Improve the Snort rules download update process.

author: bmeeks8 <bmeeks8@bellsouth.net> 2014-02-18 19:15:45 -0500
committer: bmeeks8 <bmeeks8@bellsouth.net> 2014-02-18 19:15:45 -0500
commit: 0e76f85bf6184d6d18830dba474fcd15fc075a03 (patch)
tree: 5e7dd098d850ccd20c2d567a19459d206440dba5 /config/snort/snort_check_for_rule_updates.php
parent: f39947784f044a819d41916451336b5a827e033d (diff)
download: pfsense-packages-0e76f85bf6184d6d18830dba474fcd15fc075a03.tar.gz
pfsense-packages-0e76f85bf6184d6d18830dba474fcd15fc075a03.tar.bz2
pfsense-packages-0e76f85bf6184d6d18830dba474fcd15fc075a03.zip
1 files changed, 170 insertions, 185 deletions
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 9a69db1c..0aa397e4 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -78,15 +78,14 @@ else
 /* define checks */
 $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode'];
 $etproid = $config['installedpackages']['snortglobal']['etpro_code'];
-$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
-$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'];
-$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'];
-$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'];
-$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
-$et_enabled = $config['installedpackages']['snortglobal']['emergingthreats'];
+$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off';
+$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'] == 'on' ? 'on' : 'off';
+$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'on' ? 'on' : 'off';
+$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off';
+$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off';
 
-/* Working directory for downloaded rules tarballs */
-$tmpfname = "{$snortdir}/tmp/snort_rules_up";
+/* Working directory for downloaded rules tarballs and extraction */
+$tmpfname = "/tmp/snort_rules_up";
 
 /* Grab the Snort binary version programmatically and use it to construct */
 /* the proper Snort VRT rules tarball and md5 filenames. Fallback to a    */
@@ -114,7 +113,6 @@ if ($etpro == "on") {
 	$emergingthreats_url = ETPRO_BASE_DNLD_URL;
 	$emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/";
 	$emergingthreats = "on";
-	$et_enabled= "on";
 	$et_name = "Emerging Threats Pro";
 	$et_md5_remove = ET_DNLD_FILENAME . ".md5";
 	@unlink("{$snortdir}/{$et_md5_remove}");
@@ -371,7 +369,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
 /* Start of main code */
 /**********************/
 
-/*  remove old $tmpfname files */
+/*  remove any old $tmpfname files */
 if (is_dir("{$tmpfname}"))
 	exec("/bin/rm -r {$tmpfname}");
 
@@ -429,26 +427,123 @@ if ($emergingthreats == 'on') {
 		$emergingthreats = 'off';
 }
 
