diff options
| author | robiscool <robrob2626@yahoo.com> | 2009-12-06 23:30:12 -0800 |
|---|---|---|
| committer | robiscool <robrob2626@yahoo.com> | 2009-12-06 23:30:59 -0800 |
| commit | 7438d8fead4428b25ac26d9d62214cc27d3ddf62 (patch) | |
| tree | db235834bf6ace7722d930a43ee9df4eb1e6bfc0 /config/snort-dev | |
| parent | 2394394f99e792ca165d3aae1c54228b5c9edd02 (diff) | |
| download | pfsense-packages-7438d8fead4428b25ac26d9d62214cc27d3ddf62.tar.gz pfsense-packages-7438d8fead4428b25ac26d9d62214cc27d3ddf62.tar.bz2 pfsense-packages-7438d8fead4428b25ac26d9d62214cc27d3ddf62.zip | |
snort-dev, update startup code, removal code, add auto upade file, fix logsys flooding after stops
Diffstat (limited to 'config/snort-dev')
| -rw-r--r-- | config/snort-dev/snort.inc | 82 | ||||
| -rw-r--r-- | config/snort-dev/snort.xml | 19 | ||||
| -rw-r--r-- | config/snort-dev/snort_check_for_rule_updates.php | 745 | ||||
| -rw-r--r-- | config/snort-dev/snort_interfaces.php | 189 |
4 files changed, 983 insertions, 52 deletions
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index 65487703..a514937d 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -160,6 +160,53 @@ function sync_package_snort_reinstall() conf_mount_ro(); } +/* stop snort interface */ +function stop_snort() +{ + global $config, $g, $id, $if_real, $interface_fake; + + $a_nat = &$config['installedpackages']['snortglobal']['rule']; + $if_real2 = convert_friendly_interface_to_real_interface_name($a_nat[$id]['interface']); + + + $start_up_pre = exec("/bin/cat /var/run/snort_{$if_real2}{$id}{$if_real2}.pid"); + $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + + $start2_upb_pre = exec("/bin/cat /var/run/barnyard2_{$id}{$if_real2}.pid"); + $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + + if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") + { + if ($start_up_s != "") + { + exec("/bin/kill {$start_up_s}"); + exec("/bin/rm /var/run/snort_$if_real2$id$if_real2*"); + } + + if ($start2_upb_s != "") + { + exec("/bin/kill {$start2_upb_s}"); + exec("/bin/rm /var/run/barnyard2_$id$if_real2*"); + } + + if ($start_up_r != "") + { + exec("/bin/kill {$start_up_r}"); + exec("/bin/rm /var/run/snort_$if_real2$id$if_real2*"); + } + + if ($start2_upb_r != "") + { + exec("/bin/kill {$start2_upb_r}"); + exec("/bin/rm /var/run/barnyard2_$id$if_real2*"); + } + } + +} + + /* make sure this func on writes to files and does not start snort */ function sync_package_snort() { @@ -226,11 +273,12 @@ exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); /* create snort.sh file */ create_snort_sh(); - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); - + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == on) + { + create_barnyard2_conf(); + } } } @@ -337,7 +385,7 @@ rc_start() { sleep 3 AFTER_MEM=`/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{print $2}'` /bin/cp /var/log/system.log /var/log/snort/snort_sys_$if_real.log - /bin/killall syslogd + /usr/bin/killall syslogd /usr/sbin/clog -i -s 262144 /var/log/system.log /bin/cp /var/log/system.log.bk /var/log/system.log /usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf @@ -396,7 +444,7 @@ rc_start_real() { sleep 3 /bin/cp /var/log/system.log /var/log/snort/snort_sys_$id$if_real.log - /bin/killall syslogd + /usr/bin/killall syslogd /usr/sbin/clog -i -s 262144 /var/log/system.log /bin/cp /var/log/system.log.bk /var/log/system.log /usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf @@ -411,19 +459,21 @@ rc_start_real() { rc_stop() { pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "$id$if_real -c" | /usr/bin/awk '{print \$2;}'` + sleep 3 pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort.u2_$id$if_real" | /usr/bin/awk '{print \$2;}'` if [ \${pid_s} ] ; then /bin/cp /var/log/system.log /var/log/system.log.bk /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort IS running, hard STOP" - /bin/kill \${pid_s}; /bin/kill \${pid_b}; + /bin/kill \${pid_s} + sleep 3 + /bin/kill \${pid_b} /sbin/ifconfig $if_real_wan -promisc /bin/rm /var/run/snort_$if_real$id$if_real.pid /bin/rm /var/run/snort_$if_real$id$if_real.pid.lck - sleep 3 AFTER_MEM=`/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{print $2}'` /bin/cp /var/log/system.log /var/log/snort/snort_sys_$id$if_real.log - /bin/killall syslogd + /usr/bin/killall syslogd /usr/sbin/clog -i -s 262144 /var/log/system.log /bin/cp /var/log/system.log.bk /var/log/system.log /usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf @@ -571,13 +621,13 @@ function snort_deinstall() { remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ exec("/sbin/sysctl net.bpf.bufsize=4096"); - exec("/usr/bin/killall snort"); + exec("/usr/usr/bin/killall snort"); sleep(2); - exec("/usr/bin/killall -9 snort"); + exec("/usr/usr/bin/killall -9 snort"); sleep(2); - exec("/usr/bin/killall barnyard2"); + exec("/usr/usr/bin/killall barnyard2"); sleep(2); - exec("/usr/bin/killall -9 barnyard2"); + exec("/usr/usr/bin/killall -9 barnyard2"); sleep(2); exec("/usr/sbin/pw userdel snort"); exec("/usr/sbin/pw groupdel snort"); @@ -586,8 +636,8 @@ function snort_deinstall() { exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); - exec("/usr/bin/killall -9 snort"); - exec("/usr/bin/killall snort"); + exec("/usr/usr/bin/killall -9 snort"); + exec("/usr/usr/bin/killall snort"); /* Remove snort cron entries Ugly code needs smoothness*/ diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml index cf72a7ca..8d7bee4f 100644 --- a/config/snort-dev/snort.xml +++ b/config/snort-dev/snort.xml @@ -46,8 +46,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.8.4.1_5</version> - <title>Services: Snort 2.8.4.1_5 pkg v. 1.8 alpha</title> + <version>2.8.4.1_6</version> + <title>Services: Snort 2.8.4.1_6 pkg v. 1.8 RC1</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -74,6 +74,16 @@ <item>http://www.pfsense.com/packages/config/snort/bin/barnyard2</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/create-sidmap.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/oinkmaster.pl</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort-dev/snort_gui.inc</item> @@ -119,6 +129,11 @@ <item>http://www.pfsense.com/packages/config/snort-dev/snort_download_rules.php</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-dev/snort_check_for_rule_updates.php</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort-dev/snort_help_info.php</item> diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-dev/snort_check_for_rule_updates.php new file mode 100644 index 00000000..48a2ee73 --- /dev/null +++ b/config/snort-dev/snort_check_for_rule_updates.php @@ -0,0 +1,745 @@ +<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* Setup enviroment */ +$tmpfname = "/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; +$snortdir_wan = "/usr/local/etc/snort"; +$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2.8.tar.gz"; +$emergingthreats_filename_md5 = "version.txt"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; +$pfsense_rules_filename = "pfsense_rules.tar.gz"; + +require_once("config.inc"); +require("/usr/local/pkg/snort/snort.inc"); + +conf_mount_rw(); + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; + +$up_date_time = date('l jS \of F Y h:i:s A'); +echo "\n"; +echo "#########################\n"; +echo "$up_date_time\n"; +echo "#########################\n"; +echo "\n\n"; + +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Checking for needed updates...'"); + +/* Begin main code */ +/* Set user agent to Mozilla */ +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +ini_set("memory_limit","125M"); + +/* mark the time update started */ +$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); + +/* send current buffer */ +ob_flush(); + +/* define oinkid */ +if($config['installedpackages']['snortglobal']) + $config['installedpackages']['snortglobal']['oinkmastercode']; + +/* if missing oinkid exit */ +if($oinkid == "") { + echo "You must obtain an oinkid from snort.org and set its value in the Snort settings tab.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'You must obtain an oinkid from snort.org and set its value in the Snort settings tab.'"); + exit; +} + +/* premium_subscriber check */ +//unset($config['installedpackages']['snort']['config'][0]['subscriber']); +//write_config(); // Will cause switch back to read-only on nanobsd +//conf_mount_rw(); // Uncomment this if the previous line is uncommented + +$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; + +if ($premium_subscriber_chk == "premium") { + $premium_subscriber = "_s"; +}else{ + $premium_subscriber = ""; +} + +$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; +if ($premium_url_chk == "premium") { + $premium_url = "sub-rules"; +}else{ + $premium_url = "reg-rules"; +} + +/* send current buffer */ +ob_flush(); + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + echo "Removing old tmp files...