author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-13 15:26:20 -0400 |
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-13 15:26:20 -0400 |
commit | e9423bf7fb424aad2474a07a01b5623859ba73ca (patch) | |
tree | e496b63cf36f6513da9a65ce3f6629098799316d /config/snort | |
parent | 132ee0dc4278e6f5a521259d06c7572bf9258f3e (diff) | |
Improve HOME_NET and EXTERNAL_NET generation and allow viewing of results.
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort.inc | 64 | ||||
-rw-r--r-- | config/snort/snort_generate_conf.php | 12 | ||||
-rwxr-xr-x | config/snort/snort_interfaces_edit.php | 16 | ||||
-rw-r--r-- | config/snort/snort_list_view.php | 14 |
4 files changed, 69 insertions, 37 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index c0863333..96ebe28f 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -308,7 +308,7 @@ function snort_find_list($find_name, $type = 'whitelist') {
 }
 /* func builds custom whitelists and the HOME_NET variable */
-function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
+function snort_build_list($snortcfg, $listname = "", $whitelist = false, $externallist = false) {
 /***********************************************************/
 /* The default is to build a HOME_NET variable unless */
@@ -318,9 +318,10 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 global $config, $g, $aliastable, $filterdns;
 $home_net = array();
- if ($listname == 'default' || empty($listname)) {
+ if (!$externallist && ($listname == 'default' || empty($listname))) {
 $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes';
- } else {
+ }
+ else {
 $list = snort_find_list($listname);
 if (empty($list))
 return $list;
@@ -335,10 +336,12 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 }
 /* Always add loopback addresses to HOME_NET and whitelist */
- if (!in_array("127.0.0.1", $home_net))
- $home_net[] = "127.0.0.1";
- if (!in_array("::1", $home_net))
- $home_net[] = "::1";
+ if (!$externallist) {
+ if (!in_array("127.0.0.1", $home_net))
+ $home_net[] = "127.0.0.1";
+ if (!in_array("::1", $home_net))
+ $home_net[] = "::1";
+ }
 /********************************************************************/
 /* Always put the interface running Snort in HOME_NET and whitelist */
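Review bot: With `$externallist` set, the changed condition in the -318 hunk sends a `'default'` or empty list name down the `snort_find_list()` branch, which then reaches the existing `if (empty($list)) return $list;` and hands back whatever a failed lookup produced rather than an address array. Callers that pass `$externallist = true` therefore have to filter both `'default'` and an empty name themselves, and should check `is_array()` on the result before `implode()` or `foreach`. The fourth parameter added in the -308 hunk also deserves a line in the header comment beneath it, e.g. `/* $externallist: build an EXTERNAL_NET list instead - no loopback entries, and 'default'/empty names are not expanded to the local interface set */`. snort_build_list's body continues past this hunk.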
@@ -349,7 +352,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 /* though, to prevent locking out the firewall itself. */
 /********************************************************************/
 $snortip = get_interface_ip($snortcfg['interface']);
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelis || $localnet == 'yes' || empty($localnet)))) {
 if (is_ipaddr($snortip)) {
 if ($snortcfg['interface'] <> "wan") {
 $sn = get_interface_subnet($snortcfg['interface']);
@@ -359,15 +362,19 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 }
 }
 }
- else {
- if (is_ipaddr($snortip)) {
+ elseif (!$externallist && $localnet != 'yes') {
+ if (is_ipaddrv4($snortip)) {
 if (!in_array($snortip, $home_net))
 $home_net[] = $snortip;
 }
 }
+ // Grab the IPv6 address if we have one assigned
 $snortip = get_interface_ipv6($snortcfg['interface']);
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($snortip, "%") !== FALSE)
+ $snortip = substr($snortip, 0, strpos($snortip, "%"));
+ if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {
 if (is_ipaddrv6($snortip)) {
 if ($snortcfg['interface'] <> "wan") {
 $sn = get_interface_subnetv6($snortcfg['interface']);
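Review bot: The new IPv4 condition in the -349 hunk reads `!$whitelis` — an undefined variable, so that operand is always true and the `!$externallist` alternative is taken regardless of `$whitelist`. In practice a pass list built with `$whitelist = true` always receives the full subnet of the Snort interface, even when that list does not include local networks, which silently widens what the pass list exempts from alerting and blocking; the `elseif` that was meant to add only the single address is never reached. The IPv6 condition later in the -359 hunk spells it correctly, so the fix is `if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {`. The bodies of both `if` statements continue outside the hunk.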
@@ -377,19 +384,16 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 }
 }
 }
- else {
+ elseif (!$externallist && $localnet != 'yes') {
 if (is_ipaddrv6($snortip)) {
- // Trim off the interface designation (e.g., %em1) if present
- if (strpos($snortip, "%") !== FALSE)
- $snortip = substr($snortip, 0, strpos($snortip, "%"));
 if (!in_array($snortip, $home_net))
 $home_net[] = $snortip;
 }
 }
- // Add link-local address
+ // Add link-local address if user included locally-attached networks
 $snortip = get_interface_linklocal($snortcfg['interface']);
- if (!empty($snortip)) {
+ if (!empty($snortip) && $localnet == 'yes') {
 // Trim off the interface designation (e.g., %em1) if present
 if (strpos($snortip, "%") !== FALSE)
 $snortip = substr($snortip, 0, strpos($snortip, "%"));
@@ -397,7 +401,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 $home_net[] = $snortip;
 }
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ if (($$externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {
 /*************************************************************************/
 /* Iterate through the interface list and write out whitelist items and */
 /* also compile a HOME_NET list of all the local interfaces for snort. */
@@ -409,7 +413,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 if ($int == "wan")
 continue;
 $subnet = get_interface_ip($int);
- if (is_ipaddr($subnet)) {
+ if (is_ipaddrv4($subnet)) {
 $sn = get_interface_subnet($int);
 $ip = gen_subnet($subnet, $sn) . "/{$sn}";
 if (!in_array($ip, $home_net))
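Review bot: The condition added in the -397 hunk uses `$$externallist`, a variable-variable that resolves to an undefined name, so its first alternative is never true and an EXTERNAL_NET list built with `$localnet == 'yes'` skips the per-interface loop that follows — the LAN subnets the user asked to include never reach the list. It should read `if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {`. The same expression is now written three times in this function (the -349, -359 and -397 hunks) and two of the three copies carry a typo, so computing it once near the top, e.g. `$include_local = ($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)));`, and testing `$include_local` at each site would remove that class of error. The interface loop body continues outside this hunk.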
@@ -417,6 +421,9 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 }
 $subnet = get_interface_ipv6($int);
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($subnet, "%") !== FALSE)
+ $subnet = substr($subnet, 0, strpos($subnet, "%"));
 if (is_ipaddrv6($subnet)) {
 $sn = get_interface_subnetv6($int);
 $ip = gen_subnetv6($subnet, $sn). "/{$sn}";
@@ -438,20 +445,19 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 if ($wanip == 'yes') {
 $ip = get_interface_ip("wan");
- if (is_ipaddr($ip)) {
+ if (is_ipaddrv4($ip)) {
 if (!in_array($ip, $home_net))
 $home_net[] = $ip;
 }
 $ip = get_interface_ipv6("wan");
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($ip, "%") !== FALSE)
+ $ip = substr($ip, 0, strpos($ip, "%"));
 if (is_ipaddrv6($ip)) {
- // Trim off the interface designation (e.g., %em1) if present
- if (strpos($ip, "%") !== FALSE)
- $ip = substr($ip, 0, strpos($ip, "%"));
 if (!in_array($ip, $home_net))
 $home_net[] = $ip;
 }
-
- // Add link-local address
+ // Explicitly grab the WAN Link-Local address
 $snortip = get_interface_linklocal("wan");
 if (!empty($snortip)) {
 // Trim off the interface designation (e.g., %em1) if present
@@ -465,12 +471,14 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 if ($wangw == 'yes') {
 /* Grab the default gateway if set */
 $default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'");
- if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net))
+ if (is_ipaddrv4($default_gw) && !in_array($default_gw, $home_net))
+ $home_net[] = $default_gw;
+ if (is_ipaddrv6($default_gw) && !in_array($default_gw, $home_net))
 $home_net[] = $default_gw;
 /* Get any other interface gateway and put in $HOME_NET if not there already */
 $gw = get_interface_gateway($snortcfg['interface']);
- if (is_ipaddr($gw) && !in_array($gw, $home_net))
+ if (is_ipaddrv4($gw) && !in_array($gw, $home_net))
 $home_net[] = $gw;
 $gw = get_interface_gateway_v6($snortcfg['interface']);
 // Trim off the interface designation (e.g., %em1) if present
@@ -501,7 +509,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
 }
 }
- /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */
+ // Grab a list of vpns enabled - these come back as CIDR mask networks
 if ($vpns == 'yes') {
 $vpns_list = filter_get_vpns_list();
 if (!empty($vpns_list)) {
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index a5cc08d0..e3b38301 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
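Review bot: In the -465 hunk both new checks are applied to the same `$default_gw` value, which comes from the one `route -n get default` query; on FreeBSD that query answers for the IPv4 default route as far as I can tell, so the `is_ipaddrv6()` branch has nothing to match and the pair behaves like the single `is_ipaddr()` it replaced. Either keep the one-line `is_ipaddr()` form, or, if the IPv6 default gateway is wanted in the list, obtain it with a separate `-inet6` query and test that value with `is_ipaddrv6()`. The `$wangw` block continues outside the hunk.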
@@ -41,11 +41,17 @@
 /* Custom home nets */
 $home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']);
 $home_net = implode(",", $home_net_list);
-
-$external_net = '!$HOME_NET';
+$home_net = trim($home_net);
+$external_net = "";
 if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') {
- $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']);
+ $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname'], false, true);
 $external_net = implode(",", $external_net_list);
+ $external_net = "[" . trim($external_net) . "]";
+}
+else {
+ foreach ($home_net_list as $ip)
+ $external_net .= "!{$ip},";
+ $external_net = trim($external_net, ', ');
 }
 /* User added custom configuration arguments */
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index d59a927b..a49d6198 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
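Review bot: When the custom branch's `snort_build_list()` call yields nothing (list name not found, or a list with no usable entries) the new code emits `$external_net = "[]"`, and `implode()` is applied to a value that may not be an array at all; an empty EXTERNAL_NET is not a usable Snort variable, so a stale or mistyped list name turns into a conf error instead of a sensible default. Guard the custom result and fall back to the negated-HOME_NET form when it is empty, as sketched below. Separately, the custom branch wraps its list in `[...]` while the default branch emits an unbracketed `!a,!b` list; if the conf template does not add brackets itself, the two branches hand Snort differently shaped values, which is worth checking against the template.
```php
$external_net = "";
if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') {
	$external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname'], false, true);
	if (is_array($external_net_list) && !empty($external_net_list))
		$external_net = "[" . trim(implode(",", $external_net_list)) . "]";
}
if (empty($external_net)) {
	// No usable custom list: EXTERNAL_NET is everything that is not HOME_NET
	foreach ($home_net_list as $ip)
		$external_net .= "!{$ip},";
	$external_net = trim($external_net, ', ');
}
// … unchanged: user added custom configuration arguments …
```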
@@ -690,13 +690,17 @@ include_once("head.inc");
 }
 }
 ?>
- </select>
- <span class="vexpl"><?php echo gettext("Choose the External Net you want this interface " .
- "to use."); ?></span> <br/><br/>
+ </select>
+ <input type="button" class="formbtns" value="View List"
+ onclick="viewList('<?=$id;?>','externallistname','externalnet')" id="btnExternalNet"
+ title="<?php echo gettext("Click to view currently selected External Net contents"); ?>"/>
+ <br/>
+ <?php echo gettext("Choose the External Net you want this interface " .
+ "to use."); ?> <br/><br/>
 <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default " .
- "External Net is networks that are not Home Net."); ?><br/>
- <span class="red"><?php echo gettext("Hint:"); ?></span> <?php echo gettext("Most users should leave this " .
- "setting at default. Create an Alias for custom External Net settings."); ?><br/>
+ "External Net is networks that are not Home Net. Most users should leave this setting at default."); ?><br/>
+ <span class="red"><?php echo gettext("Hint:"); ?></span>
+ <?php echo gettext("Create a Pass List and add an Alias to it, and then assign the Pass List here for custom External Net settings."); ?><br/>
 </td>
 </tr>
 <tr>
diff --git a/config/snort/snort_list_view.php b/config/snort/snort_list_view.php
index 8c3d0134..54f4d7f1 100644
--- a/config/snort/snort_list_view.php
+++ b/config/snort/snort_list_view.php
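Review bot: The new button's `onclick` interpolates `$id` unescaped into a JavaScript string literal inside an HTML attribute, `viewList('<?=$id;?>',...)`, and nothing in this hunk constrains the value. If `$id` is the numeric rule index, emitting `<?=(int)$id;?>` pins that assumption in the markup rather than relying on validation elsewhere in the file; for a non-numeric value `htmlspecialchars()` would be the minimum. Minor: `value="View List"` is not wrapped in `gettext()` while the adjacent `title` is.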
@@ -66,6 +66,20 @@ if (isset($id) && isset($wlist)) {
 $contents = str_replace("\r", "", base64_decode($list['suppresspassthru']));
 $title = "Suppress List";
 }
+ elseif ($type == "externalnet") {
+ if ($wlist == "default") {
+ $list = snort_build_list($a_rule, $a_rule['homelistname']);
+ $contents = "";
+ foreach ($list as $ip)
+ $contents .= "!{$ip}\n";
+ $contents = trim($contents, "\n");
+ }
+ else {
+ $list = snort_build_list($a_rule, $wlist, false, true);
+ $contents = implode("\n", $list);
+ }
+ $title = "EXTERNAL_NET";
+ }
 else
 $contents = gettext("\n\nERROR -- Requested List Type entity is not valid!");
 }
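Review bot: The new `externalnet` branch treats only `$wlist == "default"` as the default, whereas snort_generate_conf.php in this same commit also treats an empty `externallistname` as default; an empty `$wlist` here falls into the `else` branch, calls `snort_build_list()` with an empty name and `$externallist = true`, and previews a blank list while the running configuration uses the negated-HOME_NET form. Change the test to `if ($wlist == "default" || empty($wlist)) {`. Both branches also assume `snort_build_list()` returned an array before `foreach`/`implode()`; for a list name that no longer exists it hands back the empty lookup result instead, so an `is_array($list)` check that sets `$contents` to a short explanatory message would be clearer than a PHP warning and an empty page. The enclosing `if (isset($id) && isset($wlist))` block starts outside the hunk.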