-/* Untar Snort GPLv2 Community rules file to tmp */
+/* Untar Snort rules file to tmp and install the rules */
+if ($snortdownload == 'on') {
+	if (file_exists("{$tmpfname}/{$snort_filename}")) {
+		/* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */
+		/* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */
+		$freebsd_version_so = 'FreeBSD-8-1';
+		if (substr(php_uname("r"), 0, 1) == '9')
+			$freebsd_version_so = 'FreeBSD-9-0';
+
+		/* Remove the old Snort rules files */
+		$vrt_prefix = VRT_FILE_PREFIX;
+		array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules"));
+
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extracting Snort VRT rules..."));
+			update_output_window(gettext("Installing Sourcefire VRT rules..."));
+		}
+		error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log);
+		/* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */
+		safe_mkdir("{$tmpfname}/snortrules");
+		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/");
+		$files = glob("{$tmpfname}/snortrules/rules/*.rules");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			@copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}");
+		}
+		/* Extract any IP lists */
+		$files = glob("{$tmpfname}/snortrules/rules/*.txt");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			@copy($file, "{$snortdir}/rules/{$newfile}");
+		}
+		exec("rm -r {$tmpfname}/snortrules");
+		/* Extract the Snort preprocessor rules */
+		if ($pkg_interface <> "console")
+			update_output_window(gettext("Extracting preprocessor rules files..."));
+		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} preproc_rules/");
+		$files = glob("{$tmpfname}/preproc_rules/*.rules");
+		foreach ($files as $file) {
+			$newfile = basename($file);
+			@copy($file, "{$snortdir}/preproc_rules/{$newfile}");
+		}
+		exec("rm -r {$tmpfname}/preproc_rules");
+		/* extract so rules */
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
+			update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}..."));
+		}
+		exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/");
+		error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log);
+		$snort_arch = php_uname("m");
+		$nosorules = false;
+		if ($snort_arch  == 'i386'){
+			exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/");
+			exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
+		} elseif ($snort_arch == 'amd64') {
+			exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/");
+			exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
+		} else
+			$nosorules = true;
+		exec("rm -r {$tmpfname}/so_rules");
+		if ($nosorules == false) {
+			/* extract Shared Object stub rules, rename and copy to the rules folder. */
+			if ($pkg_interface <> "console")
+			        update_status(gettext("Copying Snort VRT Shared Objects rules..."));
+			exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} --exclude precompiled/ --exclude src/ so_rules/");
+			$files = glob("{$tmpfname}/so_rules/*.rules");
+			foreach ($files as $file) {
+				$newfile = basename($file, ".rules");
+				@copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules");
+			}
+			exec("rm -r {$tmpfname}/so_rules");
+		}
+		/* extract base etc files */
+		if ($pkg_interface <> "console") {
+		        update_status(gettext("Extracting Snort VRT config and map files..."));
+			update_output_window(gettext("Copying config and map files..."));
+		}
+		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
+		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
+			if (file_exists("{$tmpfname}/etc/{$file}"))
+				@copy("{$tmpfname}/etc/{$file}", "{$tmpfname}/VRT_{$file}");
+		}
+		exec("rm -r {$tmpfname}/etc");
+		if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
+			if ($pkg_interface <> "console")
+				update_status(gettext("Copying md5 signature to snort directory..."));
+			@copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}");
+		}
+		if ($pkg_interface <> "console") {
+			update_status(gettext("Extraction of Snort VRT rules completed..."));
+			update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
+		}
+		error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log);
+	}
+}
+
+/* Untar Snort GPLv2 Community rules file to tmp and install the rules */
 if ($snortcommunityrules == 'on') {
-	safe_mkdir("{$snortdir}/tmp/community");
+	safe_mkdir("{$tmpfname}/community");
 	if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
 		if ($pkg_interface <> "console") {
 			update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
 			update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
 		}
 		error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log);
-		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/");
+		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
 
-		$files = glob("{$snortdir}/tmp/community/community-rules/*.rules");
+		$files = glob("{$tmpfname}/community/community-rules/*.rules");
 		foreach ($files as $file) {
 			$newfile = basename($file);
 			@copy($file, "{$snortdir}/rules/" . GPL_FILE_PREFIX . "{$newfile}");
 		}
                 /* base etc files for Snort GPLv2 Community rules */
 		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
-			if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}"))
-				@copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/" . GPL_FILE_PREFIX . "{$file}");
+			if (file_exists("{$tmpfname}/community/community-rules/{$file}"))
+				@copy("{$tmpfname}/community/community-rules/{$file}", "{$tmpfname}/" . GPL_FILE_PREFIX . "{$file}");
 		}
 		/*  Copy snort community md5 sig to snort dir */
 		if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) {
@@ -461,20 +556,20 @@ if ($snortcommunityrules == 'on') {
 			update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
 		}
 		error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log);
-		exec("rm -r {$snortdir}/tmp/community");
+		exec("rm -r {$tmpfname}/community");
 	}
 }
 
-/* Untar Emerging Threats rules file to tmp */
+/* Untar Emerging Threats rules file to tmp and install the rules */
 if ($emergingthreats == 'on') {
-	safe_mkdir("{$snortdir}/tmp/emerging");
+	safe_mkdir("{$tmpfname}/emerging");
 	if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
 		if ($pkg_interface <> "console") {
 			update_status(gettext("Extracting {$et_name} rules..."));
 			update_output_window(gettext("Installing {$et_name} rules..."));
 		}
 		error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log);
-		exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/");
+		exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
 
 		/* Remove the old Emerging Threats rules files */
 		$eto_prefix = ET_OPEN_FILE_PREFIX;
@@ -484,7 +579,7 @@ if ($emergingthreats == 'on') {
 		array_map('unlink', glob("{$snortdir}/rules/{$eto_prefix}*ips.txt"));
 		array_map('unlink', glob("{$snortdir}/rules/{$etpro_prefix}*ips.txt"));
 