\n"; + exec("/bin/rm -r {$tmpfname}"); + apc_clear_cache(); +} + +/* Make shure snortdir exits */ +exec("/bin/mkdir -p {$snortdir}"); +exec("/bin/mkdir -p {$snortdir}/rules"); +exec("/bin/mkdir -p {$snortdir}/signatures"); + +/* send current buffer */ +ob_flush(); + +/* If tmp dir does not exist create it */ +if (file_exists($tmpfname)) { + echo "The directory tmp exists...\n"; +} else { + mkdir("{$tmpfname}", 700); +} + +/* download md5 sig from snort.org */ +if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + echo "md5 temp file exists...\n"; +} else { + echo "Downloading md5 file...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done. downloading md5\n"; +} + +/* download md5 sig from emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; +if ($emergingthreats_url_chk == on) { + echo "Downloading md5 file...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done. downloading md5\n"; +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + echo "md5 temp file exists...\n"; +} else { + echo "Downloading pfsense md5 file...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done. downloading md5\n"; +} + +/* If md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ + echo "Please wait... You may only check for New Rules every 15 minutes...\n"; + echo "Rules are released every month from snort.org. You may download the Rules at any time.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Rules every 15 minutes...'"); + exit(0); +} + +/* If emergingthreats md5 file is empty wait 15min exit not needed */ + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n"; + echo "Rules are released to support Pfsense packages.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Pfsense Rules every 15 minutes...'"); + exit(0); +} + +/* Check if were up to date snort.org */ +if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ +$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +write_config(); // Will cause switch back to read-only on nanobsd +conf_mount_rw(); +if ($md5_check_new == $md5_check_old) { + echo "Your rules are up to date...\n"; + echo "You may start Snort now, check update.\n"; + $snort_md5_check_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your snort rules are up to date...'"); + } +} + +/* Check if were up to date emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (file_exists("{$snortdir}/version.txt")){ +$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); +$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); +$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +write_config(); // Will cause switch back to read-only on nanobsd +conf_mount_rw(); +if ($emerg_md5_check_new == $emerg_md5_check_old) { + echo "Your emergingthreats rules are up to date...\n"; + echo "You may start Snort now, check update.\n"; + $emerg_md5_check_chk_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); + } + } +} + +/* Check if were up to date pfsense.org */ +if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ +$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + $pfsense_md5_check_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); + } +} + +/* Make Clean Snort Directory emergingthreats not checked */ +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/rules/emerging*"); + exec("/bin/rm {$snortdir}/version.txt"); + exec("/bin/rm {$snortdir_wan}/rules/emerging*"); + exec("/bin/rm {$snortdir_wan}/version.txt"); + echo "Done making cleaning emrg direcory.\n"; +} + +/* Check if were up to date exits */ +if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { + echo "Your emergingthreats rules are up to date...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); + exit(0); +} + +if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { + echo "Your pfsense rules are up to date...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); + exit(0); +} + +/* You are Not Up to date, always stop snort when updating rules for low end machines */; +echo "You are NOT up to date...\n"; +echo "Stopping All Snort Package services...