diff options
author | robiscool <robrob2626@yahoo.com> | 2009-09-08 03:15:14 -0700 |
---|---|---|
committer | robiscool <robrob2626@yahoo.com> | 2009-09-08 03:15:14 -0700 |
commit | 8564f82412de9183210e8db7e37afa6066453d4d (patch) | |
tree | 1772d18b058dc42dc64b3d236244d675bbd2c7d9 /config/snort-dev | |
parent | d65a69cda0fe97579f9e2328b62bd856c6a52914 (diff) | |
download | pfsense-packages-8564f82412de9183210e8db7e37afa6066453d4d.tar.gz pfsense-packages-8564f82412de9183210e8db7e37afa6066453d4d.tar.bz2 pfsense-packages-8564f82412de9183210e8db7e37afa6066453d4d.zip |
snort-dev, replace snort2c with spoink, replace snort-mysql with barnyard2, add rule perl scrips, update Gsnort GUI, fix dboot-up issues
Diffstat (limited to 'config/snort-dev')
25 files changed, 5658 insertions, 10 deletions
diff --git a/config/snort-dev/bin/barnyard2 b/config/snort-dev/bin/barnyard2 Binary files differnew file mode 100644 index 00000000..b942e87f --- /dev/null +++ b/config/snort-dev/bin/barnyard2 diff --git a/config/snort-dev/bin/oinkmaster_contrib/README.contrib b/config/snort-dev/bin/oinkmaster_contrib/README.contrib new file mode 100644 index 00000000..6923fa26 --- /dev/null +++ b/config/snort-dev/bin/oinkmaster_contrib/README.contrib @@ -0,0 +1,84 @@ +# $Id: README.contrib,v 1.21 2005/10/18 10:41:20 andreas_o Exp $ # + +------------------------------------------------------------------------------- +* oinkgui.pl by Andreas Östling <andreaso@it.su.se> + + A graphical front-end to Oinkmaster written in Perl/Tk. + See README.gui for complete documentation. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* addsid.pl by Andreas Östling <andreaso@it.su.se> + + A script that parses *.rules in all specified directories and adds a + SID to (active) rules that don't have any. (Actually, rev and classtype + are also added if missing, unless you edit addsid.pl and tune this.) The + script first looks for the current highest SID (even in inactive rules) + and starts at the next one, unless this value is below MIN_SID (defined + inside addsid.pl). By default, this value is set to 1000001 since this + is the lowest SID assigned for local usage. Handles multi-line rules. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* create-sidmap.pl by Andreas Östling <andreaso@it.su.se> + + A script that parses all active rules in *.rules in all specified + directories and creates a SID map. (Like Snort's regen-sidmap, but this + one handles multi-line rules.) Result goes to standard output which can + be redirected to a sid-msg.map file. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* makesidex.pl, originally by Jerry Applebaum but later rewritten by + Andreas Östling <andreaso@it.su.se> to handle multi-line rules and + multiple rules directories. + + It reads *.rules in all specified directories, looks for all disabled + rules and prints a "disablesid <sid> # <msg>" line for each disabled rule. + The output can be appended to oinkmaster.conf. + Useful to new Oinkmaster users. +------------------------------------------------------------------------------- + + + +------------------------------------------------------------------------------- +* addmsg.pl by Andreas Östling <andreaso@it.su.se>: + + A script that will parse your oinkmaster.conf for + localsid/enablesid/disablesid lines and add their rule message as a #comment. + If your oinkmaster.conf looks like this before addmsg.pl has been run: + + disablesid 286 + disablesid 287 + disablesid 288 + + It will look something like this afterward: + + disablesid 286 # POP3 EXPLOIT x86 bsd overflow + disablesid 287 # POP3 EXPLOIT x86 bsd overflow + disablesid 288 # POP3 EXPLOIT x86 linux overflow + + addmsg.pl will not touch lines that already has a comment in them. + It's not able to handle SID lists when written like this: + disablesid 1,2,3, ... + But it should handle them if written like this: + disablesid \ + 1, \ + 2, \ + 3 + + The new config file will be printed to standard output, so you + probably want to redirect the output to a file, for example: + + ./addmsg.pl oinkmaster.conf rules/ > oinkmaster.conf.new + + If oinkmaster.conf.new looks ok, simply rename it to oinkmaster.conf. + Do NOT redirect to the same file you read from, as this will destroy + that file. +------------------------------------------------------------------------------- diff --git a/config/snort-dev/bin/oinkmaster_contrib/addmsg.pl b/config/snort-dev/bin/oinkmaster_contrib/addmsg.pl new file mode 100644 index 00000000..e5866d6f --- /dev/null +++ b/config/snort-dev/bin/oinkmaster_contrib/addmsg.pl @@ -0,0 +1,299 @@ +#!/usr/bin/perl -w + +# $Id: addmsg.pl,v 1.19 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); + + +my $USAGE = << "RTFM"; + +Parse Oinkmaster configuration file and add the rule's "msg" string as a +#comment for each disablesid/enablesid line. + +Usage: $0 <oinkmaster.conf> <rulesdir> [rulesdir2, ...] + +The new config file will be printed to standard output, so you +probably want to redirect the output to a new file (*NOT* the same +file you used as input, because that will destroy the file!). +For example: + +$0 /etc/oinkmaster.conf /etc/rules/ > oinkmaster.conf.new + +If oinkmaster.conf.new looks ok, simply rename it to /etc/oinkmaster.conf. + +RTFM + + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + + +my $config = shift || die($USAGE); + +my @rulesdirs = @ARGV; +die($USAGE) unless ($#rulesdirs > -1); + +my $verbose = 1; +my (%sidmsgmap, %config); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + + + +# Read in oinkmaster.conf. +open(CONFIG, "<" , "$config") or die("could not open \"$config\" for reading: $!\n"); +my @config = <CONFIG>; +close(CONFIG); + + +# Read in *.rules in all rulesdirs and create %sidmsgmap ($sidmsgmap{sid} = msg). +foreach my $rulesdir (@rulesdirs) { + opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(FILE, "<", "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); + my @file = <FILE>; + close(FILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + $sidmsgmap{$sid} = $msg + if (defined($single)); + } + } +} + + +# Print new oinkmaster.conf. +while ($_ = shift(@config)) { + if (/^\s*(?:disable|enable|local)sid\s+(\d+)\s*$/ || /^\s*(\d+)\s*,\s*\\$/ || /^\s*(\d+)\s*$/) { + my $sid = $1; + my $is_multiline = 0; + chomp; + + if (/\\$/) { + $is_multiline = 1; + s/\\$//; + } + + $_ = sprintf("%-25s", $_); + if (exists($sidmsgmap{$sid})) { + print "$_ # $sidmsgmap{$sid}"; + } else { + print "$_"; + } + print " \\" if ($is_multiline); + print "\n"; + } else { + print; + } +} + + + +# From oinkmaster.pl. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# From oinkmaster.pl. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev/bin/oinkmaster_contrib/addsid.pl b/config/snort-dev/bin/oinkmaster_contrib/addsid.pl new file mode 100644 index 00000000..64255d22 --- /dev/null +++ b/config/snort-dev/bin/oinkmaster_contrib/addsid.pl @@ -0,0 +1,382 @@ +#!/usr/bin/perl -w + +# $Id: addsid.pl,v 1.30 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); +sub get_next_available_sid(@); + + +# Set this to the default classtype you want to add, if missing. +# Set to 0 or "" if you don't want to add a classtype. +my $CLASSTYPE = "misc-attack"; + +# If ADD_REV is set to 1, "rev: 1;" will be added to rule if it has no rev. +# Set to 0 if you don't want to add it. +my $ADD_REV = 1; + +# Minimum SID to add. Normally, the next available SID will be used, +# unless it's below this value. Only SIDs >= 1000000 are reserved for +# personal use. +my $MIN_SID = 1000001; + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + + +my $USAGE = << "RTFM"; + +Parse *.rules in one or more directories and add "sid:<sid>;" to +active rules that don't have any "sid" entry, starting with the next +available SID after parsing all rules files (but $MIN_SID at minumum). +Also, "rev:1;" is added to rules without a "rev" entry, and +"classtype:misc-attack;" is added to rules without a "classtype" entry +(edit options at the top of $0 if you want to change this). + +Usage: $0 <rulesdir> [rulesdir2, ...] + +RTFM + + +# Start in verbose mode. +my $verbose = 1; + +my (%all_sids, %active_sids, %config); + +my @rulesdirs = @ARGV; + +die($USAGE) unless ($#rulesdirs > -1); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + + +# Find out the next available SID. +my $next_sid = get_next_available_sid(@rulesdirs); + +# Avoid seeing possible warnings about broken rules twice. +$verbose = 0; + +# Add sid/rev/classtype to active rules that don't have any. +foreach my $dir (@rulesdirs) { + opendir(RULESDIR, "$dir") or die("could not open \"$dir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(OLDFILE, "$dir/$file") + or die("could not open \"$dir/$file\": $!\n"); + my @file = <OLDFILE>; + close(OLDFILE); + + open(NEWFILE, ">", "$dir/$file") + or die("could not open \"$dir/$file\" for writing: $!\n"); + + my ($single, $multi, $nonrule, $msg, $sid); + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + + if (defined($nonrule)) { + print NEWFILE "$nonrule"; + next; + } + + $multi = $single unless (defined($multi)); + + # Don't care about inactive rules. + if ($single =~ /^\s*#/) { + print NEWFILE "$multi"; + next; + } + + my $added; + + # Add SID. + if ($single !~ /sid\s*:\s*\d+\s*;/) { + $added .= "SID $next_sid,"; + $multi =~ s/\)\s*\n/sid:$next_sid;)\n/; + $next_sid++; + } + + # Add revision. + if ($ADD_REV && $single !~ /rev\s*:\s*\d+\s*;/) { + $added .= "rev,"; + $multi =~ s/\)\s*\n/rev:1;)\n/; + } + + # Add classtype. + if ($CLASSTYPE && $single !~ /classtype\s*:\s*.+\s*;/) { + $added .= "classtype $CLASSTYPE,"; + $multi =~ s/\)\s*\n/classtype:$CLASSTYPE;)\n/; + } + + if (defined($added)) { + $added =~ s/,$//; + print "Adding $added to rule \"$msg\"\n" + if (defined($added)); + } + + print NEWFILE "$multi"; + } + + close(NEWFILE); + } + + closedir(RULESDIR); +} + + + +# Read in *.rules in given directory and return highest SID. +sub get_next_available_sid(@) +{ + my @dirs = @_; + + foreach my $dir (@dirs) { + opendir(RULESDIR, "$dir") or die("could not open \"$dir\": $!\n"); + + # Only care about *.rules. + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(OLDFILE, "<$dir/$file") or die("could not open \"$dir/$file\": $!\n"); + my @file = <OLDFILE>; + close(OLDFILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + if (defined($single) && defined($sid)) { + $all_sids{$sid}++; + + # If this is an active rule add to %active_sids and + # warn if it already exists. + if ($single =~ /^\s*alert/) { + print STDERR "WARNING: duplicate SID: $sid\n" + if (exists($active_sids{$sid})); + $active_sids{$sid}++ + } + } + } + } + } + + # Sort sids and use highest one + 1, unless it's below MIN_SID. + @_ = sort {$a <=> $b} keys(%all_sids); + my $sid = pop(@_); + + if (!defined($sid)) { + $sid = $MIN_SID + } else { + $sid++; + } + + # If it's below MIN_SID, use MIN_SID instead. + $sid = $MIN_SID if ($sid < $MIN_SID); + + return ($sid) +} + + + +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# From oinkmaster.pl except that this version +# has been modified so that the sid is *optional*. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; +# } else { +# return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl b/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl new file mode 100644 index 00000000..e1ce12ab --- /dev/null +++ b/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl @@ -0,0 +1,280 @@ +#!/usr/bin/perl -w + +# $Id: create-sidmap.pl,v 1.21 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); + +# Files to ignore. +my %skipfiles = ( + 'deleted.rules' => 1, +); + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + +my $USAGE = << "RTFM"; + +Parse active rules in *.rules in one or more directories and create a SID +map. Result is sent to standard output, which can be redirected to a +sid-msg.map file. + +Usage: $0 <rulesdir> [rulesdir2, ...] + +RTFM + +my $verbose = 1; + +my (%sidmap, %config); + +my @rulesdirs = @ARGV; + +die($USAGE) unless ($#rulesdirs > -1); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + + +# Read in all rules from each rules file (*.rules) in each rules dir. +# into %sidmap. +foreach my $rulesdir (@rulesdirs) { + opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + next if ($skipfiles{$file}); + + open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); + my @file = <FILE>; + close(FILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + if (defined($single)) { + + warn("WARNING: duplicate SID: $sid (discarding old)\n") + if (exists($sidmap{$sid})); + + $sidmap{$sid} = "$sid || $msg"; + + # Print all references. Borrowed from Brian Caswell's regen-sidmap script. + my $ref = $single; + while ($ref =~ s/(.*)reference\s*:\s*([^\;]+)(.*)$/$1 $3/) { + $sidmap{$sid} .= " || $2" + } + + $sidmap{$sid} .= "\n"; + } + } + } +} + +# Print results. +foreach my $sid (sort { $a <=> $b } keys(%sidmap)) { + print "$sidmap{$sid}"; +} + + + +# Same as in oinkmaster.pl. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# Same as in oinkmaster.pl. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev/bin/oinkmaster_contrib/makesidex.pl b/config/snort-dev/bin/oinkmaster_contrib/makesidex.pl new file mode 100644 index 00000000..80354735 --- /dev/null +++ b/config/snort-dev/bin/oinkmaster_contrib/makesidex.pl @@ -0,0 +1,261 @@ +#!/usr/bin/perl -w + +# $Id: makesidex.pl,v 1.11 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use strict; + +sub get_next_entry($ $ $ $ $ $); +sub parse_singleline_rule($ $ $); + + +# Regexp to match the start of a multi-line rule. +# %ACTIONS% will be replaced with content of $config{actions} later. +my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.*\\\\\s*\n$'; # '; + +# Regexp to match a single-line rule. +my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. + '\s.+;\s*\)\s*$'; # '; + +my $USAGE = << "RTFM"; + +Parse *.rules in one or more directories and look for all rules that are +disabled (i.e. begin with "#") and print "disablesid <sid> # <msg>" to +standard output for all those rules. This output can be redirected to a +file, which will be understood by Oinkmaster. + +Usage: $0 <rulesdir> [rulesdir2, ...] + +RTFM + +my $verbose = 1; + +my (%disabled, %config); + +my @rulesdirs = @ARGV; + +die($USAGE) unless ($#rulesdirs > -1); + +$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; + +$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; +$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; + +foreach my $rulesdir (@rulesdirs) { + opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); + + while (my $file = readdir(RULESDIR)) { + next unless ($file =~ /\.rules$/); + + open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); + my @file = <FILE>; + close(FILE); + + my ($single, $multi, $nonrule, $msg, $sid); + + while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { + $single = $multi if (defined($multi)); + $disabled{$sid} = $msg + if (defined($single) && $single =~ /^\s*#/); + } + } +} + +# Print results. +foreach my $sid (sort { $a <=> $b } keys(%disabled)) { + printf("%-25s # %s\n", "disablesid $sid", $disabled{$sid}); +} + + + +# Same as in oinkmaster.pl. +sub get_next_entry($ $ $ $ $ $) +{ + my $arr_ref = shift; + my $single_ref = shift; + my $multi_ref = shift; + my $nonrule_ref = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + undef($$single_ref); + undef($$multi_ref); + undef($$nonrule_ref); + undef($$msg_ref); + undef($$sid_ref); + + my $line = shift(@$arr_ref) || return(0); + my $disabled = 0; + my $broken = 0; + + # Possible beginning of multi-line rule? + if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { + $$single_ref = $line; + $$multi_ref = $line; + + $disabled = 1 if ($line =~ /^\s*#/); + + # Keep on reading as long as line ends with "\". + while (!$broken && $line =~ /\\\s*\n$/) { + + # Remove trailing "\" and newline for single-line version. + $$single_ref =~ s/\\\s*\n//; + + # If there are no more lines, this can not be a valid multi-line rule. + if (!($line = shift(@$arr_ref))) { + + warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") + if ($config{verbose}); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + + # Multi-line continuation. + $$multi_ref .= $line; + + # If there are non-comment lines in the middle of a disabled rule, + # mark the rule as broken to return as non-rule lines. + if ($line !~ /^\s*#/ && $disabled) { + $broken = 1; + } elsif ($line =~ /^\s*#/ && !$disabled) { + # comment line (with trailing slash) in the middle of an active rule - ignore it + } else { + $line =~ s/^\s*#*\s*//; # remove leading # in single-line version + $$single_ref .= $line; + } + + } # while line ends with "\" + + # Single-line version should now be a valid rule. + # If not, it wasn't a valid multi-line rule after all. + if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { + + $$single_ref =~ s/^\s*//; # remove leading whitespaces + $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # + $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + $$multi_ref =~ s/^\s*//; + $$multi_ref =~ s/\s*\n$/\n/; + $$multi_ref =~ s/^#+\s*/#/; + + return (1); # return multi + } else { + warn("\nWARNING: invalid multi-line rule: $$single_ref\n") + if ($config{verbose} && $$multi_ref !~ /^\s*#/); + + @_ = split(/\n/, $$multi_ref); + + undef($$multi_ref); + undef($$single_ref); + + # First line of broken multi-line rule will be returned as a non-rule line. + $$nonrule_ref = shift(@_) . "\n"; + $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces + + # The rest is put back to the array again. + foreach $_ (reverse((@_))) { + unshift(@$arr_ref, "$_\n"); + } + + return (1); # return non-rule + } + } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { + $$single_ref = $line; + $$single_ref =~ s/^\s*//; + $$single_ref =~ s/^#+\s*/#/; + $$single_ref =~ s/\s*\n$/\n/; + + return (1); # return single + } else { # non-rule line + + # Do extra check and warn if it *might* be a rule anyway, + # but that we just couldn't parse for some reason. + warn("\nWARNING: line may be a rule but it could not be parsed ". + "(missing sid or msg?): $line\n") + if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); + + $$nonrule_ref = $line; + $$nonrule_ref =~ s/\s*\n$/\n/; + + return (1); # return non-rule + } +} + + + +# Same as in oinkmaster.pl. +sub parse_singleline_rule($ $ $) +{ + my $line = shift; + my $msg_ref = shift; + my $sid_ref = shift; + + if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { + + if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { + $$msg_ref = $1; + } else { + return (0); + } + + if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { + $$sid_ref = $1; + } else { + return (0); + } + + return (1); + } + + return (0); +} diff --git a/config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl b/config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl new file mode 100644 index 00000000..4e96f7db --- /dev/null +++ b/config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl @@ -0,0 +1,1046 @@ +#!/usr/bin/perl -w + +# $Id: oinkgui.pl,v 1.52 2005/12/31 13:42:46 andreas_o Exp $ # + +# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or +# without modification, are permitted provided that the following +# conditions are met: +# +# 1. Redistributions of source code must retain the above +# copyright notice, this list of conditions and the following +# disclaimer. +# +# 2. Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# +# 3. Neither the name of the author nor the names of its +# contributors may be used to endorse or promote products +# derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +use 5.006001; + +use strict; +use File::Spec; +use Tk; +use Tk::Balloon; +use Tk::BrowseEntry; +use Tk::FileSelect; +use Tk::NoteBook; +use Tk::ROText; + +use constant CSIDL_DRIVES => 17; + +sub update_rules(); +sub clear_messages(); +sub create_cmdline($); +sub fileDialog($ $ $ $); +sub load_config(); +sub save_config(); +sub save_messages(); +sub update_file_label_color($ $ $); +sub create_fileSelectFrame($ $ $ $ $ $); +sub create_checkbutton($ $ $); +sub create_radiobutton($ $ $); +sub create_actionbutton($ $ $); +sub execute_oinkmaster(@); +sub logmsg($ $); + + +my $version = 'Oinkmaster GUI v1.1'; + +my @oinkmaster_conf = qw( + /etc/oinkmaster.conf + /usr/local/etc/oinkmaster.conf +); + +# List of URLs that will show up in the URL BrowseEntry. +my @urls = qw( + http://www.bleedingsnort.com/bleeding.rules.tar.gz + http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz + http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz + http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.3.tar.gz +); + +my %color = ( + background => 'Bisque3', + button => 'Bisque2', + label => 'Bisque1', + notebook_bg => 'Bisque2', + notebook_inact => 'Bisque3', + file_label_ok => '#00e000', + file_label_not_ok => 'red', + out_frame_fg => 'white', + out_frame_bg => 'black', + entry_bg => 'white', + button_active => 'white', + button_bg => 'Bisque4', +); + +my %config = ( + animate => 1, + careful => 0, + enable_all => 0, + check_removed => 0, + output_mode => 'normal', + diff_mode => 'detailed', + perl => $^X, + oinkmaster => "", + oinkmaster_conf => "", + outdir => "", + url => "", + varfile => "", + backupdir => "", + editor => "", +); + +my %help = ( + + # File locations. + oinkscript => 'Location of the executable Oinkmaster script (oinkmaster.pl).', + oinkconf => 'The Oinkmaster configuration file to use.', + outdir => 'Where to put the new rules. This should be the directory where you '. + 'store your current rules.', + + url => 'Alternate location of rules archive to download/copy. '. + 'Leave empty to use the location set in oinkmaster.conf.', + varfile => 'Variables that exist in downloaded snort.conf but not in '. + 'this file will be added to it. Leave empty to skip.', + backupdir => 'Directory to put tarball of old rules before overwriting them. '. + 'Leave empty to skip backup.', + editor => 'Full path to editor to execute when pressing the "edit" button '. + '(wordpad is recommended on Windows). ', + + # Checkbuttons. + careful => 'In careful mode, Oinkmaster will just check for changes, '. + 'not update anything.', + enable => 'Some rules may be commented out by default (for a reason!). '. + 'This option will make Oinkmaster enable those.', + removed => 'Check for rules files that exist in the output directory but not '. + 'in the downloaded rules archive.', + + # Action buttons. + clear => 'Clear current output messages.', + save => 'Save current output messages to file.', + exit => 'Exit the GUI.', + update => 'Execute Oinkmaster to update the rules.', + test => 'Test current Oinkmaster configuration. ' . + 'If there are no fatal errors, you are ready to update the rules.', + version => 'Request version information from Oinkmaster.', +); + + +my $gui_config_file = ""; +my $use_fileop = 0; + + +#### MAIN #### + +select STDERR; +$| = 1; +select STDOUT; +$| = 1; + +# Find out if can use Win32::FileOp. +if ($^O eq 'MSWin32') { + BEGIN { $^W = 0 } + $use_fileop = 1 if (eval "require Win32::FileOp"); +} + +# Find out which oinkmaster.pl file to default to. +foreach my $dir (File::Spec->path()) { + my $file = "$dir/oinkmaster"; + if (-f "$file" && (-x "$file" || $^O eq 'MSWin32')) { + $config{oinkmaster} = $file; + last; + } elsif (-f "$file.pl" && (-x "$file" || $^O eq 'MSWin32')) { + $config{oinkmaster} = "$file.pl"; + last; + } +} + +# Find out which oinkmaster config file to default to. +foreach my $file (@oinkmaster_conf) { + if (-e "$file") { + $config{oinkmaster_conf} = $file; + last; + } +} + +# Find out where the GUI config file is (it's not required). +if ($ENV{HOME}) { + $gui_config_file = "$ENV{HOME}/.oinkguirc" +} elsif ($ENV{HOMEDRIVE} && $ENV{HOMEPATH}) { + $gui_config_file = "$ENV{HOMEDRIVE}$ENV{HOMEPATH}\\.oinkguirc"; +} + + +# Create main window. +my $main = MainWindow->new( + -background => "$color{background}", + -title => "$version", +); + + +# Create scrolled frame with output messages. +my $out_frame = $main->Scrolled('ROText', + -setgrid => 'true', + -scrollbars => 'e', + -background => $color{out_frame_bg}, + -foreground => $color{out_frame_fg}, +); + + +my $help_label = $main->Label( + -relief => 'groove', + -background => "$color{label}", +); + +my $balloon = $main->Balloon( + -statusbar => $help_label, +); + + +# Create notebook. +my $notebook = $main->NoteBook( + -ipadx => 6, + -ipady => 6, + -background => $color{notebook_bg}, + -inactivebackground => $color{notebook_inact}, + -backpagecolor => $color{background}, +); + + +# Create tab with required files/dirs. +my $req_tab = $notebook->add("required", + -label => "Required files and directories", + -underline => 0, +); + +$req_tab->configure(-bg => "$color{notebook_inact}"); + + +# Create frame with oinkmaster.pl location. +my $filetypes = [ + ['Oinkmaster script', 'oinkmaster.pl'], + ['All files', '*' ] +]; + +my $oinkscript_frame = + create_fileSelectFrame($req_tab, "oinkmaster.pl", 'EXECFILE', + \$config{oinkmaster}, 'NOEDIT', $filetypes); + +$balloon->attach($oinkscript_frame, -statusmsg => $help{oinkscript}); + + +# Create frame with oinkmaster.conf location. +$filetypes = [ + ['configuration files', '.conf'], + ['All files', '*' ] +]; + +my $oinkconf_frame = + create_fileSelectFrame($req_tab, "oinkmaster.conf", 'ROFILE', + \$config{oinkmaster_conf}, 'EDIT', $filetypes); + +$balloon->attach($oinkconf_frame, -statusmsg => $help{oinkconf}); + + +# Create frame with output directory. +my $outdir_frame = + create_fileSelectFrame($req_tab, "output directory", 'WRDIR', + \$config{outdir}, 'NOEDIT', undef); + +$balloon->attach($outdir_frame, -statusmsg => $help{outdir}); + + + +# Create tab with optional files/dirs. +my $opt_tab = $notebook->add("optional", + -label => "Optional files and directories", + -underline => 0, +); + +$opt_tab->configure(-bg => "$color{notebook_inact}"); + +# Create frame with alternate URL location. +$filetypes = [ + ['compressed tar files', '.tar.gz'] +]; + +my $url_frame = + create_fileSelectFrame($opt_tab, "Alternate URL", 'URL', + \$config{url}, 'NOEDIT', $filetypes); + +$balloon->attach($url_frame, -statusmsg => $help{url}); + + +# Create frame with variable file. +$filetypes = [ + ['Snort configuration files', ['.conf', '.config']], + ['All files', '*' ] +]; + +my $varfile_frame = + create_fileSelectFrame($opt_tab, "Variable file", 'WRFILE', + \$config{varfile}, 'EDIT', $filetypes); + +$balloon->attach($varfile_frame, -statusmsg => $help{varfile}); + + +# Create frame with backup dir location. +my $backupdir_frame = + create_fileSelectFrame($opt_tab, "Backup directory", 'WRDIR', + \$config{backupdir}, 'NOEDIT', undef); + +$balloon->attach($backupdir_frame, -statusmsg => $help{backupdir}); + + +# Create frame with editor location. +$filetypes = [ + ['executable files', ['.exe']], + ['All files', '*' ] +]; + +my $editor_frame = + create_fileSelectFrame($opt_tab, "Editor", 'EXECFILE', + \$config{editor}, 'NOEDIT', $filetypes); + +$balloon->attach($editor_frame, -statusmsg => $help{editor}); + + + +$notebook->pack( + -expand => 'no', + -fill => 'x', + -padx => '5', + -pady => '5', + -side => 'top' +); + + +# Create the frame to the left. +my $left_frame = $main->Frame( + -background => "$color{label}", + -border => '2', +)->pack( + -side => 'left', + -fill => 'y', +); + + +# Create "GUI settings" label. +$left_frame->Label( + -text => "GUI settings:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + + +create_actionbutton($left_frame, "Load saved settings", \&load_config); +create_actionbutton($left_frame, "Save current settings", \&save_config); + + +# Create "options" label at the top of the left frame. +$left_frame->Label( + -text => "Options:", + -background => "$color{label}", +)->pack(-side => 'top', + -fill => 'x', +); + + +# Create checkbuttons in the left frame. +$balloon->attach( + create_checkbutton($left_frame, "Careful mode", \$config{careful}), + -statusmsg => $help{careful} +); + +$balloon->attach( + create_checkbutton($left_frame, "Enable all", \$config{enable_all}), + -statusmsg => $help{enable} +); + +$balloon->attach( + create_checkbutton($left_frame, "Check for removed files", \$config{check_removed}), + -statusmsg => $help{removed} +); + + +# Create "mode" label. +$left_frame->Label( + -text => "Output mode:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + +# Create mode radiobuttons in the left frame. +create_radiobutton($left_frame, "super-quiet", \$config{output_mode}); +create_radiobutton($left_frame, "quiet", \$config{output_mode}); +create_radiobutton($left_frame, "normal", \$config{output_mode}); +create_radiobutton($left_frame, "verbose", \$config{output_mode}); + +# Create "Diff mode" label. +$left_frame->Label( + -text => "Diff mode:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + +create_radiobutton($left_frame, "detailed", \$config{diff_mode}); +create_radiobutton($left_frame, "summarized", \$config{diff_mode}); +create_radiobutton($left_frame, "remove common", \$config{diff_mode}); + + +# Create "activity messages" label. +$main->Label( + -text => "Output messages:", + -width => '130', + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + + + +# Pack output frame. +$out_frame->pack( + -expand => 'yes', + -fill => 'both', +); + + +# Pack help label below output window. +$help_label->pack( + -fill => 'x', +); + + +# Create "actions" label. +$left_frame->Label( + -text => "Actions:", + -background => "$color{label}", +)->pack( + -side => 'top', + -fill => 'x', +); + + +# Create action buttons. + +$balloon->attach( + create_actionbutton($left_frame, "Update rules!", \&update_rules), + -statusmsg => $help{update} +); + +$balloon->attach( + create_actionbutton($left_frame, "Clear output messages", \&clear_messages), + -statusmsg => $help{clear} +); + +$balloon->attach( + create_actionbutton($left_frame, "Save output messages", \&save_messages), + -statusmsg => $help{save} +); + +$balloon->attach( + create_actionbutton($left_frame, "Exit", \&exit), + -statusmsg => $help{exit} +); + + + +# Make the mousewheel scroll the output window. Taken from Mastering Perl/Tk. +if ($^O eq 'MSWin32') { + $out_frame->bind('<MouseWheel>' => + [ sub { $_[0]->yview('scroll', -($_[1] / 120) * 3, 'units')}, + Ev('D') ] + ); +} else { + $out_frame->bind('<4>' => sub { + $_[0]->yview('scroll', -3, 'units') unless $Tk::strictMotif; + }); + + $out_frame->bind('<5>' => sub { + $_[0]->yview('scroll', +3, 'units') unless $Tk::strictMotif; + }); +} + + + +# Now the fun begins. +if ($config{animate}) { + foreach (split(//, "Welcome to $version")) { + logmsg("$_", 'MISC'); + $out_frame->after(5); + } +} else { + logmsg("Welcome to $version", 'MISC'); +} + +logmsg("\n\n", 'MISC'); + +# Load gui settings into %config. +load_config(); + + +# Warn if any required file/directory is not set. +logmsg("No oinkmaster.pl set, please select one above!\n\n", 'ERROR') + if ($config{oinkmaster} !~ /\S/); + +logmsg("No oinkmaster configuration file set, please select one above!\n\n", 'ERROR') + if ($config{oinkmaster_conf} !~ /\S/); + +logmsg("Output directory is not set, please select one above!\n\n", 'ERROR') + if ($config{outdir} !~ /\S/); + + +MainLoop; + + + +#### END #### + + + +sub fileDialog($ $ $ $) +{ + my $var_ref = shift; + my $title = shift; + my $type = shift; + my $filetypes = shift; + my $dirname; + + if ($type eq 'WRDIR') { + if ($use_fileop) { + $dirname = Win32::FileOp::BrowseForFolder("title", CSIDL_DRIVES); + } else { + my $fs = $main->FileSelect(); + $fs->configure(-verify => ['-d', '-w'], -title => $title); + $dirname = $fs->Show; + } + $$var_ref = $dirname if ($dirname); + } elsif ($type eq 'EXECFILE' || $type eq 'ROFILE' || $type eq 'WRFILE' || $type eq 'URL') { + my $filename = $main->getOpenFile(-title => $title, -filetypes => $filetypes); + $$var_ref = $filename if ($filename); + } elsif ($type eq 'SAVEFILE') { + my $filename = $main->getSaveFile(-title => $title, -filetypes => $filetypes); + $$var_ref = $filename if ($filename); + } else { + logmsg("Unknown type ($type)\n", 'ERROR'); + } +} + + + +sub update_file_label_color($ $ $) +{ + my $label = shift; + my $filename = shift; + my $type = shift; + + $filename =~ s/^\s+//; + $filename =~ s/\s+$//; + + unless ($filename) { + $label->configure(-background => $color{file_label_not_ok}); + return (1); + } + + if ($type eq "URL") { + if ($filename =~ /^(?:http|ftp|scp):\/\/.+\.tar\.gz$/) { + $label->configure(-background => $color{file_label_ok}); + } elsif ($filename =~ /^(?:file:\/\/)*(.+\.tar\.gz)$/) { + my $file = $1; + if (-f "$file" && -r "$file") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "ROFILE") { + if (-f "$filename" && -r "$filename") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "EXECFILE") { + if (-f "$filename" && (-x "$filename" || $^O eq 'MSWin32')) { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "WRFILE") { + if (-f "$filename" && -w "$filename") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } elsif ($type eq "WRDIR") { + if (-d "$filename" && -w "$filename") { + $label->configure(-background => $color{file_label_ok}); + } else { + $label->configure(-background => $color{file_label_not_ok}); + } + } else { + print STDERR "incorrect type ($type)\n"; + exit; + } + + return (1); +} + + + +sub create_checkbutton($ $ $) +{ + my $frame = shift; + my $name = shift; + my $var_ref = shift; + + my $button = $frame->Checkbutton( + -text => $name, + -background => $color{button}, + -activebackground => $color{button_active}, + -highlightbackground => $color{button_bg}, + -variable => $var_ref, + -relief => 'raise', + -anchor => 'w', + )->pack( + -fill => 'x', + -side => 'top', + -pady => '1', + ); + + return ($button); +} + + + +sub create_actionbutton($ $ $) +{ + my $frame = shift; + my $name = shift; + my $func_ref = shift; + + my $button = $frame->Button( + -text => $name, + -command => sub { + &$func_ref; + $out_frame->focus; + }, + -background => $color{button}, + -activebackground => $color{button_active}, + -highlightbackground => $color{button_bg}, + )->pack( + -fill => 'x', + ); + + return ($button); +} + + + +sub create_radiobutton($ $ $) +{ + my $frame = shift; + my $name = shift; + my $mode_ref = shift; + + my $button = $frame->Radiobutton( + -text => $name, + -highlightbackground => $color{button_bg}, + -background => $color{button}, + -activebackground => $color{button_active}, + -variable => $mode_ref, + -relief => 'raised', + -anchor => 'w', + -value => $name, + )->pack( + -side => 'top', + -pady => '1', + -fill => 'x', + ); + + return ($button); +} + + + +# Create <label><entry><browsebutton> in given frame. +sub create_fileSelectFrame($ $ $ $ $ $) +{ + my $win = shift; + my $name = shift; + my $type = shift; # FILE|DIR|URL + my $var_ref = shift; + my $edtype = shift; # EDIT|NOEDIT + my $filetypes = shift; + + # Create frame. + my $frame = $win->Frame( + -bg => $color{background}, + )->pack( + -padx => '2', + -pady => '2', + -fill => 'x' + ); + + # Create label. + my $label = $frame->Label( + -text => $name, + -width => '16', + -relief => 'raised', + -background => "$color{file_label_not_ok}", + )->pack( + -side => 'left' + ); + + my $entry; + + if ($type eq 'URL') { + $entry = $frame->BrowseEntry( + -textvariable => $var_ref, + -background => $color{entry_bg}, + -width => '80', + -choices => \@urls, + -validate => 'key', + -validatecommand => sub { update_file_label_color($label, $_[0], $type) }, + )->pack( + -side => 'left', + -expand => 'yes', + -fill => 'x' + ); + } else { + $entry = $frame->Entry( + -textvariable => $var_ref, + -background => $color{entry_bg}, + -width => '80', + -validate => 'key', + -validatecommand => sub { update_file_label_color($label, $_[0], $type) }, + )->pack( + -side => 'left', + -expand => 'yes', + -fill => 'x' + ); + } + + # Create edit-button if file is ediable. + if ($edtype eq 'EDIT') { + my $edit_but = $frame->Button( + -text => "Edit", + -background => "$color{button}", + -command => sub { + unless (-e "$$var_ref") { + logmsg("Select an existing file first!\n\n", 'ERROR'); + return; + } + + if ($config{editor}) { + $main->Busy(-recurse => 1); + logmsg("Launching " . $config{editor} . + ", close it to continue the GUI.\n\n", 'MISC'); + sleep(2); + system($config{editor}, $$var_ref); # MainLoop will be put on hold... + $main->Unbusy; + } else { + logmsg("No editor set\n\n", 'ERROR'); + } + } + )->pack( + -side => 'left', + ); + } + + # Create browse-button. + my $but = $frame->Button( + -text => "browse ...", + -background => $color{button}, + -command => sub { + fileDialog($var_ref, $name, $type, $filetypes); + } + )->pack( + -side => 'left', + ); + + return ($frame); +} + + + +sub logmsg($ $) +{ + my $text = shift; + my $type = shift; + + return unless (defined($text)); + + $out_frame->tag(qw(configure OUTPUT -foreground grey)); + $out_frame->tag(qw(configure ERROR -foreground red)); + $out_frame->tag(qw(configure MISC -foreground white)); + $out_frame->tag(qw(configure EXEC -foreground bisque2)); + + $out_frame->insert('end', "$text", "$type"); + $out_frame->see('end'); + $out_frame->update; +} + + + + +sub execute_oinkmaster(@) +{ + my @cmd = @_; + my @obfuscated_cmd; + + # Obfuscate possible password in url. + foreach my $line (@cmd) { + if ($line =~ /^(\S+:\/\/.+?):.+?@(.+)/) { + push(@obfuscated_cmd, "$1:*password*\@$2"); + } else { + push(@obfuscated_cmd, $line); + } + } + + logmsg("@obfuscated_cmd:\n", 'EXEC'); + + $main->Busy(-recurse => 1); + + if ($^O eq 'MSWin32') { + open(OINK, "@cmd 2>&1|"); + while (<OINK>) { + logmsg($_, 'OUTPUT'); + } + close(OINK); + } else { + if (open(OINK,"-|")) { + while (<OINK>) { + logmsg($_, 'OUTPUT'); + } + } else { + open(STDERR, '>&STDOUT'); + exec(@cmd); + } + close(OINK); + } + + $main->Unbusy; + logmsg("done.\n\n", 'EXEC'); +} + + + +sub clear_messages() +{ + $out_frame->delete('1.0','end'); + $out_frame->update; +} + + + +sub save_messages() +{ + my $text = $out_frame->get('1.0', 'end'); + my $title = 'Save output messages'; + my $filename; + + my $filetypes = [ + ['Log files', ['.log', '.txt']], + ['All files', '*' ] + ]; + + + if (length($text) > 1) { + fileDialog(\$filename, $title, 'SAVEFILE', $filetypes); + if (defined($filename)) { + + unless (open(LOG, ">", "$filename")) { + logmsg("Could not open $filename for writing: $!\n\n", 'ERROR'); + return; + } + + print LOG $text; + close(LOG); + logmsg("Successfully saved output messages to $filename\n\n", 'MISC'); + } + + } else { + logmsg("Nothing to save.\n\n", 'ERROR'); + } +} + + + +sub update_rules() +{ + my @cmd; + + create_cmdline(\@cmd) || return; + clear_messages(); + execute_oinkmaster(@cmd); +} + + + +sub create_cmdline($) +{ + my $cmd_ref = shift; + + my $oinkmaster = $config{oinkmaster}; + my $oinkmaster_conf = $config{oinkmaster_conf}; + my $outdir = $config{outdir}; + my $varfile = $config{varfile}; + my $url = $config{url}; + my $backupdir = $config{backupdir}; + + # Assume file:// if url prefix is missing. + if ($url) { + $url = "file://$url" unless ($url =~ /(?:http|ftp|file|scp):\/\//); + if ($url =~ /.+<oinkcode>.+/) { + logmsg("You must replace <oinkcode> with your real oinkcode, see the FAQ!\n\n", 'ERROR'); + return (0); + } + } + + $oinkmaster = File::Spec->rel2abs($oinkmaster) + if ($oinkmaster); + + $outdir = File::Spec->canonpath("$outdir"); + $backupdir = File::Spec->canonpath("$backupdir"); + + # Clean leading/trailing whitespaces. + foreach my $var_ref (\$oinkmaster, \$oinkmaster_conf, \$outdir, + \$varfile, \$url, \$backupdir) { + $$var_ref =~ s/^\s+//; + $$var_ref =~ s/\s+$//; + } + + unless ($config{oinkmaster} && -f "$config{oinkmaster}" && + (-x "$config{oinkmaster}" || $^O eq 'MSWin32')) { + logmsg("Location of oinkmaster.pl is not set correctly!