authorbmeeks8 <bmeeks8@bellsouth.net>2014-09-13 15:26:20 -0400
committerbmeeks8 <bmeeks8@bellsouth.net>2014-09-13 15:26:20 -0400
commite9423bf7fb424aad2474a07a01b5623859ba73ca (patch)
treee496b63cf36f6513da9a65ce3f6629098799316d /config/snort
parent132ee0dc4278e6f5a521259d06c7572bf9258f3e (diff)
downloadpfsense-packages-e9423bf7fb424aad2474a07a01b5623859ba73ca.tar.gz
pfsense-packages-e9423bf7fb424aad2474a07a01b5623859ba73ca.tar.bz2
pfsense-packages-e9423bf7fb424aad2474a07a01b5623859ba73ca.zip
Improve HOME_NET and EXTERNAL_NET generation and allow viewing of results.
Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/snort.inc64
-rw-r--r--config/snort/snort_generate_conf.php12
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php16
-rw-r--r--config/snort/snort_list_view.php14
4 files changed, 69 insertions, 37 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index c0863333..96ebe28f 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -308,7 +308,7 @@ function snort_find_list($find_name, $type = 'whitelist') {
}
/* func builds custom whitelists and the HOME_NET variable */
-function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
+function snort_build_list($snortcfg, $listname = "", $whitelist = false, $externallist = false) {
/***********************************************************/
/* The default is to build a HOME_NET variable unless */
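Review bot: The header comment preceding the signature still describes the function as building whitelists and HOME_NET, and the new `$externallist` parameter is not documented anywhere although its effect is non-obvious: the later hunks skip the loopback addresses when it is set and include the interface's networks only when the list's `localnet` option is 'yes'. I would extend the comment to `/* func builds custom whitelists, the HOME_NET variable, or (when $externallist is true) an EXTERNAL_NET list; external lists omit loopback and add local networks only when the list's localnet option is 'yes' */`. The explanatory comment block and the function body continue past the end of this hunk.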
@@ -318,9 +318,10 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
global $config, $g, $aliastable, $filterdns;
$home_net = array();
- if ($listname == 'default' || empty($listname)) {
+ if (!$externallist && ($listname == 'default' || empty($listname))) {
$localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes';
- } else {
+ }
+ else {
$list = snort_find_list($listname);
if (empty($list))
return $list;
@@ -335,10 +336,12 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
/* Always add loopback addresses to HOME_NET and whitelist */
- if (!in_array("127.0.0.1", $home_net))
- $home_net[] = "127.0.0.1";
- if (!in_array("::1", $home_net))
- $home_net[] = "::1";
+ if (!$externallist) {
+ if (!in_array("127.0.0.1", $home_net))
+ $home_net[] = "127.0.0.1";
+ if (!in_array("::1", $home_net))
+ $home_net[] = "::1";
+ }
/********************************************************************/
/* Always put the interface running Snort in HOME_NET and whitelist */
@@ -349,7 +352,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
/* though, to prevent locking out the firewall itself. */
/********************************************************************/
$snortip = get_interface_ip($snortcfg['interface']);
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelis || $localnet == 'yes' || empty($localnet)))) {
if (is_ipaddr($snortip)) {
if ($snortcfg['interface'] <> "wan") {
$sn = get_interface_subnet($snortcfg['interface']);
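Review bot: `!$whitelis` in the rewritten condition is missing its final `t`, so PHP reads an undefined variable (null) and that sub-expression is always true; for a non-external list the interface's own subnet is therefore always added, whatever `$whitelist` and `$localnet` hold, while the IPv6 counterpart of this condition further down spells it `!$whitelist`. The line should read `if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {`. snort_build_list continues on both sides of this hunk.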
@@ -359,15 +362,19 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
}
}
- else {
- if (is_ipaddr($snortip)) {
+ elseif (!$externallist && $localnet != 'yes') {
+ if (is_ipaddrv4($snortip)) {
if (!in_array($snortip, $home_net))
$home_net[] = $snortip;
}
}
+ // Grab the IPv6 address if we have one assigned
$snortip = get_interface_ipv6($snortcfg['interface']);
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($snortip, "%") !== FALSE)
+ $snortip = substr($snortip, 0, strpos($snortip, "%"));
+ if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {
if (is_ipaddrv6($snortip)) {
if ($snortcfg['interface'] <> "wan") {
$sn = get_interface_subnetv6($snortcfg['interface']);
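Review bot: The scope-id trimming added before the IPv6 check (`if (strpos($snortip, "%") !== FALSE) $snortip = substr($snortip, 0, strpos($snortip, "%"));`) is the same pair of lines this commit also adds or keeps for the link-local address, the per-interface loop, the WAN address and the v6 gateway later in the function, so the function now carries that snippet at least five times. A one-line helper, e.g. `function snort_strip_scope_id($ip) { return strpos($ip, "%") === false ? $ip : substr($ip, 0, strpos($ip, "%")); }`, would make each site `$snortip = snort_strip_scope_id(get_interface_ipv6($snortcfg['interface']));` and keep the behaviour in one place. The surrounding if/elseif chain continues outside the hunk.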
@@ -377,19 +384,16 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
}
}
- else {
+ elseif (!$externallist && $localnet != 'yes') {
if (is_ipaddrv6($snortip)) {
- // Trim off the interface designation (e.g., %em1) if present
- if (strpos($snortip, "%") !== FALSE)
- $snortip = substr($snortip, 0, strpos($snortip, "%"));
if (!in_array($snortip, $home_net))
$home_net[] = $snortip;
}
}
- // Add link-local address
+ // Add link-local address if user included locally-attached networks
$snortip = get_interface_linklocal($snortcfg['interface']);
- if (!empty($snortip)) {
+ if (!empty($snortip) && $localnet == 'yes') {
// Trim off the interface designation (e.g., %em1) if present
if (strpos($snortip, "%") !== FALSE)
$snortip = substr($snortip, 0, strpos($snortip, "%"));
@@ -397,7 +401,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
$home_net[] = $snortip;
}
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ if (($$externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {
/*************************************************************************/
/* Iterate through the interface list and write out whitelist items and */
/* also compile a HOME_NET list of all the local interfaces for snort. */
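Review bot: `$$externallist` in the new condition is a variable-variable: it dereferences a variable named after the boolean's string form (`""` or `"1"`), which is never set, so the first alternative is always false and an external list never enters the interface-iteration block that follows. The intended test is `$externallist`, as written in the matching conditions earlier in the function: `if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {`. The guarded block starts here and runs past the end of the hunk.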
@@ -409,7 +413,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
if ($int == "wan")
continue;
$subnet = get_interface_ip($int);
- if (is_ipaddr($subnet)) {
+ if (is_ipaddrv4($subnet)) {
$sn = get_interface_subnet($int);
$ip = gen_subnet($subnet, $sn) . "/{$sn}";
if (!in_array($ip, $home_net))
@@ -417,6 +421,9 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
$subnet = get_interface_ipv6($int);
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($subnet, "%") !== FALSE)
+ $subnet = substr($subnet, 0, strpos($subnet, "%"));
if (is_ipaddrv6($subnet)) {
$sn = get_interface_subnetv6($int);
$ip = gen_subnetv6($subnet, $sn). "/{$sn}";
@@ -438,20 +445,19 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
if ($wanip == 'yes') {
$ip = get_interface_ip("wan");
- if (is_ipaddr($ip)) {
+ if (is_ipaddrv4($ip)) {
if (!in_array($ip, $home_net))
$home_net[] = $ip;
}
$ip = get_interface_ipv6("wan");
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($ip, "%") !== FALSE)
+ $ip = substr($ip, 0, strpos($ip, "%"));
if (is_ipaddrv6($ip)) {
- // Trim off the interface designation (e.g., %em1) if present
- if (strpos($ip, "%") !== FALSE)
- $ip = substr($ip, 0, strpos($ip, "%"));
if (!in_array($ip, $home_net))
$home_net[] = $ip;
}
-
- // Add link-local address
+ // Explicitly grab the WAN Link-Local address
$snortip = get_interface_linklocal("wan");
if (!empty($snortip)) {
// Trim off the interface designation (e.g., %em1) if present
@@ -465,12 +471,14 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
if ($wangw == 'yes') {
/* Grab the default gateway if set */
$default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'");
- if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net))
+ if (is_ipaddrv4($default_gw) && !in_array($default_gw, $home_net))
+ $home_net[] = $default_gw;
+ if (is_ipaddrv6($default_gw) && !in_array($default_gw, $home_net))
$home_net[] = $default_gw;
/* Get any other interface gateway and put in $HOME_NET if not there already */
$gw = get_interface_gateway($snortcfg['interface']);
- if (is_ipaddr($gw) && !in_array($gw, $home_net))
+ if (is_ipaddrv4($gw) && !in_array($gw, $home_net))
$home_net[] = $gw;
$gw = get_interface_gateway_v6($snortcfg['interface']);
// Trim off the interface designation (e.g., %em1) if present
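Review bot: The new `is_ipaddrv6($default_gw)` check reads the same `$default_gw` that the unchanged `exec("/sbin/route -n get default ...")` line produced; without an address-family option that lookup resolves the IPv4 default route, so the v6 branch appears unreachable and an IPv6 default gateway would still never reach HOME_NET. If both families are intended, a second lookup with `-inet6` (`route -n get -inet6 default`) feeding its own `is_ipaddrv6` check would be needed; I have not verified the route output on the target platform. Note also that an IPv6 result here is not stripped of a `%scope` suffix, whereas the interface gateway just below is. The `if ($wangw == 'yes')` block continues beyond the hunk.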
@@ -501,7 +509,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
}
- /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */
+ // Grab a list of vpns enabled - these come back as CIDR mask networks
if ($vpns == 'yes') {
$vpns_list = filter_get_vpns_list();
if (!empty($vpns_list)) {
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index a5cc08d0..e3b38301 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -41,11 +41,17 @@
/* Custom home nets */
$home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']);
$home_net = implode(",", $home_net_list);
-
-$external_net = '!$HOME_NET';
+$home_net = trim($home_net);
+$external_net = "";
if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') {
- $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']);
+ $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname'], false, true);
$external_net = implode(",", $external_net_list);
+ $external_net = "[" . trim($external_net) . "]";
+}
+else {
+ foreach ($home_net_list as $ip)
+ $external_net .= "!{$ip},";
+ $external_net = trim($external_net, ', ');
}
/* User added custom configuration arguments */
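Review bot: The two branches produce `$external_net` in different shapes: the custom-list branch wraps the joined list in `[...]`, while the default branch emits a bare `!a,!b,...` list and yields an empty string when `$home_net_list` is empty, where the removed `!$HOME_NET` always produced a value. Whether Snort accepts the unbracketed form depends on how the template that consumes `$external_net` quotes it, which is outside this hunk; if it inserts the value verbatim, the default branch should bracket as well, `$external_net = "[" . trim($external_net, ', ') . "]";`, and the empty-list case should be handled explicitly rather than writing an empty EXTERNAL_NET into the configuration.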
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index d59a927b..a49d6198 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -690,13 +690,17 @@ include_once("head.inc");
}
}
?>
- </select>&nbsp;&nbsp;
- <span class="vexpl"><?php echo gettext("Choose the External Net you want this interface " .
- "to use."); ?></span>&nbsp;<br/><br/>
+ </select>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="button" class="formbtns" value="View List"
+ onclick="viewList('<?=$id;?>','externallistname','externalnet')" id="btnExternalNet"
+ title="<?php echo gettext("Click to view currently selected External Net contents"); ?>"/>
+ <br/>
+ <?php echo gettext("Choose the External Net you want this interface " .
+ "to use."); ?>&nbsp;<br/><br/>
<span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("Default " .
- "External Net is networks that are not Home Net."); ?><br/>
- <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("Most users should leave this " .
- "setting at default. Create an Alias for custom External Net settings."); ?><br/>
+ "External Net is networks that are not Home Net. Most users should leave this setting at default."); ?><br/>
+ <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;
+ <?php echo gettext("Create a Pass List and add an Alias to it, and then assign the Pass List here for custom External Net settings."); ?><br/>
</td>
</tr>
<tr>
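Review bot: The new View List button interpolates `<?=$id;?>` unescaped into a JavaScript string inside an `onclick` attribute; `$id` is assigned outside this hunk, so I cannot confirm it has already been validated, but if it originates from the request it should be coerced or escaped at this echo so the value cannot terminate the string or the attribute. If `$id` is the numeric interface index the rest of the page uses, `onclick="viewList('<?=(int)$id;?>','externallistname','externalnet')"` is enough; otherwise wrap it in `htmlspecialchars($id, ENT_QUOTES)`.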
diff --git a/config/snort/snort_list_view.php b/config/snort/snort_list_view.php
index 8c3d0134..54f4d7f1 100644
--- a/config/snort/snort_list_view.php
+++ b/config/snort/snort_list_view.php
@@ -66,6 +66,20 @@ if (isset($id) && isset($wlist)) {
$contents = str_replace("\r", "", base64_decode($list['suppresspassthru']));
$title = "Suppress List";
}
+ elseif ($type == "externalnet") {
+ if ($wlist == "default") {
+ $list = snort_build_list($a_rule, $a_rule['homelistname']);
+ $contents = "";
+ foreach ($list as $ip)
+ $contents .= "!{$ip}\n";
+ $contents = trim($contents, "\n");
+ }
+ else {
+ $list = snort_build_list($a_rule, $wlist, false, true);
+ $contents = implode("\n", $list);
+ }
+ $title = "EXTERNAL_NET";
+ }
else
$contents = gettext("\n\nERROR -- Requested List Type entity is not valid!");
}
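Review bot: The default-list branch rebuilds EXTERNAL_NET with its own `!{$ip}` loop, duplicating the loop this same commit adds to snort_generate_conf.php; the viewer is meant to show what the generated configuration contains, so the two will drift apart as soon as one is edited. A small shared helper in snort.inc, e.g. `snort_build_external_net_list($snortcfg)` returning the array of negated entries, would let both callers `implode` it with their own separator. Also, `$title` for this branch is the raw variable name `EXTERNAL_NET`, whereas the sibling branch uses a descriptive title like `"Suppress List"`; `"External Net"` would read consistently with it. The enclosing `if (isset($id) && isset($wlist))` block begins before this hunk.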