diff options
author | bmeeks8 <bmeeks8@bellsouth.net> | 2013-04-13 18:40:58 -0400 |
---|---|---|
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2013-04-13 18:40:58 -0400 |
commit | ce8aeffa537a6fcdf277924cf12ac519d363a397 (patch) | |
tree | c6db725ddd0582a2df4ddfa2cbf4314987a6b5f2 /config/snort | |
parent | 545a02ea3951d37c3e3c0463d3a6564674b37865 (diff) | |
download | pfsense-packages-ce8aeffa537a6fcdf277924cf12ac519d363a397.tar.gz pfsense-packages-ce8aeffa537a6fcdf277924cf12ac519d363a397.tar.bz2 pfsense-packages-ce8aeffa537a6fcdf277924cf12ac519d363a397.zip |
Fix logic bug in rule updates (triggered by unique conditions).
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort.inc | 16 | ||||
-rwxr-xr-x | config/snort/snort_check_for_rule_updates.php | 52 |
2 files changed, 39 insertions, 29 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 6bf73f24..ff822085 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -911,11 +911,19 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) { /* Sort the new reference map. */ uksort($outMap,'strnatcasecmp'); + /**********************************************************/ + /* Do NOT write an empty references.config file, just */ + /* exit instead. */ + /**********************************************************/ + if (empty($outMap)) + return false; + /* Format and write it to the supplied output file. */ $format = "config reference: %-12s %s\n"; foreach ($outMap as $key=>$value) $outMap[$key] = sprintf($format, $key, $value); @file_put_contents($cfg_out, array_values($outMap)); + return true; } function snort_merge_classification_configs($cfg_in, $cfg_out) { @@ -948,11 +956,19 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) { /* Sort the new classification map. */ uksort($outMap,'strnatcasecmp'); + /**********************************************************/ + /* Do NOT write an empty classification.config file, just */ + /* exit instead. */ + /**********************************************************/ + if (empty($outMap)) + return false; + /* Format and write it to the supplied output file. */ $format = "config classification: %s,%s\n"; foreach ($outMap as $key=>$value) $outMap[$key] = sprintf($format, $key, $value); @file_put_contents($cfg_out, array_values($outMap)); + return true; } function snort_load_rules_map($rules_path) { diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 740dc591..cd0a09e6 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -456,10 +456,10 @@ function snort_apply_customizations($snortcfg, $if_real) { snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); /* Copy the master config and map files to the interface directory */ - @copy("{$snortdir}/tmp/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); - @copy("{$snortdir}/tmp/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); - @copy("{$snortdir}/tmp/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); - @copy("{$snortdir}/tmp/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); + @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); + @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); + @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); + @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); } if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { @@ -470,42 +470,36 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = /* Determine which config and map file set to use for the master copy. */ /* If the Snort VRT rules are not enabled, then use Emerging Threats. */ if (($vrt_enabled == 'off') && ($et_enabled == 'on')) { - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/ET_{$file}")) - @rename("{$snortdir}/tmp/ET_{$file}", "{$snortdir}/tmp/{$file}"); - } + $cfgs = glob("{$snortdir}/tmp/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$snortdir}/tmp/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); } elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) { foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$snortdir}/tmp/VRT_{$file}")) - @rename("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/tmp/{$file}"); + @copy("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/{$file}"); } } elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) { - /* Both VRT and ET rules are enabled, so build combined */ - /* reference.config and classification.config files. */ - $cfgs = glob("{$snortdir}/tmp/*reference.config"); - snort_merge_reference_configs($cfgs, "{$snortdir}/tmp/reference.config"); - $cfgs = glob("{$snortdir}/tmp/*classification.config"); - snort_merge_classification_configs($cfgs, "{$snortdir}/tmp/classification.config"); - + /* Both VRT and ET rules are enabled, so build combined */ + /* reference.config and classification.config files, but */ + /* only if we downloaded both rule sets. Otherwise we */ + /* risk creating an incomplete file. */ + $cfgs = glob("{$snortdir}/tmp/*reference.config"); + $cfgs[] = "{$snortdir}/reference.config"; + snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); + $cfgs = glob("{$snortdir}/tmp/*classification.config"); + $cfgs[] = "{$snortdir}/classification.config"; + snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); /* Use the unicode.map and gen-msg.map files from VRT rules. */ if (file_exists("{$snortdir}/tmp/VRT_unicode.map")) - @rename("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/tmp/gen-msg.map"); + @copy("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/unicode.map"); if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map")) - @rename("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/tmp/gen-msg.map"); + @copy("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/gen-msg.map"); } - else { - /* Just Snort GPLv2 Community Rules may be enabled, so make sure required */ - /* default config files are present in the rules extraction tmp working */ - /* directory. Only copy missing files not captured in logic above. */ - - $snort_files = array("gen-msg.map", "classification.config", "reference.config", "unicode.map"); - foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}") && !file_exists("{$snortdir}/tmp/{$file}")) - @copy("{$snortdir}/{$file}", "{$snortdir}/tmp/{$file}"); - } - } /* Start the rules rebuild proccess for each configured interface */ if (is_array($config['installedpackages']['snortglobal']['rule'])) { |