diff options
author | Ermal Luçi <eri@pfsense.org> | 2011-08-02 00:26:30 +0200 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2011-08-02 00:26:30 +0200 |
commit | c8b7c369d1b391fc687e4ad09ee156dbec37043a (patch) | |
tree | c2f7ef99c8b82a22077469956e0fac7808a61cb6 /config/snort/snort_check_for_rule_updates.php | |
parent | 2778501ec22f98415311d2d22eca9515fd1d5d93 (diff) | |
download | pfsense-packages-c8b7c369d1b391fc687e4ad09ee156dbec37043a.tar.gz pfsense-packages-c8b7c369d1b391fc687e4ad09ee156dbec37043a.tar.bz2 pfsense-packages-c8b7c369d1b391fc687e4ad09ee156dbec37043a.zip |
First pass of sanitizing this code. Some more QA is needed to make sure what is selected is actually applied behind
Diffstat (limited to 'config/snort/snort_check_for_rule_updates.php')
-rw-r--r-- | config/snort/snort_check_for_rule_updates.php | 87 |
1 files changed, 27 insertions, 60 deletions
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index f9975ce8..4f87f1f9 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -40,18 +40,20 @@ require_once("/usr/local/pkg/snort/snort.inc"); function read_header2($ch, $string) { global $file_size, $fout; + $length = strlen($string); $regs = ""; ereg("(Content-Length:) (.*)", $string, $regs); - if($regs[2] <> "") { + if($regs[2] <> "") $file_size = intval($regs[2]); - } + ob_flush(); return $length; } function read_body2($ch, $string) { global $fout, $file_size, $downloaded, $sendto, $static_status, $static_output, $lastseen, $pkg_interface; + $length = strlen($string); $downloaded += intval($length); $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); @@ -77,6 +79,7 @@ function read_body2($ch, $string) { function read_body_firmware($ch, $string) { global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; + $length = strlen($string); $downloaded += intval($length); $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); @@ -101,6 +104,7 @@ function read_body_firmware($ch, $string) { function download_file_with_progress_bar2($url_file, $destination_file, $readbody = 'read_body') { global $ch, $fout, $file_size, $downloaded; + $file_size = 1; $downloaded = 1; /* open destination file */ @@ -173,13 +177,6 @@ echo "\n\n"; exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Checking for needed updates...'"); -/* Begin main code */ -conf_mount_rw(); - -if (!file_exists('/usr/local/etc/snort/tmp')) { - exec('/bin/mkdir -p /usr/local/etc/snort/tmp'); -} - /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","150M"); @@ -191,12 +188,8 @@ $config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS- ob_flush(); conf_mount_rw(); -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - /* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { +if (is_dir("{$tmpfname}")) { echo 'Removing old tmp files...' . "\n"; exec("/bin/rm -r {$tmpfname}"); apc_clear_cache(); @@ -208,22 +201,17 @@ exec("/bin/mkdir -p {$snortdir}/rules"); exec("/bin/mkdir -p {$snortdir}/signatures"); exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - /* If tmp dir does not exist create it */ -if (file_exists($tmpfname)) { +if (is_dir($tmpfname)) echo 'The directory tmp exists...' . "\n"; -} else { - mkdir("{$tmpfname}", 700); -} +else + @mkdir("{$tmpfname}", 700); /* download md5 sig from snort.org */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename_md5}") && - filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { + filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { echo 'snort.org md5 temp file exists...' . "\n"; } else { echo 'Downloading snort.org md5 file...' . "\n"; @@ -271,7 +259,7 @@ if ($snortdownload == 'on') echo 'Please wait... You may only check for New Rules every 15 minutes...' . "\n"; echo 'Rules are released every month from snort.org. You may download the Rules at any time.' . "\n"; conf_mount_ro(); - exit(0); + return; } } @@ -282,7 +270,7 @@ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ echo 'Please wait... You may only check for New Pfsense Rules every 15 minutes...' . "\n"; echo 'Rules are released to support Pfsense packages.' . "\n"; conf_mount_ro(); - exit(0); + return; } /* Check if were up to date snort.org */ @@ -294,9 +282,6 @@ if ($snortdownload == 