authorbmeeks8 <bmeeks8@bellsouth.net>2013-04-13 18:40:58 -0400
committerbmeeks8 <bmeeks8@bellsouth.net>2013-04-13 18:40:58 -0400
commitce8aeffa537a6fcdf277924cf12ac519d363a397 (patch)
treec6db725ddd0582a2df4ddfa2cbf4314987a6b5f2 /config/snort
parent545a02ea3951d37c3e3c0463d3a6564674b37865 (diff)
Fix logic bug in rule updates (triggered only under certain combinations of enabled rule sets).
Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/snort.inc16
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php52
2 files changed, 39 insertions, 29 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 6bf73f24..ff822085 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -911,11 +911,19 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) {
/* Sort the new reference map. */
uksort($outMap,'strnatcasecmp');
+ /**********************************************************/
+ /* Do NOT write an empty references.config file, just */
+ /* exit instead. */
+ /**********************************************************/
+ if (empty($outMap))
+ return false;
+
/* Format and write it to the supplied output file. */
$format = "config reference: %-12s %s\n";
foreach ($outMap as $key=>$value)
$outMap[$key] = sprintf($format, $key, $value);
@file_put_contents($cfg_out, array_values($outMap));
+ return true;
}
function snort_merge_classification_configs($cfg_in, $cfg_out) {
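Review bot: The new `return true` on the last line of the function reports success without checking whether `@file_put_contents` actually wrote `$cfg_out`, so a failed write (permissions, full disk) whose warning is suppressed by `@` is indistinguishable from success and the stale master file stays in place. Replacing the two lines with `return @file_put_contents($cfg_out, array_values($outMap)) !== false;` gives callers a truthful result; note that the callers added in snort_check_for_rule_updates.php in this same commit currently discard the return value either way. The function body starts above this hunk, so the side that reads `$cfg_in` is not visible here.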
@@ -948,11 +956,19 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) {
/* Sort the new classification map. */
uksort($outMap,'strnatcasecmp');
+ /**********************************************************/
+ /* Do NOT write an empty classification.config file, just */
+ /* exit instead. */
+ /**********************************************************/
+ if (empty($outMap))
+ return false;
+
/* Format and write it to the supplied output file. */
$format = "config classification: %s,%s\n";
foreach ($outMap as $key=>$value)
$outMap[$key] = sprintf($format, $key, $value);
@file_put_contents($cfg_out, array_values($outMap));
+ return true;
}
function snort_load_rules_map($rules_path) {
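Review bot: The empty-map early exit returns false silently, and since no caller in this commit checks the return, an update that yields no classification entries leaves the previous `$cfg_out` in place with no trace for the operator. A one-line log message before the `return false`, naming `$cfg_out` and stating that the merge produced no entries, would make the condition this commit is guarding against visible at update time; the same applies to the parallel change in snort_merge_reference_configs. As in that function, `return true` is also issued without inspecting the result of `@file_put_contents`. The function's start lies above this hunk.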
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 740dc591..cd0a09e6 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -456,10 +456,10 @@ function snort_apply_customizations($snortcfg, $if_real) {
snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}");
/* Copy the master config and map files to the interface directory */
- @copy("{$snortdir}/tmp/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
- @copy("{$snortdir}/tmp/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
- @copy("{$snortdir}/tmp/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
- @copy("{$snortdir}/tmp/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
+ @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
+ @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
+ @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
+ @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
}
if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') {
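Review bot: The four `@copy` calls now read the master files from `{$snortdir}` directly, but their results are still discarded, so an interface directory can end up without classification.config or reference.config — for example on a run where the merge helper declined to write an empty map and no earlier master copy exists in `{$snortdir}` — and the problem would surface only when Snort fails to start. Checking each copy's boolean result and logging the missing source path when it is false would report that at update time instead. snort_apply_customizations begins above this hunk.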
@@ -470,42 +470,36 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
/* Determine which config and map file set to use for the master copy. */
/* If the Snort VRT rules are not enabled, then use Emerging Threats. */
if (($vrt_enabled == 'off') && ($et_enabled == 'on')) {
- foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
- if (file_exists("{$snortdir}/tmp/ET_{$file}"))
- @rename("{$snortdir}/tmp/ET_{$file}", "{$snortdir}/tmp/{$file}");
- }
+ $cfgs = glob("{$snortdir}/tmp/*reference.config");
+ $cfgs[] = "{$snortdir}/reference.config";
+ snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config");
+ $cfgs = glob("{$snortdir}/tmp/*classification.config");
+ $cfgs[] = "{$snortdir}/classification.config";
+ snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
}
elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) {
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
if (file_exists("{$snortdir}/tmp/VRT_{$file}"))
- @rename("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/tmp/{$file}");
+ @copy("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/{$file}");
}
}
elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) {
- /* Both VRT and ET rules are enabled, so build combined */
- /* reference.config and classification.config files. */
- $cfgs = glob("{$snortdir}/tmp/*reference.config");
- snort_merge_reference_configs($cfgs, "{$snortdir}/tmp/reference.config");
- $cfgs = glob("{$snortdir}/tmp/*classification.config");
- snort_merge_classification_configs($cfgs, "{$snortdir}/tmp/classification.config");
-
+ /* Both VRT and ET rules are enabled, so build combined */
+ /* reference.config and classification.config files, but */
+ /* only if we downloaded both rule sets. Otherwise we */
+ /* risk creating an incomplete file. */
+ $cfgs = glob("{$snortdir}/tmp/*reference.config");
+ $cfgs[] = "{$snortdir}/reference.config";
+ snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config");
+ $cfgs = glob("{$snortdir}/tmp/*classification.config");
+ $cfgs[] = "{$snortdir}/classification.config";
+ snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
/* Use the unicode.map and gen-msg.map files from VRT rules. */
if (file_exists("{$snortdir}/tmp/VRT_unicode.map"))
- @rename("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/tmp/gen-msg.map");
+ @copy("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/unicode.map");
if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map"))
- @rename("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/tmp/gen-msg.map");
+ @copy("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/gen-msg.map");
}
- else {
- /* Just Snort GPLv2 Community Rules may be enabled, so make sure required */
- /* default config files are present in the rules extraction tmp working */
- /* directory. Only copy missing files not captured in logic above. */
-
- $snort_files = array("gen-msg.map", "classification.config", "reference.config", "unicode.map");
- foreach ($snort_files as $file) {
- if (file_exists("{$snortdir}/{$file}") && !file_exists("{$snortdir}/tmp/{$file}"))
- @copy("{$snortdir}/{$file}", "{$snortdir}/tmp/{$file}");
- }
- }
/* Start the rules rebuild proccess for each configured interface */
if (is_array($config['installedpackages']['snortglobal']['rule'])) {
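Review bot: The ET-only branch (the first `if` in the hunk) now merges only reference.config and classification.config; the removed rename loop also carried ET_gen-msg.map and ET_unicode.map into place, and nothing in the new branch copies them to `{$snortdir}`, so the gen-msg.map and unicode.map later copied per interface are whatever was already there — possibly stale or absent if the ET tarball is the only source of them, as the old loop assumed. Mirroring the VRT branch with `foreach (array("gen-msg.map", "unicode.map") as $file)` and a `file_exists`-guarded `@copy("{$snortdir}/tmp/ET_{$file}", "{$snortdir}/{$file}")` would restore that. Separately, the new comment in the both-enabled branch says the combined files are built "only if we downloaded both rule sets", but no such check exists in the code: the only guard is the merge helper's empty-map exit, and appending the existing master file to `$cfgs` means entries from a rule set that is later disabled are never aged out of the merged result. Either drop that sentence from the comment or add the download check it describes.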