\n\n", 'ERROR'); + return; + } + + unless ($oinkmaster_conf && -f "$oinkmaster_conf") { + logmsg("Location of configuration file is not set correctlyy!\n\n", 'ERROR'); + return (0); + } + + unless ($outdir && -d "$outdir") { + logmsg("Output directory is not set correctly!\n\n", 'ERROR'); + return (0); + } + + # Add leading/trailing "" if win32. + foreach my $var_ref (\$oinkmaster, \$oinkmaster_conf, \$outdir, + \$varfile, \$url, \$backupdir) { + if ($^O eq 'MSWin32' && $$var_ref) { + $$var_ref = "\"$$var_ref\""; + } + } + + push(@$cmd_ref, + "$config{perl}", "$oinkmaster", + "-C", "$oinkmaster_conf", + "-o", "$outdir"); + + push(@$cmd_ref, "-c") if ($config{careful}); + push(@$cmd_ref, "-e") if ($config{enable_all}); + push(@$cmd_ref, "-r") if ($config{check_removed}); + push(@$cmd_ref, "-q") if ($config{output_mode} eq "quiet"); + push(@$cmd_ref, "-Q") if ($config{output_mode} eq "super-quiet"); + push(@$cmd_ref, "-v") if ($config{output_mode} eq "verbose"); + push(@$cmd_ref, "-m") if ($config{diff_mode} eq "remove common"); + push(@$cmd_ref, "-s") if ($config{diff_mode} eq "summarized"); + push(@$cmd_ref, "-U", "$varfile") if ($varfile); + push(@$cmd_ref, "-b", "$backupdir") if ($backupdir); + + push(@$cmd_ref, "-u", "$url") + if ($url); + + return (1); +} + + + +# Load $config file into %config hash. +sub load_config() +{ + unless (defined($gui_config_file) && $gui_config_file) { + logmsg("Unable to determine config file location, is your \$HOME set?\n\n", 'ERROR'); + return; + } + + unless (-e "$gui_config_file") { + logmsg("$gui_config_file does not exist, keeping current/default settings\n\n", 'MISC'); + return; + } + + unless (open(RC, "<", "$gui_config_file")) { + logmsg("Could not open $gui_config_file for reading: $!\n\n", 'ERROR'); + return; + } + + while (<RC>) { + next unless (/^(\S+)=(.*)/); + $config{$1} = $2; + } + + close(RC); + logmsg("Successfully loaded GUI settings from $gui_config_file\n\n", 'MISC'); +} + + + +# Save %config into file $config. +sub save_config() +{ + unless (defined($gui_config_file) && $gui_config_file) { + logmsg("Unable to determine config file location, is your \$HOME set?\n\n", 'ERROR'); + return; + } + + unless (open(RC, ">", "$gui_config_file")) { + logmsg("Could not open $gui_config_file for writing: $!\n\n", 'ERROR'); + return; + } + + print RC "# Automatically created by Oinkgui. ". + "Do not edit directly unless you have to.\n"; + + foreach my $option (sort(keys(%config))) { + print RC "$option=$config{$option}\n"; + } + + close(RC); + logmsg("Successfully saved current GUI settings to $gui_config_file\n\n", 'MISC'); +} diff --git a/config/snort-dev/bin/snort2c b/config/snort-dev/bin/snort2c Binary files differnew file mode 100644 index 00000000..fdc91ac8 --- /dev/null +++ b/config/snort-dev/bin/snort2c diff --git a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 new file mode 100644 index 00000000..97a55e1d --- /dev/null +++ b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 @@ -0,0 +1 @@ +101
\ No newline at end of file diff --git a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules new file mode 100644 index 00000000..3142c0b6 --- /dev/null +++ b/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules @@ -0,0 +1,11 @@ +alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000004; rev:1;) +# Excessive number of SIP 4xx Responses Does not work +#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;) +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000009; rev:1;) + +# Rule for alerting of INVITE flood attack: +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000002; rev:1;) +# Rule for alerting of REGISTER flood attack: +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;) +# Threshold rule for unauthorized responses: +alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000008; rev:1;) diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 884f0883..ca640551 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -138,7 +138,7 @@ function sync_package_snort() mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); /* always stop snort2c before starting snort -gtm */ - $start .= "/usr/bin/killall snort2c\n"; + $start .= "/usr/bin/killall barnyard2\n"; /* start a snort process for each interface -gtm */ /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ @@ -148,24 +148,33 @@ function sync_package_snort() { $start .= "sleep 8\n"; $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; + + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; } - /* if block offenders is checked, start snort2c */ - if($_POST['blockoffenders']) { - $start .= "\nsleep 8\n"; - $start .= "snort2c -w /var/db/whitelist -a /var/log/snort/alert\n"; - } - +// /* if block offenders is checked, start snort2c */ +// if($_POST['blockoffenders']) { +// $start .= "\nsleep 8\n"; +// $start .= "snort2c -w /var/db/whitelist -a /var/log/snort/alert\n"; +// } + + $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; + $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; + $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; $sample_before = "\nBEFORE_MEM=`top | grep Free | grep Wired | awk '{print \$10}'`\n"; $sample_after = "\nAFTER_MEM=`top | grep Free | grep Wired | awk '{print \$10}'`\n"; $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nsleep 17"; $total_free_after = "\nTOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; $echo_usage = "\necho \"Ram free BEFORE starting Snort: \${BEFORE_MEM} -- Ram free AFTER starting Snort: \${AFTER_MEM}\" -- Mode {$snort_performance} -- Snort memory usage: \$TOTAL_USAGE | logger -p daemon.info -i -t SnortStartup\n"; + $rm_snort_sh_pid = "\nrm /tmp/snort.sh.pid\n"; /* write out rc.d start/stop file */ write_rcfile(array( "file" => "snort.sh", - "start" => "{$sample_before}{$start}{$sleep_before_final}{$sample_after}{$echo_usage}", + "start" => "{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$sample_before}{$start}{$sleep_before_final}{$sample_after}{$echo_usage}{$rm_snort_sh_pid}", "stop" => "/usr/bin/killall snort; killall snort2c" ) ); @@ -173,11 +182,72 @@ function sync_package_snort() /* create snort configuration file */ create_snort_conf(); +/* create barnyard2 configuration file */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); + + /* start snort service */ conf_mount_ro(); start_service("snort"); } +/* open barnyard2.conf for writing */ +function create_barnyard2_conf() { + global $bconfig, $bg; + /* write out barnyard2_conf */ + $barnyard2_conf_text = generate_barnyard2_conf(); +// conf_mount_rw(); + $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); + exit; + } + fwrite($bconf, $barnyard2_conf_text); + fclose($bconf); +// conf_mount_ro(); +} + +/* open barnyard2.conf for writing" */ +function generate_barnyard2_conf() { + + global $config, $g; + conf_mount_rw(); + +/* define snortbarnyardlog */ +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; + +$barnyard2_conf_text = <<<EOD + + Copyright (C) 2006 Scott Ullrich + part of pfSense + All rights reserved. + +# set the appropriate paths to the file(s) your Snort process is using +config reference-map: /usr/local/etc/snort/reference.config +config class-map: /usr/local/etc/snort/classification.config +config gen-msg-map: /usr/local/etc/snort/gen-msg.map +config sid-msg-map: /usr/local/etc/snort/sid-msg.map + +config hostname: pfsense.local +config interface: vr0 + +# Step 2: setup the input plugins +input unified2 + +# database: log to a variety of databases +# output database: log, mysql, user=snort password=snort123 dbname=snort host=192.168.1.22 + +$snortbarnyardlog_database_info_chk + +EOD; + + return $barnyard2_conf_text; + +} + + function create_snort_conf() { global $config, $g; /* write out snort.conf */ @@ -241,14 +311,21 @@ $tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0 if ($tcpdumplog_info_chk == on) $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; -/* define snortmysqllog */ -$snortmysqllog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortmysqllog']; +/* define snortbarnyardlog_chk */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; /* define snortunifiedlog */ $snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; if ($snortunifiedlog_info_chk == on) $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; +/* define spoink */ +$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; +if ($spoink_info_chk == on) + $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; + /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ @@ -964,6 +1041,7 @@ $alertsystemlog_type $tcpdumplog_type $snortmysqllog_info_chk $snortunifiedlog_type +$spoink_type ################# # diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml new file mode 100644 index 00000000..c5e1f397 --- /dev/null +++ b/config/snort-dev/snort.xml @@ -0,0 +1,297 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfsense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>Snort</name> + <version>2.8.4.1</version> + <title>Services: Snort 2.8.4.1 pkg v. 1.5</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <menu> + <name>Snort</name> + <tooltiptext>Setup snort specific settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + </menu> + <service> + <name>snort</name> + <rcfile>snort.sh</rcfile> + <executable>snort</executable> + </service> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> + </tab> + <tab> + <text>Categories</text> + <url>/snort_rulesets.php</url> + </tab> + <tab> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + </tab> + <tab> + <text>Blocked</text> + <url>/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=snort_whitelist.xml</url> + </tab> + <tab> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + </tab> + </tabs> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/snort2c</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/mons2c</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_whitelist.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_blocked.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_advanced.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_define_servers.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_threshold.xml</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Interface</fielddescr> + <fieldname>iface_array</fieldname> + <description>Select the interface(s) Snort will listen on.</description> + <type>interfaces_selection</type> + <size>3</size> + <value>lan</value> + <multiple>true</multiple> + </field> + <field> + <fielddescr>Performance</fielddescr> + <fieldname>performance</fieldname> + <description>ac method is the fastest startup but consumes a lot more memory. acs/ac-banded and ac-sparsebands/mwm/lowmem methods use quite a bit less. ac-sparsebands is recommended.</description> + <type>select</type> + <options> + <option> + <name>ac-bnfa</name> + <value>ac-bnfa</value> + </option> + <option> + <name>lowmem</name> + <value>lowmem</value> + </option> + <option> + <name>ac-std</name> + <value>ac-std</value> + </option> + <option> + <name>ac</name> + <value>ac</value> + </option> + <option> + <name>ac-banded</name> + <value>ac-banded</value> + </option> + <option> + <name>ac-sparsebands</name> + <value>ac-sparsebands</value> + </option> + <option> + <name>acs</name> + <value>acs</value> + </option> + </options> + </field> + <field> + <fielddescr>Oinkmaster code</fielddescr> + <fieldname>oinkmastercode</fieldname> + <description>Obtain a snort.org Oinkmaster code and paste here.</description> + <type>input</type> + <size>60</size> + <value></value> + </field> + <field> + <fielddescr>Snort.org subscriber</fielddescr> + <fieldname>subscriber</fieldname> + <description>Check this box if you are a Snort.org subscriber (premium rules).</description> + <type>checkbox</type> + <size>60</size> + </field> + <field> + <fielddescr>Block offenders</fielddescr> + <fieldname>blockoffenders7</fieldname> + <description>Checking this option will automatically block hosts that generate a snort alert.</description> + <type>checkbox</type> + <size>60</size> + </field> + <field> + <fielddescr>Update rules automatically</fielddescr> + <fieldname>automaticrulesupdate</fieldname> + <description>Checking this option will automatically check for and update rules once a week from snort.org.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Whitelist VPNs automatically</fielddescr> + <fieldname>whitelistvpns</fieldname> + <description>Checking this option will install whitelists for all VPNs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Convert Snort alerts urls to clickable links</fielddescr> + <fieldname>clickablalerteurls</fieldname> + <description>Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Associate events on Blocked tab</fielddescr> + <fieldname>associatealertip</fieldname> + <description>Checking this option will automatically associate the blocked reason from the snort alerts file.