-		$files = glob("{$snortdir}/tmp/emerging/rules/*.rules");
+		$files = glob("{$tmpfname}/emerging/rules/*.rules");
 		foreach ($files as $file) {
 			$newfile = basename($file);
 			if ($etpro == "on")
@@ -493,7 +588,7 @@ if ($emergingthreats == 'on') {
 				@copy($file, "{$snortdir}/rules/{$newfile}");
 		}
 		/* IP lists for Emerging Threats rules */
-		$files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt");
+		$files = glob("{$tmpfname}/emerging/rules/*ips.txt");
 		foreach ($files as $file) {
 			$newfile = basename($file);
 			if ($etpro == "on")
@@ -503,8 +598,8 @@ if ($emergingthreats == 'on') {
 		}
                 /* base etc files for Emerging Threats rules */
 		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
-			if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}"))
-				@copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/tmp/ET_{$file}");
+			if (file_exists("{$tmpfname}/emerging/rules/{$file}"))
+				@copy("{$tmpfname}/emerging/rules/{$file}", "{$tmpfname}/ET_{$file}");
 		}
 
 		/*  Copy emergingthreats md5 sig to snort dir */
@@ -518,116 +613,7 @@ if ($emergingthreats == 'on') {
 			update_output_window(gettext("Installation of {$et_name} rules completed..."));
 		}
 		error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log);
-		exec("rm -r {$snortdir}/tmp/emerging");
-	}
-}
-
-/* Untar Snort rules file to tmp */
-if ($snortdownload == 'on') {
-	if (file_exists("{$tmpfname}/{$snort_filename}")) {
-		/* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */
-		/* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */
-		$freebsd_version_so = 'FreeBSD-8-1';
-		if (substr(php_uname("r"), 0, 1) == '9')
-			$freebsd_version_so = 'FreeBSD-9-0';
-
-		/* Remove the old Snort rules files */
-		$vrt_prefix = VRT_FILE_PREFIX;
-		array_map('unlink', glob("{$snortdir}/rules/{$vrt_prefix}*.rules"));
-
-		if ($pkg_interface <> "console") {
-			update_status(gettext("Extracting Snort VRT rules..."));
-			update_output_window(gettext("Installing Sourcefire VRT rules..."));
-		}
-		error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log);
-		/* extract snort.org rules and add prefix to all snort.org files */
-		safe_mkdir("{$snortdir}/tmp/snortrules");
-		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp/snortrules rules/");
-		$files = glob("{$snortdir}/tmp/snortrules/rules/*.rules");
-		foreach ($files as $file) {
-			$newfile = basename($file);
-			@copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}");
-		}
-		/* IP lists */
-		$files = glob("{$snortdir}/tmp/snortrules/rules/*.txt");
-		foreach ($files as $file) {
-			$newfile = basename($file);
-			@copy($file, "{$snortdir}/rules/{$newfile}");
-		}
-		exec("rm -r {$snortdir}/tmp/snortrules");
-		/* extract so rules */
-		if ($pkg_interface <> "console") {
-			update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
-			update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}..."));
-		}
-		exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/");
-		error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log);
-		$snort_arch = php_uname("m");
-		$nosorules = false;
-		if ($snort_arch  == 'i386'){
-			exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/");
-			exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
-		} elseif ($snort_arch == 'amd64') {
-			exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/");
-			exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
-		} else
-			$nosorules = true;
-		exec("rm -r {$snortdir}/tmp/so_rules");
-		if ($nosorules == false) {
-			/* extract so stub rules, rename and copy to the rules folder. */
-			if ($pkg_interface <> "console")
-			        update_status(gettext("Copying Snort VRT Shared Objects rules..."));
-			exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/");
-			$files = glob("{$snortdir}/tmp/so_rules/*.rules");
-			foreach ($files as $file) {
-				$newfile = basename($file, ".rules");
-				@copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules");
-			}
-			exec("rm -r {$snortdir}/tmp/so_rules");
-		}
-		/* extract base etc files */
-		if ($pkg_interface <> "console") {
-		        update_status(gettext("Extracting Snort VRT config and map files..."));
-			update_output_window(gettext("Copying config and map files..."));
-		}
-		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/");
-		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
-			if (file_exists("{$snortdir}/tmp/etc/{$file}"))
-				@copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/tmp/VRT_{$file}");
-		}
-		exec("rm -r {$snortdir}/tmp/etc");
-		/* Untar snort signatures */
-		$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo'];
-		if ($premium_url_chk == 'on') {
-			if ($pkg_interface <> "console")
-				update_status(gettext("Extracting Snort VRT Signatures..."));
-			exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/");
-			if ($pkg_interface <> "console")
-				update_status(gettext("Done extracting Signatures."));
-
-			if (is_dir("{$snortdir}/doc/signatures")) {
-				if ($pkg_interface <> "console")
-					update_status(gettext("Copying Snort VRT signatures..."));
-				exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures");
-				if ($pkg_interface <> "console")
-					update_status(gettext("Done copying signatures."));
-			}
-		}
-		/* Extract the Snort preprocessor rules */
-		if ($pkg_interface <> "console")
-			update_output_window(gettext("Extracting preprocessor rules files..."));
-		exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/");
-
-		if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
-			if ($pkg_interface <> "console")
-				update_status(gettext("Copying md5 signature to snort directory..."));
-			@copy("{$tmpfname}/{$snort_filename_md5}", "{$snortdir}/{$snort_filename_md5}");
-		}
-		if ($pkg_interface <> "console") {
-			update_status(gettext("Extraction of Snort VRT rules completed..."));
-			update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
-		}
-		error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log);
+		exec("rm -r {$tmpfname}/emerging");
 	}
 }
 
