort_file1 == $snort_file2) + return 0; + + return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array +} + +/* build files newest first array */ +function snort_build_order($snort_list) +{ + foreach ($snort_list as $value_list) + $list_order[] = $value_list; + + return $list_order; +} + +/* keep the newest remove the rest */ +function snort_remove_files($snort_list_rm, $snort_file_safe) +{ + foreach ($snort_list_rm as $value_list) { + if ($value_list != $snort_file_safe) + @unlink("/var/log/snort/$value_list"); + else + file_put_contents("/var/log/snort/$snort_file_safe", ""); + } +} + +/* + * TODO: + * This is called by snort_alerts.php. + * + * This func needs to be made to only clear one interface rule log + * at a time. + * + */ +function post_delete_logs() +{ + global $config, $g; + + /* do not start config build if rules is empty */ + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + $snort_log_dir = '/var/log/snort'; + + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + $snort_uuid = $value['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + if ($value['snortunifiedlog'] == 'on') { + $snort_log_file_u2 = "snort.u2."; + $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2); + if (is_array($snort_list_u2)) { + usort($snort_list_u2, "snort_file_sort"); + $snort_u2_rm_list = snort_build_order($snort_list_u2); + snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]); + } + } else + exec("/bin/rm $snort_log_dir/{$snort_uuid}_{$if_real}/snort.u2*"); + + if ($value['tcpdumplog'] == 'on') { + $snort_log_file_tcpd = "snort.tcpdump."; + $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd); + if (is_array($snort_list_tcpd)) { + usort($snort_list_tcpd, "snort_file_sort"); + $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd); + snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]); + } + } else + exec("/bin/rm $snort_log_dir/{$snort_uuid}_{$if_real}/snort.tcpdump*"); + + /* create barnyard2 configuration file */ + //if ($value['barnyard_enable'] == 'on') + //create_barnyard2_conf($id, $if_real, $snort_uuid); + + if ($value['perform_stat'] == 'on') + @file_put_contents("$snort_log_dirt/{$snort_uuid}_{$if_real}/snort.stats", ""); + } + } +} + +function snort_postinstall() +{ + global $config, $g, $snort_pfsense_basever, $snort_arch; + + /* snort -> advanced features */ + if (is_array($config['installedpackages']['snortglobal'])) { + $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; + } + + /* cleanup default files */ + @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf'); + @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf'); + @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map'); + @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map'); + @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config'); + @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators'); + @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config'); + @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map'); + @unlink('/usr/local/etc/snort/sid'); + @unlink('/usr/local/etc/rc.d/snort'); + @unlink('/usr/local/etc/rc.d/bardyard2'); + + /* remove example files */ + if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) + exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); + + if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) + exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + + /* create a few directories and ensure the sample files are in place */ + if (!is_dir('/usr/local/etc/snort')) + exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); + if (!is_dir('/usr/local/etc/snort/whitelist')) + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); + /* NOTE: the diff between the if check and the exec() extra run is by design */ + if (!is_dir('/var/log/snort')) + exec('/bin/mkdir -p /var/log/snort/run'); + else + exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run'); + + if (!is_dir('/var/log/snort/barnyard2')) + exec('/bin/mkdir -p /var/log/snort/barnyard2'); + if (!is_dir('/usr/local/lib/snort/dynamicrules/')) + exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + if (!file_exists('/var/db/whitelist')) + touch('/var/db/whitelist'); + + /* XXX: These are needed if you run snort as snort user + mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); + mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); + mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); + */ + /* important */ + mwexec('/bin/chmod 660 /var/db/whitelist', true); + mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true); + mwexec('/bin/chmod -R 660 /tmp/snort*', true); + mwexec('/bin/chmod -R 660 /var/run/snort*', true); + mwexec('/bin/chmod -R 660 /var/snort/run/*', true); + mwexec('/bin/chmod 770 /usr/local/lib/snort', true); + mwexec('/bin/chmod 770 /usr/local/etc/snort', true); + mwexec('/bin/chmod 770 /usr/local/etc/whitelist', true); + mwexec('/bin/chmod 770 /var/log/snort', true); + mwexec('/bin/chmod 770 /var/log/snort/run', true); + mwexec('/bin/chmod 770 /var/log/snort/barnyard2', true); + + /* move files around, make it look clean */ + mwexec('/bin/mkdir -p /usr/local/www/snort/css'); + mwexec('/bin/mkdir -p /usr/local/www/snort/images'); + + chdir ("/usr/local/www/snort/css/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/sexybuttons.css'); + chdir("/usr/local/www/snort/images/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/arrow_down.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/awesome-overlay-sprite.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo22.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/page_white_text.png'); + + /* remake saved settings */ + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { + update_status(gettext("Saved settings detected...")); + update_output_window(gettext("Please wait... rebuilding files...")); + sync_snort_package_config(); + update_output_window(gettext("Finnished Rebuilding files...")); + } +} + +function snort_Getdirsize($node) { + if(!is_readable($node)) + return false; + + $blah = exec( "/usr/bin/du -kd $node" ); + return substr( $blah, 0, strpos($blah, 9) ); +} + +/* func for log dir size limit cron */ +function snort_snortloglimit_install_cron($should_install) { + global $config, $g; + + if (!is_array($config['cron']['item'])) + $config['cron']['item'] = array(); + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) { + $is_installed = true; + break; + } + $x++; + } + + switch($should_install) { + case true: + if(!