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Sync Snort configuration to secondary cluster members</fielddescr> + <fieldname>syncxmlrpc</fieldname> + <description>Checking this option will automatically sync the snort configuration via XMLRPC to CARP cluster members.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Install emergingthreats rules.</fielddescr> + <fieldname>emergingthreats</fieldname> + <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description> + <type>checkbox</type> + </field> + </fields> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_resync_config_command> + sync_package_snort(); + </custom_php_resync_config_command> + <custom_php_install_command> + sync_package_snort_reinstall(); + </custom_php_install_command> + <custom_php_deinstall_command> + snort_deinstall(); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/snort-dev/snort_advanced.xml b/config/snort-dev/snort_advanced.xml new file mode 100644 index 00000000..c98610a4 --- /dev/null +++ b/config/snort-dev/snort_advanced.xml @@ -0,0 +1,180 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>SnortAdvanced</name> + <version>none</version> + <title>Services: Snort Advanced</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + </tab> + <tab> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> + </tab> + <tab> + <text>Categories</text> + <url>/snort_rulesets.php</url> + </tab> + <tab> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + </tab> + <tab> + <text>Blocked</text> + <url>/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=snort_whitelist.xml</url> + </tab> + <tab> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <fielddescr>BPF Buffer size</fielddescr> + <fieldname>bpfbufsize</fieldname> + <description>Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024.</description> + <type>input</type> + </field> + <field> + <fielddescr>Maximum BPF buffer size</fielddescr> + <fieldname>bpfmaxbufsize</fieldname> + <description>Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The best (optimal size) is 50% - 80% of the hardware cache size.</description> + <type>input</type> + </field> + <field> + <fielddescr>Maximum BPF inserts</fielddescr> + <fieldname>bpfmaxinsns</fieldname> + <description>Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512.</description> + <type>input</type> + </field> + <field> + <fielddescr>Advanced configuration pass through</fielddescr> + <fieldname>configpassthru</fieldname> + <description>Add items to here will be automatically inserted into the running snort configuration</description> + <type>textarea</type> + <cols>40</cols> + <rows>5</rows> + </field> + <field> + <fielddescr>Snort signature info files.</fielddescr> + <fieldname>signatureinfo</fieldname> + <description>Snort signature info files will be installed during updates. At leats 500 mb of memory is needed.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Alerts Tab logging type.</fielddescr> + <fieldname>snortalertlogtype</fieldname> + <description>Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions</description> + <type>select</type> + <options> + <option> + <name>fast</name> + <value>fast</value> + </option> + <option> + <name>full</name> + <value>full</value> + </option> + </options> + </field> + <field> + <fielddescr>Send alerts to main System logs.</fielddescr> + <fieldname>alertsystemlog</fieldname> + <description>Snort will send Alerts to the Pfsense system logs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log to a Tcpdump file.</fielddescr> + <fieldname>tcpdumplog</fieldname> + <description>Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable Barnyard2.</fielddescr> + <fieldname>snortbarnyardlog</fieldname> + <description>This will enable barnyard2 in the snort package. You will also have to set the database credentials.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Barnyard2 Log Mysql Database.</fielddescr> + <fieldname>snortbarnyardlog_database</fieldname> + <description>Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Log Alerts to a snort unified file.</fielddescr> + <fieldname>snortunifiedlog</fieldname> + <description>Snort will log Alerts to a file in the UNIFIED format.</description> + <type>checkbox</type> + </field> + </fields> + <custom_php_deinstall_command> + snort_advanced(); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php new file mode 100644 index 00000000..f463c0b9 --- /dev/null +++ b/config/snort-dev/snort_alerts.php @@ -0,0 +1,122 @@ +<?php +/* $Id$ */ +/* + snort_alerts.php + part of pfSense + + Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("globals.inc"); +require("guiconfig.inc"); +require("/usr/local/pkg/snort.inc"); + +$snort_logfile = "{$g['varlog_path']}/snort/alert"; + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("killall syslogd"); + exec("rm {$snort_logfile}; touch {$snort_logfile}"); + system_syslogd_start(); + exec("/usr/bin/killall -HUP snort"); + exec("/usr/bin/killall snort2c"); + if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') + exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); +} + +$pgtitle = "Services: Snort: Snort Alerts"; +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="2" class="listtopic"> + Last <?=$nentries;?> Snort Alert entries</td> + </tr> + <?php dump_log_file($snort_logfile, $nentries); ?> + <tr><td><br><form action="snort_alerts.php" method="post"> + <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr> + </table> + </div> + </form> + </td> + </tr> +</table> +<?php include("fend.inc"); ?> +<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>"> +</body> +</html> +<!-- <?php echo $snort_logfile; ?> --> + +<?php + +function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") { + global $g, $config; + $logarr = ""; + exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr); + foreach ($logarr as $logent) { + if(!logent) + continue; + $ww_logent = $logent; + $ww_logent = str_replace("[", " [ ", $ww_logent); + $ww_logent = str_replace("]", " ] ", $ww_logent); + echo "<tr valign=\"top\">\n"; + echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . " </td>\n"; + echo "</tr>\n"; + } +} + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php new file mode 100644 index 00000000..42048eff --- /dev/null +++ b/config/snort-dev/snort_blocked.php @@ -0,0 +1,143 @@ +<?php +/* $Id$ */ +/* + snort_blocked.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require("/usr/local/pkg/snort.inc"); + +if($_POST['todelete'] or $_GET['todelete']) { + if($_POST['todelete']) + $ip = $_POST['todelete']; + if($_GET['todelete']) + $ip = $_GET['todelete']; + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); +} + +$pgtitle = "Snort: Snort Blocked"; +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php include("fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_rulesets.php" method="post" name="iform" id="iform"> +<script src="/row_toggle.js" type="text/javascript"></script> +<script src="/javascript/sorttable.js" type="text/javascript"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Remove</td> + <td class="listhdrr">IP</td> + <td class="listhdrr">Alert Description</td> + </tr> +<?php + + $associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip']; + $ips = `/sbin/pfctl -t snort2c -T show`; + $ips_array = split("\n", $ips); + $counter = 0; + foreach($ips_array as $ip) { + if(!$ip) + continue; + $ww_ip = str_replace(" ", "", $ip); + $counter++; + if($associatealertip) + $alert_description = get_snort_alert($ww_ip); + else + $alert_description = ""; + echo "\n<tr>"; + echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>"; + echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>"; + echo "\n<td> {$ww_ip}</td>"; + echo "\n<td> {$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>"; + echo "\n</tr>"; + } + echo "\n<tr><td colspan='3'> </td></tr>"; + if($counter < 1) + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>"; + else + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; + +?> + + </table> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +</form> + +<p> + +This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every 60 minutes. +<?php include("fend.inc"); ?> + +</body> +</html> + +<?php + +/* write out snort cache */ +write_snort_config_cache($snort_config); + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php new file mode 100644 index 00000000..90df3bc7 --- /dev/null +++ b/config/snort-dev/snort_check_for_rule_updates.php @@ -0,0 +1,125 @@ +#!/usr/local/bin/php -f +<?php + +/* $Id$ */ +/* + snort_check_for_rule_updates.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$console_mode = true; + +require_once("config.inc"); +require_once("functions.inc"); +require_once("/usr/local/pkg/snort.inc"); +require_once("service-utils.inc"); + +/* check to see if carp settings exist, and get a handle */ +if($config['installedpackages']['carpsettings']) { + $carp = &$config['installedpackages']['carpsettings']['config'][0]; + $password = $carp['password']; +} + +/* if we are not a CARP cluster master, sleep for a random + * amount of time allowing for other members to download the configuration + */ +if(!$password) { + $sleepietime = rand(5,700); + sleep($sleepietime); +} + +$last_ruleset_download = $config['installedpackages']['snort']['last_ruleset_download']; +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +$text = file_get_contents("http://www.snort.org/pub-bin/downloads.cgi"); +if (preg_match_all("/.*RELEASED\: (.*)\</", $text, $matches)) + $last_update_date = trim($matches[1][0]); +$date1ts = strtotime($last_update_date); +$date2ts = strtotime($last_ruleset_download); +/* is there a newer ruleset available? */ +if($date1ts > $date2ts or !$last_ruleset_download) { + log_error("There is a new set of Snort rules posted. Downloading..."); + if(!$oinkid) { + log_error("Oinkid is not defined. We cannot automatically update the ruleset."); + echo "Oinkid is not defined. We cannot automatically update the ruleset."; + exit; + } + echo "Downloading snort rule updates..."; + /* setup some variables */ + $premium_subscriber = ""; + + /* Snort version */ + $snort_version = "2.8"; + + /* Are we using the premium subscriber subscription? */ + if($config['installedpackages']['snortadvanced']['config'][0]['subscriber']) { + // http://www.snort.org/pub-bin/downloads.cgi/Download/sub_rules/snortrules-snapshot-CURRENT_s.tar.gz.md5 + $premium_subscriber = "_s"; + $snort_download_prefix = "http://www.snort.org/pub-bin/oinkmaster.cgi"; + } else { + // http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/snortrules-snapshot-CURRENT.tar.gz.md5 + $premium_subscriber = ""; + $snort_download_prefix = "http://www.snort.org/pub-bin/oinkmaster.cgi"; + } + + /* Set snort rules download filename */ + $snort_filename = "snortrules-snapshot-{$snort_version}{$premium_subscriber}.tar.gz"; + $snort_filename_md5 = "snortrules-snapshot-{$snort_version}{$premium_subscriber}.tar.gz.md5"; + + /* multi user system, request new filename and create directory */ + $tmpfname = tempnam("/tmp", "snortRules"); + exec("/bin/rm -rf {$tmpfname};/bin/mkdir -p {$tmpfname}"); + + /* download snort rules */ + exec("fetch -q -o {$tmpfname}/{$snort_filename} $dl"); + verify_downloaded_file($tmpfname . "/{$snort_filename}"); + + /* download snort rules md5 file */ + $static_output = gettext("Downloading current snort rules md5... "); + exec("fetch -q -o {$tmpfname}/{$snort_filename_md5} $dl_md5"); + verify_downloaded_file($tmpfname . "/{$snort_filename_md5}"); + + /* verify downloaded rules signature */ + verify_snort_rules_md5($tmpfname); + + /* extract rules */ + extract_snort_rules_md5($tmpfname); + + $config['installedpackages']['snort']['last_ruleset_download'] = date("Y-m-d"); + write_config(); + + stop_service("snort"); + sleep(2); + start_service("snort"); + + /* cleanup temporary directory */ + exec("/bin/rm -rf {$tmpfname};"); + echo "Rules are now up to date.\n"; + log_error("Snort rules updated. New version: {$last_update_date}."); +} else { + echo "Rules are up to date.\n"; + log_error("Snort rules are up to date. Not updating."); +} + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_define_servers.xml b/config/snort-dev/snort_define_servers.xml new file mode 100644 index 00000000..7df880d0 --- /dev/null +++ b/config/snort-dev/snort_define_servers.xml @@ -0,0 +1,364 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>SnortDefServers</name> + <version>none</version> + <title>Services: Snort Define Servers</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + </tab> + <tab> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> + </tab> + <tab> + <text>Categories</text> + <url>/snort_rulesets.php</url> + </tab> + <tab> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Blocked</text> + <url>/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=snort_whitelist.xml</url> + </tab> + <tab> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Define DNS_SERVERS</fielddescr> + <fieldname>def_dns_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define DNS_PORTS</fielddescr> + <fieldname>def_dns_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 53.