\n"; +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULES ARE OUT OF DATE, UPDATING...'"); +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Stopping All Snort Package Services...'"); +$chk_if_snort_up = exec("pgrep -x snort"); +if ($chk_if_snort_up != "") { + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + + /* dont flood the syslog code */ + exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); + sleep(3); + + exec("/usr/bin/killall snort"); + sleep(2); + exec("/usr/bin/killall barnyard2"); + + /* stop syslog flood code */ + exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_rules_update.log"); + exec("/usr/bin/killall syslogd"); + exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); + exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); + sleep(2); + exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); + $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after snort STOP {$after_mem}'"); + +} + +/* download snortrules file */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + echo "Snortrule tar file exists...\n"; +} else { + echo "There is a new set of Snort rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz"); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading rules file.\n"; + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + echo "Error with the snort rules download...\n"; + echo "Snort rules file downloaded failed...\n"; + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Emergingthreats tar file exists...\n"; +} else { + echo "There is a new set of Emergingthreats rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); +// $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); + $f = fopen("{$tmpfname}/emerging.rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading Emergingthreats rules file.\n"; + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Snortrule tar file exists...\n"; +} else { + + echo "There is a new set of Pfsense rules posted. Downloading...\n"; + echo "May take 4 to 10 min...\n"; + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz", 'w'); + fwrite($f, $image); + fclose($f); + echo "Done downloading rules file.\n"; + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); + echo "Done extracting Rules.\n"; +} else { + echo "The Download rules file missing...\n"; + echo "Error rules extracting failed...\n"; + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + echo "Extracting rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + echo "Extracting Pfsense rules...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; +if ($premium_url_chk == on) { + echo "Extracting Signatures...\n"; + echo "May take a while...\n"; + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + echo "Done extracting Signatures.\n"; + } + } +} + +/* Make Clean Snort Directory */ +//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +//if (file_exists("{$snortdir}/rules")) { +// update_status(gettext("Cleaning the snort Directory...")); +// update_output_window(gettext("removing...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/mkdir -p {$snortdir}/signatures"); +// exec("/bin/rm {$snortdir}/*"); +// exec("/bin/rm {$snortdir}/rules/*"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); + +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +//} else { +// update_status(gettext("Making Snort Directory...")); +// update_output_window(gettext("should be fast...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); +// update_status(gettext("Done making snort direcory.")); +// } +//} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + echo "Copying so_rules...\n"; + echo "May take a while...\n"; + exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + echo "Done copying so_rules.\n"; +} else { + echo "Directory so_rules does not exist...\n"; + echo "Error copying so_rules...\n"; + exit(0); + } +} + +/* Copy configs to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/etc/Makefile.am")) { + echo "Copying configs to snort directory...\n"; + exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + +} else { + echo "The snort config does not exist...\n"; + echo "Error copying config...\n"; + exit(0); + } +} + +/* Copy md5 sig to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$snort_filename_md5")) { + echo "Copying md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); +} else { + echo "The md5 file does not exist...