snort-dev, tracking of enabe disable rules after updates, add oinkmaster.pl, improve snorts performance, reduce snorts memory by 52 mb, more info in snort.xml and snort_advanced

author: robiscool <robrob2626@yahoo.com> 2009-09-18 05:28:13 -0700
committer: robiscool <robrob2626@yahoo.com> 2009-09-18 05:28:13 -0700
commit: b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701 (patch)
tree: 391805e96da8c810550e4c306cf2273322fdcdd5 /config/snort-dev/snort_check_for_rule_updates.php
parent: 36dc7987616fafec2af84a531f952128a55cb816 (diff)
download: pfsense-packages-b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701.tar.gz
pfsense-packages-b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701.tar.bz2
pfsense-packages-b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701.zip
1 files changed, 134 insertions, 64 deletions
diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php
index 0e851165..e14e1bee 100644
--- a/config/snort-dev/snort_check_for_rule_updates.php
+++ b/config/snort-dev/snort_check_for_rule_updates.php
@@ -29,7 +29,8 @@
 
 /* Setup enviroment */
 $tmpfname = "/tmp/snort_rules_up";
-$snortdir = "/usr/local/etc/snort";
+$snortdir = "/usr/local/etc/snort_bkup";
+$snortdir_wan = "/usr/local/etc/snort";
 $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5";
 $snort_filename = "snortrules-snapshot-2.8.tar.gz";
 $emergingthreats_filename_md5 = "version.txt";
@@ -371,32 +372,107 @@ if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_c
 if (file_exists("{$snortdir}/rules")) {
     echo "Cleaning the snort Directory...\n";
     echo "removing...\n";
+    exec("/bin/mkdir -p {$snortdir}");
+	exec("/bin/mkdir -p {$snortdir}/rules");
+	exec("/bin/mkdir -p {$snortdir}/signatures");
 	exec("/bin/rm {$snortdir}/*");
 	exec("/bin/rm {$snortdir}/rules/*");
+	exec("/bin/rm {$snortdir_wan}/*");
+	exec("/bin/rm {$snortdir_wan}/rules/*");
     exec("/bin/rm /usr/local/lib/snort/dynamicrules/*");	
 } else {
     echo "Making Snort Directory...\n";
     echo "should be fast...\n";
     exec("/bin/mkdir {$snortdir}");
 	exec("/bin/mkdir {$snortdir}/rules");
-	exec("/bin/rm /usr/local/lib/snort/dynamicrules/*");
+	exec("/bin/rm {$snortdir_wan}/\*");
+	exec("/bin/rm {$snortdir_wan}/rules/*");
+	exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*");
     echo "Done making snort direcory.\n";
   }
 }
 
-/*  Copy snort rules  and emergingthreats and pfsense dir to snort dir */
-if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/rules")) {
-    echo "Copying rules...\n";
+/*  Copy so_rules dir to snort lib dir */
+if ($snort_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) {
+    echo "Copying so_rules...\n";
     echo "May take a while...\n";
-    exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules");
-    echo "Done copping rules.\n";
-    /* Write out time of last sucsessful rule install catch */
-    $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A");
-    write_config();
+	sleep(2);
+    exec("`/bin/cp -f {$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`");
+	exec("/bin/cp {$tmpfname}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules");
+	exec("/bin/cp {$tmpfname}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules");
+    echo "Done copying so_rules.\n";
 } else {
-    echo "Directory rules does not exists...\n";
-    echo "Error copying rules direcory...\n";
+    echo "Directory so_rules does not exist...\n";
+    echo "Error copping so_rules...\n";
+    exit(0);
+ }
+}
+
+/*  enable disable setting will carry over with updates */
+/*  TODO carry signature changes with the updates */
+if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
+
+$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on'];
+$enabled_sid_on_array = split("\|\|", $enabled_sid_on);
+foreach($enabled_sid_on_array as $enabled_item_on)
+$selected_sid_on_sections .= "enable $enabled_item_on\n";
+
+$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off'];
+$enabled_sid_off_array = split("\|\|", $enabled_sid_off);
+foreach($enabled_sid_off_array as $enabled_item_off)
+$selected_sid_off_sections .= "disable $enabled_item_off\n";
+
+$snort_sid_text = <<<EOD
+
+###########################################
+#                                         #
+# this is auto generated on snort updates #
+#                                         #
+###########################################
+
+path = /bin:/usr/bin:/usr/local/bin
+
+update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
+
+url = dir:///usr/local/etc/snort_bkup/rules
+
+$selected_sid_on_sections
+
+$selected_sid_off_sections
+
+EOD;
+
+     /* open snort's threshold.conf for writing */
+     $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w");
+
+     fwrite($oinkmasterlist, "$snort_sid_text");
+
+     /* close snort's threshold.conf file */
+     fclose($oinkmasterlist);
+
+}
+
+/*  Copy configs to snort dir */
+if ($snort_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/etc/Makefile.am")) {
+    echo "Copying configs to snort directory...\n";
+    exec("/bin/cp {$tmpfname}/etc/* {$snortdir}");
+} else {
+    echo "The snort configs does not exist...\n";
+    echo "Error copping config...\n";
     exit(0);
  }
 }
@@ -439,18 +515,6 @@ if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) {
  }
 }
 