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define SMTP_SERVERS</fielddescr> + <fieldname>def_smtp_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define SMTP_PORTS</fielddescr> + <fieldname>def_smtp_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define Mail_Ports</fielddescr> + <fieldname>def_mail_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,143,465,691.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define HTTP_SERVERS</fielddescr> + <fieldname>def_http_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define WWW_SERVERS</fielddescr> + <fieldname>def_www_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define HTTP_PORTS</fielddescr> + <fieldname>def_http_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 80.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define SQL_SERVERS</fielddescr> + <fieldname>def_sql_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define ORACLE_PORTS</fielddescr> + <fieldname>def_oracle_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1521.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define MSSQL_PORTS</fielddescr> + <fieldname>def_mssql_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1433.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define TELNET_SERVERS</fielddescr> + <fieldname>def_telnet_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define TELNET_PORTS</fielddescr> + <fieldname>def_telnet_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 23.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define SNMP_SERVERS</fielddescr> + <fieldname>def_snmp_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define SNMP_PORTS</fielddescr> + <fieldname>def_snmp_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 161.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define FTP_SERVERS</fielddescr> + <fieldname>def_ftp_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define FTP_PORTS</fielddescr> + <fieldname>def_ftp_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 21.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define SSH_SERVERS</fielddescr> + <fieldname>def_ssh_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define SSH_PORTS</fielddescr> + <fieldname>def_ssh_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is Pfsense SSH port.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define POP_SERVERS</fielddescr> + <fieldname>def_pop_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define POP2_PORTS</fielddescr> + <fieldname>def_pop2_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 109.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define POP3_PORTS</fielddescr> + <fieldname>def_pop3_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 110.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define IMAP_SERVERS</fielddescr> + <fieldname>def_imap_servers</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define IMAP_PORTS</fielddescr> + <fieldname>def_imap_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 143.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define SIP_PROXY_IP</fielddescr> + <fieldname>def_sip_proxy_ip</fieldname> + <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> + <type>input</type> + <size>101</size> + <value></value> + </field> + <field> + <fielddescr>Define SIP_PROXY_PORTS</fielddescr> + <fieldname>def_sip_proxy_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 5060:5090,16384:32768.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define AUTH_PORTS</fielddescr> + <fieldname>def_auth_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 113.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define FINGER_PORTS</fielddescr> + <fieldname>def_finger_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 79.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define IRC_PORTS</fielddescr> + <fieldname>def_irc_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define NNTP_PORTS</fielddescr> + <fieldname>def_nntp_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 119.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define RLOGIN_PORTS</fielddescr> + <fieldname>def_rlogin_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 513.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define RSH_PORTS</fielddescr> + <fieldname>def_rsh_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 514.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + <field> + <fielddescr>Define SSL_PORTS</fielddescr> + <fieldname>def_ssl_ports</fieldname> + <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,443,465,636,993,995.</description> + <type>input</type> + <size>43</size> + <value></value> + </field> + </fields> + <custom_php_deinstall_command> + snort_define_servers(); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/snort-dev/snort_download_rules.php b/config/snort-dev/snort_download_rules.php new file mode 100644 index 00000000..d653f424 --- /dev/null +++ b/config/snort-dev/snort_download_rules.php @@ -0,0 +1,672 @@ +<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* Setup enviroment */ +$tmpfname = "/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; +$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2.8.tar.gz"; +$emergingthreats_filename_md5 = "version.txt"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; +$pfsense_rules_filename = "pfsense_rules.tar.gz"; + +require_once("guiconfig.inc"); +require_once("functions.inc"); +require_once("service-utils.inc"); +require("/usr/local/pkg/snort.inc"); + +$pgtitle = "Services: Snort: Update Rules"; + +include("/usr/local/www/head.inc"); + +?> + +<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("/usr/local/www/fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_download_rules.php" method="post"> +<div id="inputerrors"></div> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), true, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td align="center" valign="top"> + <!-- progress bar --> + <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> + <tr> + <td> + <img border='0' src='./themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> + </td> + </tr> + </table> + <br /> + <!-- status box --> + <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> + <?=gettext("Initializing...");?> + </textarea> + <!-- command output box --> + <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> + </textarea> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> +</form> + +<?php include("fend.inc");?> + +<?php + + +/* Begin main code */ +/* Set user agent to Mozilla */ +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +ini_set("memory_limit","125M"); + +/* send current buffer */ +ob_flush(); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +/* if missing oinkid exit */ +if(!$oinkid) { + $static_output = gettext("You must obtain an oinkid from snort.org and set its value in the Snort settings tab."); + update_all_status($static_output); + hide_progress_bar_status(); + exit; +} + +/* premium_subscriber check */ +//unset($config['installedpackages']['snort']['config'][0]['subscriber']); +//write_config(); +$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; + +if ($premium_subscriber_chk === on) { + $premium_subscriber = "_s"; +}else{ + $premium_subscriber = ""; +} + +$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +if ($premium_url_chk === on) { + $premium_url = "sub-rules"; +}else{ + $premium_url = "reg-rules"; +} + +/* hide progress bar */ +hide_progress_bar_status(); + +/* send current buffer */ +ob_flush(); + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + update_status(gettext("Removing old tmp files...")); + exec("/bin/rm -r {$tmpfname}"); + apc_clear_cache(); +} + +/* send current buffer */ +ob_flush(); + +/* If tmp dir does not exist create it */ +if (file_exists($tmpfname)) { + update_status(gettext("The directory tmp exists...")); +} else { + mkdir("{$tmpfname}", 700); +} + +/* unhide progress bar and lets end this party */ +unhide_progress_bar_status(); + +/* download md5 sig from snort.org */ +if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + update_status(gettext("md5 temp file exists...")); +} else { + update_status(gettext("Downloading md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* download md5 sig from emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { + update_status(gettext("Downloading md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + update_status(gettext("md5 temp file exists...")); +} else { + update_status(gettext("Downloading pfsense md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; + +/* If md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + echo "\n\n</body>\n</html>\n"; + exit(0); +} + +/* If emergingthreats md5 file is empty wait 15min exit not needed */ + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + echo "\n\n</body>\n</html>\n"; + exit(0); +} + +/* Check if were up to date snort.org */ +if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ +$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); +if ($md5_check_new == $md5_check_old) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + /* Timestamps to html */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; +// echo "P is this code {$premium_subscriber}"; + echo "\n\n</body>\n</html>\n"; + $snort_md5_check_ok = on; + } +} + +/* Check if were up to date emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (file_exists("{$snortdir}/version.txt")){ +$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); +$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); +$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); +if ($emerg_md5_check_new == $emerg_md5_check_old) { + update_status(gettext("Your emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + $emerg_md5_check_chk_ok = on; + /* Timestamps to html */ +// echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; +// echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + } + } +} + +/* Check if were up to date pfsense.org */ +if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ +$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + $pfsense_md5_check_ok = on; + } +} + +/* Make Clean Snort Directory emergingthreats not checked */ +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/rules/emerging*"); + exec("/bin/rm {$snortdir}/version.txt"); + update_status(gettext("Done making cleaning emrg direcory.")); +} + +/* Check if were up to date exits */ +if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +/* "You are Not Up to date */; +update_status(gettext("You are NOT up to date...")); + update_output_window(gettext("Stopping Snort service...")); +stop_service("snort"); +sleep(2); +// start_service("snort"); + +/* download snortrules file */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Emergingthreats tar file exists...")); +} else { + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading Emergingthreats rules file.")); + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/web-misc.rules/"); + update_status(gettext("Done extracting Rules.")); +} else { + update_status(gettext("The Download rules file missing...")); + update_output_window(gettext("Error rules extracting failed...")); + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$tmpfname} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Make Clean Snort Directory */ +if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +if (file_exists("{$snortdir}/rules")) { + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/*"); + exec("/bin/rm {$snortdir}/rules/*"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +} else { + update_status(gettext("Making Snort Directory...")); + update_output_window(gettext("should be fast...")); + exec("/bin/mkdir {$snortdir}"); + exec("/bin/mkdir {$snortdir}/rules"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); + update_status(gettext("Done making snort direcory.")); + } +} + +/* Copy snort rules and emergingthreats and pfsense dir to snort dir */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/rules")) { + update_status(gettext("Copying rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules"); + update_status(gettext("Done copping rules.")); + /* Write out time of last sucsessful rule install catch */ + $config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A"); + write_config(); +} else { + update_status(gettext("Directory rules does not exists...")); + update_output_window(gettext("Error copying rules direcory...")); + exit(0); + } +} + +/* Copy md5 sig to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); +} else { + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copping config...")); + exit(0); + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); +} else { + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copping config...")); + exit(0); + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); +} else { + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copping config...")); + exit(0); + } +} + +/* Copy configs to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/etc/Makefile.am")) { + update_status(gettext("Copying configs to snort directory...")); + exec("/bin/cp {$tmpfname}/etc/* {$snortdir}"); +} else { + update_status(gettext("The snort configs does not exist...")); + update_output_window(gettext("Error copping config...")); + exit(0); + } +} + +/* Copy signatures dir to snort dir */ +if ($snort_md5_check_ok != on) { +$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { +if (file_exists("{$tmpfname}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$tmpfname}/doc/signatures {$snortdir}/signatures"); + update_status(gettext("Done copying signatures.")); +} else { + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copping signature...")); + exit(0); + } + } +} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + update_status(gettext("Copying so_rules...")); + update_output_window(gettext("May take a while...")); + exec("`/bin/cp -f {$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$tmpfname}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$tmpfname}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); + update_status(gettext("Done copying so_rules.")); +} else { + update_status(gettext("Directory so_rules does not exist...")); + update_output_window(gettext("Error copping so_rules...")); + exit(0); + } +} + +/* double make shure clean up emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example*"); +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(5); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + +/* php code finish */ +update_status(gettext("The Rules update finished...")); +update_output_window(gettext("You may start snort now...")); + +/* hide progress bar and lets end this party */ +hide_progress_bar_status(); + +?