\n"; + echo "Error copying config...\n"; + exit(0); + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + echo "Copying md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); +} else { + echo "The emergingthreats md5 file does not exist...\n"; + echo "Error copying config...\n"; + exit(0); + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + echo "Copying Pfsense md5 sig to snort directory...\n"; + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); +} else { + echo "The Pfsense md5 file does not exist...\n"; + echo "Error copying config...\n"; + exit(0); + } +} + +/* Copy signatures dir to snort dir */ +if ($snort_md5_check_ok != on) { +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; +if ($premium_url_chk == on) { +if (file_exists("{$snortdir}/doc/signatures")) { + echo "Copying signatures...\n"; + echo "May take a while...\n"; + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + echo "Done copying signatures.\n"; +} else { + echo "Directory signatures exist...\n"; + echo "Error copying signature...\n"; + exit(0); + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + +/* create a msg-map for snort */ +echo "Updating Alert Messages...\n"; +echo "Please Wait...\n"; +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// + +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ + +if (!empty($config['installedpackages']['snortglobal']['rule'])) { + +$rule_array = $config['installedpackages']['snortglobal']['rule']; +$id = -1; +foreach ($rule_array as $value) { + +$id += 1; + +$result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; +$if_real = convert_friendly_interface_to_real_interface_name($result_lan); + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf(); + + /* run oinkmaster for each interface rule */ + oinkmaster_run(); + + } +} + +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf() { + + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's oinkmaster.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort/oinkmaster_$if_real.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's oinkmaster.conf file */ + fclose($oinkmasterlist); + + } +} + +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +function oinkmaster_run() { + + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; + +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + + if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) || empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + echo "Your first set of rules are being copied...\n"; + echo "May take a while...\n"; + exec("/bin/echo \"test {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/\* {$snortdir_wan}/snort_$id$if_real/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); + +} else { + echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; + echo "May take a while...\n"; + exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/\* {$snortdir_wan}/snort_$id$if_real/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); + + /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster_$id$if_real.conf -o /usr/local/etc/snort/snort_$id$if_real/rules > /usr/local/etc/snort/oinkmaster_$id$if_real.log"); + + } + } +} + +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + echo "Cleaning up...\n"; + exec("/bin/rm -r /tmp/snort_rules_up"); +// apc_clear_cache(); +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(2); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + +/* if snort is running hardrestart, if snort is not running do nothing */ +if (file_exists("/tmp/snort_download_halt.pid")) { + exec("/bin/sh /usr/local/etc/rc.d/snort* start"); + start_service("snort"); + echo "The Rules update finished...\n"; + echo "Snort has restarted with your new set of rules...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} else { + echo "The Rules update finished...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); +} + +conf_mount_ro(); + +?