author | Ermal Luçi <eri@pfsense.org> | 2013-11-06 10:08:12 -0800 |
committer | Ermal Luçi <eri@pfsense.org> | 2013-11-06 10:08:12 -0800 |
commit | d2f7ee663d63699707210e18c7b68f649633edcc (patch) | |
tree | 801691c3e63dbf8bfa65d49033e123e8930607f9 /config/snort/snort.inc | |
parent | 91d10b2fb88cb8df249a6add6b08bdb4a5f7acf2 (diff) | |
parent | bfdefef7e3d0ad8a0a6dbfa5b49a7de6a06da115 (diff) | |
Merge pull request #529 from bmeeks8/master
Snort 2.9.4.6 Pkg. Version 2.6.1 Update and Dashboard Widget-Snort Pkg Version 0.3.5 Update
Diffstat (limited to 'config/snort/snort.inc')
-rwxr-xr-x | config/snort/snort.inc | 160 |
1 files changed, 60 insertions, 100 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index d69f6237..98b80d66 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -47,7 +47,7 @@ global $rebuild_rules;
 /* package version */
 $snort_version = "2.9.4.6";
-$pfSense_snort_version = "2.6.0";
+$pfSense_snort_version = "2.6.1";
 $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
 // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI)
@@ -67,12 +67,9 @@ else {
 /* Define some useful constants for Snort */
 define("SNORTLOGDIR", "/var/log/snort");
-define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz");
-define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");
-define("ET_VERSION", "2.9.0");
 define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
+define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
 define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
-define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
 define("FLOWBITS_FILENAME", "flowbit-required.rules");
 define("ENFORCING_RULES_FILENAME", "snort.rules");
 define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
@@ -83,81 +80,6 @@ $rebuild_rules = false;
 if (!is_array($config['installedpackages']['snortglobal']))
 $config['installedpackages']['snortglobal'] = array();
-function snort_get_alias_value($alias) {
- /***************************************************/
- /* This function returns the value of the passed */
- /* Alias, or an empty string if the value cannot */
- /* be determined. */
- /* */
- /* On Entry: $alias ==> Alias to be evaluated */
- /* Returns: Alias value as a string or an empty */
- /* string */
- /***************************************************/
-
- global $config;
-
- $entries = array();
- $tmp = "";
-
- // If no Aliases are defined in the configuration,
- // return an empty string.
- if (empty($config['aliases']))
- return $tmp;
-
- // See if we were passed a valid Alias and return
- // an empty string if not.
- if (!is_alias($alias))
- return $tmp;
-
- // We have a valid Alias, so find its value or
- // values and return as a string.
- return snort_unpack_alias($alias);
-}
-
-function snort_unpack_alias($alias) {
-
- /**************************************************/
- /* This function unpacks an Alias to determine */
- /* the actual values it represents. Any nested */
- /* Aliases encountered are also unpacked via */
- /* recursive calls to this function. */
- /* */
- /* Fully-qualified-domain-name (FQDN) aliases */
- /* are detected and resolved via a pfctl() call. */
- /**************************************************/
-
- global $config;
- $value = "";
-
- // Find the matching Alias entry in config
- foreach ($config['aliases']['alias'] as $aliased) {
- if($aliased['name'] == $alias) {
- $addr = array();
- $addr = explode(" ", trim($aliased['address']));
- foreach ($addr as $a) {
- if (!is_alias($a) && !empty($a)) {
- if (is_ipaddr($a) || is_subnet($a) || is_port($a))
- // If address, subnet or port, we found the final value
- $value .= $a . " ";
- elseif (is_hostname($a)) {
- // Found a FQDN value for this Alias, so resolve it
- $entries = array();
- exec("/sbin/pfctl -t " . escapeshellarg($alias) . " -T show", $entries);
- $value .= trim(implode(" ", $entries));
- }
- else
- continue;
- }
- elseif (is_alias($a))
- // Found a nested Alias, so recursively resolve it
- $value .= snort_unpack_alias($a) . " ";
- }
- return trim($value);
- }
- }
- return $value;
-}
-
 function snort_is_single_addr_alias($alias) {
 /***************************************************/
 /* This function evaluates the passed Alias to */
@@ -172,12 +94,50 @@ function snort_is_single_addr_alias($alias) {
 /***************************************************/
 /* If spaces in expanded Alias, it's not a single entity */
- if (strpos(snort_get_alias_value($alias), " ") !== false)
+ if (strpos(trim(filter_expand_alias($alias)), " ") !== false)
 return false;
 else
 return true;
 }
+function snort_expand_port_range($ports) {
+ /**************************************************/
+ /* This function examines the passed ports string */
+ /* and expands any embedded port ranges into the */
+ /* individual ports separated by commas. A port */
+ /* range is indicated by a colon in the string. */
+ /* */
+ /* On Entry: $ports ==> string to be evaluated */
+ /* with commas separating */
+ /* the port values. */
+ /* Returns: string with any encountered port */
+ /* ranges expanded. */
+ /**************************************************/
+
+ $value = "";
+
+ // Split the incoming string on the commas
+ $tmp = explode(",", $ports);
+
+ // Look for any included port range and expand it
+ foreach ($tmp as $val) {
+ if (is_portrange($val)) {
+ $start = strtok($val, ":");
+ $end = strtok(":");
+ if ($end !== false) {
+ $val = $start . ",";
+ for ($i = intval($start) + 1; $i < intval($end); $i++)
+ $val .= strval($i) . ",";
+ $val .= $end;
+ }
+ }
+ $value .= $val . ",";
+ }
+
+ // Remove any trailing comma in return value
+ return trim($value, ",");
+}
+
 function snort_get_blocked_ips() {
 $blocked_ips = "";
 exec('/sbin/pfctl -t snort2c -T show', $blocked_ips);
@@ -359,7 +319,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 $vips = $list['vips'];
 $vpns = $list['vpnips'];
 if (!empty($list['address']) && is_alias($list['address'])) {
- $home_net = explode(" ", trim(snort_get_alias_value($list['address'])));
+ $home_net = explode(" ", trim(filter_expand_alias($list['address'])));
 }
 }
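Review bot: snort_expand_port_range() passes a descending range through almost unchanged: for `"90:80"` the `for` loop body never executes and the result is `90,80`, which the caller then turns into two unrelated ports in a preprocessor port list, and `"80:80"` yields the duplicate `80,80`. If is_portrange() already rejects a start greater than the end this is harmless, but that is not visible here, so either normalise the order before the loop or state the reliance in the header comment (`/* Assumes is_portrange() has rejected a start > end. */`). The header comment should also warn that a wide range such as `1:65535` is expanded into one entry per port, because every preprocessor `ports { … }` line built in snort_generate_conf now receives the expanded string. Separately, the `strpos(…, " ")` test in snort_is_single_addr_alias only detects single spaces while the other hunks in this commit normalise alias output with `preg_replace('/\s+/', ',', …)`; `if (preg_match('/\s/', trim(filter_expand_alias($alias))))` would be consistent with them.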
@@ -2701,7 +2661,7 @@ function snort_generate_conf($snortcfg) {
 $portvardef = "";
 foreach ($snort_ports as $alias => $avalue) {
 if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"]))
- $snort_ports[$alias] = snort_get_alias_value($snortcfg["def_{$alias}"]);
+ $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
 $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias]));
 $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n";
 }
@@ -2749,7 +2709,7 @@ EOD;
 $http_inspect_server_opts .= " \\\n\tlog_hostname";
 }
- $http_ports = str_replace(",", " ", $snort_ports['http_ports']);
+ $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports']));
 /* def http_inspect */
 $http_inspect = <<<EOD
@@ -2766,8 +2726,8 @@ preprocessor http_inspect_server: server default profile {$http_server_profile}
 EOD;
 /* def ftp_preprocessor */
- $telnet_ports = str_replace(",", " ", $snort_ports['telnet_ports']);
- $ftp_ports = str_replace(",", " ", $snort_ports['ftp_ports']);
+ $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports']));
+ $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports']));
 $ftp_preprocessor = <<<EOD
 # ftp_telnet preprocessor #
 preprocessor ftp_telnet: global \
@@ -2818,7 +2778,7 @@ preprocessor ftp_telnet_protocol: ftp client default \
 EOD;
- $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']);
+ $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports']));
 $pop_preproc = <<<EOD
 # POP preprocessor #
 preprocessor pop: \
@@ -2830,7 +2790,7 @@ preprocessor pop: \
 EOD;
- $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']);
+ $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports']));
 $imap_preproc = <<<EOD
 # IMAP preprocessor #
 preprocessor imap: \
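Review bot: The expression `str_replace(",", " ", snort_expand_port_range($snort_ports['…']))` is written out once per preprocessor in this hunk and again for smtp, ssh, sun_rpc, sip, dns, dnp3, modbus, gtp and ssl in the hunks on the following lines, which is a style point rather than a defect. A one-line helper placed next to snort_expand_port_range, `function snort_ports_to_list($ports) { return str_replace(",", " ", snort_expand_port_range($ports)); }`, would make every call site identical and give one place to change the separator or the expansion. The portvar loop at the top of this hunk still writes the unexpanded, comma-joined alias value into `portvar`, so the two paths now differ; a short comment there such as `// portvar keeps ranges; preprocessor port lists are expanded via snort_expand_port_range() below` would save the next reader from looking for a missing call. snort_generate_conf starts before this hunk and continues past it.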
@@ -2842,7 +2802,7 @@ preprocessor imap: \
 EOD;
- $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']);
+ $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports']));
 /* def smtp_preprocessor */
 $smtp_preprocessor = <<<EOD
 # SMTP preprocessor #
@@ -2894,7 +2854,7 @@ EOD;
 $sf_pscan_sense_level = $snortcfg['pscan_sense_level'];
 $sf_pscan_ignore_scanners = "\$HOME_NET";
 if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) {
- $sf_pscan_ignore_scanners = snort_get_alias_value($snortcfg['pscan_ignore_scanners']);
+ $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners']));
 $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners));
 }
@@ -2909,7 +2869,7 @@ preprocessor sfportscan: scan_type { {$sf_pscan_type} } \
 EOD;
 /* def ssh_preproc */
- $ssh_ports = str_replace(",", " ", $snort_ports['ssh_ports']);
+ $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports']));
 $ssh_preproc = <<<EOD
 # SSH preprocessor #
 preprocessor ssh: server_ports { {$ssh_ports} } \
@@ -2923,7 +2883,7 @@ preprocessor ssh: server_ports { {$ssh_ports} } \
 EOD;
 /* def other_preprocs */
- $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']);
+ $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports']));
 $other_preprocs = <<<EOD
 # Other preprocs #
 preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
@@ -2944,7 +2904,7 @@ preprocessor dcerpc2_server: default, policy WinXP, \
 EOD;
- $sip_ports = str_replace(",", " ", $snort_ports['sip_ports']);
+ $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports']));
 $sip_preproc = <<<EOD
 # SIP preprocessor #
 preprocessor sip: max_sessions 40000, \
@@ -2982,7 +2942,7 @@ preprocessor sip: max_sessions 40000, \
 EOD;
- $dns_ports = str_replace(",", " ", $snort_ports['dns_ports']);
+ $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports']));
 /* def dns_preprocessor */
 $dns_preprocessor = <<<EOD
 # DNS preprocessor #
@@ -2993,7 +2953,7 @@ preprocessor dns: \
 EOD;
 /* def dnp3_preprocessor */
- $dnp3_ports = str_replace(",", " ", $snort_ports['DNP3_PORTS']);
+ $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS']));
 $dnp3_preproc = <<<EOD
 # DNP3 preprocessor #
 preprocessor dnp3: \
@@ -3004,7 +2964,7 @@ preprocessor dnp3: \
 EOD;
 /* def modbus_preprocessor */
- $modbus_ports = str_replace(",", " ", $snort_ports['MODBUS_PORTS']);
+ $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS']));
 $modbus_preproc = <<<EOD
 # Modbus preprocessor #
 preprocessor modbus: \
@@ -3013,7 +2973,7 @@ preprocessor modbus: \
 EOD;
 /* def gtp_preprocessor */
- $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']);
+ $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS']));
 $gtp_preproc = <<<EOD
 # GTP preprocessor #
 preprocessor gtp: ports { {$gtp_ports} }
@@ -3021,7 +2981,7 @@ preprocessor gtp: ports { {$gtp_ports} }
 EOD;
 /* def ssl_preprocessor */
- $ssl_ports = str_replace(",", " ", $snort_ports['ssl_ports']);
+ $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports']));
 $ssl_preproc = <<<EOD
 # SSL preprocessor #
 preprocessor ssl: \
@@ -3058,8 +3018,8 @@ EOD;
 $vardef = "";
 foreach ($snort_servers as $alias => $avalue) {
 if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) {
- $avalue = snort_get_alias_value($snortcfg["def_{$alias}"]);
- $avalue = str_replace(" ", ",", trim($avalue));
+ $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"]));
+ $avalue = preg_replace('/\s+/', ',', trim($avalue));
 }
 $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n";
 }