$is_installed) { + + $cron_item = array(); + $cron_item['minute'] = "*/5"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc"; + $config['cron']['item'][] = $cron_item; + } + break; + case false: + if($is_installed == true) + unset($config['cron']['item'][$x]); + break; + } +} + +/* func for updating cron */ +function snort_rm_blocked_install_cron($should_install) { + global $config, $g; + + if (!is_array($config['cron']['item'])) + $config['cron']['item'] = array(); + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + + $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + } + break; + case false: + if ($is_installed == true) + unset($config['cron']['item'][$x]); + break; + } +} + +/* func to install snort update */ +function snort_rules_up_install_cron($should_install) { + global $config, $g; + + if(!$config['cron']['item']) + $config['cron']['item'] = array(); + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log"; + $config['cron']['item'][] = $cron_item; + } + break; + case false: + if($is_installed == true) + unset($config['cron']['item'][$x]); + break; + } +} + +/* Only run when all ifaces needed to sync. Expects filesystem rw */ +function sync_snort_package_config() +{ + global $config, $g; + + /* RedDevil suggested code */ + /* TODO: more testing needs to be done */ + /* may cause voip to fail */ + //exec("/sbin/sysctl net.bpf.bufsize=8388608"); + //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); + //exec("/sbin/sysctl net.bpf.maxinsns=512"); + //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); + + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); + conf_mount_ro(); + return; + } + + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { + $if_real = snort_get_real_interface($value['interface']); + $snort_uuid = $value['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + + /* only build whitelist when needed */ + if ($value['blockoffenders7'] == 'on') + create_snort_whitelist($id, $if_real); + + /* only build threshold when needed */ + if ($value['suppresslistname'] != 'default') + create_snort_suppress($id, $if_real); + + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); + + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); + + /* create barnyard2 configuration file */ + if ($value['barnyard_enable'] == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); + } + } + + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); + + /* all new files are for the user snort nologin */ + if (!is_dir("/var/log/snort/{$snort_uuid}_{$if_real}")) + exec("/bin/mkdir -p /var/log/snort/{$snort_uuid}_{$if_real}"); + + if (!is_dir('/var/log/snort/run')) + exec('/bin/mkdir -p /var/log/snort/run'); + + if (!is_dir("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}")) + exec("/bin/mkdir -p /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}"); + + /* XXX: These are needed if snort is run as snort user + mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); + mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); + mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); + */ + + /* important */ + mwexec('/bin/chmod 770 /var/db/whitelist', true); + mwexec('/bin/chmod 770 /var/run/snort*', true); + mwexec('/bin/chmod 770 /tmp/snort*', true); + mwexec('/bin/chmod -R 770 /var/log/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); + + conf_mount_ro(); +} + +/* Start of main config files */ + +/* create threshold file */ +function create_snort_suppress($id, $if_real) { + global $config, $g; + + /* make sure dir is there */ + if (!is_dir('/usr/local/etc/snort/suppress')) + exec('/bin/mkdir -p /usr/local/etc/snort/suppress'); + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') { + $whitelist_key_s = find_suppress_key($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname']); + + /* file name */ + $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name']; + + /* Message */ + $s_data = '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n"; + + /* user added arguments */ + $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru'])); + + /* open snort's whitelist for writing */ + @file_put_contents("/usr/local/etc/snort/suppress/$suppress_file_name", $s_data); + } +} + +function create_snort_whitelist($id, $if_real) { + global $config, $g; + + /* make sure dir is there */ + if (!is_dir('/usr/local/etc/snort/whitelist')) + exec('/bin/mkdir -p /usr/local/etc/snort/whitelist'); + + if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') { + + $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); + + /* open snort's whitelist for writing */ + @file_put_contents("/usr/local/etc/snort/whitelist/defaultwlist", $w_data); + + } else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'])) { + $whitelist_key_w = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname']); + + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $whitelist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w]; + $w_data = build_base_whitelist($whitelist['snortlisttype'], $whitelist['wanips'], $whitelist['wangateips'], + $whitelist['wandnsips'], $whitelist['vips'], $whitelist['vpnips'], $whitelist_key_w); + + /* open snort's whitelist for writing */ + @file_put_contents("/usr/local/etc/snort/whitelist/" . $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $w_data); + } +} + +function create_snort_homenet($id, $if_real) { + global $config, $g; + + if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '') + return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no'); + else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'])) { + $whitelist_key_h = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['homelistname']); + + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype']; + $wanip_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips']; + $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips']; + $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips']; + $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips']; + $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips']; + + return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h); + } +} + +function create_snort_externalnet($id, $if_real) { + global $config, $g; + + if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'])) { + $whitelist_key_ex = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['externallistname']); + + if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) + return; + + $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype']; + $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips']; + $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips']; + $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips']; + $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips']; + $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips']; + + return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex); + } +} + +/* open snort.sh for writing" */ +function create_snort_sh() +{ + global $config, $g; + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + $snortconf =& $config['installedpackages']['snortglobal']['rule']; + + $snort_sh_text3 = array(); + $snort_sh_text4 = array(); + + /* do not start config build if rules is empty */ + if (!empty($snortconf)) { + foreach ($snortconf as $value) { + $snort_uuid = $value['uuid']; + $result_lan = $value['interface']; + $if_real = snort_get_real_interface($result_lan); + + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $value['barnyard_enable']; + + if ($snortbarnyardlog_info_chk == 'on') + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort.u2 --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/{$snort_uuid}_{$if_real} -D -q"; + + $snort_sh_text3[] = <<<EOE + +###### For Each Iface + +#### Fake start only used on bootup and Pfsense IP changes +#### Only try to restart if snort is running on Iface +if [ "`/bin/pgrep -f 'snort.