@@ -636,28 +622,22 @@ function snort_apply_customizations($snortcfg, $if_real) {
 	global $vrt_enabled;
 	$snortdir = SNORTDIR;
 
-	/* Update the Preprocessor rules for the master configuration and for the interface if Snort VRT rules are in use. */
-	if ($vrt_enabled == 'on') {
-		exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules");
-		$preproc_files = glob("{$snortdir}/tmp/preproc_rules/*.rules");
+	/* Update the Preprocessor rules from the master configuration for the interface if Snort */
+	/* VRT rules are in use and the interface's preprocessor rules are not protected.         */
+	if ($vrt_enabled == 'on' && $snortcfg['protect_preproc_rules'] != 'on') {
+		$preproc_files = glob("{$snortdir}/preproc_rules/*.rules");
 		foreach ($preproc_files as $file) {
 			$newfile = basename($file);
-			@copy($file, "{$snortdir}/preproc_rules/{$newfile}"); 
-			/* Check if customized preprocessor rule protection is enabled for interface before overwriting them. */
-			if ($snortcfg['protect_preproc_rules'] <> 'on')
-				@copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}");
+			@copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}");
 		}
 	}
-	else {
-		exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules");
-	}
 
 	snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}");
 
 	/* Copy the master config and map files to the interface directory */
 	@copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
-	@copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
 	@copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
+	@copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
 	@copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
 }
 
@@ -667,45 +647,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
 		update_status(gettext('Copying new config and map files...'));
 	error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log);
 