-/*  Copy configs to snort dir */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/etc/Makefile.am")) {
-    echo "Copying configs to snort directory...\n";
-    exec("/bin/cp {$tmpfname}/etc/* {$snortdir}");
-} else {
-    echo "The snort configs does not exist...\n";
-    echo "Error copping config...\n";
-    exit(0);
- }
-}
-
 /*  Copy signatures dir to snort dir */
 if ($snort_md5_check_ok != on) {
 $signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo'];
@@ -467,51 +531,63 @@ if (file_exists("{$tmpfname}/doc/signatures")) {
   }
  }
 }
- 
-/*  Copy so_rules dir to snort lib dir */
-if ($snort_md5_check_ok != on) {
-if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) {
-    echo "Copying so_rules...\n";
+
+/*  Copy snort rules  and emergingthreats and pfsense dir to snort dir */
+if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/rules")) {
+    echo "Copying rules...\n";
     echo "May take a while...\n";
-	sleep(2);
-    exec("`/bin/cp -f {$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`");
-	exec("/bin/cp {$tmpfname}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules");
-	exec("/bin/cp {$tmpfname}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules");
-    echo "Done copying so_rules.\n";
+    exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules");
+    echo "Done copping rules.\n";
+    /* Write out time of last sucsessful rule install catch */
+    $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A");
+    write_config();
 } else {
-    echo "Directory so_rules does not exist...\n";
-    echo "Error copping so_rules...\n";
+    echo "Directory rules does not exists...\n";
+    echo "Error copying rules direcory...\n";
     exit(0);
  }
 }
 
 /* double make shure clean up emerg rules that dont belong */
-if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) {
+if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) {
 	apc_clear_cache();
-	exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules");
-	exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules");
-	exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules");
-	exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules");
-	exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules");
-	exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules");
-	exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules");
+	exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules");
+	exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules");
+	exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules");
+	exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules");
+	exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules");
+	exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules");
+	exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules");
 }
 
 if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) {
 	exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so");
-	exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*");
+	exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*");
+}
+
+echo "Updating Alert Messages...\n";
+echo "Please Wait...\n";
+sleep(2);
+exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/gen-msg.map");
+
+/*  Run oinkmaster to snort_wan and cp configs */
+if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) {
+echo "Your enable and disable changes are being applied to your fresh set of rules...\n";
+echo "May take a while...\n";
+
+exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/generators {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/sid {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/snort.conf {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/threshold.conf {$snortdir_wan}");
+exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}");
+
+exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log");
+
 }
 
 /* php code to flush out cache some people are reportting missing files this might help  */
@@ -519,12 +595,6 @@ sleep(5);
 apc_clear_cache();
 exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync");
 
-
-echo "Updating Alert Messages...\n";
-echo "Please Wait...\n";
-sleep(2);
-exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/gen-msg.map");
-
 /* php code finish */
 echo "The Rules update finished...\n";
 echo "You may start snort now...\n";
author	robiscool <robrob2626@yahoo.com>	2009-09-18 05:28:13 -0700
committer	robiscool <robrob2626@yahoo.com>	2009-09-18 05:28:13 -0700
commit	b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701 (patch)
tree	391805e96da8c810550e4c306cf2273322fdcdd5 /config/snort-dev/snort_check_for_rule_updates.php
parent	36dc7987616fafec2af84a531f952128a55cb816 (diff)
download	pfsense-packages-b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701.tar.gz pfsense-packages-b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701.tar.bz2 pfsense-packages-b6494fa19d1cc638a3ba3a5e7f0c00f1ced89701.zip