> + +<?php + +function read_body_firmware($ch, $string) { + global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; + $length = strlen($string); + $downloaded += intval($length); + $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); + $downloadProgress = 100 - $downloadProgress; + $a = $file_size; + $b = $downloaded; + $c = $downloadProgress; + $text = " Snort download in progress\\n"; + $text .= "----------------------------------------------------\\n"; + $text .= " Downloaded : {$b}\\n"; + $text .= "----------------------------------------------------\\n"; + $counter++; + if($counter > 150) { + update_output_window($text); + update_progress_bar($downloadProgress); + flush(); + $counter = 0; + } + fwrite($fout, $string); + return $length; +} + +?> + +</body> +</html> diff --git a/config/snort-dev/snort_dynamic_ip_reload.php b/config/snort-dev/snort_dynamic_ip_reload.php new file mode 100644 index 00000000..dbd6d015 --- /dev/null +++ b/config/snort-dev/snort_dynamic_ip_reload.php @@ -0,0 +1,46 @@ +<?php + +/* $Id$ */ +/* + snort_dynamic_ip_reload.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* NOTE: this file gets included from the pfSense filter.inc plugin process */ + +require_once("/usr/local/pkg/snort.inc"); +require_once("service-utils.inc"); +require_once("config.inc"); + + +if($config['interfaces']['wan']['ipaddr'] == "pppoe" or + $config['interfaces']['wan']['ipaddr'] == "dhcp") { + create_snort_conf(); + mwexec("/sbin/pfctl -t snort2c -T flush"); + exec("killall -HUP snort"); + exec("/usr/bin/killall snort2c; snort2c -w /var/db/whitelist -a /var/log/snort/alert"); +} + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_rules.php b/config/snort-dev/snort_rules.php new file mode 100644 index 00000000..76413727 --- /dev/null +++ b/config/snort-dev/snort_rules.php @@ -0,0 +1,511 @@ +<?php +/* $Id$ */ +/* + edit_snortrule.php + Copyright (C) 2004, 2005 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +require("guiconfig.inc"); + +if(!is_dir("/usr/local/etc/snort/rules")) + Header("Location: snort_download_rules.php"); + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + +function write_rule_file($content_changed, $received_file) +{ + //read snort file with writing enabled + $filehandle = fopen($received_file, "w"); + + //delimiter for each new rule is a new line + $delimiter = "\n"; + + //implode the array back into a string for writing purposes + $fullfile = implode($delimiter, $content_changed); + + //write data to file + fwrite($filehandle, $fullfile); + + //close file handle + fclose($filehandle); + +} + +function load_rule_file($incoming_file) +{ + + //read snort file + $filehandle = fopen($incoming_file, "r"); + + //read file into string, and get filesize + $contents = fread($filehandle, filesize($incoming_file)); + + //close handler + fclose ($filehandle); + + //string for populating category select + $currentruleset = substr($file, 27); + + //delimiter for each new rule is a new line + $delimiter = "\n"; + + //split the contents of the string file into an array using the delimiter + $splitcontents = explode($delimiter, $contents); + + return $splitcontents; + +} + +$ruledir = "/usr/local/etc/snort/rules/"; +$dh = opendir($ruledir); + +$message_reload = "The Snort rule configuration has been changed.<br>You must apply the changes in order for them to take effect."; + +while (false !== ($filename = readdir($dh))) +{ + //only populate this array if its a rule file + $isrulefile = strstr($filename, ".rules"); + if ($isrulefile !== false) + { + $files[] = $filename; + } +} + +sort($files); + +if ($_GET['openruleset']) +{ + $file = $_GET['openruleset']; +} +else +{ + $file = $ruledir.$files[0]; + +} + +//Load the rule file +$splitcontents = load_rule_file($file); + +if ($_POST) +{ + if (!$_POST['apply']) { + //retrieve POST data + $post_lineid = $_POST['lineid']; + $post_enabled = $_POST['enabled']; + $post_src = $_POST['src']; + $post_srcport = $_POST['srcport']; + $post_dest = $_POST['dest']; + $post_destport = $_POST['destport']; + + //clean up any white spaces insert by accident + $post_src = str_replace(" ", "", $post_src); + $post_srcport = str_replace(" ", "", $post_srcport); + $post_dest = str_replace(" ", "", $post_dest); + $post_destport = str_replace(" ", "", $post_destport); + + //copy rule contents from array into string + $tempstring = $splitcontents[$post_lineid]; + + //search string + $findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) + { + //has rule been enabled + if ($post_enabled == "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("# alert", "alert", $tempstring); + $counter2 = 1; + } + else + { + //rule is staying disabled + $counter2 = 2; + } + } + else + { + //has rule been disabled + if ($post_enabled != "yes") + { + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("alert", "# alert", $tempstring); + $counter2 = 2; + } + else + { + //rule is staying enabled + $counter2 = 1; + } + } + + //explode rule contents into an array, (delimiter is space) + $rule_content = explode(' ', $tempstring); + + //insert new values + $counter2++; + $rule_content[$counter2] = $post_src;//source location + $counter2++; + $rule_content[$counter2] = $post_srcport;//source port location + $counter2 = $counter2+2; + $rule_content[$counter2] = $post_dest;//destination location + $counter2++; + $rule_content[$counter2] = $post_destport;//destination port location + + //implode the array back into string + $tempstring = implode(' ', $rule_content); + + //copy string into file array for writing + $splitcontents[$post_lineid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, $file); + + //once file has been written, reload file + $splitcontents = load_rule_file($file); + + $stopMsg = true; + } + + if ($_POST['apply']) { + stop_service("snort"); + sleep(2); + start_service("snort"); + $savemsg = "The snort rules selections have been saved. Restarting Snort."; + $stopMsg = false; + } + +} +else if ($_GET['act'] == "toggle") +{ + $toggleid = $_GET['id']; + + //copy rule contents from array into string + $tempstring = $splitcontents[$toggleid]; + + //explode rule contents into an array, (delimiter is space) + $rule_content = explode(' ', $tempstring); + + //search string + $findme = "# alert"; //find string for disabled alerts + + //find if alert is disabled + $disabled = strstr($tempstring, $findme); + + //if find alert is false, then rule is disabled + if ($disabled !== false) + { + //rule has been enabled + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("# alert", "alert", $tempstring); + + } + else + { + //has rule been disabled + //move counter up 1, so we do not retrieve the # in the rule_content array + $tempstring = str_replace("alert", "# alert", $tempstring); + + } + + //copy string into array for writing + $splitcontents[$toggleid] = $tempstring; + + //write the new .rules file + write_rule_file($splitcontents, $file); + + //once file has been written, reload file + $splitcontents = load_rule_file($file); + + $stopMsg = true; +} + + +$pgtitle = "Snort: Rules"; +require("guiconfig.inc"); +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> +<form action="snort_rules.php" method="post" name="iform" id="iform"> +<?php if ($savemsg){print_info_box($savemsg);} else if ($stopMsg){print_info_box_np($message_reload);}?> +<br> +</form> +<script type="text/javascript" language="javascript" src="row_toggle.js"> + <script src="/javascript/sorttable.js" type="text/javascript"> +</script> + +<script language="javascript" type="text/javascript"> +<!-- +function go() +{ + var agt=navigator.userAgent.toLowerCase(); + if (agt.indexOf("msie") != -1) { + box = document.forms.selectbox; + } else { + box = document.forms[1].selectbox; + } + destination = box.options[box.selectedIndex].value; + if (destination) + location.href = destination; +} +// --> +</script> + +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table id="ruletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="3%" class="list"> </td> + <td width="5%" class="listhdr">SID</td> + <td width="6%" class="listhdrr">Proto</td> + <td width="15%" class="listhdrr">Source</td> + <td width="10%" class="listhdrr">Port</td> + <td width="15%" class="listhdrr">Destination</td> + <td width="10%" class="listhdrr">Port</td> + <td width="32%" class="listhdrr">Message</td> + + </tr> + <tr> + <?php + + echo "<br>Category: "; + + //string for populating category select + $currentruleset = substr($file, 27); + ?> + <form name="forms"> + <select name="selectbox" class="formfld" onChange="go()"> + <?php + $i=0; + foreach ($files as $value) + { + $selectedruleset = ""; + if ($files[$i] === $currentruleset) + $selectedruleset = "selected"; + ?> + <option value="?&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" + <?php + $i++; + + } + ?> + </select> + </form> + </tr> + <?php + + $counter = 0; + $printcounter = 0; + + foreach ( $splitcontents as $value ) + { + + $counter++; + $disabled = "False"; + $comments = "False"; + + $tempstring = $splitcontents[$counter]; + $findme = "# alert"; //find string for disabled alerts + + //find alert + $disabled_pos = strstr($tempstring, $findme); + + + //do soemthing, this rule is enabled + $counter2 = 1; + + //retrieve sid value + $sid = get_middle($tempstring, 'sid:', ';', 0); + + //check to see if the sid is numberical + $is_sid_num = is_numeric($sid); + + //if SID is numerical, proceed + if ($is_sid_num) + { + + //if find alert is false, then rule is disabled + if ($disabled_pos !== false){ + $counter2 = $counter2+1; + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + } + else + { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + } + + $rule_content = explode(' ', $tempstring); + + $protocol = $rule_content[$counter2];//protocol location + $counter2++; + $source = $rule_content[$counter2];//source location + $counter2++; + $source_port = $rule_content[$counter2];//source port location + $counter2 = $counter2+2; + $destination = $rule_content[$counter2];//destination location + $counter2++; + $destination_port = $rule_content[$counter2];//destination port location + + $message = get_middle($tempstring, 'msg:"', '";', 0); + + echo "<tr>"; + echo "<td class=\"listt\">"; + echo $textss; + ?> + <a href="?&openruleset=<?=$file;?>&act=toggle&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a> + <?php + echo $textse; + echo "</td>"; + + + echo "<td class=\"listlr\">"; + echo $textss; + echo $sid; + echo $textse; + echo "</td>"; + + echo "<td class=\"listlr\">"; + echo $textss; + echo $protocol; + $printcounter++; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $source; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $source_port; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $destination; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $destination_port; + echo $textse; + echo "</td>"; + ?> + <td class="listbg"><font color="white"> + <?php + echo $textss; + echo $message; + echo $textse; + echo "</td>"; + ?> + <td valign="middle" nowrap class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td><a href="snort_rules_edit.php?openruleset=<?=$file;?>&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + <?php + } + } + echo " "; + echo "There are "; + echo $printcounter; + echo " rules in this category. <br><br>"; + ?> + </table> + </td> + </tr> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> + <td>Rule Enabled</td> + </tr> + <tr> + <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> + <td nowrap>Rule Disabled</td> + + + </tr> + <tr> + <td colspan="10"> + <p> + <!--<strong><span class="red">Warning:<br> + </span></strong>Editing these r</p>--> + </td> + </tr> + </table> + </table> + + </td> + </tr> +</table> + + +<?php include("fend.inc"); ?> +</div></body> +</html>
