author | Bill Meeks <bmeeks8@bellsouth.net> | 2013-01-20 01:10:38 -0500 |
---|---|---|
committer | Bill Meeks <bmeeks8@bellsouth.net> | 2013-01-20 01:10:38 -0500 |
commit | e2368b54a0d454f7521618ae97fc361318bc428d (patch) | |
tree | f935ab7ae148aa0d5943ee36afef14a20e511b1f /config/snort/snort_rulesets.php | |
parent | 31c3b9fdebbb3c4255c62c411621014f68c144a2 (diff) | |
download | pfsense-packages-e2368b54a0d454f7521618ae97fc361318bc428d.tar.gz pfsense-packages-e2368b54a0d454f7521618ae97fc361318bc428d.tar.bz2 pfsense-packages-e2368b54a0d454f7521618ae97fc361318bc428d.zip |
Add IPS policy select, auto-flowbit resolution and bug fixes.
Diffstat (limited to 'config/snort/snort_rulesets.php')
-rwxr-xr-x[-rw-r--r--] | config/snort/snort_rulesets.php | 220 |
1 files changed, 166 insertions, 54 deletions
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index cfaa7d18..b9aa2647 100644..100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -32,7 +32,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $flowbit_rules_file; $snortdir = SNORTDIR; @@ -49,44 +49,13 @@ if (is_null($id)) { exit; } -function snort_remove_rules($files, $snortdir, $snort_uuid, $if_real) { - - if (empty($files)) - return; - - conf_mount_rw(); - foreach ($files as $file) { - @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"); - if (substr($file, -9) == ".so.rules") { - $slib = substr($file, 6, -6); - @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}"); - } - } - conf_mount_ro(); -} - -function snort_copy_rules($files, $snortdir, $snort_uuid, $if_real) { - - if (empty($files)) - return; - - conf_mount_rw(); - foreach ($files as $file) { - if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}")) - @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$file}"); - if (substr($file, -9) == ".so.rules") { - $slib = substr($enabled_item, 6, -6); - if (!file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}")) - @copy("/usr/local/lib/snort/dynamicrules/{$file}", "{$snortdir}/snort_{$snort_uuid}_{$if_real}/dynamicrules/{$slib}"); - } - } - conf_mount_ro(); -} - if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; + $pconfig['autoflowbitrules'] = $a_nat[$id]['autoflowbitrules']; + $pconfig['ips_policy_enable'] = $a_nat[$id]['ips_policy_enable']; + $pconfig['ips_policy'] = $a_nat[$id]['ips_policy']; } $if_real = snort_get_real_interface($pconfig['interface']); 
@@ -94,20 +63,60 @@ $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) + $policy_select_disable = "disabled"; + +if ($a_nat[$id]['autoflowbitrules'] == 'on') { + if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}")) + $btn_view_flowb_rules = ""; + else + $btn_view_flowb_rules = " disabled"; +} +else + $btn_view_flowb_rules = " disabled"; + +// If a Snort VRT policy is enabled and selected, remove all Snort VRT +// rules from the configured rule sets to allow automatic selection. +if ($a_nat[$id]['ips_policy_enable'] == 'on') { + if (isset($a_nat[$id]['ips_policy'])) { + $disable_vrt_rules = "disabled"; + $enabled_sets = explode("||", $a_nat[$id]['rulesets']); + + foreach ($enabled_sets as $k => $v) { + if (substr($v, 0, 6) == "snort_") + unset($enabled_sets[$k]); + } + $a_nat[$id]['rulesets'] = implode("||", $enabled_sets); + } +} +else + $disable_vrt_rules = ""; + /* alert file */ if ($_POST["Submit"]) { + + if ($_POST['ips_policy_enable'] == "on") + $a_nat[$id]['ips_policy_enable'] = 'on'; + else + $a_nat[$id]['ips_policy_enable'] = 'off'; + + $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + $enabled_items = ""; if (is_array($_POST['toenable'])) $enabled_items = implode("||", $_POST['toenable']); else $enabled_items = $_POST['toenable']; - $oenabled = explode("||", $a_nat[$id]['rulesets']); - $nenabled = explode("||", $enabled_items); - $tormv = array_diff($oenabled, $nenabled); - snort_remove_rules($tormv, $snortdir, $snort_uuid, $if_real); $a_nat[$id]['rulesets'] = $enabled_items; - snort_copy_rules(explode("||", $enabled_items), $snortdir, $snort_uuid, $if_real); + + if ($_POST['autoflowbits'] == "on") + $a_nat[$id]['autoflowbitrules'] = 'on'; + else { + $a_nat[$id]['autoflowbitrules'] = 'off'; + if 
(file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}")) + @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); + } write_config(); sync_snort_package_config(); @@ -117,9 +126,6 @@ if ($_POST["Submit"]) { } if ($_POST['unselectall']) { - if (!empty($pconfig['rulesets'])) - snort_remove_rules(explode("||", $pconfig['rulesets']), $snortdir, $snort_uuid, $if_real); - $a_nat[$id]['rulesets'] = ""; write_config(); @@ -141,7 +147,6 @@ if ($_POST['selectall']) { foreach ($files as $file) $rulesets[] = basename($file); } - snort_copy_rules($rulesets, $snortdir, $snort_uuid, $if_real); $a_nat[$id]['rulesets'] = implode("||", $rulesets); @@ -177,6 +182,33 @@ if ($savemsg) { ?> +<script language="javascript" type="text/javascript"> +function popup(url) +{ + params = 'width='+screen.width; + params += ', height='+screen.height; + params += ', top=0, left=0' + params += ', fullscreen=yes'; + + newwin=window.open(url,'windowname4', params); + if (window.focus) {newwin.focus()} + return false; +} +function enable_change() +{ + var endis = !(document.iform.ips_policy_enable.checked); + document.iform.ips_policy.disabled=endis; + + for (var i = 0; i < document.iform.elements.length; i++) { + if (document.iform.elements[i].type == 'checkbox') { + var str = document.iform.elements[i].value; + if (str.substr(0,6) == "snort_") + document.iform.elements[i].disabled = !(endis); + } + } +} +</script> + <form action="snort_rulesets.php" method="post" name="iform" id="iform"> <input type="hidden" name="id" id="id" value="<?=$id;?>" /> <table width="99%" border="0" cellpadding="0" cellspacing="0"> 
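Review bot: `$a_nat[$id]['ips_policy'] = $_POST['ips_policy'];` in the Submit branch stores the posted value unchecked, although the form only offers connectivity, balanced and security, so any other (or missing) value goes into the config as-is; guard it with `if (in_array($_POST['ips_policy'], array('connectivity', 'balanced', 'security'), true)) $a_nat[$id]['ips_policy'] = $_POST['ips_policy'];`. The block that strips `snort_` entries from `$a_nat[$id]['rulesets']` runs on the stored `ips_policy_enable` flag before the post is read, so a submission that turns the policy on and still carries `snort_` names in `toenable` saves them; only the client-side `enable_change()` keeps them out of the request, so the same filter should be re-applied to `$enabled_items` inside the Submit branch when `$_POST['ips_policy_enable'] == "on"`. `$policy_select_disable` is assigned only on the true branch but echoed unconditionally further down; add `else $policy_select_disable = "";` to mirror how `$disable_vrt_rules` is handled. The Submit handler continues past the end of this hunk.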
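Review bot: In `popup(url)`, `params` and `newwin` are assigned without `var` and so become implicit globals, and `params += ', top=0, left=0'` is missing its semicolon; declare them as `var params = 'width=' + screen.width;` and `var newwin = window.open(url, 'windowname4', params);`. The `language="javascript"` attribute on the `<script>` tag is obsolete and `type="text/javascript"` alone suffices. `enable_change()` is the only thing that keeps `snort_` sets out of the submission while the policy is enabled, since disabled inputs are not posted; a comment such as `// UI convenience only: disabled inputs are not posted, the server must still filter snort_ sets` would make that dependency explicit for the next maintainer.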
@@ -205,7 +237,7 @@ if ($savemsg) { <tr> <td> <?php printf(gettext("# The rules directory is empty. %s/rules"), $snortdir); ?> <br/> - <?php echo gettext("Please go to the updates page to download/fetch the rules configured."); ?> + <?php echo gettext("Please go to the Updates tab to download/fetch the rules configured."); ?> </td> </tr> <?php else: 
@@ -221,18 +253,90 @@ if ($savemsg) { <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> - <td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/><br/></td> + <td colspan="6" class="listtopic"><?php echo gettext("Automatic flowbit resolution"); ?><br/></td> + </tr> + <tr> + <td colspan="6" valign="center" class="listn"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td> + <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" <?php if ($a_nat[$id]['autoflowbitrules'] == "on") echo "checked"; ?>/></td> + </tr> + <tr> + <td width="15%" class="vncell"> </td> + <td width="85%" class="vtable"> + <?php echo gettext("If ticked, Snort will examine the enabled rules in your chosen " . + "rule categories for checked flowbits. Any rules that set these dependent flowbits will " . + "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/><br/></td> + </tr> + <tr> + <td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td> + <td width="85%"><input type="button" class="formbtn" value="View" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>')" <?php echo $btn_view_flowb_rules; ?>/></td> + </tr> + <tr> + <td width="15%"> </td> + <td width="85%"> + <?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit " . + "dependencies from the selected rule categories below. Auto-enabled rules generating unwanted alerts " . 
+ "should have their GID:SID added to the Suppression List for the interface."); ?><br/><br/></td> + </tr> + </table> + </td> + </tr> + <tr> + <td colspan="6" class="listtopic"><?php echo gettext("Snort IPS Policy Selection"); ?><br/></td> + </tr> + <tr> + <td colspan="6" valign="center" class="listn"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td> + <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?> + <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/></td> + </tr> + <tr> + <td width="15%" class="vncell"> </td> + <td width="85%" class="vtable"> + <?php echo gettext("If ticked, Snort will use rules from the pre-defined IPS policy " . + "selected below. You must be using the Snort VRT rules to use this option."); ?><br/> + <?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " . + "although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " . 
+ "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br><br/></td> + </tr> + <tr> + <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td> + <td width="85%"><select name="ips_policy" class="formselect" <?=$policy_select_disable?> > + <option value="connectivity" <?php if ($pconfig['ips_policy'] == "connected") echo "selected"; ?>><?php echo gettext("Connectivity"); ?></option> + <option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option> + <option value="security" <?php if ($pconfig['ips_policy'] == "security") echo "selected"; ?>><?php echo gettext("Security"); ?></option> + </select> + </td> + </tr> + <tr> + <td width="15%"> </td> + <td width="85%"> + <?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security. " . + "Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy. It " . + "is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity. " . + "Security is a stringent policy. 
It contains everything in the first two plus policy-type rules such as Flash in an Excel file."); ?><br/><br/></td> + </tr> + </table> + </td> + </tr> + <tr> + <td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/></td> </tr> <tr> - <td colspan="2" valign="center"><br/><input value="Save" type="submit" name="Submit" id="Submit" /><br/<br/></td> - <td colspan="2" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/<br/></td> - <td colspan="2" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/<br/></td> + <td colspan="1" align="middle" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/></td> + <td colspan="1" align="middle" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/></td> + <td colspan="1" align="middle" valign="center"><br/><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td> + <td colspan="3" valign="center"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?><br/></td> </tr> <tr> <td colspan="6"> </td> </tr> <tr id="frheader"> <?php if ($emergingdownload == 'on'): ?> <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats.');?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> <?php else: ?> <td colspan="2" width="30%" class="listhdrr"><?php echo gettext("Emerging rules have not been enabled"); ?></td> <?php endif; ?> 
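Review bot: The Connectivity `<option>` has `value="connectivity"` but its selected test compares against `"connected"`, so a saved connectivity policy is never explicitly marked selected and only appears chosen because it happens to be the first option; change it to `<?php if ($pconfig['ips_policy'] == "connectivity") echo "selected"; ?>`. The View button's onclick interpolates `$id` and `$flowbit_rules_file` into `snort_rules_edit.php?id=...&openruleset=...` unencoded, whereas the existing rule-set rows already pass the file name through `urlencode()`; for consistency use `<?=urlencode($flowbit_rules_file);?>` and escape the attribute with `htmlspecialchars()`. The rewritten Unselect All button still carries `id="selectall"`, duplicating the Select All button's id within the same form.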
@@ -302,7 +406,9 @@ if ($savemsg) { $file = $snortrules[$j]; echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">"; if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) + if (!empty($disable_vrt_rules)) + $CHECKED = $disable_vrt_rules; + elseif(in_array($file, $enabled_rulesets_array)) $CHECKED = " checked=\"checked\""; else $CHECKED = ""; @@ -311,7 +417,7 @@ if ($savemsg) { echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n"; echo "</td>\n"; echo "<td class='listr' width='25%' >\n"; - if (empty($CHECKED)) + if (empty($CHECKED) || $CHECKED == "disabled") echo $file; else echo "<a href='snort_rules.php?id={$id}&openruleset=" . urlencode($file) . "'>{$file}</a>\n"; @@ -322,7 +428,9 @@ if ($savemsg) { $file = $snortsorules[$j]; echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">"; if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) + if (!empty($disable_vrt_rules)) + $CHECKED = $disable_vrt_rules; + elseif(in_array($file, $enabled_rulesets_array)) $CHECKED = " checked=\"checked\""; else $CHECKED = ""; @@ -342,8 +450,12 @@ if ($savemsg) { </td> </tr> <tr> -<td colspan="6"> </td> +<td colspan="6" class="vtable"> <br/></td> </tr> + <tr> + <td colspan="2" align="middle" valign="center"><br/><input value="Save" type="submit" name="Submit" id="Submit" class="formbtn" /></td> + <td colspan="4" valign="center"> <br><br/></td> + </tr> <?php endif; ?> </table> </div> |
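Review bot: `$CHECKED = $disable_vrt_rules;` overloads a variable that otherwise holds ` checked="checked"` with the literal `disabled`, which then forces the special case `$CHECKED == "disabled"` in the link test; a separate `$DISABLED` attribute variable interpolated next to `{$CHECKED}` in the `<input>` would keep the two meanings apart. That link test is only patched for the `$snortrules` loop (the `-311` hunk); the `$snortsorules` loop gets the same `$CHECKED = $disable_vrt_rules` assignment in the `-322` hunk but no matching change to its link output is shown, so it likely still renders `<a href=...>` for rows the policy has disabled — worth confirming against the unchanged lines, which start and end outside these hunks. The second Save button added in the `-342` hunk reuses `id="Submit"` from the one at the top of the table, giving the document two elements with the same id.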