'on') $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - write_config(); // Will cause switch back to read-only on nanobsd - conf_mount_rw(); if ($md5_check_new == $md5_check_old) { echo 'Your rules are up to date...' . "\n"; @@ -315,14 +300,8 @@ if ($emergingthreats == "on") $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); if ($emerg_md5_check_new == $emerg_md5_check_old) - { $emerg_md5_check_ok = on; - } } } @@ -334,13 +313,8 @@ if (file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); if ($pfsense_md5_check_new == $pfsense_md5_check_old) - { $pfsense_md5_check_ok = on; - } } /* Check if were up to date is so, exit */ @@ -352,7 +326,7 @@ if ($snortdownload == 'on' && $emergingthreats == 'on') echo 'All your rules are up to date...' . "\n"; echo 'You may start Snort now...' . "\n"; conf_mount_ro(); - exit(0); + return; } } @@ -363,7 +337,7 @@ if ($snortdownload == 'on' && $emergingthreats == 'off') echo 'Your snort.org rules are up to date...' . "\n"; echo 'You may start Snort now...' . "\n"; conf_mount_ro(); - exit(0); + return; } } @@ -374,7 +348,7 @@ if ($snortdownload == 'off' && $emergingthreats == 'on') echo 'Your Emergingthreats rules are up to date...' . "\n"; echo 'You may start Snort now...' . "\n"; conf_mount_ro(); - exit(0); + return; } } @@ -397,14 +371,13 @@ if ($snortdownload == 'on') } else { echo 'There is a new set of Snort.org rules posted. Downloading...' . "\n"; echo 'May take 4 to 10 min...' . "\n"; - conf_mount_rw(); download_file_with_progress_bar2("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); echo 'Done downloading rules file.' . "\n"; if (150000 > filesize("{$tmpfname}/$snort_filename")){ echo 'Error with the snort rules download...' . "\n"; echo 'Snort rules file downloaded failed...' . "\n"; conf_mount_ro(); - exit(0); + return; } } } @@ -477,7 +450,7 @@ if ($snortdownload == 'on') { $freebsd_version_so = 'FreeBSD-7-2'; }else{ - $freebsd_version_so = 'FreeBSD-8-0'; + $freebsd_version_so = 'FreeBSD-8-1'; } echo 'Extracting Snort.org rules...' . "\n"; @@ -686,13 +659,11 @@ exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/r /* open oinkmaster_conf for writing" function */ function oinkmaster_conf($id, $if_real, $iface_uuid) { - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); /* enable disable setting will carry over with updates */ /* TODO carry signature changes with the updates */ - if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) { + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { $enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; @@ -744,11 +715,9 @@ EOD; /* TODO add per interface settings here */ function oinkmaster_run($id, $if_real, $iface_uuid) { - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); - if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) + if ($snort_md5_check_ok != 'on' || $emerg_md5_check_ok != 'on' || $pfsense_md5_check_ok != 'on') { if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') @@ -783,19 +752,15 @@ function oinkmaster_run($id, $if_real, $iface_uuid) /* Start the proccess for every interface rule */ /* TODO: try to make the code smother */ - -if (!empty($config['installedpackages']['snortglobal']['rule'])) +if (is_array($config['installedpackages']['snortglobal']['rule'])) { $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) { + foreach ($config['installedpackages']['snortglobal']['rule'] as $value) { - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $result_lan = $value['interface']; $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - $iface_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + $iface_uuid = $value['uuid']; /* make oinkmaster.conf for each interface rule */ oinkmaster_conf($id, $if_real, $iface_uuid); @@ -810,9 +775,11 @@ if (!empty($config['installedpackages']['snortglobal']['rule'])) /* mark the time update finnished */ $config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); +write_config(); /* XXX */ +conf_mount_rw(); /* remove old $tmpfname files */ -if (file_exists('/usr/local/etc/snort/tmp')) +if (is_dir('/usr/local/etc/snort/tmp')) { echo 'Cleaning up...' . "\n"; exec("/bin/rm -r /usr/local/etc/snort/tmp/snort_rules_up"); |