\ No newline at end of file diff --git a/config/snort-dev/snort_rules_edit.php b/config/snort-dev/snort_rules_edit.php new file mode 100644 index 00000000..cbabce73 --- /dev/null +++ b/config/snort-dev/snort_rules_edit.php @@ -0,0 +1,207 @@ +<?php +/* $Id$ */ +/* + snort_rules_edit.php + Copyright (C) 2004, 2005 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + + +$file = $_GET['openruleset']; + +//read snort file +$filehandle = fopen($file, "r"); + +//get rule id +$lineid = $_GET['id']; + +//read file into string, and get filesize +$contents = fread($filehandle, filesize($file)); + +//close handler +fclose ($filehandle); + +//delimiter for each new rule is a new line +$delimiter = "\n"; + +//split the contents of the string file into an array using the delimiter +$splitcontents = explode($delimiter, $contents); + +//copy rule contents from array into string +$tempstring = $splitcontents[$lineid]; + +//explode rule contents into an array, (delimiter is space) +$rule_content = explode(' ', $tempstring); + +//search string +$findme = "# alert"; //find string for disabled alerts + +//find if alert is disabled +$disabled = strstr($tempstring, $findme); + +//get sid +$sid = get_middle($tempstring, 'sid:', ';', 0); + + +//if find alert is false, then rule is disabled +if ($disabled !== false) +{ + //move counter up 1, so we do not retrieve the # in the rule_content array + $counter2 = 2; +} +else +{ + $counter2 = 1; +} + + +$protocol = $rule_content[$counter2];//protocol location +$counter2++; +$source = $rule_content[$counter2];//source location +$counter2++; +$source_port = $rule_content[$counter2];//source port location +$counter2++; +$direction = $rule_content[$counter2]; +$counter2++; +$destination = $rule_content[$counter2];//destination location +$counter2++; +$destination_port = $rule_content[$counter2];//destination port location +$message = get_middle($tempstring, 'msg:"', '";', 0); + +$content = get_middle($tempstring, 'content:"', '";', 0); +$classtype = get_middle($tempstring, 'classtype:', ';', 0); +$revision = get_middle($tempstring, 'rev:', ';',0); + +$pgtitle = "Snort: Edit Rule"; +require("guiconfig.inc"); +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php?openruleset=/usr/local/etc/snort/rules/attack-responses.rules"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <form action="snort_rules.php?openruleset=<?=$file;?>&id=<?=$lineid;?>" target="" method="post" name="editform" id="editform"> + <table id="edittable" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdr" width="10%">Enabled: </td> + <td class="listlr" width="30%"><input name="enabled" type="checkbox" id="enabled" value="yes" <?php if ($disabled === false) echo "checked";?>></td> + </tr> + <tr> + <td class="listhdr" width="10%">SID: </td> + <td class="listlr" width="30%"><?php echo $sid; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Protocol: </td> + <td class="listlr" width="30%"><?php echo $protocol; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Source: </td> + <td class="listlr" width="30%"><input name="src" type="text" id="src" size="20" value="<?php echo $source;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Source Port: </td> + <td class="listlr" width="30%"><input name="srcport" type="text" id="srcport" size="20" value="<?php echo $source_port;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Direction:</td> + <td class="listlr" width="30%"><?php echo $direction;?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Destination:</td> + <td class="listlr" width="30%"><input name="dest" type="text" id="dest" size="20" value="<?php echo $destination;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Destination Port: </td> + <td class="listlr" width="30%"><input name="destport" type="text" id="destport" size="20" value="<?php echo $destination_port;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Message: </td> + <td class="listlr" width="30%"><?php echo $message; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Content: </td> + <td class="listlr" width="30%"><?php echo $content; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Classtype: </td> + <td class="listlr" width="30%"><?php echo $classtype; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Revision: </td> + <td class="listlr" width="30%"><?php echo $revision; ?></td> + </tr> + <tr><td> </td></tr> + <tr> + <td><input name="lineid" type="hidden" value="<?=$lineid;?>"></td> + <td><input class="formbtn" value="Save" type="submit" name="editsave" id="editsave">   <input type="button" class="formbtn" value="Cancel" onclick="history.back()"></td> + </tr> + </table> + </form> + </td> + </tr> + </table> + </td> +</tr> +</table> + +<?php include("fend.inc"); ?> +</div></body> +</html>
\ No newline at end of file diff --git a/config/snort-dev/snort_rulesets.php b/config/snort-dev/snort_rulesets.php new file mode 100644 index 00000000..4f16eadd --- /dev/null +++ b/config/snort-dev/snort_rulesets.php @@ -0,0 +1,167 @@ +<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +if(!is_dir("/usr/local/etc/snort/rules")) + Header("Location: snort_download_rules.php"); + +require("guiconfig.inc"); +require_once("service-utils.inc"); +require("/usr/local/pkg/snort.inc"); + +if($_POST) { + $enabled_items = ""; + $isfirst = true; + foreach($_POST['toenable'] as $toenable) { + if(!$isfirst) + $enabled_items .= "||"; + $enabled_items .= "{$toenable}"; + $isfirst = false; + } + $config['installedpackages']['snort']['rulesets'] = $enabled_items; + write_config(); + stop_service("snort"); + create_snort_conf(); + sleep(2); + start_service("snort"); + $savemsg = "The snort ruleset selections have been saved."; +} + +$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; +if($enabled_rulesets) + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + +$pgtitle = "Snort: Categories"; +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php include("fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_rulesets.php" method="post" name="iform" id="iform"> +<script src="/row_toggle.js" type="text/javascript"></script> +<script src="/javascript/sorttable.js" type="text/javascript"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Enabled</td> + <td class="listhdrr">Ruleset: Rules that end with "so.rules" are shared object rules.</td> + <!-- <td class="listhdrr">Description</td> --> + </tr> +<?php + $dir = "/usr/local/etc/snort/rules/"; + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) { + $files[] = $filename; + } + sort($files); + foreach($files as $file) { + if(!stristr($file, ".rules")) + continue; + echo "<tr>"; + echo "<td align=\"center\" valign=\"top\">"; + if(is_array($enabled_rulesets_array)) + if(in_array($file, $enabled_rulesets_array)) { + $CHECKED = " checked=\"checked\""; + } else { + $CHECKED = ""; + } + else + $CHECKED = ""; + echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />"; + echo "</td>"; + echo "<td>"; + echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/rules/" . urlencode($file) . "'>{$file}</a>"; + echo "</td>"; + //echo "<td>"; + //echo "description"; + //echo "</td>"; + } + +?> + </table> + </td> + </tr> + <tr><td> </td></tr> + <tr><td>Check the rulesets that you would like Snort to load at startup.</td></tr> + <tr><td> </td></tr> + <tr><td><input value="Save" type="submit" name="save" id="save" /></td></tr> + </table> + </div> + </td> + </tr> +</table> + +</form> + +<p><b>NOTE:</b> You can click on a ruleset name to edit the ruleset. + +<?php include("fend.inc"); ?> + +</body> +</html> + +<?php + + function get_snort_rule_file_description($filename) { + $filetext = file_get_contents($filename); + + } + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_threshold.xml b/config/snort-dev/snort_threshold.xml new file mode 100644 index 00000000..f9075d3d --- /dev/null +++ b/config/snort-dev/snort_threshold.xml @@ -0,0 +1,129 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>snort-threshold</name> + <version>0.1.0</version> + <title>Snort: Alert Thresholding and Suppression</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <!-- Menu is where this packages menu will appear --> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + </tab> + <tab> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> + </tab> + <tab> + <text>Categories</text> + <url>/snort_rulesets.php</url> + </tab> + <tab> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + </tab> + <tab> + <text>Blocked</text> + <url>/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=snort_whitelist.xml</url> + </tab> + <tab> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + <active/> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Thresholding or Suppression Rule</fielddescr> + <fieldname>threshrule</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Thresholding or Suppression Rule</fielddescr> + <fieldname>threshrule</fieldname> + <description>Enter the Rule. Example; "suppress gen_id 125, sig_id 4" or "threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60"</description> + <type>input</type> + <size>40</size> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this item</description> + <type>input</type> + <size>60</size> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + create_snort_conf(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/snort-dev/snort_whitelist.xml b/config/snort-dev/snort_whitelist.xml new file mode 100644 index 00000000..42769e4e --- /dev/null +++ b/config/snort-dev/snort_whitelist.xml @@ -0,0 +1,129 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>snort-whitelist</name> + <version>0.1.0</version> + <title>Snort: Whitelist</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <!-- Menu is where this packages menu will appear --> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + </tab> + <tab> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> + </tab> + <tab> + <text>Categories</text> + <url>/snort_rulesets.php</url> + </tab> + <tab> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + </tab> + <tab> + <text>Blocked</text> + <url>/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=snort_whitelist.xml</url> + <active/> + </tab> + <tab> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Whitelisted IP</fielddescr> + <fieldname>ip</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Whitelisted IP</fielddescr> + <fieldname>ip</fieldname> + <description>Enter the IP or network to whitelist from snort blocking. Network items should be expressed in CIDR notation. Example: 0.0.0.0/24 or 0.0.0.0/32</description> + <type>input</type> + <size>40</size> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this item</description> + <type>input</type> + <size>60</size> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + create_snort_conf(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/snort-dev/snort_xmlrpc_sync.php b/config/snort-dev/snort_xmlrpc_sync.php new file mode 100644 index 00000000..db8b3f3e --- /dev/null +++ b/config/snort-dev/snort_xmlrpc_sync.php @@ -0,0 +1,114 @@ +<?php + +/* $Id$ */ +/* + snort_xmlrpc_sync.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* NOTE: this file gets included from the pfSense filter.inc plugin process */ + +require_once("/usr/local/pkg/snort.inc"); +require_once("service-utils.inc"); + +if(!$config) { + log_error("\$config is not enabled!!"); +} else { + if(!$g['booting']) + snort_do_xmlrpc_sync(); +} + +function snort_do_xmlrpc_sync() { + + return; /* need to fix the bug which whipes out carp sync settings, etc */ + + global $config, $g; + $syncxmlrpc = $config['installedpackages']['snort']['config'][0]['syncxmlrpc']; + /* option enabled? */ + if(!$syncxmlrpc) + return; + + $carp = &$config['installedpackages']['carpsettings']['config'][0]; + $password = $carp['password']; + + if(!$carp['synchronizetoip']) + return; + + log_error("[SNORT] snort_xmlrpc_sync.php is starting."); + $xmlrpc_sync_neighbor = $carp['synchronizetoip']; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") { + $port = "80"; + } else { + $port = "443"; + } + } + $synchronizetoip .= $carp['synchronizetoip']; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['installedpackages']['snort'] = &$config['installedpackages']['snort']; + $xml['installedpackages']['snortwhitelist'] = &$config['installedpackages']['snortwhitelist']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + $method = 'pfsense.restore_config_section'; + + /* Sync! */ + log_error("Beginning Snort XMLRPC sync to {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 240 seconds */ + $resp = $cli->send($msg, "999"); + if(!$resp) { + $error = "A communications error occured while attempting Snort XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "Snort Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting Snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Snort Settings Sync", ""); + } else { + log_error("Snort XMLRPC sync successfully completed with {$url}:{$port}."); + } + log_error("[SNORT] snort_xmlrpc_sync.php is ending."); +} + +?>
\ No newline at end of file |