authorbmeeks8 <bmeeks8@bellsouth.net>2013-04-09 20:10:36 -0400
committerbmeeks8 <bmeeks8@bellsouth.net>2013-04-09 20:10:36 -0400
commit31905aef52131b7067441f8f7902b343a4588f72 (patch)
tree4ebcd588d4877f3a22f8f7d31132203703d554a2 /config/snort/snort.inc
parent6cabee346e055501e39886fb2b3fddbb4799fcdb (diff)
Update Snort to 2.5.5 - New features and bug fixes
Diffstat (limited to 'config/snort/snort.inc')
-rwxr-xr-xconfig/snort/snort.inc331
1 files changed, 270 insertions, 61 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 27d0b7e5..d8a7cc19 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -37,17 +37,46 @@ require_once("functions.inc");
// Needed on 2.0 because of filter_get_vpns_list()
require_once("filter.inc");
+// Explicitly declare these as global so they work through function call includes
+global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log;
+global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall;
+global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename;
+
/* package version */
$snort_version = "2.9.4.1";
-$pfSense_snort_version = "2.5.4";
+$pfSense_snort_version = "2.5.5";
$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
+
+// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI)
+if (floatval(php_uname("r")) >= 8.3) {
+ exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray);
+ $snort_pbidir = "{$pbidirarray[0]}";
+ define("SNORTDIR", "{$snort_pbidir}/etc/snort");
+ define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort");
+}
+else {
+ define("SNORTDIR", "/usr/local/etc/snort");
+ define("SNORTLIBDIR", "/usr/local/lib/snort");
+}
+
+define("SNORTLOGDIR", "/var/log/snort");
+
+/* Important file definitions */
$snort_rules_file = "snortrules-snapshot-2941.tar.gz";
$emerging_threats_version = "2.9.0";
+$emergingthreats_filename = "emerging.rules.tar.gz";
+$snort_community_rules_url = "https://s3.amazonaws.com/snort-org/www/rules/community/";
+$snort_community_rules_filename = "community-rules.tar.gz";
$flowbit_rules_file = "flowbit-required.rules";
$snort_enforcing_rules_file = "snort.rules";
+$snort_rules_upd_log = SNORTLOGDIR;
+$snort_rules_upd_log .= "/snort_rules_update.log";
-define("SNORTDIR", "/usr/local/etc/snort");
-define("SNORTLOGDIR", "/var/log/snort");
+/* Rebuild Rules Flag -- if "on", rebuild enforcing rules and flowbit-rules files */
+$rebuild_rules = "off";
+
+/* Post-install Flag -- normally "false" except during post-install of package */
+$is_postinstall = false;
if (!is_array($config['installedpackages']['snortglobal']))
$config['installedpackages']['snortglobal'] = array();
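Review bot: SNORTDIR and SNORTLIBDIR are built from the first line of unchecked `exec()` output (L39-L42), so when the pbi_info pipeline matches nothing or fails, `$pbidirarray[0]` is undefined and the constants silently become `/etc/snort` and `/lib/snort`; those paths are later handed to `rm -rf` in snort_deinstall. Capture the exit status, require a non-empty prefix, and fall back to the non-PBI locations otherwise, so a failed lookup degrades to the classic layout instead of an unrelated directory. The grep pattern only interpolates the hard-coded `$snort_version`, so there is no injection concern in the command itself.
```php
$snort_pbidir = "";
if (floatval(php_uname("r")) >= 8.3) {
	exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'", $pbidirarray, $pbi_rc);
	if ($pbi_rc == 0 && !empty($pbidirarray[0]))
		$snort_pbidir = trim($pbidirarray[0]);
}
if ($snort_pbidir != "") {
	define("SNORTDIR", "{$snort_pbidir}/etc/snort");
	define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort");
}
else {
	/* No usable PBI prefix (pre-8.3 FreeBSD or lookup failed): classic install locations */
	define("SNORTDIR", "/usr/local/etc/snort");
	define("SNORTLIBDIR", "/usr/local/lib/snort");
}
```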
@@ -427,9 +456,14 @@ function snort_post_delete_logs($snort_uuid = 0) {
}
function snort_postinstall() {
- global $config, $g;
+ global $config, $g, $snort_rules_file, $emerging_threats_version;
+ global $snort_version, $rebuild_rules, $is_postinstall;
$snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
+
+ /* Set flag for post-install in progress */
+ $is_postinstall = true;
/* cleanup default files */
@rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf");
@@ -440,25 +474,41 @@ function snort_postinstall() {
@rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
+
+ /* fix up the preprocessor rules filenames from a PBI package install */
+ $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
+ foreach ($preproc_rules as $file) {
+ if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
+ @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
+ }
+
+ /* Remove any previously installed scripts since we rebuild them */
@unlink("{$snortdir}/sid");
@unlink("/usr/local/etc/rc.d/snort");
@unlink("/usr/local/etc/rc.d/barnyard2");
- /* remove example files */
- if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0'))
- exec('rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*');
-
- if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
- exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
+ /* remove example library files */
+ $files = glob("{$snortlibdir}/dynamicrules/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
+ $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
/* remake saved settings */
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
update_status(gettext("Saved settings detected..."));
- update_output_window(gettext("Please wait... rebuilding files..."));
+ update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
+ update_status(gettext("Generating snort.conf configuration file from saved settings..."));
+ $rebuild_rules = "on";
sync_snort_package_config();
- update_output_window(gettext("Finnished Rebuilding files..."));
+ $rebuild_rules = "off";
+ update_output_window(gettext("Finished rebuilding files..."));
}
+
+ /* Done with post-install, so clear flag */
+ $is_postinstall = false;
}
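Review bot: `glob()` returns `false` rather than an empty array on failure, so the `foreach ($files as $f)` loops at L107 and L110 raise a warning in that case instead of quietly doing nothing like the `@unlink` calls they replace. Casting keeps the loop total: `foreach ((array)glob("{$snortlibdir}/dynamicrules/*_example*") as $f)`, and likewise for the dynamicpreprocessor glob. Note also that `$is_postinstall` is only cleared on the normal exit path at L127; if sync_snort_package_config() aborts the flag stays set, which may be acceptable but is worth a comment.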
function snort_Getdirsize($node) {
@@ -693,12 +743,15 @@ function snort_rules_up_install_cron($should_install) {
/* Only run when all ifaces needed to sync. Expects filesystem rw */
function sync_snort_package_config() {
- global $config, $g;
+ global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file;
+ global $snort_version, $rebuild_rules;
+
+ $snortdir = SNORTDIR;
conf_mount_rw();
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']) && !is_array($config['installedpackages']['snortglobal']['rule'])) {
+ /* do not start config build if rules is empty or there are no Snort settings */
+ if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) {
exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
conf_mount_ro();
return;
@@ -708,10 +761,10 @@ function sync_snort_package_config() {
foreach ($snortconf as $value) {
$if_real = snort_get_real_interface($value['interface']);
- /* create snort configuration file */
+ /* create a snort.conf file for interface */
snort_generate_conf($value);
- /* create barnyard2 configuration file */
+ /* create barnyard2.conf file for interface */
if ($value['barnyard_enable'] == 'on')
snort_create_barnyard2_conf($value, $if_real);
}
@@ -748,7 +801,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
/* First check if we were passed a directory, a single file */
/* or an array of filenames to read. Set our $rule_files */
/* variable accordingly. If we can't figure it out, return */
- /* an empty rules map array. */
+ /* and don't write a sid_msg_map file. */
if (is_string($rules_path)) {
if (is_dir($rules_path))
$rule_files = glob($rules_path . "*.rules");
@@ -1272,11 +1325,13 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) {
/* given. */
/************************************************/
+ global $flowbit_rules_file;
+
/* See if we were passed a directory or full */
/* filename to write the rules to, and adjust */
/* the destination argument accordingly. */
if (is_dir($rule_file))
- $rule_file = rtrim($rule_file, '/').'/flowbit-required.rules';
+ $rule_file = rtrim($rule_file, '/')."/{$flowbit_rules_file}";
if (empty($flowbit_rules)) {
@file_put_contents($rule_file, "");
@@ -1363,7 +1418,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) {
global $snort_enforcing_rules_file;
- $rule_file = "/snort.rules";
+ $rule_file = "/{$snort_enforcing_rules_file}";
/* See if we were passed a directory or full */
/* filename to write the rules to, and adjust */
@@ -1584,6 +1639,7 @@ case $1 in
rc_stop
;;
restart)
+ rc_stop
rc_start
;;
esac
@@ -1642,7 +1698,7 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) {
config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config
config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config
config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map
-config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map
+config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map
config hostname: $snortbarnyardlog_hostname_info_chk
config interface: {$if_real}
@@ -1671,12 +1727,13 @@ EOD;
}
function snort_deinstall() {
- global $config, $g;
+
+ global $config, $g, $snort_rules_upd_log;
$snortdir = SNORTDIR;
- $snortlogdir = SNORTLOGDIR;
+ $snortlibdir = SNORTLIBDIR;
- /* decrease bpf buffers back to 4096, from 20480 */
+ /* Make sure all active Snort processes are terminated */
mwexec('/usr/bin/killall snort', true);
sleep(2);
mwexec('/usr/bin/killall -9 snort', true);
@@ -1685,9 +1742,11 @@ function snort_deinstall() {
sleep(2);
mwexec('/usr/bin/killall -9 barnyard2', true);
sleep(2);
+
+ /* Remove the snort user and group */
mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
- /* Remove snort cron entries Ugly code needs smoothness*/
+ /* Remove snort cron entries Ugly code needs smoothness */
if (!function_exists('snort_deinstall_cron')) {
function snort_deinstall_cron($crontask) {
global $config, $g;
@@ -1709,22 +1768,49 @@ function snort_deinstall() {
}
}
- mwexec("/bin/rm {$snortdir}/*.md5; /bin/rm -r {$snortdir}/snort_*");
+ /* Remove all the Snort cron jobs. */
snort_deinstall_cron("snort2c");
snort_deinstall_cron("snort_check_for_rule_updates.php");
snort_deinstall_cron("snort_check_cron_misc.inc");
configure_cron();
+ /**********************************************************/
+ /* Test for existence of library backup tarballs in /tmp. */
+ /* If these are present, then a package "delete" */
+ /* operation is in progress and we need to wipe out the */
+ /* configuration files. Otherwise we leave the binary- */
+ /* side configuration intact since only a GUI files */
+ /* deinstall and reinstall operation is in progress. */
+ /* */
+ /* XXX: hopefully a better method presents itself in */
+ /* future versions of pfSense. */
+ /**********************************************************/
+ if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) {
+ mwexec("/bin/rm -rf {$snortdir}");
+ mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules");
+ }
+
/* Keep this as a last step */
- if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on')
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') {
unset($config['installedpackages']['snortglobal']);
+ @unlink("{$snort_rules_upd_log}");
+ }
}
function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
- global $snort_enforcing_rules_file, $flowbit_rules_file;
+
+ global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
+ /* If there is no reason to rebuild the rules, exit to save time. */
+ if ($rebuild_rules == "off")
+ return;
+
+ /* Log a message for rules rebuild in progress */
+ log_error(gettext("Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+
+ /* Only rebuild rules if some are selected or an IPS Policy is enabled */
if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') {
$enabled_rules = array();
$enabled_files = array();
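Review bot: `mwexec("/bin/rm -rf {$snortdir}")` at L248 runs against whatever SNORTDIR resolved to, and SNORTDIR is derived earlier in this file from pbi_info output that is not validated, so an empty prefix would turn this into a recursive delete of `/etc/snort`. Guard the destructive step: `if (!empty($snortdir) && $snortdir != "/" && is_dir($snortdir))` before the two `rm -rf` lines, and the same for `$snortlibdir`. The trigger at L247 is the presence of files in the world-writable `/tmp`, which the package does not control; the XXX comment acknowledges this, but the guard above at least bounds what gets removed. snort_prepare_rule_files continues outside the hunk.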
@@ -1741,16 +1827,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
$enabled_rules = snort_load_rules_map($enabled_files);
}
- /* Remove any existing rules files (except custom rules) prior to building a new set. */
- foreach (glob("{$snortcfgdir}/rules/*.rules") as $file) {
- $tmpfile = basename($file);
- if (in_array("{$snortdir}/rules/{$tmpfile}", $enabled_files))
- continue;
- if ($tmpfile != "custom.rules" && $tmpfile != $flowbit_rules_file &&
- $tmpfile != $snort_enforcing_rules_file)
- @unlink($file);
- }
-
/* Check if a pre-defined Snort VRT policy is selected. If so, */
/* add all the VRT policy rules to our enforcing rule set. */
if (!empty($snortcfg['ips_policy'])) {
@@ -1773,9 +1849,12 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Process any enablesid or disablesid modifications for the selected rules. */
snort_modify_sids($enabled_rules, $snortcfg);
- /* Check for and disable any rules dependent upon disabled preprocessors. */
- log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
- snort_filter_preproc_rules($snortcfg, $enabled_rules);
+ /* Check for and disable any rules dependent upon disabled preprocessors if */
+ /* this option is enabled for the interface. */
+ if ($snortcfg['preproc_auto_rule_disable'] == "on") {
+ log_error('Auto-disabling rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $enabled_rules);
+ }
/* Write the enforcing rules file to the Snort interface's "rules" directory. */
snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
@@ -1783,9 +1862,19 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */
if ($snortcfg['autoflowbitrules'] == 'on') {
- log_error('Resolving and auto-enabling flowbit required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ log_error('Resolving and auto-enabling any flowbit-required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
$enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}";
- snort_write_flowbit_rules_file(snort_resolve_flowbits($enabled_files), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ $fbits = snort_resolve_flowbits($enabled_files);
+
+ /* Check for and disable any flowbit-required rules dependent upon */
+ /* disabled preprocessors if this option is enabled for the interface. */
+ if ($snortcfg['preproc_auto_rule_disable'] == "on") {
+ log_error('Auto-disabling flowbit-required rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $fbits, true);
+ }
+ snort_filter_preproc_rules($snortcfg, $fbits, true);
+ snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ unset($fbits);
} else
/* Just put an empty file to always have the file present */
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
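Review bot: L320 calls `snort_filter_preproc_rules($snortcfg, $fbits, true)` unconditionally right after the same call was gated on `preproc_auto_rule_disable` at L316-L319, so on the "on" path the flowbit rules are filtered twice and the log file is reopened in append mode a second time. Delete L320 so the gated call is the only one; the function's own early return (L354) makes the duplicate harmless on the "off" path, which is probably why it was not noticed. The enclosing function continues past the hunk.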
@@ -1803,10 +1892,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Build a new sid-msg.map file from the enabled */
/* rules and copy it to the interface directory. */
+ log_error(gettext("Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "..."));
snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map");
}
-function snort_filter_preproc_rules($snortcfg, &$active_rules) {
+function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = false) {
/**************************************************/
/* This function checks the $active_rules array */
@@ -1819,11 +1909,22 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
/* the interface */
/* $active_rules -> rules_map array of enabled */
/* rules for the interface */
+ /* */
+ /* NOTE: This feature must be enabled in the GUI */
+ /* by the user. Use of this feature can */
+ /* severely degrade Snort's ability to */
+ /* detect threats by disabling potentially */
+ /* crucial detection rules. */
/**************************************************/
global $config;
- if (empty($active_rules))
+ $snortlogdir = SNORTLOGDIR;
+ $disabled_count = 0;
+ $log_msg = array();
+
+ /* Check if no rules or if this option is disabled */
+ if (empty($active_rules) || $snortcfg['preproc_auto_rule_disable'] <> 'on')
return;
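Review bot: The new log message at L329 names the file `sig-msg.map`, but the call on the next line builds `sid-msg.map`, so the message should read `"Building new sid-msg.map file for " ...`. Separately, L354 uses the `<>` operator for the option check; the rest of this file uses `!=` (e.g. L407), so `$snortcfg['preproc_auto_rule_disable'] != 'on'` keeps the style consistent. snort_filter_preproc_rules continues outside the hunk.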
/***************************************************
@@ -1833,8 +1934,20 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
* IMPORTANT -- Keep this part of the code current *
* with changes to preprocessor rule options in *
* Snort VRT rules. *
+ * *
+ * *
+ * Format of array is: *
+ * "rule_option" => "dependent_preprocessor" *
+ * *
+ * Last Update: 04/05/2013 *
+ * *
+ * Added: http_inspect content modifiers and *
+ * various "service" metadata values. *
+ * *
***************************************************/
$rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
+ "service ssl" => "ssl_preproc", "service ftp" => "ftp_preprocessor",
+ "service telnet" => "ftp_preprocessor", "service dns" => "dns_preprocessor",
"dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2",
"dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data",
"sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc",
@@ -1843,7 +1956,16 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
"gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc",
"modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc",
"dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc",
- "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc");
+ "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc",
+ "http_client_body;" => "http_inspect", "http_cookie;" => "http_inspect",
+ "http_raw_cookie;" => "http_inspect", "http_header;" => "http_inspect",
+ "http_raw_header;" => "http_inspect", "http_method;" => "http_inspect",
+ "http_uri;" => "http_inspect", "http_raw_uri;" => "http_inspect",
+ "http_stat_code;" => "http_inspect", "http_stat_msg;" => "http_inspect",
+ "uricontent:" => "http_inspect", "urilen:" => "http_inspect",
+ "http_encode;" => "http_inspect", "service http" => "http_inspect",
+ "service imap" => "imap_preproc", "service pop2" => "pop_preproc",
+ "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor");
/***************************************************
* Iterate the enabled rules, and check for rule *
@@ -1855,32 +1977,94 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
***************************************************/
foreach ($active_rules as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
+
/* If rule is already disabled, skip it. */
if ($v['disabled'] == 1)
continue;
+
foreach ($rule_opts_preprocs as $opt => $preproc) {
- $pcre = "/\s*\b" . $opt . "/i";
+ $pcre = "/\s*\b" . preg_quote($opt) . "/i";
if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
$active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
$active_rules[$k1][$k2]['disabled'] = 1;
+ $disabled_count++;
+
+ /* Accumulate auto-disabled rules for logging */
+ $tmp = $active_rules[$k1][$k2]['category'] . " ";
+ $tmp .= "{$k1}:{$k2} Preproc: {$preproc} Param: {$opt}";
+ $log_msg[] = $tmp;
break;
}
}
}
}
+
+ /***************************************************************/
+ /* If we are persisting the log from the last pass, then open */
+ /* the log file in append mode. Otherwise open in overwrite */
+ /* to clear the log in case we have zero disabled rules. */
+ /* */
+ /* Typically "persist log" mode is used on the second pass */
+ /* when flowbit-required rules are being assessed after the */
+ /* primary enforcing rules have been evaluated. */
+ /***************************************************************/
+ $iface = snort_get_friendly_interface($snortcfg['interface']);
+ $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
+ if ($persist_log)
+ $fp = fopen($file, 'a');
+ else
+ $fp = fopen($file, 'w');
+
+ /***************************************************/
+ /* Log a warning if we auto-disabled any rules */
+ /* just so the user is aware protection is less */
+ /* than optimal with the preprocessors disabled. */
+ /***************************************************/
+ if ($disabled_count > 0) {
+ log_error(gettext("Warning: auto-disabled {$disabled_count} rules due to disabled preprocessor dependencies."));
+ natcasesort($log_msg);
+ if ($fp) {
+ /* Only write the header when not persisting the log */
+ if (!$persist_log) {
+ @fwrite($fp, "#\n# Run Time: " . date("Y-m-d H:i:s") . "\n#\n");
+ @fwrite($fp, "#\n# These rules were auto-disabled because they contain options or operators\n");
+ @fwrite($fp, "# dependent on preprocessors that are currently NOT ENABLED on the Preprocessors\n");
+ @fwrite($fp, "# tab. Without these dependent preprocessors enabled, Snort would fail to start\n");
+ @fwrite($fp, "# if the rules listed below were enabled. Therefore the listed rules have been\n");
+ @fwrite($fp, "# automatically disabled. This behavior is controlled by the Auto-Rule Disable\n");
+ @fwrite($fp, "# feature on the Preprocessors tab.\n#\n");
+ @fwrite($fp, "# WARNING: Using the auto-disable rule feature is not recommended because it can\n");
+ @fwrite($fp, "# significantly reduce the threat detection capabilities of Snort!\n#\n");
+ @fwrite($fp, "# Log Format is: RULE CATEGORY GID:SID PREPROC METADATA/CONTENT PARAMETER\n#\n");
+ }
+ foreach ($log_msg as $m) {
+ @fwrite($fp, $m . "\n");
+ }
+ }
+ log_error(gettext("See '{$file}' for list of auto-disabled rules."));
+ unset($log_msg);
+ }
+ if ($fp)
+ fclose($fp);
}
function snort_generate_conf($snortcfg) {
- global $config, $g;
+
+ global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
$snortlogdir = SNORTLOGDIR;
- $flowbit_rules_file = "flowbit-required.rules";
- $snort_enforcing_rules_file = "snort.rules";
if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
+ /* See if we should protect and not modify the preprocessor rules files */
+ if (!empty($snortcfg['protect_preproc_rules']))
+ $protect_preproc_rules = $snortcfg['protect_preproc_rules'];
+ else
+ $protect_preproc_rules = "off";
+
$if_real = snort_get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
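Review bot: `preg_quote($opt)` at L406 is a good addition, but it is called without the delimiter argument, so a `/` in a future option key would not be escaped even though the pattern uses `/` as its delimiter; use `$pcre = "/\s*\b" . preg_quote($opt, '/') . "/i";`. The `fopen()` calls at L434 and L436 are not `@`-suppressed while every write to `$fp` is, so an unwritable log directory produces a PHP warning in the GUI; either suppress consistently or log the failure once. At L444 and L464 the interpolated values are placed inside the `gettext()` argument, which defeats the translation lookup; prefer `sprintf(gettext("Warning: auto-disabled %d rules due to disabled preprocessor dependencies."), $disabled_count)`. snort_generate_conf continues outside the hunk.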
@@ -1903,8 +2087,8 @@ function snort_generate_conf($snortcfg) {
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
"{$snortcfgdir}/preproc_rules",
- "dynamicrules" => "/usr/local/lib/snort/dynamicrules",
- "dynamicengine" => "/usr/local/lib/snort/dynamicengine",
+ "dynamicrules" => "{$snortlibdir}/dynamicrules",
+ "dynamicengine" => "{$snortlibdir}/dynamicengine",
"dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
);
foreach ($snort_dirs as $dir) {
@@ -1912,13 +2096,24 @@ function snort_generate_conf($snortcfg) {
safe_mkdir($dir);
}
+ /********************************************************************/
+ /* For fail-safe on an initial startup following installation, and */
+ /* before a rules update has occurred, copy the default config */
+ /* files to the interface directory. If files already exist in */
+ /* the interface directory, or they are newer, that means a rule */
+ /* update has been done and we should leave the customized files */
+ /* put in place by the rules update process. */
+ /********************************************************************/
$snort_files = array("gen-msg.map", "classification.config", "reference.config",
"sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
"preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
);
foreach ($snort_files as $file) {
- if (file_exists("{$snortdir}/{$file}"))
- @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ if (file_exists("{$snortdir}/{$file}")) {
+ $ftime = filemtime("{$snortdir}/{$file}");
+ if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}")))
+ @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ }
}
/* define alertsystemlog */
@@ -2012,7 +2207,7 @@ EOD;
if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
$def_client_flow_depth_type = $snortcfg['client_flow_depth'];
- if ($snortcfg['noalert_http_inspect'] == 'on')
+ if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect']))
$noalert_http_inspect = "no_alerts ";
else
$noalert_http_inspect = "";
@@ -2257,6 +2452,16 @@ EOD;
if (!empty($snortcfg['stream5_mem_cap']))
$def_stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}";
+ /* Default the HTTP_INSPECT preprocessor to "on" if not set. */
+ /* The preprocessor is required by hundreds of Snort rules, */
+ /* and without it Snort may not start and/or the number of */
+ /* rules required to be disabled reduces Snort's capability. */
+ /* Alerts from the HTTP_INSPECT preprocessor default to "off" */
+ /* unless a specific value has been set by the user. */
+ /**************************************************************/
+ if (empty($snortcfg['http_inspect']))
+ $snortcfg['http_inspect'] = 'on';
+
/* define servers and ports snortdefservers */
$snort_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
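Review bot: The `http_inspect` default at L544-L545 is applied to this function's by-value copy of `$snortcfg`, so it does not reach snort_filter_preproc_rules, which tests `$snortcfg['http_inspect'] != 'on'` (L407) on the array it receives from snort_prepare_rule_files. If that caller is handed the config before this default is applied (the call site is outside the hunk, so I cannot confirm), every rule keyed to `http_inspect` in the new table would be auto-disabled even though the generated snort.conf enables the preprocessor. Consider applying the same `empty()` default inside snort_filter_preproc_rules, or writing it back to `$config` so all consumers see the same value.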
@@ -2295,8 +2500,8 @@ EOD;
if (!empty($snort_preproc_libs[$preproc])) {
$preproclib = "libsf_" . $snort_preproc_libs[$preproc];
if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
- if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) {
- @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
$snort_preprocessors .= $$preproc;
$snort_preprocessors .= "\n";
} else
@@ -2318,22 +2523,26 @@ EOD;
if (file_exists("{$snortcfgdir}/classification.config"))
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
if (is_dir("{$snortcfgdir}/preproc_rules")) {
- if ($snortcfg['sensitive_data'] == 'on') {
+ if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
$sedcmd = '/^#alert.*classtype:sdf/s/^#//';
if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules"))
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
} else
$sedcmd = '/^alert.*classtype:sdf/s/^/#/';
if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) {
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
@file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
@unlink("{$g['tmp_path']}/sedcmd");
-
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- } else {
+ } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ }
+ else {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
}
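Review bot: Adding `&& $protect_preproc_rules == "off"` to the condition at L566 drops the `include ... sensitive-data.rules` line whenever protect mode is on, even though sensitive_data is enabled, and it also leaves `$sedcmd` set to the comment-out script, so protect mode silently loses sensitive-data detection. The sed execution is already gated by the protect flag at L574, so L566 can revert to `if ($snortcfg['sensitive_data'] == 'on') {` and the include is preserved in both modes — unless suppressing that include is intended, in which case a comment should say so. The duplicated include lines in the two branches at L580-L581 and L585-L586 could then collapse into one block after the sed step.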