> diff --git a/config/snort-dev/snort_interfaces.php b/config/snort-dev/snort_interfaces.php index 1c97f944..f358e6c6 100644 --- a/config/snort-dev/snort_interfaces.php +++ b/config/snort-dev/snort_interfaces.php @@ -84,26 +84,84 @@ if (isset($_POST['del_x'])) { $snort_pid = exec("/bin/ps -auwx | grep -v grep | grep \"$if_real -c\" | awk '{print $2;}'"); - if ($snort_pid != "") { - exec("/bin/sh /usr/local/etc/rc.d/snort_{$rulei}{$if_real}.sh stop"); - } + if ($snort_pid != "") + { + + $start_up_pre = exec("/bin/cat /var/run/snort_{$if_real}{$rulei}{$if_real}.pid"); + $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + + $start2_upb_pre = exec("/bin/cat /var/run/barnyard2_{$rulei}{$if_real}.pid"); + $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + + + if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") + { + + /* dont flood the syslog code */ + exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); + sleep(3); + + + /* remove only running instances */ + if ($start_up_s != "") + { + exec("/bin/kill {$start_up_s}"); + exec("/bin/rm /var/run/snort_$if_real$rulei$if_real*"); + } + + if ($start2_upb_s != "") + { + exec("/bin/kill {$start2_upb_s}"); + exec("/bin/rm /var/run/barnyard2_$rulei$if_real*"); + } + + if ($start_up_r != "") + { + exec("/bin/kill {$start_up_r}"); + exec("/bin/rm /var/run/snort_$if_real$rulei$if_real*"); + } + + if ($start2_upb_r != "") + { + exec("/bin/kill {$start2_upb_r}"); + exec("/bin/rm /var/run/barnyard2_$rulei$if_real*"); + } + + /* stop syslog flood code */ + $if_real_wan_rulei = $a_nat[$rulei]['interface']; + $if_real_wan_rulei2 = convert_friendly_interface_to_real_interface_name2($if_real_wan_rulei); + exec("/sbin/ifconfig $if_real_wan_rulei2 -promisc"); + exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_$rulei$if_real.log"); + exec("/usr/bin/killall syslogd"); + exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); + exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); + sleep(2); + exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); + $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after {$rulei}{$if_real} STOP {$after_mem}'"); + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule removed for {$rulei}{$if_real}...'"); + + } - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup \"Interface Rule remove for {$rulei}{$if_real}...\""); + } + exec("/bin/rm -r /usr/local/etc/snort/snort_$rulei$if_real"); exec("/bin/rm /usr/local/etc/rc.d/snort_$rulei$if_real.sh"); - exec("/bin/rm /var/log/snort/snort.u2_$rulei$if_real\*"); - exec("/bin/echo \"$snort_pid\" >> /usr/local/etc/rc.d/debug"); + exec("/bin/rm /var/log/snort/snort.u2_$rulei$if_real*"); unset($a_nat[$rulei]); } write_config(); - touch($d_natconfdirty_path); + // touch($d_natconfdirty_path); header("Location: /snort/snort_interfaces.php"); exit; } } else { + /* yuck - IE won't send value attributes for image buttons, while Mozilla does - so we use .x/.y to find move button clicks instead... */ unset($movebtn); foreach ($_POST as $pn => $pd) { @@ -143,26 +201,81 @@ if (isset($_POST['del_x'])) { write_config(); touch($d_natconfdirty_path); header("Location: snort_interfaces.php"); + exit; } } /* start/stop snort */ -if ($_GET['act'] == "toggle" && $_GET['id'] != "") { +if ($_GET['act'] == "toggle" && $_GET['id'] != "") +{ + $if_real2 = convert_friendly_interface_to_real_interface_name($a_nat[$id]['interface']); - $snort_pid2 = exec("/bin/ps -auwx | grep -v grep | grep \"$if_real2 -c\" | awk '{print $2;}'"); - if ($snort_pid2 != "") { - exec("/bin/sh /usr/local/etc/rc.d/snort_{$id}{$if_real2}.sh stop"); - header("Location: snort_interfaces.php"); + + $start_up_pre = exec("/bin/cat /var/run/snort_{$if_real2}{$id}{$if_real2}.pid"); + $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + + $start2_upb_pre = exec("/bin/cat /var/run/barnyard2_{$id}{$if_real2}.pid"); + $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + + if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") + { + + /* stop syslog flood code */ + exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); + sleep(3); + + if ($start_up_s != "") + { + exec("/bin/kill {$start_up_s}"); + exec("/bin/rm /var/run/snort_$if_real2$id$if_real2*"); + } + + if ($start2_upb_s != "") + { + exec("/bin/kill {$start2_upb_s}"); + exec("/bin/rm /var/run/barnyard2_$id$if_real2*"); + } + + if ($start_up_r != "") + { + exec("/bin/kill {$start_up_r}"); + exec("/bin/rm /var/run/snort_$if_real2$id$if_real2*"); + } + + if ($start2_upb_r != "") + { + exec("/bin/kill {$start2_upb_r}"); + exec("/bin/rm /var/run/barnyard2_$id$if_real2*"); + } + + /* stop syslog flood code */ + $if_real_wan_id = $a_nat[$id]['interface']; + $if_real_wan_id2 = convert_friendly_interface_to_real_interface_name2($if_real_wan_id); + exec("/sbin/ifconfig $if_real_wan_id2 -promisc"); + exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_$id$if_real2.log"); + exec("/usr/bin/killall syslogd"); + exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); + exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); + sleep(2); + exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); + $after_mem2 = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after {$id}{$if_real2} STOP {$after_mem2}'"); + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$id}{$if_real2}...'"); + + header("Location: snort_interfaces.php"); }else{ sync_package_snort(); exec("/bin/sh /usr/local/etc/rc.d/snort_{$id}{$if_real2}.sh start"); header("Location: snort_interfaces.php"); } + } -$pgtitle = "Services: Snort 2.8.4.1_6 pkg v. 1.8 RC1"; +$pgtitle = "Services: Snort 2.8.4.1_6 pkg v. 1.8 RC2"; include("head.inc"); ?> @@ -193,8 +306,8 @@ padding: 15px 10px 50% 50px; padding-bottom: 4px; } .listbg3 { - border-right: 1px solid #777777; - border-bottom: 1px solid #777777; + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; font-size: 11px; background-color: #777777; color: #000; @@ -204,7 +317,7 @@ padding: 15px 10px 50% 50px; padding-bottom: 4px; } </style> -<noscript><div class="alert" ALIGN=CENTER><img src="/themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> +<noscript><div class="alert" ALIGN=CENTER><img src="../themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> <form action="snort_interfaces.php" method="post" name="iform"> <script type="text/javascript" language="javascript" src="row_toggle.js"> @@ -258,14 +371,19 @@ padding: 15px 10px 50% 50px; <?php /* convert fake interfaces to real and check if iface is up */ $if_real = convert_friendly_interface_to_real_interface_name($natent['interface']); - $color_up = exec("/bin/ps -auwx | grep -v grep | grep \"{$nnats}{$if_real} -c\" | awk '{print $2;}'"); - If ($color_up != "") { + + $color_up_pre = exec("/bin/cat /var/run/snort_{$if_real}{$nnats}{$if_real}.pid"); + $color_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$color_up_pre}"); + $color_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$color_up_pre}"); + if ($color_up_s != "" || $color_up_r != "") { $class_color_up = "listbg2"; $iconfn = "block"; }else{ $class_color_up = "listbg"; $iconfn = "pass"; - } + } + + ?> <td class="listt"><a href="?act=toggle&id=<?=$i;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_<?=$iconfn;?>.gif" width="13" height="13" border="0" title="click to toggle start/stop snort"></a><input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0; width: 7px; height: 7px;"></td> <td class="listt" align="center"></td> @@ -318,27 +436,30 @@ padding: 15px 10px 50% 50px; ?> <?=strtoupper($check_blockoffenders);?> </td> - <?php - /* convert fake interfaces to real and check if iface is up */ - $if_real2 = convert_friendly_interface_to_real_interface_name($natent['interface']); - $color_up_b = exec("/bin/ps -auwx | grep -v grep | grep \"snort.u2_{$nnats}{$if_real2}\" | awk '{print $2;}'"); - If ($color_up_b != "") { - $class_color_up_bb = "listbg2"; - }else{ - $class_color_up_bb = "listbg"; - } - ?> - <td class="<?=$class_color_up_bb;?>" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <?php + + $color2_udp_pre = exec("/bin/cat /var/run/barnyard2_{$nnats}{$if_real}.pid"); + + $color2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$color2_udp_pre}"); + $color2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$color2_udp_pre}"); + if ($color2_upb_s != "" || $color2_upb_r != "") { + $class_color_upb = "listbg2"; + }else{ + $class_color_upb = "listbg"; + } + + ?> + <td class="<?=$class_color_upb;?>" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php $check_snortbarnyardlog_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['barnyard_enable']; if ($check_snortbarnyardlog_info == "on") { - $check_snortbarnyardlog = enabled; - } else { - $check_snortbarnyardlog = disabled; + $check_snortbarnyardlog = strtoupper(enabled); + }else{ + $check_snortbarnyardlog = strtoupper(disabled); } ?> - <?=strtoupper($check_snortbarnyardlog);?> + <?php echo "$check_snortbarnyardlog";?> </td> <td class="listbg3" onClick="fr_toggle(<?=$nnats;?>)" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <font color="#ffffff"> |