-        /* Determine which config and map file set to use for the master copy. */
-        /* If the Snort VRT rules are not enabled, then use Emerging Threats.  */
-        if (($vrt_enabled == 'off') && ($et_enabled == 'on')) {
-		$cfgs = glob("{$snortdir}/tmp/*reference.config");
-		$cfgs[] = "{$snortdir}/reference.config";
-		snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config");
-		$cfgs = glob("{$snortdir}/tmp/*classification.config");
-		$cfgs[] = "{$snortdir}/classification.config";
-		snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
-		/* Use the unicode.map and gen-msg.map files from ET rules. */
-		if (file_exists("{$snortdir}/tmp/ET_unicode.map"))
-			@copy("{$snortdir}/tmp/ET_unicode.map", "{$snortdir}/unicode.map");
-		if (file_exists("{$snortdir}/tmp/ET_gen-msg.map"))
-			@copy("{$snortdir}/tmp/ET_gen-msg.map", "{$snortdir}/gen-msg.map");
-        }
-        elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) {
-		foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
-			if (file_exists("{$snortdir}/tmp/VRT_{$file}"))
-				@copy("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/{$file}");
-                }
-        }
-        elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) {
-		/* Both VRT and ET rules are enabled, so build combined  */
-		/* reference.config and classification.config files.     */
-		$cfgs = glob("{$snortdir}/tmp/*reference.config");
-		$cfgs[] = "{$snortdir}/reference.config";
-		snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config");
-		$cfgs = glob("{$snortdir}/tmp/*classification.config");
-		$cfgs[] = "{$snortdir}/classification.config";
-		snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
-		/* Use the unicode.map and gen-msg.map files from VRT rules. */
-		if (file_exists("{$snortdir}/tmp/VRT_unicode.map"))
-			@copy("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/unicode.map");
-		if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map"))
-			@copy("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/gen-msg.map");
-        }
+	/******************************************************************/
+	/* Build the classification.config and reference.config files     */
+	/* using the ones from all the downloaded rules plus the default  */
+	/* files installed with Snort.                                    */
+	/******************************************************************/
+	$cfgs = glob("{$tmpfname}/*reference.config");
+	$cfgs[] = "{$snortdir}/reference.config";
+	snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config");
+	$cfgs = glob("{$tmpfname}/*classification.config");
+	$cfgs[] = "{$snortdir}/classification.config";
+	snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
+
+	/*******************************************************************/
+        /* Determine which map files set to use for the master copy.  If   */
+        /* the Snort VRT rules are not enabled, then use Emerging Threats  */
+	/* or Snort Community Rules, in that order, if either is enabled.  */
+	/*******************************************************************/
+	if ($snortdownload == 'on')
+		$prefix = "VRT_";
+	elseif ($emergingthreats == 'on')
+		$prefix = "ET_";
+	elseif ($snortcommunityrules == 'on')
+		$prefix = GPL_FILE_PREFIX;
+	if (file_exists("{$tmpfname}/{$prefix}unicode.map"))
+		@copy("{$tmpfname}/{$prefix}unicode.map", "{$snortdir}/unicode.map");
+	if (file_exists("{$tmpfname}/{$prefix}gen-msg.map"))
+		@copy("{$tmpfname}/{$prefix}gen-msg.map", "{$snortdir}/gen-msg.map");
 
 	/* Start the rules rebuild proccess for each configured interface */
-	if (is_array($config['installedpackages']['snortglobal']['rule'])) {
+	if (is_array($config['installedpackages']['snortglobal']['rule']) &&
+	    !empty($config['installedpackages']['snortglobal']['rule'])) {
 
 		/* Set the flag to force rule rebuilds since we downloaded new rules,    */
 		/* except when in post-install mode.  Post-install does its own rebuild. */
@@ -722,6 +694,19 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
 				update_status(gettext($tmp));
 				update_output_window(gettext("Please wait while Snort interface files are being updated..."));
 			}
+
+			// Make sure the interface subdirectory and required sub-directories exists.
+			// We need to re-create them during a pkg reinstall for the intial rules set
+			// download and configuration done as part of restoring saved settings.
+			if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}"))
+				safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}");
+			if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules"))
+				safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules");
+			if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules"))
+				safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules");
+			if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor"))
+				safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor");
+
 			snort_apply_customizations($value, $if_real);
 
 			/*  Log a message in Update Log if protecting customized preprocessor rules. */
@@ -745,10 +730,10 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
 	$rebuild_rules = false;
 
 	/*  remove old $tmpfname files */
-	if (is_dir("{$snortdir}/tmp")) {
+	if (is_dir("{$tmpfname}")) {
 		if ($pkg_interface <> "console")
 			update_status(gettext("Cleaning up after rules extraction..."));
-		exec("/bin/rm -r {$snortdir}/tmp");
+		exec("/bin/rm -r {$tmpfname}");
 	}
 
 	/* Restart snort if already running and we are not rebooting to pick up the new rules. */
author	bmeeks8 <bmeeks8@bellsouth.net>	2014-02-18 19:15:45 -0500
committer	bmeeks8 <bmeeks8@bellsouth.net>	2014-02-18 19:15:45 -0500
commit	0e76f85bf6184d6d18830dba474fcd15fc075a03 (patch)
tree	5e7dd098d850ccd20c2d567a19459d206440dba5 /config/snort/snort_check_for_rule_updates.php
parent	f39947784f044a819d41916451336b5a827e033d (diff)
download	pfsense-packages-0e76f85bf6184d6d18830dba474fcd15fc075a03.tar.gz pfsense-packages-0e76f85bf6184d6d18830dba474fcd15fc075a03.tar.bz2 pfsense-packages-0e76f85bf6184d6d18830dba474fcd15fc075a03.zip