*R {$snort_uuid}'`" != "" ]; then + snort_pid=`/bin/pgrep -f 'snort.*R {$snort_uuid}'` + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" + + #### Restart Iface + /bin/kill -HUP \${snort_pid} + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." +else + # Start snort and barnyard2 + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + + /usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/{$snort_uuid}_{$if_real} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + $start_barnyard2 + + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD START For {$snort_uuid}_{$if_real}..." +fi + +EOE; + + $snort_sh_text4[] = <<<EOF + +pid_s=`/bin/pgrep -f 'snort.*R {$snort_uuid}'` +sleep 3 +pid_b=`/bin/pgrep -f 'barnyard2.*{$snort_uuid}_{$if_real}'` +if [ \${pid_s} ] ; then + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." + + /bin/kill \${pid_s} + sleep 3 + /bin/kill \${pid_b} + + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid +fi + +EOF; + } + } + + + $start_snort_iface_start = implode("\n\n", $snort_sh_text3); + $start_snort_iface_stop = implode("\n\n", $snort_sh_text4); + + $snort_sh_text = <<<EOD +#!/bin/sh +######## +# This file was automatically generated +# by the pfSense service handler. +# Code added to protect from double starts on pfSense bootup +######## Begining of Main snort.sh + +rc_start() { + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + $start_snort_iface_start + /bin/rm /tmp/snort.sh.pid +} + +rc_stop() { + + $start_snort_iface_stop + /bin/rm /tmp/snort.sh.pid + /bin/rm /var/run/snort* + +} + +case $1 in + start) + rc_start + ;; + stop) + rc_stop + ;; + restart) + rc_start + ;; +esac + +EOD; + + /* write out snort.sh */ + $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); + return; + } + fwrite($bconf, $snort_sh_text); + fclose($bconf); + @chmod("/usr/local/etc/rc.d/snort.sh", 0755); +} + +/* if rules exist copy to new interfaces */ +function create_rules_iface($id, $if_real, $snort_uuid) +{ + global $config, $g; + + $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"; + $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full'; + + if ($folder_chk == "empty") { + if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules"); + if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) + exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules"); + } +} + +/* open barnyard2.conf for writing */ +function create_barnyard2_conf($id, $if_real, $snort_uuid) { + global $config, $g; + + if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) + exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + + if (!file_exists("/var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo")) { + mwexec("/usr/bin/touch /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo", true); + /* XXX: This is needed if snort is run as snort user */ + //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true); + mwexec("/bin/chmod 770 /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo", true); + } + + $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); + + /* write out barnyard2_conf */ + $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); + return; + } + fwrite($bconf, $barnyard2_conf_text); + fclose($bconf); +} + +/* open barnyard2.conf for writing" */ +function generate_barnyard2_conf($id, $if_real, $snort_uuid) { + global $config, $g; + + /* define snortbarnyardlog */ + /* TODO: add support for the other 5 output plugins */ + + $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; + $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); + /* user add arguments */ + $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru'])); + + $barnyard2_conf_text = <<<EOD + +# barnyard2.conf +# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php +# +# set the appropriate paths to the file(s) your Snort process is using + +config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +config classification_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +config gen_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map +config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map + +config hostname: $snortbarnyardlog_hostname_info_chk +config interface: {$snort_uuid}_{$if_real} +config decode_data_link +config waldo_file: /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo + +## START user pass through ## + + {$snortbarnyardlog_config_pass_thru} + +## END user pass through ## + +# Step 2: setup the input plugins +input unified2 + +config logdir: /var/log/snort/{$snort_uuid}_{$if_real} + +# database: log to a variety of databases +# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx + + $snortbarnyardlog_database_info_chk + +EOD; + + return $barnyard2_conf_text; +} + +function create_snort_conf($id, $if_real, $snort_uuid) +{ + global $config, $g; + + if (!empty($if_real)&& !empty($snort_uuid)) { + if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")) { + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); + } + + $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid); + if (empty($snort_conf_text)) + return; + + /* write out snort.conf */ + $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w"); + if(!$conf) { + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing."); + return -1; + } + fwrite($conf, $snort_conf_text); + fclose($conf); + } +} + +function snort_deinstall() { + global $config, $g; + + /* remove custom sysctl */ + remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); + + /* decrease bpf buffers back to 4096, from 20480 */ + exec('/sbin/sysctl net.bpf.bufsize=4096'); + mwexec('/usr/bin/killall snort', true); + sleep(2); + mwexec('/usr/bin/killall -9 snort', true); + sleep(2); + mwexec('/usr/bin/killall barnyard2', true); + sleep(2); + mwexec('/usr/bin/killall -9 barnyard2', true); + sleep(2); + mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); + mwexec('/bin/rm -rf /usr/local/etc/snort*; /bin/rm -rf /usr/local/pkg/snort*', true); + mwexec('/bin/rm -r /usr/local/bin/barnyard2', true); + mwexec('/bin/rm -rf /usr/local/www/snort; /bin/rm -rf /var/log/snort; /bin/rm -rf /usr/local/lib/snort', true); + + /* Remove snort cron entries Ugly code needs smoothness*/ + if (!function_exists('snort_deinstall_cron')) { + function snort_deinstall_cron($crontask) { + global $config, $g; + + if(!is_array($config['cron']['item'])) + return; + + $x=0; + $is_installed = false; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], $crontask)) { + $is_installed = true; + break; + } + $x++; + } + if ($is_installed == true) + unset($config['cron']['item'][$x]); + } + } + + snort_deinstall_cron("snort2c"); + snort_deinstall_cron("snort_check_for_rule_updates.php"); + snort_deinstall_cron("/usr/local/pkg/snort/snort_check_cron_misc.inc"); + configure_cron(); + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') + unset($config['installedpackages']['snortglobal']); +} + +function generate_snort_conf($id, $if_real, $snort_uuid) +{ + global $config, $g, $snort_pfsense_basever; + + if (!is_array($config['installedpackages']['snortglobal']['rule'])) + return; + + $snortcfg =& $config['installedpackages']['snortglobal']['rule'][$id]; + + /* custom home nets */ + $home_net = create_snort_homenet($id, $if_real); + + if ($snortcfg['externallistname'] == 'default') + $external_net = '!$HOME_NET'; + else + $external_net = create_snort_externalnet($id, $if_real); + + /* obtain external interface */ + /* XXX: make multi wan friendly */ + $snort_ext_int = $snortcfg['interface']; + + /* user added arguments */ + $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru'])); + + /* create basic files */ + if (!is_dir("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + + exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); + exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); + exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); + exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); + exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); + exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); + exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + + if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules")) + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + + /* define basic log filename */ + $snortunifiedlogbasic_type = ""; + if ($snortcfg['snortunifiedlogbasic'] == "on") + $snortunifiedlogbasic_type = "output unified: filename snort.u1, limit 128"; + + /* + * + * define cvs log filename + * this should be the default instead of alert_full it is much easier to parse + * + */ + $snortalertcvs_type = ""; + if ($snortcfg['snortalertcvs'] == "on") + $snortalertcvs_type = "output alert_csv: /var/log/alert.csv default 128"; + + /* define snortalertlogtype */ + if ($config['installedpackages']['snortglobal']['snortalertlogtype'] == "fast") + $snortalertlogtype_type = "output alert_fast: alert"; + else + $snortalertlogtype_type = "output alert_full: alert"; + + /* define alertsystemlog */ + $alertsystemlog_type = ""; + if ($snortcfg['alertsystemlog'] == "on") + $alertsystemlog_type = "output alert_syslog: log_alert"; + + /* define tcpdumplog */ + $tcpdumplog_type = ""; + if ($snortcfg['tcpdumplog'] == "on") + $tcpdumplog_type = "output log_tcpdump: snort.tcpdump"; + + /* define snortunifiedlog */ + $snortunifiedlog_type = ""; + if ($snortcfg['snortunifiedlog'] == "on") + $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; + + /* define spoink */ + $spoink_type = ""; + if ($snortcfg['blockoffenders7'] == "on") { + if ($snortcfg['whitelistname'] == "default") + $spoink_whitelist_name = 'defaultwlist'; + else if (file_exists("/usr/local/etc/snort/whitelist/{$snortcfg['whitelistname']}")) + $spoink_whitelist_name = $snortcfg['whitelistname']; + + $pfkill = ""; + if ($snortcfg['blockoffenderskill'] == "on") + $pfkill = "kill"; + + $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; + } + + /* define threshold file */ + $threshold_file_name = ""; + if ($snortcfg['suppresslistname'] != 'default') { + if (file_exists("/usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}")) + $threshold_file_name = "include /usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}"; + } + + /* define servers and ports snortdefservers */ + /* def DNS_SERVSERS */ + $def_dns_servers_info_chk = $snortcfg['def_dns_servers']; + if ($def_dns_servers_info_chk == "") + $def_dns_servers_type = "\$HOME_NET"; + else + $def_dns_servers_type = "$def_dns_servers_info_chk"; + + /* def DNS_PORTS */ + $def_dns_ports_info_chk = $snortcfg['def_dns_ports']; + if ($def_dns_ports_info_chk == "") + $def_dns_ports_type = "53"; + else + $def_dns_ports_type = "$def_dns_ports_info_chk"; + + /* def SMTP_SERVSERS */ + $def_smtp_servers_info_chk = $snortcfg['def_smtp_servers']; + if ($def_smtp_servers_info_chk == "") + $def_smtp_servers_type = "\$HOME_NET"; + else + $def_smtp_servers_type = "$def_smtp_servers_info_chk"; + + /* def SMTP_PORTS */ + $def_smtp_ports_info_chk = $snortcfg['def_smtp_ports']; + if ($def_smtp_ports_info_chk == "") + $def_smtp_ports_type = "25"; + else + $def_smtp_ports_type = "$def_smtp_ports_info_chk"; + + /* def MAIL_PORTS */ + $def_mail_ports_info_chk = $snortcfg['def_mail_ports']; + if ($def_mail_ports_info_chk == "") + $def_mail_ports_type = "25,143,465,691"; + else + $def_mail_ports_type = "$def_mail_ports_info_chk"; + + /* def HTTP_SERVSERS */ + $def_http_servers_info_chk = $snortcfg['def_http_servers']; + if ($def_http_servers_info_chk == "") + $def_http_servers_type = "\$HOME_NET"; + else + $def_http_servers_type = "$def_http_servers_info_chk"; + + /* def WWW_SERVSERS */ + $def_www_servers_info_chk = $snortcfg['def_www_servers']; + if ($def_www_servers_info_chk == "") + $def_www_servers_type = "\$HOME_NET"; + else + $def_www_servers_type = "$def_www_servers_info_chk"; + + /* def HTTP_PORTS */ + $def_http_ports_info_chk = $snortcfg['def_http_ports']; + if ($def_http_ports_info_chk == "") + $def_http_ports_type = "80"; + else + $def_http_ports_type = "$def_http_ports_info_chk"; + + /* def SQL_SERVSERS */ + $def_sql_servers_info_chk = $snortcfg['def_sql_servers']; + if ($def_sql_servers_info_chk == "") + $def_sql_servers_type = "\$HOME_NET"; + else + $def_sql_servers_type = "$def_sql_servers_info_chk"; + + /* def ORACLE_PORTS */ + $def_oracle_ports_info_chk = $snortcfg['def_oracle_ports']; + if ($def_oracle_ports_info_chk == "") + $def_oracle_ports_type = "1521"; + else + $def_oracle_ports_type = "$def_oracle_ports_info_chk"; + + /* def MSSQL_PORTS */ + $def_mssql_ports_info_chk = $snortcfg['def_mssql_ports']; + if ($def_mssql_ports_info_chk == "") + $def_mssql_ports_type = "1433"; + else + $def_mssql_ports_type = "$def_mssql_ports_info_chk"; + + /* def TELNET_SERVSERS */ + $def_telnet_servers_info_chk = $snortcfg['def_telnet_servers']; + if ($def_telnet_servers_info_chk == "") + $def_telnet_servers_type = "\$HOME_NET"; + else + $def_telnet_servers_type = "$def_telnet_servers_info_chk"; + + /* def TELNET_PORTS */ + $def_telnet_ports_info_chk = $snortcfg['def_telnet_ports']; + if ($def_telnet_ports_info_chk == "") + $def_telnet_ports_type = "23"; + else + $def_telnet_ports_type = "$def_telnet_ports_info_chk"; + + /* def SNMP_SERVSERS */ + $def_snmp_servers_info_chk = $snortcfg['def_snmp_servers']; + if ($def_snmp_servers_info_chk == "") + $def_snmp_servers_type = "\$HOME_NET"; + else + $def_snmp_servers_type = "$def_snmp_servers_info_chk"; + + /* def SNMP_PORTS */ + $def_snmp_ports_info_chk = $snortcfg['def_snmp_ports']; + if ($def_snmp_ports_info_chk == "") + $def_snmp_ports_type = "161"; + else + $def_snmp_ports_type = "$def_snmp_ports_info_chk"; + + /* def FTP_SERVSERS */ + $def_ftp_servers_info_chk = $snortcfg['def_ftp_servers']; + if ($def_ftp_servers_info_chk == "") + $def_ftp_servers_type = "\$HOME_NET"; + else + $def_ftp_servers_type = "$def_ftp_servers_info_chk"; + + /* def FTP_PORTS */ + $def_ftp_ports_info_chk = $snortcfg['def_ftp_ports']; + if ($def_ftp_ports_info_chk == "") + $def_ftp_ports_type = "21"; + else + $def_ftp_ports_type = "$def_ftp_ports_info_chk"; + + /* def SSH_SERVSERS */ + $def_ssh_servers_info_chk = $snortcfg['def_ssh_servers']; + if ($def_ssh_servers_info_chk == "") + $def_ssh_servers_type = "\$HOME_NET"; + else + $def_ssh_servers_type = "$def_ssh_servers_info_chk"; + + /* if user has defined a custom ssh port, use it */ + if(isset($config['system']['ssh']['port'])) + $ssh_port = $config['system']['ssh']['port']; + else + $ssh_port = "22"; + + /* def SSH_PORTS */ + $def_ssh_ports_info_chk = $snortcfg['def_ssh_ports']; + if ($def_ssh_ports_info_chk == "") + $def_ssh_ports_type = "{$ssh_port}"; + else + $def_ssh_ports_type = "$def_ssh_ports_info_chk"; + + /* def POP_SERVSERS */ + $def_pop_servers_info_chk = $snortcfg['def_pop_servers']; + if ($def_pop_servers_info_chk == "") + $def_pop_servers_type = "\$HOME_NET"; + else + $def_pop_servers_type = "$def_pop_servers_info_chk"; + + /* def POP2_PORTS */ + $def_pop2_ports_info_chk = $snortcfg['def_pop2_ports']; + if ($def_pop2_ports_info_chk == "") + $def_pop2_ports_type = "109"; + else + $def_pop2_ports_type = "$def_pop2_ports_info_chk"; + + /* def POP3_PORTS */ + $def_pop3_ports_info_chk = $snortcfg['def_pop3_ports']; + if ($def_pop3_ports_info_chk == "") + $def_pop3_ports_type = "110"; + else + $def_pop3_ports_type = "$def_pop3_ports_info_chk"; + + /* def IMAP_SERVSERS */ + $def_imap_servers_info_chk = $snortcfg['def_imap_servers']; + if ($def_imap_servers_info_chk == "") + $def_imap_servers_type = "\$HOME_NET"; + else + $def_imap_servers_type = "$def_imap_servers_info_chk"; + + /* def IMAP_PORTS */ + $def_imap_ports_info_chk = $snortcfg['def_imap_ports']; + if ($def_imap_ports_info_chk == "") + $def_imap_ports_type = "143"; + else + $def_imap_ports_type = "$def_imap_ports_info_chk"; + + /* def SIP_PROXY_IP */ + $def_sip_proxy_ip_info_chk = $snortcfg['def_sip_proxy_ip']; + if ($def_sip_proxy_ip_info_chk == "") + $def_sip_proxy_ip_type = "\$HOME_NET"; + else + $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; + + /* def SIP_PROXY_PORTS */ + $def_sip_proxy_ports_info_chk = $snortcfg['def_sip_proxy_ports']; + if ($def_sip_proxy_ports_info_chk == "") + $def_sip_proxy_ports_type = "5060:5090,16384:32768"; + else + $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; + + /* def SIP_SERVERS */ + $def_sip_servers_info_chk = $snortcfg['def_sip_servers']; + if ($def_sip_servers_info_chk == "") + $def_sip_servers_type = "\$HOME_NET"; + else + $def_sip_servers_type = "$def_sip_servers_info_chk"; + + /* def SIP_PORTS */ + $def_sip_ports_info_chk = $snortcfg['def_sip_ports']; + if ($def_sip_ports_info_chk == "") + $def_sip_ports_type = "5060:5090,16384:32768"; + else + $def_sip_ports_type = "$def_sip_ports_info_chk"; + + /* def AUTH_PORTS */ + $def_auth_ports_info_chk = $snortcfg['def_auth_ports']; + if ($def_auth_ports_info_chk == "") + $def_auth_ports_type = "113"; + else + $def_auth_ports_type = "$def_auth_ports_info_chk"; + + /* def FINGER_PORTS */ + $def_finger_ports_info_chk = $snortcfg['def_finger_ports']; + if ($def_finger_ports_info_chk == "") + $def_finger_ports_type = "79"; + else + $def_finger_ports_type = "$def_finger_ports_info_chk"; + + /* def IRC_PORTS */ + $def_irc_ports_info_chk = $snortcfg['def_irc_ports']; + if ($def_irc_ports_info_chk == "") + $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; + else + $def_irc_ports_type = "$def_irc_ports_info_chk"; + + /* def NNTP_PORTS */ + $def_nntp_ports_info_chk = $snortcfg['def_nntp_ports']; + if ($def_nntp_ports_info_chk == "") + $def_nntp_ports_type = "119"; + else + $def_nntp_ports_type = "$def_nntp_ports_info_chk"; + + /* def RLOGIN_PORTS */ + $def_rlogin_ports_info_chk = $snortcfg['def_rlogin_ports']; + if ($def_rlogin_ports_info_chk == "") + $def_rlogin_ports_type = "513"; + else + $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; + + /* def RSH_PORTS */ + $def_rsh_ports_info_chk = $snortcfg['def_rsh_ports']; + if ($def_rsh_ports_info_chk == "") + $def_rsh_ports_type = "514"; + else + $def_rsh_ports_type = "$def_rsh_ports_info_chk"; + + /* def SSL_PORTS */ + $def_ssl_ports_info_chk = $snortcfg['def_ssl_ports']; + if ($def_ssl_ports_info_chk == "") + $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; + else + $def_ssl_ports_type = "$def_ssl_ports_info_chk"; + + /* if user is on pppoe, we really want to use ng0 interface */ + if ($snort_pfsense_basever == 'yes' && $snort_ext_int == "wan") + $snort_ext_int = get_real_wan_interface(); + + /* set the snort performance model */ + if($snortcfg['performance']) + $snort_performance = $snortcfg['performance']; + else + $snort_performance = "ac-bnfa"; + + + /* generate rule sections to load */ + $enabled_rulesets = $snortcfg['rulesets']; + $selected_rules_sections = ""; + if (!empty($enabled_rulesets)) { + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + foreach($enabled_rulesets_array as $enabled_item) + $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; + } + + ///////////////////////////// + + /* preprocessor code */ + + /* def perform_stat */ + $snort_perform_stat = <<<EOD + +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/{$snort_uuid}_{$if_real}/snort.stats pktcnt 10000 + +EOD; + + $def_perform_stat_info_chk = $snortcfg['perform_stat']; + if ($def_perform_stat_info_chk == "on") + $def_perform_stat_type = "$snort_perform_stat"; + else + $def_perform_stat_type = ""; + + $def_flow_depth_info_chk = $snortcfg['flow_depth']; + if (empty($def_flow_depth_info_chk)) + $def_flow_depth_type = '0'; + else + $def_flow_depth_type = $snortcfg['flow_depth']; + + /* def http_inspect */ + $snort_http_inspect = <<<EOD + +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 + +# TODO: pfsense GUI needed for ports +preprocessor http_inspect_server: server default \ + http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ + ports { 80 8080 } \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth {$def_flow_depth_type} \ + apache_whitespace no \ + directory no \ + iis_backslash no \ + u_encode yes \ + extended_response_inspection \ + inspect_gzip \ + normalize_utf \ + unlimited_decompress \ + ascii no \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode no \ + iis_delimiter no \ + multi_slash no \ + server_flow_depth 0 \ + client_flow_depth 0 \ + post_depth 65495 \ + oversize_dir_length 500 \ + max_header_length 750 \ + max_headers 100 \ + max_spaces 0 \ + small_chunk_length { 10 5 } \ + enable_cookie \ + normalize_javascript \ + utf_8 no \ + webroot no + +EOD; + + $def_http_inspect_info_chk = $snortcfg['http_inspect']; + if ($def_http_inspect_info_chk == "on") + $def_http_inspect_type = "$snort_http_inspect"; + else + $def_http_inspect_type = ""; + + /* def other_preprocs */ + $snort_other_preprocs = <<<EOD + +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +EOD; + + $def_other_preprocs_info_chk = $snortcfg['other_preprocs']; + if ($def_other_preprocs_info_chk == "on") + $def_other_preprocs_type = "$snort_other_preprocs"; + else + $def_other_preprocs_type = ""; + + /* def ftp_preprocessor */ + $snort_ftp_preprocessor = <<<EOD + +##################### + # +# ftp preprocessor # + # +##################### + +preprocessor ftp_telnet: global \ + inspection_type stateful \ + encrypted_traffic no + +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 \ + detect_anomalies + +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + # TODO add pfsense GUI + ports { 21 } \ + telnet_cmds yes \ + ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ + ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ + ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ + ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \ + ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ + ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ + ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ + ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ + ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ + ftp_cmds { XSEN XSHA1 XSHA256 } \ + alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ + alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ + alt_max_param_len 256 { CWD RNTO } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ + chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ + chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ + chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ + chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ + chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ + chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ + chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ + cmd_validity MACB < string > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity PORT < host_port > \ + cmd_validity PROT < char CSEP > \ + cmd_validity STRU < char FRPO [ string ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +EOD; + + $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor']; + if ($def_ftp_preprocessor_info_chk == "on") + $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; + else + $def_ftp_preprocessor_type = ""; + + /* def smtp_preprocessor */ + $snort_smtp_preprocessor = <<<EOD + +##################### + # +# SMTP preprocessor # + # +##################### + +# TODO add pfsense GUI +preprocessor SMTP: ports { 25 465 691 } \ + inspection_type stateful \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 \ + log_mailfrom \ + log_rcptto \ + log_filename \ + log_email_hdrs \ + normalize cmds \ + normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ + normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \ + normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \ + normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ + max_command_line_len 512 \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ + valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ + valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \ + valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \ + valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ + xlink2state { enabled } + +EOD; + + $def_smtp_preprocessor_info_chk = $snortcfg['smtp_preprocessor']; + if ($def_smtp_preprocessor_info_chk == "on") + $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; + else + $def_smtp_preprocessor_type = ""; + + /* def sf_portscan */ + $snort_sf_portscan = <<<EOD + +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +EOD; + + $def_sf_portscan_info_chk = $snortcfg['sf_portscan']; + if ($def_sf_portscan_info_chk == "on") + $def_sf_portscan_type = "$snort_sf_portscan"; + else + $def_sf_portscan_type = ""; + + /* def dce_rpc_2 */ + $snort_dce_rpc_2 = <<<EOD + +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3, \ + smb_invalid_shares ["C$", "D$", "ADMIN$"] + +EOD; + + $def_dce_rpc_2_info_chk = $snortcfg['dce_rpc_2']; + if ($def_dce_rpc_2_info_chk == "on") + $def_dce_rpc_2_type = "$snort_dce_rpc_2"; + else + $def_dce_rpc_2_type = ""; + + /* def dns_preprocessor */ + $snort_dns_preprocessor = <<<EOD + +#################### + # +# DNS preprocessor # + # +#################### + +# TODO add pfsense GUI +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +EOD; + + $def_dns_preprocessor_info_chk = $snortcfg['dns_preprocessor']; + if ($def_dns_preprocessor_info_chk == "on") + $def_dns_preprocessor_type = "$snort_dns_preprocessor"; + else + $def_dns_preprocessor_type = ""; + + /* def SSL_PORTS IGNORE */ + $def_ssl_ports_ignore_info_chk = $snortcfg['def_ssl_ports_ignore']; + if ($def_ssl_ports_ignore_info_chk == "") + $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; + else + $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk"; + + /* stream5 queued settings */ + + + $def_max_queued_bytes_info_chk = $snortcfg['max_queued_bytes']; + if ($def_max_queued_bytes_info_chk == '') + $def_max_queued_bytes_type = ''; + else + $def_max_queued_bytes_type = ' max_queued_bytes ' . $snortcfg['max_queued_bytes'] . ','; + + $def_max_queued_segs_info_chk = $snortcfg['max_queued_segs']; + if ($def_max_queued_segs_info_chk == '') + $def_max_queued_segs_type = ''; + else + $def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ','; + + $snort_preprocessor_decoder_rules = ""; + if (file_exists("/usr/local/etc/snort/preproc_rules/preprocessor.rules")) + $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + if (file_exists("/usr/local/etc/snort/preproc_rules/decoder.rules")) + $snort_preprocessor_decoder_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + + /* build snort configuration file */ + $snort_conf_text = <<<EOD + +############################################################################## +# # +# snort configuration file generated by the pfSense package manager system # +# see /usr/local/pkg/snort.inc # # +# for snort ver. 2.9.2.3 # +# more information Snort can be found at http://www.snort.org/ # +# # +############################################################################## + +######################### + # +# Define Local Network # + # +######################### + +# TODO: bug, auto gen is adding extra 127.0.0.1 +ipvar HOME_NET {$home_net} +ipvar EXTERNAL_NET {$external_net} + +################### + # +# Define Servers # + # +################### + +ipvar DNS_SERVERS [{$def_dns_servers_type}] +ipvar SMTP_SERVERS [{$def_smtp_servers_type}] +ipvar HTTP_SERVERS [{$def_http_servers_type}] +ipvar SQL_SERVERS [{$def_sql_servers_type}] +ipvar TELNET_SERVERS [{$def_telnet_servers_type}] +ipvar FTP_SERVERS [{$def_ftp_servers_type}] +ipvar SSH_SERVERS [{$def_ssh_servers_type}] +ipvar SIP_PROXY_IP [{$def_sip_proxy_ip_type}] +ipvar SIP_SERVERS [{$def_sip_servers_type}] +ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] +# def below may have been removed +ipvar POP_SERVERS [{$def_pop_servers_type}] +ipvar IMAP_SERVERS [{$def_imap_servers_type}] +ipvar RPC_SERVERS [\$HOME_NET] +ipvar WWW_SERVERS [{$def_www_servers_type}] +ipvar SNMP_SERVERS [{$def_snmp_servers_type}] + + +######################## + # +# Define Server Ports # + # +######################## + +portvar HTTP_PORTS [{$def_http_ports_type}] +portvar SHELLCODE_PORTS !80 +portvar ORACLE_PORTS [{$def_oracle_ports_type}] +portvar FTP_PORTS [{$def_ftp_ports_type}] +portvar SSH_PORTS [{$def_ssh_ports_type}] +portvar SIP_PORTS [{$def_sip_ports_type}] +### Below ports need new gui ### +portvar FILE_DATA_PORTS [\$HTTP_PORTS,110,143] +portvar GTP_PORTS [2123,2152,3386] +portvar MODBUS_PORTS [502] +portvar DNP3_PORTS [20000] +# These ports may have been removed left here so no custom rules break +portvar AUTH_PORTS [{$def_auth_ports_type}] +portvar DNS_PORTS [{$def_dns_ports_type}] +portvar FINGER_PORTS [{$def_finger_ports_type}] +portvar IMAP_PORTS [{$def_imap_ports_type}] +portvar IRC_PORTS [{$def_irc_ports_type}] +portvar MSSQL_PORTS [{$def_mssql_ports_type}] +portvar NNTP_PORTS [{$def_nntp_ports_type}] +portvar POP2_PORTS [{$def_pop2_ports_type}] +portvar POP3_PORTS [{$def_pop3_ports_type}] +portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779] +portvar RLOGIN_PORTS [{$def_rlogin_ports_type}] +portvar RSH_PORTS [{$def_rsh_ports_type}] +portvar SMB_PORTS [139,445] +portvar SMTP_PORTS [{$def_smtp_ports_type}] +portvar SNMP_PORTS [{$def_snmp_ports_type}] +portvar TELNET_PORTS [{$def_telnet_ports_type}] +portvar MAIL_PORTS [{$def_mail_ports_type}] +portvar SSL_PORTS [{$def_sip_proxy_ports_type}] +portvar SIP_PROXY_PORTS [{$def_sip_ports_type}] + +# These ports may have been removed left here so no custom rules break +# DCERPC NCACN-IP-TCP +portvar DCERPC_NCACN_IP_TCP [139,445] +portvar DCERPC_NCADG_IP_UDP [138,1024:] +portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:] +portvar DCERPC_NCACN_UDP_LONG [135,1024:] +portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:] +portvar DCERPC_NCACN_TCP [2103,2105,2107] +portvar DCERPC_BRIGHTSTORE [6503,6504] + + +##################### + # +# Define Rule Paths # + # +##################### + +var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules +var PREPROC_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/preproc_rules +var SO_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/so_rules + +############################################################# +# # +# reputation preprocessor, ALWAYS USE FULL PATHS, BUG 89986 # +# # +############################################################# + +#var WHITE_LIST_PATH ../rules +#var BLACK_LIST_PATH ../rules + +################################ + # +# Configure the snort decoder # + # +################################ + +config checksum_mode: all +config disable_decode_alerts +config disable_tcpopt_experimental_alerts +config disable_tcpopt_obsolete_alerts +config disable_ttcp_alerts +config disable_tcpopt_alerts +config disable_tcpopt_ttcp_alerts +config disable_ipopt_alerts +config disable_decode_drops + +################ The following is for inline mode tunning ################ + +# config enable_decode_oversized_alerts +# config enable_decode_oversized_drops +# config flowbits_size: 64 + +#### make sure I enable gui for this ########## +# config ignore_ports: tcp 21 6667:6671 1356 # +# config ignore_ports: udp 1:17 53 # +############################################### + +# Configure active response for non inline +# config response: eth0 attempts 2 + +# Configure DAQ related options for inline mode +# +# config daq: <type> +# config daq_dir: <dir> +# config daq_mode: <mode> +# config daq_var: <var> +# +# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw +# <mode> ::= read-file | passive | inline +# <var> ::= arbitrary <name>=<value passed to DAQ +# <dir> ::= path as to where to look for DAQ module so's + +## gui needed for pfsense ## +# config daq: afpacket + +############################################################# + +######################################## +# Configure specific UID and GID +# to run snort as after dropping privs +# +# config set_gid: +# config set_uid: +######################################## + +######################################## +# +# Configure default snaplen. Snort +# defaults to MTU of in use interface +# +# config snaplen: +# +# TODO: gui needed for pfsense +# +######################################## + +################################################################ +# +# Configure default bpf_file to use for filtering what traffic +# reaches snort. options (-F) +# +# config bpf_file: +# +# TODO: gui needed for pfsense +# +############################################################### + +##################################################################### +# +# Configure default log directory for snort to log to. options (-l) +# +# config logdir: +# +##################################################################### + +################################### + # +# Configure the detection engine # +# Use lower memory models # + # +################################### + +# TODO: gui needed for pfsense +# Configure PCRE match limitations +config pcre_match_limit: 3500 +config pcre_match_limit_recursion: 1500 + +############################################################################# +# # +# Configure the detection engine # +# Use lower memory models for pfsense # +# # +# # +# Notes # +# # +# ac, ac-q, ac-bnfa, ac-bnfa-q, lowmem, lowmem-q # +# ac-split shorthand for search-method ac, split-any-any, intel-cpm,ac-nq, # +# ac-bnfa-nq This is the default search method if none is specified. # +# lowmem-nq, ac-std, acs, ac-banded, ac-sparsebands # +# # +############################################################################# + +config detection: search-method {$snort_performance} search-optimize max-pattern-len 20 +config event_queue: max_queue 8 log 3 order_events content_length + +################################################### +# Configure GTP if it is to be used +#################################################### + +# TODO: gui needed for pfsense +# config enable_gtp + +################################################### +# Per packet and rule latency enforcement, README.ppm +################################################### + +# Per Packet latency configuration +#config ppm: max-pkt-time 250, \ +# fastpath-expensive-packets, \ +# pkt-log + +# Per Rule latency configuration +#config ppm: max-rule-time 200, \ +# threshold 3, \ +# suspend-expensive-rules, \ +# suspend-timeout 20, \ +# rule-log alert + +################################################### +# Configure Perf Profiling for debugging, README.PerfProfiling +################################################### + +#config profile_rules: print all, sort avg_ticks +#config profile_preprocs: print all, sort avg_ticks + +################################################### +# Configure protocol aware flushing. README.stream5 +################################################### +config paf_max: 16000 + +################################################## +# Configure dynamic loaded libraries +################################################## + +dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor +dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so +dynamicdetection directory /usr/local/lib/snort/dynamicrules + +################### + # +# Flow and stream # + # +################### + +# TODO: gui needed for pfsense +# GTP Control Channle Preprocessor, README.GTP +preprocessor gtp: ports { 2123 3386 2152 } + +#################################################### +# Inline packet normalization, README.normalize +# Does nothing in IDS mode +# +# preprocessor normalize_ip4 +# preprocessor normalize_tcp: ips ecn stream +# preprocessor normalize_icmp4 +# preprocessor normalize_ip6 +# preprocessor normalize_icmp6 +#################################################### + +# this tuning ,may need testing +preprocessor frag3_global: max_frags 65536 +preprocessor frag3_engine: policy bsd detect_anomalies + +preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5 + +preprocessor stream5_tcp: policy BSD, ports both all, timeout 180, {$def_max_queued_bytes_type}{$def_max_queued_segs_type} +preprocessor stream5_udp: timeout 180 +preprocessor stream5_icmp: + + {$def_perform_stat_type} + + {$def_http_inspect_type} + + {$def_other_preprocs_type} + + {$def_ftp_preprocessor_type} + + {$def_smtp_preprocessor_type} + + {$def_sf_portscan_type} + +######################## + # +# ARP spoof detection. # + # +######################## + +# preprocessor arpspoof +# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 + +########################## + # +# SSH anomaly detection # + # +########################## + +preprocessor ssh: server_ports { 22 } \ + autodetect \ + max_client_bytes 19600 \ + max_encrypted_packets 20 \ + max_server_version_len 100 \ + enable_respoverflow enable_ssh1crc32 \ + enable_srvoverflow enable_protomismatch + + + {$def_dce_rpc_2_type} + + {$def_dns_preprocessor_type} + +############################## + # +# NEW # +# Ignore SSL and Encryption # + # +############################## + +preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted + + +########################################################### + # +# SDF sensitive data preprocessor, README.sensitive_data # + # +########################################################### + +# TODO: add pfsense GUI +preprocessor sensitive_data: alert_threshold 20 + +############################################################# + # +# SIP Session Initiation Protocol preprocessor, README.sip # + # +############################################################# + +# TODO: add pfsense GUI +preprocessor sip: max_sessions 40000, \ + ports { 5060 5061 5600 }, \ + methods { invite \ + cancel \ + ack \ + bye \ + register \ + options \ + refer \ + subscribe \ + update \ + join \ + info \ + message \ + notify \ + benotify \ + do \ + qauth \ + sprack \ + publish \ + service \ + unsubscribe \ + prack }, \ + max_uri_len 512, \ + max_call_id_len 80, \ + max_requestName_len 20, \ + max_from_len 256, \ + max_to_len 256, \ + max_via_len 1024, \ + max_contact_len 512, \ + max_content_len 2048 + +################################## + # +# IMAP preprocessor, README.imap # + # +################################## + +# TODO: add pfsense GUI +preprocessor imap: \ + ports { 143 } \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + +################################## + # +# POP preprocessor, README.pop # + # +################################## + +# TODO: add pfsense GUI +preprocessor pop: \ + ports { 110 } \ + b64_decode_depth 0 \ + qp_decode_depth 0 \ + bitenc_decode_depth 0 \ + uu_decode_depth 0 + +####################################### + # +# Modbus preprocessor, README.modbus # +# Used for SCADA # + # +####################################### + +# TODO: add pfsense GUI +preprocessor modbus: ports { 502 } + + +############################################### + # +# DNP3 preprocessor, EADME.dnp3 # + # +############################################### + +# TODO: add pfsense GUI +preprocessor dnp3: ports { 20000 } \ + memcap 262144 \ + check_crc + +############################################### + # +# Reputation preprocessor, README.reputation # + # +############################################### + +#preprocessor reputation: \ +# memcap 500, \ +# priority whitelist, \ +# nested_ip inner, \ +# whitelist \$WHITE_LIST_PATH/white_list.rules, \ +# blacklist \$BLACK_LIST_PATH/black_list.rules + + +##################### + # +# Snort Output Logs # + # +##################### + +$snortalertlogtype_type +$alertsystemlog_type +$tcpdumplog_type +$snortunifiedlogbasic_type +$snortunifiedlog_type +$snortalertcvs_type +$spoink_type + +################# + # +# Misc Includes # + # +################# + +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +{$snort_preprocessor_decoder_rules} + +$threshold_file_name + +# Snort user pass through configuration +{$snort_config_pass_thru} + +################### + # +# Rules Selection # + # +################### + + {$selected_rules_sections} + +EOD; + + return $snort_conf_text; +} + +/* hide progress bar */ +function hide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; +} + +/* unhide progress bar */ +function unhide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>"; +} + +/* update both top and bottom text box during an operation */ +function update_all_status($status) { + global $snort_filename, $snort_filename_md5, $console_mode; + + ob_flush(); + if(!$console_mode) { + update_status($status); + update_output_window($status); + } +} + +######## new + +// returns array that matches pattern, option to replace objects in matches +function snortScanDirFilter($arrayList, $pattmatch, $pattreplace, $pattreplacewith) +{ + foreach ( $arrayList as $val ) + { + if (preg_match($pattmatch, $val, $matches)) { + if ($pattreplace != '') { + $matches2 = preg_replace($pattreplace, $pattreplacewith, $matches[0]); + $filterDirList[] = $matches2; + }else{ + $filterDirList[] = $matches[0]; + } + } + } + return $filterDirList; +} + +?> |