authorRenato Botelho <garga@FreeBSD.org>2014-10-20 10:55:49 -0500
committerRenato Botelho <garga@FreeBSD.org>2014-10-20 10:55:49 -0500
commit755f92acd0d789bd8c5fca0e343a631e0049a458 (patch)
tree09f3072f53d72d42bccfa72900f4042bfa937979 /config/snort
parent8177bf04db3ab1b756b36c0fb0f0659e8d85388a (diff)
parent716c1e70b3fd7c1a9bae1dae2dbb975e140851d0 (diff)
Merge pull request #717 from bmeeks8/snort-2.9.6.2-v3.1.3
Diffstat (limited to 'config/snort')
-rw-r--r--config/snort/disablesid-sample.conf43
-rw-r--r--config/snort/enablesid-sample.conf39
-rw-r--r--config/snort/modifysid-sample.conf23
-rwxr-xr-xconfig/snort/snort.inc1554
-rw-r--r--config/snort/snort.priv.inc3
-rwxr-xr-xconfig/snort/snort.xml44
-rw-r--r--config/snort/snort_alerts.js6
-rwxr-xr-xconfig/snort/snort_alerts.php185
-rw-r--r--config/snort/snort_alerts.widget.php35
-rw-r--r--config/snort/snort_barnyard.php55
-rw-r--r--config/snort/snort_blocked.php24
-rw-r--r--config/snort/snort_check_cron_misc.inc145
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php94
-rw-r--r--config/snort/snort_conf_template.inc2
-rwxr-xr-xconfig/snort/snort_define_servers.php8
-rwxr-xr-xconfig/snort/snort_download_updates.php24
-rw-r--r--config/snort/snort_generate_conf.php47
-rw-r--r--config/snort/snort_interface_logs.php253
-rwxr-xr-xconfig/snort/snort_interfaces.php40
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php101
-rw-r--r--config/snort/snort_interfaces_global.php78
-rw-r--r--config/snort/snort_interfaces_suppress.php4
-rw-r--r--config/snort/snort_interfaces_suppress_edit.php8
-rw-r--r--config/snort/snort_ip_list_mgmt.php6
-rw-r--r--config/snort/snort_ip_reputation.php7
-rw-r--r--config/snort/snort_iprep_list_browser.php2
-rw-r--r--config/snort/snort_list_view.php14
-rw-r--r--config/snort/snort_log_mgmt.php416
-rw-r--r--config/snort/snort_migrate_config.php48
-rw-r--r--config/snort/snort_passlist.php6
-rw-r--r--config/snort/snort_passlist_edit.php6
-rw-r--r--config/snort/snort_post_install.php141
-rwxr-xr-xconfig/snort/snort_preprocessors.php5
-rwxr-xr-xconfig/snort/snort_rules.php144
-rw-r--r--config/snort/snort_rules_flowbits.php2
-rwxr-xr-xconfig/snort/snort_rulesets.php179
-rw-r--r--config/snort/snort_sid_mgmt.php597
-rwxr-xr-xconfig/snort/snort_sync.xml21
38 files changed, 3841 insertions, 568 deletions
diff --git a/config/snort/disablesid-sample.conf b/config/snort/disablesid-sample.conf
new file mode 100644
index 00000000..026f4d94
--- /dev/null
+++ b/config/snort/disablesid-sample.conf
@@ -0,0 +1,43 @@
+# example disablesid.conf
+
+# Example of modifying state for individual rules
+# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
+
+# Example of modifying state for rule ranges
+# 1:220-1:3264,3:13010-3:13013
+
+# Comments are allowed in this file, and can also be on the same line
+# As the modify state syntax, as long as it is a trailing comment
+# 1:1011 # I Disabled this rule because I could!
+
+# Example of modifying state for MS and cve rules, note the use of the :
+# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
+# and all MS00 and all cve 2000 related sids! These support regular expression
+# matching only after you have specified what you are looking for, i.e.
+# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
+# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
+# for this.
+# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
+
+# Example of using the pcre: keyword to modify rulestate. the pcre keyword
+# allows for full use of regular expression syntax, you do not need to designate
+# with / and all pcre searches are treated as case insensitive. For more information
+# about regular expression syntax: http://www.regular-expressions.info/
+# The following example modifies state for all MS07 through MS10
+# pcre:MS(0[7-9]|10)-\d+
+# pcre:"Joomla"
+
+# Example of modifying state for specific categories entirely.
+# "snort_" limits to Snort VRT rules, "emerging-" limits to
+# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules.
+# "shellcode" with no prefix would match in any vendor set.
+# snort_web-iis,emerging-shellcode,etpro-imap,shellcode
+
+# Any of the above values can be on a single line or multiple lines, when
+# on a single line they simply need to be separated by a ,
+# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
+
+# The modifications in this file are for sample/example purposes only and
+# should not actively be used, you need to modify this file to fit your
+# environment.
+
diff --git a/config/snort/enablesid-sample.conf b/config/snort/enablesid-sample.conf
new file mode 100644
index 00000000..4cccc5dd
--- /dev/null
+++ b/config/snort/enablesid-sample.conf
@@ -0,0 +1,39 @@
+# example enablesid.conf
+
+# Example of modifying state for individual rules
+# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010
+
+# Example of modifying state for rule ranges
+# 1:220-1:3264,3:13010-3:13013
+
+# Comments are allowed in this file, and can also be on the same line
+# As the modify state syntax, as long as it is a trailing comment
+# 1:1011 # I Disabled this rule because I could!
+
+# Example of modifying state for MS and cve rules, note the use of the :
+# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
+# and all MS00 and all cve 2000 related sids! These support regular expression
+# matching only after you have specified what you are looking for, i.e.
+# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
+# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
+# for this.
+# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+
+
+# Example of using the pcre: keyword to modify rulestate. the pcre keyword
+# allows for full use of regular expression syntax, you do not need to designate
+# with / and all pcre searches are treated as case insensitive. For more information
+# about regular expression syntax: http://www.regular-expressions.info/
+# The following example modifies state for all MS07 through MS10
+# pcre:MS(0[7-9]|10)-\d+
+# pcre:"Joomla"
+
+# Example of modifying state for specific categories entirely.
+# "snort_" limits to Snort VRT rules, "emerging-" limits to
+# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules.
+# "shellcode" with no prefix would match in any vendor set.
+# snort_web-iis,emerging-shellcode,etpro-imap,shellcode
+
+# Any of the above values can be on a single line or multiple lines, when
+# on a single line they simply need to be separated by a ,
+# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233
+
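Review bot: Line 122 of this sample reads `# 1:1011 # I Disabled this rule because I could!`, copied verbatim from disablesid-sample.conf; in an enablesid file the trailing-comment example should say `# 1:1011 # I Enabled this rule because I could!` so a user does not take the wrong meaning from the sample. The rest of the text is otherwise identical to the disablesid sample, which is acceptable, but a one-line header stating that entries in this file enable (rather than disable) the listed SIDs would remove the remaining ambiguity.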
diff --git a/config/snort/modifysid-sample.conf b/config/snort/modifysid-sample.conf
new file mode 100644
index 00000000..d59f84ba
--- /dev/null
+++ b/config/snort/modifysid-sample.conf
@@ -0,0 +1,23 @@
+# example modifysid.conf
+#
+# formatting is simple
+# <sid or sid list> "what I'm replacing" "what I'm replacing it with"
+#
+# Note that this will only work with GID:1 rules, simply because modifying
+# GID:3 SO stub rules would not actually affect the rule.
+#
+# If you are attempting to change rulestate (enable,disable) from here
+# then you are doing it wrong. Do this from within the respective
+# rulestate modification configuration files.
+
+# the following applies to sid 10010 only and represents what would normally
+# be s/to_client/from_server/
+# 10010 "to_client" "from_server"
+
+# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1
+# rules
+# "HTTP_PORTS" "HTTPS_PORTS"
+
+# multiple sids can be specified as noted below:
+# 302,429,1821 "\$EXTERNAL_NET" "\$HOME_NET"
+
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index e442755a..3a384dee 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -41,26 +41,26 @@ require_once("pkg-utils.inc");
require_once("filter.inc");
// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
-ini_set("memory_limit", "192M");
+ini_set("memory_limit", "256M");
// Explicitly declare this as global so it works through function call includes
-global $rebuild_rules, $pfSense_snort_version;
+global $g, $config, $rebuild_rules, $pfSense_snort_version;
// Grab the Snort binary version programmatically, but if that fails use a safe default
$snortver = array();
exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
/* Used to indicate latest version of this include file has been loaded */
-$pfSense_snort_version = "3.1.2";
+$pfSense_snort_version = "3.1.3";
/* get installed package version for display */
$snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
// Define SNORTDIR and SNORTLIBDIR constants according to pfSense version
$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pfs_version < 2.1) {
- define("SNORTDIR", "/usr/local/etc/snort");
- define("SNORTLIBDIR", "/usr/local/lib/snort");
+if ($pfs_version >= 2.2) {
+ define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/local/etc/snort");
+ define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/local/lib/snort");
}
else {
define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort");
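Review bot: The branch selection on lines 205–210 now only distinguishes 2.2+ from "everything else", so a pfSense 2.0 install, which the removed `< 2.1` branch pointed at `/usr/local/etc/snort`, silently falls through to the 2.1 PBI path; if 2.0 is no longer supported, that deserves a comment here and a minimum-version bump in the package metadata rather than a silent fallthrough. The comparison also relies on PHP coercing the 3-character string from `substr(trim(file_get_contents("/etc/version")),0,3)` to a float, which works for "2.1" and "2.2" but would misorder a two-digit minor such as "2.10" (truncated to "2.1"); `if (version_compare($pfs_version, "2.2", ">=")) {` on the untruncated, trimmed version string is the conventional fix.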
@@ -69,19 +69,25 @@ else {
/* Define some useful constants for Snort */
/* Be sure to include trailing slash on the URL defines */
-define("SNORTLOGDIR", "/var/log/snort");
+define("SNORTLOGDIR", "{$g['varlog_path']}/snort");
define("SNORT_BIN_VERSION", "2.9.6.2");
-define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
-define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
-define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
-define("FLOWBITS_FILENAME", "flowbit-required.rules");
-define("ENFORCING_RULES_FILENAME", "snort.rules");
-define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
-define("VRT_FILE_PREFIX", "snort_");
-define("GPL_FILE_PREFIX", "GPLv2_");
-define("ET_OPEN_FILE_PREFIX", "emerging-");
-define("ET_PRO_FILE_PREFIX", "etpro-");
-define("IPREP_PATH", "/var/db/snort/iprep/");
+define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
+define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
+define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
+define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
+define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
+define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
+if (!defined("FLOWBITS_FILENAME"))
+ define("FLOWBITS_FILENAME", "flowbit-required.rules");
+if (!defined("VRT_FILE_PREFIX"))
+ define("VRT_FILE_PREFIX", "snort_");
+if (!defined("GPL_FILE_PREFIX"))
+ define("GPL_FILE_PREFIX", "GPLv2_");
+if (!defined("ET_OPEN_FILE_PREFIX"))
+ define("ET_OPEN_FILE_PREFIX", "emerging-");
+if (!defined("ET_PRO_FILE_PREFIX"))
+ define("ET_PRO_FILE_PREFIX", "etpro-");
/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;
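Review bot: Lines 217–227 rename ET_DNLD_FILENAME, ETPRO_DNLD_FILENAME, GPLV2_DNLD_FILENAME, ENFORCING_RULES_FILENAME, RULES_UPD_LOGFILE and IPREP_PATH to SNORT_-prefixed names without leaving the old names defined. In PHP 5 a reference to an undefined constant only raises a notice and evaluates to the bare name as a string, so any caller not updated in this merge that still writes to RULES_UPD_LOGFILE would silently create a file literally named `RULES_UPD_LOGFILE` relative to the working directory instead of failing. Because the `!defined()` guards on FLOWBITS_FILENAME and the *_FILE_PREFIX names on lines 235–244 suggest the unprefixed names can collide with another package's include, re-adding the old names as aliases is not the answer; a grep across the package confirming no unprefixed references remain is. The new `define('SNORT_SID_MODS_PATH', ...)` on line 234 also uses single quotes where every neighbouring define uses double quotes.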
@@ -307,7 +313,7 @@ function snort_find_list($find_name, $type = 'whitelist') {
}
/* func builds custom whitelists and the HOME_NET variable */
-function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
+function snort_build_list($snortcfg, $listname = "", $whitelist = false, $externallist = false) {
/***********************************************************/
/* The default is to build a HOME_NET variable unless */
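Review bot: The new `$externallist` parameter added on line 251 is not described in the function header comment that begins on line 252, and from the later hunks it changes what the list implies: the loopback addresses are no longer added (lines 273–278) and the interface's own addresses are included only when the list's local-networks option is set (lines 286 and 296). Add a line to the header such as `/* $externallist = TRUE builds a pass/external list: only entries */` `/* explicitly selected in the named list are included, nothing is implied. */`. snort_build_list's body continues past this hunk.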
@@ -317,9 +323,10 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
global $config, $g, $aliastable, $filterdns;
$home_net = array();
- if ($listname == 'default' || empty($listname)) {
+ if (!$externallist && ($listname == 'default' || empty($listname))) {
$localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes';
- } else {
+ }
+ else {
$list = snort_find_list($listname);
if (empty($list))
return $list;
@@ -334,10 +341,12 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
/* Always add loopback addresses to HOME_NET and whitelist */
- if (!in_array("127.0.0.1", $home_net))
- $home_net[] = "127.0.0.1";
- if (!in_array("::1", $home_net))
- $home_net[] = "::1";
+ if (!$externallist) {
+ if (!in_array("127.0.0.1", $home_net))
+ $home_net[] = "127.0.0.1";
+ if (!in_array("::1", $home_net))
+ $home_net[] = "::1";
+ }
/********************************************************************/
/* Always put the interface running Snort in HOME_NET and whitelist */
@@ -348,7 +357,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
/* though, to prevent locking out the firewall itself. */
/********************************************************************/
$snortip = get_interface_ip($snortcfg['interface']);
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {
if (is_ipaddr($snortip)) {
if ($snortcfg['interface'] <> "wan") {
$sn = get_interface_subnet($snortcfg['interface']);
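Review bot: The compound test on line 286 is repeated verbatim on lines 308 and 338 of the following hunks; evaluating it once into a named local, e.g. `$add_local_nets = ($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)));`, and testing `if ($add_local_nets)` at each site makes the intent readable and keeps the three sites from drifting apart. Note also that within this view `$localnet` is only assigned on the non-external default branch at line 259; if the external-list branch can leave it unset, `$localnet == 'yes'` is false and `$localnet != 'yes'` on line 296 is true, which is probably the intended "not selected" outcome but is worth making explicit with `$localnet = 'no';` before the branch. snort_build_list's body continues outside this hunk.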
@@ -358,15 +367,19 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
}
}
- else {
- if (is_ipaddr($snortip)) {
+ elseif (!$externallist && $localnet != 'yes') {
+ if (is_ipaddrv4($snortip)) {
if (!in_array($snortip, $home_net))
$home_net[] = $snortip;
}
}
+ // Grab the IPv6 address if we have one assigned
$snortip = get_interface_ipv6($snortcfg['interface']);
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($snortip, "%") !== FALSE)
+ $snortip = substr($snortip, 0, strpos($snortip, "%"));
+ if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {
if (is_ipaddrv6($snortip)) {
if ($snortcfg['interface'] <> "wan") {
$sn = get_interface_subnetv6($snortcfg['interface']);
@@ -376,19 +389,16 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
}
}
- else {
+ elseif (!$externallist && $localnet != 'yes') {
if (is_ipaddrv6($snortip)) {
- // Trim off the interface designation (e.g., %em1) if present
- if (strpos($snortip, "%") !== FALSE)
- $snortip = substr($snortip, 0, strpos($snortip, "%"));
if (!in_array($snortip, $home_net))
$home_net[] = $snortip;
}
}
- // Add link-local address
+ // Add link-local address if user included locally-attached networks
$snortip = get_interface_linklocal($snortcfg['interface']);
- if (!empty($snortip)) {
+ if (!empty($snortip) && $localnet == 'yes') {
// Trim off the interface designation (e.g., %em1) if present
if (strpos($snortip, "%") !== FALSE)
$snortip = substr($snortip, 0, strpos($snortip, "%"));
@@ -396,7 +406,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
$home_net[] = $snortip;
}
- if (!$whitelist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!$externallist && (!$whitelist || $localnet == 'yes' || empty($localnet)))) {
/*************************************************************************/
/* Iterate through the interface list and write out whitelist items and */
/* also compile a HOME_NET list of all the local interfaces for snort. */
@@ -408,7 +418,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
if ($int == "wan")
continue;
$subnet = get_interface_ip($int);
- if (is_ipaddr($subnet)) {
+ if (is_ipaddrv4($subnet)) {
$sn = get_interface_subnet($int);
$ip = gen_subnet($subnet, $sn) . "/{$sn}";
if (!in_array($ip, $home_net))
@@ -416,6 +426,9 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
$subnet = get_interface_ipv6($int);
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($subnet, "%") !== FALSE)
+ $subnet = substr($subnet, 0, strpos($subnet, "%"));
if (is_ipaddrv6($subnet)) {
$sn = get_interface_subnetv6($int);
$ip = gen_subnetv6($subnet, $sn). "/{$sn}";
@@ -437,20 +450,19 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
if ($wanip == 'yes') {
$ip = get_interface_ip("wan");
- if (is_ipaddr($ip)) {
+ if (is_ipaddrv4($ip)) {
if (!in_array($ip, $home_net))
$home_net[] = $ip;
}
$ip = get_interface_ipv6("wan");
+ // Trim off the interface designation (e.g., %em1) if present
+ if (strpos($ip, "%") !== FALSE)
+ $ip = substr($ip, 0, strpos($ip, "%"));
if (is_ipaddrv6($ip)) {
- // Trim off the interface designation (e.g., %em1) if present
- if (strpos($ip, "%") !== FALSE)
- $ip = substr($ip, 0, strpos($ip, "%"));
if (!in_array($ip, $home_net))
$home_net[] = $ip;
}
-
- // Add link-local address
+ // Explicitly grab the WAN Link-Local address
$snortip = get_interface_linklocal("wan");
if (!empty($snortip)) {
// Trim off the interface designation (e.g., %em1) if present
@@ -464,12 +476,14 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
if ($wangw == 'yes') {
/* Grab the default gateway if set */
$default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'");
- if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net))
+ if (is_ipaddrv4($default_gw) && !in_array($default_gw, $home_net))
+ $home_net[] = $default_gw;
+ if (is_ipaddrv6($default_gw) && !in_array($default_gw, $home_net))
$home_net[] = $default_gw;
/* Get any other interface gateway and put in $HOME_NET if not there already */
$gw = get_interface_gateway($snortcfg['interface']);
- if (is_ipaddr($gw) && !in_array($gw, $home_net))
+ if (is_ipaddrv4($gw) && !in_array($gw, $home_net))
$home_net[] = $gw;
$gw = get_interface_gateway_v6($snortcfg['interface']);
// Trim off the interface designation (e.g., %em1) if present
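Review bot: The new IPv6 test on line 392 examines the same `$default_gw` string that line 388 obtained from `/sbin/route -n get default`; on FreeBSD that command resolves the IPv4 default route unless `-inet6` is given, so as far as I can tell the `is_ipaddrv6($default_gw)` branch can never be true and the IPv6 default gateway is still not added to HOME_NET. If the intent is to include it, do a second lookup, e.g. `$default_gw6 = exec("/sbin/route -n get -inet6 default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'");`, test that with `is_ipaddrv6()` after trimming any `%scope` suffix as the code below does for `$gw`; otherwise the two checks collapse back to a single `is_ipaddr()`.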
@@ -500,7 +514,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) {
}
}
- /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */
+ // Grab a list of vpns enabled - these come back as CIDR mask networks
if ($vpns == 'yes') {
$vpns_list = filter_get_vpns_list();
if (!empty($vpns_list)) {
@@ -542,9 +556,19 @@ function snort_barnyard_stop($snortcfg, $if_real) {
$snort_uuid = $snortcfg['uuid'];
if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
- log_error("[Snort] Barnyard2 STOP for {$snortcfg['descr']}({$if_real})...");
+ log_error("[Snort] Barnyard2 STOP for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid");
+
+ // Now wait up to 5 seconds for Barnyard2 to actually stop and clear its PID file
+ $count = 0;
+ do {
+ if (!isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid"))
+ break;
+ sleep(1);
+ $count++;
+ } while ($count < 5);
}
+ unlink_if_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid");
}
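Review bot: After the wait loop, line 425 removes the Barnyard2 PID file unconditionally, including the case where the process was still alive when the 5 s budget ran out; snort_stop in the next hunk (lines 434–444) does the same with a 10 s budget. Once the PID file is gone, `isvalidpid()` reports the daemon as stopped, so the `!isvalidpid` guards added to snort_barnyard_start and snort_start will launch a second instance beside the orphan on the same interface and unified2 spool, and the orphan is invisible to the stop path as well. Before unlinking, log the timeout, e.g. `log_error("[Snort] Barnyard2 on {$if_real} did not exit within 5 seconds, forcing it...");`, and escalate to a forced kill of the PID read from the file, so the PID file is only removed once the process is known to be gone.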
function snort_stop($snortcfg, $if_real) {
@@ -552,56 +576,124 @@ function snort_stop($snortcfg, $if_real) {
$snort_uuid = $snortcfg['uuid'];
if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
- log_error("[Snort] Snort STOP for {$snortcfg['descr']}({$if_real})...");
+ log_error("[Snort] Snort STOP for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
killbypid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid");
+
+ // Now wait up to 10 seconds for Snort to actually stop and clear its PID file
+ $count = 0;
+ do {
+ if (!isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"))
+ break;
+ sleep(1);
+ $count++;
+ } while ($count < 10);
}
+ unlink_if_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid");
snort_barnyard_stop($snortcfg, $if_real);
}
-function snort_barnyard_start($snortcfg, $if_real) {
+function snort_barnyard_start($snortcfg, $if_real, $background=FALSE) {
global $config, $g;
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
- /* define snortbarnyardlog_chk */
- if ($snortcfg['barnyard_enable'] == 'on') {
- log_error("[Snort] Barnyard2 START for {$snortcfg['descr']}({$if_real})...");
- mwexec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
+ if ($snortcfg['barnyard_enable'] == 'on' && !isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
+ log_error("[Snort] Barnyard2 START for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
+ if ($background)
+ mwexec_bg("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
+ else
+ mwexec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
}
}
-function snort_start($snortcfg, $if_real) {
+function snort_start($snortcfg, $if_real, $background=FALSE) {
global $config, $g;
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
- if ($snortcfg['enable'] == 'on') {
- log_error("[Snort] Snort START for {$snortcfg['descr']}({$if_real})...");
- mwexec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ if ($snortcfg['enable'] == 'on' && !isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
+ log_error("[Snort] Snort START for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
+ if ($background)
+ mwexec_bg("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ else
+ mwexec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ snort_barnyard_start($snortcfg, $if_real, $background);
}
- else
+}
+
+function snort_start_all_interfaces($background=FALSE) {
+
+ /*************************************************************/
+ /* This function starts all configured and enabled Snort */
+ /* interfaces. */
+ /*************************************************************/
+
+ global $g, $config;
+
+ /* do nothing if no Snort interfaces active */
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $snortcfg) {
+ if ($snortcfg['enable'] != 'on')
+ continue;
+ snort_start($snortcfg, get_real_interface($snortcfg['interface']), $background);
+ }
+}
+
+function snort_stop_all_interfaces() {
+
+ /*************************************************************/
+ /* This function stops all configured Snort interfaces. */
+ /*************************************************************/
+
+ global $g, $config;
+
+ /* do nothing if no Snort interfaces active */
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $snortcfg) {
+ snort_stop($snortcfg, get_real_interface($snortcfg['interface']));
+ }
+}
+
+function snort_restart_all_interfaces() {
+
+ /*************************************************************/
+ /* This function stops all configured Snort interfaces and */
+ /* restarts enabled Snort interfaces. */
+ /*************************************************************/
+
+ global $g, $config;
+
+ /* do nothing if no Snort interfaces active */
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
- snort_barnyard_start($snortcfg, $if_real);
+ snort_stop_all_interfaces();
+ sleep(2);
+ snort_start_all_interfaces(TRUE);
}
-/**************************************************************/
-/* This function sends the passed SIGNAL to the Snort */
-/* instance on the passed interface to cause Snort to reload */
-/* and parse the running configuration without stopping */
-/* packet processing. It also executes the reload as a */
-/* background process and returns control immediately to the */
-/* caller. */
-/* */
-/* $signal = SIGHUP (default) parses and reloads config. */
-/* SIGURG updates Host Attribute Table. */
-/**************************************************************/
function snort_reload_config($snortcfg, $signal="SIGHUP") {
+
+ /*************************************************************/
+ /* This function sends the passed SIGNAL to the Snort */
+ /* instance on the passed interface to cause Snort to */
+ /* reload and parse the running configuration without */
+ /* stopping packet processing. It also executes the */
+ /* the reload as a background process and returns control */
+ /* immediately to the caller. */
+ /* */
+ /* $signal = SIGHUP (default) parses and reloads config. */
+ /* SIGURG updates Host Attribute Table. */
+ /*************************************************************/
global $config, $g;
$snortdir = SNORTDIR;
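Review bot: Lines 459–462 and 476–479 duplicate a long command string that differs only in whether `mwexec` or `mwexec_bg` runs it; build the string once and select the runner, which also gives a single place to apply `escapeshellarg()` to the config-derived `$if_real` and `$snort_uuid` that are interpolated into the shell command unquoted. Separately, moving the `snort_barnyard_start()` call inside the `!isvalidpid(...)` block on lines 474–481 means that when Snort is already running but Barnyard2 has died, snort_start() no longer restarts Barnyard2, whereas the old code reached line 534 whenever `enable == 'on'`; if that is not intended, the call belongs after the block, as below. snort_reload_config's body continues past this hunk.
```php
function snort_start($snortcfg, $if_real, $background=FALSE) {
	// … unchanged: globals and $snortdir/$snortlogdir/$snort_uuid setup …
	if ($snortcfg['enable'] != 'on')
		return;
	if (!isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
		log_error("[Snort] Snort START for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
		$cmd = "/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i " . escapeshellarg($if_real);
		if ($background)
			mwexec_bg($cmd);
		else
			mwexec($cmd);
	}
	// Barnyard2 is (re)started even when Snort itself was already up
	snort_barnyard_start($snortcfg, $if_real, $background);
}
```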
@@ -613,23 +705,23 @@ function snort_reload_config($snortcfg, $signal="SIGHUP") {
/* can find a valid PID for the process. */
/******************************************************/
if (isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
- log_error("[Snort] Snort RELOAD CONFIG for {$snortcfg['descr']} ({$if_real})...");
+ log_error("[Snort] Snort RELOAD CONFIG for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid");
}
}
function snort_barnyard_reload_config($snortcfg, $signal="HUP") {
- /**************************************************************/
- /* This function sends the passed SIGNAL to the Barnyard2 */
- /* instance on the passed interface to cause Barnyard to */
- /* reload and parse the running configuration without */
- /* impacting packet processing. It also executes the reload */
- /* as a background process and returns control immediately */
- /* to the caller. */
- /* */
- /* $signal = HUP (default) parses and reloads config. */
- /**************************************************************/
+ /*************************************************************/
+ /* This function sends the passed SIGNAL to the Barnyard2 */
+ /* instance on the passed interface to cause Barnyard to */
+ /* reload and parse the running configuration without */
+ /* impacting packet processing. It also executes the reload */
+ /* as a background process and returns control immediately */
+ /* to the caller. */
+ /* */
+ /* $signal = HUP (default) parses and reloads config. */
+ /*************************************************************/
global $g;
$snortdir = SNORTDIR;
@@ -641,7 +733,7 @@ function snort_barnyard_reload_config($snortcfg, $signal="HUP") {
/* we can find a valid PID for the process. */
/******************************************************/
if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
- log_error("[Snort] Barnyard2 CONFIG RELOAD initiated for {$snortcfg['descr']} ({$if_real})...");
+ log_error("[Snort] Barnyard2 CONFIG RELOAD initiated for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid");
}
}
@@ -693,14 +785,79 @@ function snort_Getdirsize($node) {
return substr( $blah, 0, strpos($blah, 9) );
}
+function snort_cron_job_exists($crontask, $match_time=FALSE, $minute="0", $hour="*", $monthday="*", $month="*", $weekday="*", $who="root") {
+
+ /************************************************************
+ * This function iterates the cron[] array in the config *
+ * to determine if the passed $crontask entry exists. It *
+ * returns TRUE if the $crontask already exists, or FALSE *
+ * if there is no match. *
+ * *
+ * The $match_time flag, when set, causes a test of the *
+ * configured task execution times along with the task *
+ * when checking for a match. *
+ * *
+ * We use this to prevent unneccessary config writes if *
+ * the $crontask already exists. *
+ ************************************************************/
+
+ global $config, $g;
+
+ if (!is_array($config['cron']))
+ $config['cron'] = array();
+ if (!is_array($config['cron']['item']))
+ $config['cron']['item'] = array();
+
+ foreach($config['cron']['item'] as $item) {
+ if(strpos($item['command'], $crontask) !== FALSE) {
+ if ($match_time) {
+ if ($item['minute'] != $minute)
+ return FALSE;
+ if ($item['hour'] != $hour)
+ return FALSE;
+ if ($item['mday'] != $monthday)
+ return FALSE;
+ if ($item['month'] != $month)
+ return FALSE;
+ if ($item['wday'] != $weekday)
+ return FALSE;
+ if ($item['who'] != $who)
+ return FALSE;
+ }
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
function snort_snortloglimit_install_cron($should_install=TRUE) {
+ // See if simply removing existing "loglimit" job for Snort
+ if ($should_install == FALSE) {
+ if (snort_cron_job_exists("snort/snort_check_cron_misc.inc", FALSE))
+ install_cron_job("snort_check_cron_misc.inc", false);
+ return;
+ }
+
+ // If there are no changes in the cron job command string from the existing job, then exit.
+ if ($should_install && snort_cron_job_exists("/usr/local/pkg/snort/snort_check_cron_misc.inc", TRUE, "*/5"))
+ return;
+
+ // Else install the new or updated cron job
install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc", $should_install, "*/5");
}
function snort_rm_blocked_install_cron($should_install) {
global $config, $g;
+ // See if simply removing existing "expiretable" job for Snort
+ if ($should_install == FALSE) {
+ if (snort_cron_job_exists("snort2c", FALSE))
+ install_cron_job("snort2c", false);
+ return;
+ }
+
+ // Grab the configured interval from our configuration
$snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked'];
if ($snort_rm_blocked_info_ck == "15m_b") {
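Review bot: In snort_cron_job_exists (lines 632–651) the match is a substring test, `strpos($item['command'], $crontask) !== FALSE`, and with `$match_time` set the first item containing the substring decides the answer: a schedule mismatch on that item returns FALSE even if a later item matches both command and schedule. That is tolerable while each Snort task string is unique in the crontab, but the short needles the callers pass (`"snort2c"`, `"snort_check_cron_misc.inc"`) would also match another package's job containing the same text; using `continue;` instead of `return FALSE;` on a schedule mismatch makes the loop examine every candidate. Also snort_snortloglimit_install_cron tests for `"snort/snort_check_cron_misc.inc"` on line 657 but removes with `"snort_check_cron_misc.inc"` on line 658; the two needles should be the same string.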
@@ -784,13 +941,15 @@ function snort_rm_blocked_install_cron($should_install) {
$snort_rm_blocked_expire = "2419200";
}
- // First remove any existing "expiretable" jobs for Snort.
- install_cron_job("snort2c", false);
+ // Construct the basic cron command task
+ $command = "/usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire {$snort_rm_blocked_expire}";
+
+ // If there are no changes in the cron job command string from the existing job, then exit.
+ if (snort_cron_job_exists($command, TRUE, $snort_rm_blocked_min, $snort_rm_blocked_hr, $snort_rm_blocked_mday, $snort_rm_blocked_month, $snort_rm_blocked_wday, "root"))
+ return;
- // Now either install the new or updated cron job,
- // or return if "rm_blocked" is disabled
+ // Else install the new or updated cron job
if ($should_install) {
- $command = "/usr/bin/nice -n20 /sbin/pfctl -q -t snort2c -T expire {$snort_rm_blocked_expire}";
install_cron_job($command, $should_install, $snort_rm_blocked_min, $snort_rm_blocked_hr, $snort_rm_blocked_mday, $snort_rm_blocked_month, $snort_rm_blocked_wday, "root");
}
}
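Review bot: The removed lines 684–685 used to clear any existing `snort2c` expire job before installing; the replacement on lines 686–697 only skips the install when the exact new `$command`, which embeds `$snort_rm_blocked_expire`, already exists with the same schedule. When the user changes the interval, the old job's command string carries a different expire value, so it is neither matched here nor, if `install_cron_job()` locates existing entries by the command text it is given, replaced by it, which would leave two `pfctl -t snort2c -T expire` jobs in the crontab. Keeping the stale-entry removal on the install path preserves the no-rewrite optimisation without the duplicate: `if ($should_install) { install_cron_job("snort2c", false); install_cron_job($command, $should_install, ...); }` after the exists check returns. snort_rm_blocked_install_cron starts outside this hunk.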
@@ -799,13 +958,15 @@ function snort_rm_blocked_install_cron($should_install) {
function snort_rules_up_install_cron($should_install) {
global $config, $g;
- // Remove any existing job first
- install_cron_job("snort_check_for_rule_updates.php", false);
-
- // If called with FALSE as argument, then we're done
- if ($should_install == FALSE)
+ // If called with FALSE as argument, then we're removing
+ // the existing job.
+ if ($should_install == FALSE) {
+ if (snort_cron_job_exists("snort_check_for_rule_updates.php", FALSE))
+ install_cron_job("snort_check_for_rule_updates.php", false);
return;
+ }
+ // Grab the configured update interval from our configuration
$snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7'];
/* See if a customized start time has been set for rule file updates */
@@ -869,8 +1030,16 @@ function snort_rules_up_install_cron($should_install) {
$snort_rules_up_wday = "*";
}
+ // Construct the basic cron command task
$command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php";
- install_cron_job($command, $should_install, $snort_rules_up_min, $snort_rules_up_hr, $snort_rules_up_mday, $snort_rules_up_month, $snort_rules_up_wday, "root");
+
+ // If there are no changes in the cron job command string from the existing job, then exit
+ if (snort_cron_job_exists($command, TRUE, $snort_rules_up_min, $snort_rules_up_hr, $snort_rules_up_mday, $snort_rules_up_month, $snort_rules_up_wday, "root"))
+ return;
+
+ // Else install the new or updated cron job
+ if ($should_install)
+ install_cron_job($command, $should_install, $snort_rules_up_min, $snort_rules_up_hr, $snort_rules_up_mday, $snort_rules_up_month, $snort_rules_up_wday, "root");
}
/* Only run when all ifaces needed to sync. Expects filesystem rw */
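Review bot: The comment before the early exit says the exit happens when "the cron job command string" is unchanged, but the check also passes the five schedule fields and the user, so a job with the same command and a changed schedule is not treated as unchanged. Suggest `// Nothing to do if an identical job (same command, schedule and user) is already installed`. The same wording is used for the equivalent checks in snort_rm_blocked_install_cron and the loglimit job earlier in this diff.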
@@ -881,32 +1050,30 @@ function sync_snort_package_config() {
$snortdir = SNORTDIR;
$rcdir = RCFILEPREFIX;
- conf_mount_rw();
-
/* do not start config build if rules is empty or there are no Snort settings */
if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) {
- @unlink("{$rcdir}snort.sh");
- conf_mount_ro();
return;
}
$snortconf = $config['installedpackages']['snortglobal']['rule'];
foreach ($snortconf as $value) {
- $if_real = get_real_interface($value['interface']);
+ /* Skip configuration of any disabled interface */
+ if ($value['enable'] != 'on')
+ continue;
- /* create a snort.conf file for interface */
+ /* create a snort.conf file for interface */
snort_generate_conf($value);
- /* create barnyard2.conf file for interface */
+ /* create barnyard2.conf file for interface */
if ($value['barnyard_enable'] == 'on')
- snort_generate_barnyard2_conf($value, $if_real);
+ snort_generate_barnyard2_conf($value, get_real_interface($value['interface']));
}
- /* create snort bootup file snort.sh only create once */
- snort_create_rc();
-
$snortglob = $config['installedpackages']['snortglobal'];
+ /* create snort bootup file snort.sh */
+ snort_create_rc();
+
snort_snortloglimit_install_cron(true);
/* set the snort block hosts time IMPORTANT */
@@ -915,13 +1082,9 @@ function sync_snort_package_config() {
/* set the snort rules update time */
snort_rules_up_install_cron($snortglob['autorulesupdate7'] != "never_up" ? true : false);
- configure_cron();
-
/* Do not attempt package sync if reinstalling package or booting */
if (!$g['snort_postinstall'] && !$g['booting'])
snort_sync_on_changes();
-
- conf_mount_ro();
}
function snort_build_sid_msg_map($rules_path, $sid_file) {
@@ -1157,11 +1320,11 @@ function snort_load_rules_map($rules_path) {
if (empty($rules_path))
return $map_ref;
- /***************************************************************
+ /************************************************************************************
* Read all the rules into the map array.
* The structure of the map array is:
*
- * map[gid][sid]['rule']['category']['disabled']['action']['flowbits']
+ * map[gid][sid]['rule']['category']['action']['disabled']['managed']['flowbits']
*
* where:
* gid = Generator ID from rule, or 1 if general text
@@ -1169,12 +1332,14 @@ function snort_load_rules_map($rules_path) {
* sid = Signature ID from rule
* rule = Complete rule text
* category = File name of file containing the rule
+ * action = alert, drop, reject or pass
* disabled = 1 if rule is disabled (commented out), 0 if
* rule is enabled
- * action = alert|log|pass|drop|reject|sdrop
+ * managed = 1 if rule is auto-managed by SID MGMT process,
+ * 0 if not auto-managed
* flowbits = Array of applicable flowbits if rule contains
* flowbits options
- ***************************************************************/
+ ************************************************************************************/
/* First check if we were passed a directory, a single file */
/* or an array of filenames to read. Set our $rule_files */
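Review bot: The rewritten description of the `action` element lists only alert, drop, reject or pass, while the line it replaces also named log and sdrop; unless the loader now normalises other action keywords (nothing in this hunk shows that), the comment under-describes the values a consumer of the map can encounter. Suggest `* action = rule action keyword as parsed from the rule text (alert, log, pass, drop, reject or sdrop)`. This and the previous hunk are comment-only changes to the same block comment in snort_load_rules_map.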
@@ -1661,7 +1826,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) {
/* rules file will be written. */
/************************************************/
- $rule_file = "/" . ENFORCING_RULES_FILENAME;
+ $rule_file = "/" . SNORT_ENFORCING_RULES_FILENAME;
/* See if we were passed a directory or full */
/* filename to write the rules to, and adjust */
@@ -1697,6 +1862,854 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) {
}
}
+function snort_parse_sidconf_file($sidconf_file) {
+
+ /**********************************************/
+ /* This function loads and processes the file */
+ /* specified by '$sidconf_file'. The file is */
+ /* assumed to contain valid instructions for */
+ /* matching rule SIDs as supported by the */
+ /* Oinkmaster and PulledPork utilities. */
+ /* */
+ /* $sidconf_file ==> full path and name of */
+ /* file to process */
+ /* */
+ /* Returns ==> an array containing */
+ /* SID modifier tokens */
+ /**********************************************/
+
+ $buf = "";
+ $sid_mods = array();
+
+ $fd = fopen("{$sidconf_file}", "r");
+ if ($fd == FALSE) {
+ log_error("[Snort] Failed to open SID MGMT file '{$sidconf_file}' for processing.");
+ return $sid_mods;
+ }
+
+ // Read and parse the conf file line-by-line
+ while (($buf = fgets($fd)) !== FALSE) {
+ $line = array();
+
+ // Skip any lines that may be just spaces.
+ if (trim($buf, " \r\n") == "")
+ continue;
+
+ // Skip line with leading "#" since it's a comment
+ if (preg_match('/^\s*#/', $buf))
+ continue;
+
+ // Trim off any trailing comment
+ $line = explode("#", $buf);
+
+ // Trim leading and trailing spaces plus newline and any carriage returns
+ $buf = trim($line[0], ' \r\n');
+
+ // Now split the SID mod arguments at the commas, if more than one
+ // per line, and add to our $sid_mods array.
+ $line = explode(",", $buf);
+ foreach ($line as $ent)
+ $sid_mods[] = trim($ent);
+ }
+
+ // Close the file, release unneeded memory and return
+ // the array of SID mod tokens parsed from the file.
+ fclose($fd);
+ unset($line, $buf);
+ return $sid_mods;
+}
+
+function snort_sid_mgmt_auto_categories($snortcfg, $log_results = FALSE) {
+
+ /****************************************************/
+ /* This function parses any auto-SID conf files */
+ /* configured for the interface and returns an */
+ /* array of rule categories adjusted from the */
+ /* ['enabled_rulesets'] element in the config for */
+ /* the interface in accordance with the contents */
+ /* of the SID Mgmt conf files. */
+ /* */
+ /* The returned array shows which files should be */
+ /* removed and which should be added to the list */
+ /* used when building the enforcing ruleset. */
+ /* */
+ /* $snortcfg ==> pointer to interface */
+ /* configuration info */
+ /* $log_results ==> [optional] log results to */
+ /* 'sid_changes.log' in the */
+ /* interface directory in */
+ /* /var/log/snort when TRUE */
+ /* */
+ /* Returns ==> array of category file names */
+ /* for the interface. The keys */
+ /* are category file names and */
+ /* the corresponding values show */
+ /* if the file should be added */
+ /* or removed from the enabled */
+ /* rulesets list. */
+ /* */
+ /* Example - */
+ /* $changes[file] = 'enabled' */
+ /* */
+ /****************************************************/
+
+ global $config;
+ $snort_sidmods_dir = SNORT_SID_MODS_PATH;
+ $sid_mods = array();
+ $enables = array();
+ $disables = array();
+
+ // Check if auto-mgmt of SIDs is enabled, exit if not
+ if ($config['installedpackages']['snortglobal']['auto_manage_sids'] != 'on')
+ return array();
+ if (empty($snortcfg['disable_sid_file']) && empty($snortcfg['enable_sid_file']))
+ return array();
+
+ // Configure the interface's logging subdirectory if log results is enabled
+ if ($log_results == TRUE)
+ $log_file = SNORTLOGDIR . "/snort_" . get_real_interface($snortcfg['interface']) . "{$snortcfg['uuid']}/sid_changes.log";
+ else
+ $log_file = NULL;
+
+ // Get the list of currently enabled categories for the interface
+ if (!empty($snortcfg['rulesets']))
+ $enabled_cats = explode("||", $snortcfg['rulesets']);
+
+ if ($log_results == TRUE) {
+ error_log(gettext("********************************************************\n"), 3, $log_file);
+ error_log(gettext("Starting auto RULE CATEGORY management for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) ."\n"), 3, $log_file);
+ error_log(gettext("Start Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file);
+ }
+
+ switch ($snortcfg['sid_state_order']) {
+ case "disable_enable":
+ if (!empty($snortcfg['disable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing disable_sid file: {$snortcfg['disable_sid_file']}\n"), 3, $log_file);
+
+ // Attempt to open the 'disable_sid_file' for the interface
+ if (!file_exists("{$snort_sidmods_dir}{$snortcfg['disable_sid_file']}")) {
+ log_error(gettext("[Snort] Error - unable to open 'disable_sid_file' \"{$snortcfg['disable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ if ($log_results == TRUE)
+ error_log(gettext("Unable to open disable_sid file \"{$snortcfg['disable_sid_file']}\".\n"), 3, $log_file);
+ }
+ else
+ $sid_mods = snort_parse_sidconf_file("{$snort_sidmods_dir}{$snortcfg['disable_sid_file']}");
+
+ if (!empty($sid_mods))
+ $disables = snort_get_auto_category_mods($enabled_cats, $sid_mods, "disable", $log_results, $log_file);
+ elseif ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext("WARNING: no valid SID match tokens found in file \"{$snortcfg['disable_sid_file']}\".\n"), 3, $log_file);
+ }
+ }
+ if (!empty($snortcfg['enable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing enable_sid file: {$snortcfg['enable_sid_file']}\n"), 3, $log_file);
+
+ // Attempt to open the 'enable_sid_file' for the interface
+ if (!file_exists("{$snort_sidmods_dir}{$snortcfg['enable_sid_file']}")) {
+ log_error(gettext("[Snort] Error - unable to open 'enable_sid_file' \"{$snortcfg['enable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ if ($log_results == TRUE)
+ error_log(gettext("Unable to open enable_sid file \"{$snortcfg['enable_sid_file']}\".\n"), 3, $log_file);
+ }
+ else
+ $sid_mods = snort_parse_sidconf_file("{$snort_sidmods_dir}{$snortcfg['enable_sid_file']}");
+
+ if (!empty($sid_mods))
+ $enables = snort_get_auto_category_mods($enabled_cats, $sid_mods, "enable", $log_results, $log_file);
+ elseif ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext("WARNING: no valid SID match tokens found in file \"{$snortcfg['enable_sid_file']}\".\n"), 3, $log_file);
+ }
+ }
+ break;
+
+ case "enable_disable":
+ if (!empty($snortcfg['enable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing enable_sid file: {$snortcfg['enable_sid_file']}\n"), 3, $log_file);
+
+ // Attempt to open the 'enable_sid_file' for the interface
+ if (!file_exists("{$snort_sidmods_dir}{$snortcfg['enable_sid_file']}")) {
+ log_error(gettext("[Snort] Error - unable to open 'enable_sid_file' \"{$snortcfg['enable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ if ($log_results == TRUE)
+ error_log(gettext("Unable to open enable_sid file \"{$snortcfg['enable_sid_file']}\".\n"), 3, $log_file);
+ }
+ else
+ $sid_mods = snort_parse_sidconf_file("{$snort_sidmods_dir}{$snortcfg['enable_sid_file']}");
+
+ if (!empty($sid_mods))
+ $enables = snort_get_auto_category_mods($enabled_cats, $sid_mods, "enable", $log_results, $log_file);
+ elseif ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext("WARNING: no valid SID match tokens found in file \"{$snortcfg['enable_sid_file']}\".\n"), 3, $log_file);
+ }
+ }
+ if (!empty($snortcfg['disable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing disable_sid file: {$snortcfg['disable_sid_file']}\n"), 3, $log_file);
+
+ // Attempt to open the 'disable_sid_file' for the interface
+ if (!file_exists("{$snort_sidmods_dir}{$snortcfg['disable_sid_file']}")) {
+ log_error(gettext("[Snort] Error - unable to open 'disable_sid_file' \"{$snortcfg['disable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ if ($log_results == TRUE)
+ error_log(gettext("Unable to open disable_sid file \"{$snortcfg['disable_sid_file']}\".\n"), 3, $log_file);
+ }
+ else
+ $sid_mods = snort_parse_sidconf_file("{$snort_sidmods_dir}{$snortcfg['disable_sid_file']}");
+
+ if (!empty($sid_mods))
+ $disables = snort_get_auto_category_mods($enabled_cats, $sid_mods, "disable", $log_results, $log_file);
+ elseif ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext("WARNING: no valid SID match tokens found in file \"{$snortcfg['disable_sid_file']}\".\n"), 3, $log_file);
+ }
+ }
+ break;
+
+ default:
+ log_error(gettext("[Snort] Unrecognized 'sid_state_order' value. Skipping auto CATEGORY mgmt step for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ if ($log_results == TRUE) {
+ error_log(gettext("ERROR: unrecognized 'sid_state_order' value. Skipping auto CATEGORY mgmt step for ") . convert_friendly_interface_to_friendly_descr($snortcfg['interface']). ".\n", 3, $log_file);
+ }
+ }
+
+ if ($log_results == TRUE) {
+ error_log(gettext("End Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file);
+ error_log(gettext("********************************************************\n\n"), 3, $log_file);
+ }
+
+ // Return the required rule category modifications as an array;
+ return array_merge($enables, $disables);
+}
+
+function snort_get_auto_category_mods($categories, $sid_mods, $action, $log_results = FALSE, $log_file = NULL) {
+
+ /****************************************************/
+ /* This function parses the provided SID mod tokens */
+ /* in $sid_mods and returns an array of category */
+ /* files that must be added ('enabled') or removed */
+ /* ('disabled') from the provided $categories list */
+ /* of enabled rule categories as determined by the */
+ /* content of the SID Mgmt tokens in $sid_mods. */
+ /* */
+ /* The returned array shows which files should be */
+ /* removed and which should be added to the list */
+ /* used when building the enforcing ruleset. */
+ /* */
+ /* $categories ==> array of currently enabled */
+ /* ruleset categories */
+ /* $sid_mods ==> array of SID modification */
+ /* tokens */
+ /* $action ==> modification action for */
+ /* matching category targets: */
+ /* 'enable' or 'disable' */
+ /* $log_results ==> [optional] 'yes' to log */
+ /* results to $log_file */
+ /* $log_file ==> full path and filename of log */
+ /* file to write to */
+ /* */
+ /* Returns ==> array of category file names */
+ /* for the interface. The keys */
+ /* are category file names and */
+ /* the corresponding values show */
+ /* if the file should be added */
+ /* or removed from the enabled */
+ /* rulesets list. */
+ /* */
+ /* Example - */
+ /* $changes[file] = 'enabled' */
+ /* */
+ /****************************************************/
+
+ $snortdir = SNORTDIR;
+ $all_cats = array();
+ $changes = array();
+ $counter = 0;
+ $matchcount = 0;
+
+ // Get a list of all possible categories by loading all rules files
+ foreach (array( VRT_FILE_PREFIX, ET_OPEN_FILE_PREFIX, ET_PRO_FILE_PREFIX, GPL_FILE_PREFIX ) as $prefix) {
+ $files = glob("{$snortdir}/rules/{$prefix}*.rules");
+ foreach ($files as $file)
+ $all_cats[] = basename($file);
+ }
+
+ // Walk the SID mod tokens and decode looking for rule
+ // category enable/disable changes.
+ foreach ($sid_mods as $tok) {
+ $matches = array();
+ // Test the SID token for a GID:SID range and skip if true
+ if (preg_match('/^(\d+):(\d+)-\1:(\d+)/', $tok))
+ continue;
+ // Test the token for a single GID:SID and skip if true
+ elseif (preg_match('/^(\d+):(\d+)$/', $tok))
+ continue;
+ // Test the token for the PCRE: keyword and skip if true
+ elseif (preg_match('/(^pcre\:)(.+)/i', $tok))
+ continue;
+ // Test the token for the MS reference keyword and skip if true
+ elseif (preg_match('/^MS\d+-.+/i', $tok))
+ continue;
+ // Test the token for other keywords delimited with a colon and skip if true
+ elseif (preg_match('/^[a-xA-X]+\:.+/', $tok))
+ continue;
+ // Test the SID token for a rule category name. Anything that
+ // failed to match above is considered a potential category name.
+ elseif (preg_match('/[a-xA-X]+(-|\w).*/', $tok, $matches)) {
+ $counter++;
+ $regex = "/" . preg_quote(trim($matches[0]), '/') . "/i";
+ // Search through the $all_cats array for any matches to the regex
+ $matches = preg_grep($regex, $all_cats);
+
+ // See if any matches are in the $categories array
+ foreach ($matches as $cat) {
+ switch ($action) {
+ case 'enable':
+ if (!isset($changes[$cat])) {
+ $changes[$cat] = 'enabled';
+ if ($log_results == TRUE && !empty($log_file))
+ error_log(gettext(" Enabled rule category: {$cat}\n"), 3, $log_file);
+ $matchcount++;
+ }
+ break;
+
+ case 'disable':
+ if (!isset($changes[$cat])) {
+ $changes[$cat] = 'disabled';
+ if ($log_results == TRUE && !empty($log_file))
+ error_log(gettext(" Disabled rule category: {$cat}\n"), 3, $log_file);
+ $matchcount++;
+ }
+ break;
+
+ default:
+ break;
+ }
+ }
+ }
+ else {
+ if ($log_results == TRUE && !empty($log_file))
+ error_log(gettext("WARNING: unrecognized token '{$tok}' encountered while processing an automatic SID MGMT file.\n"), 3, $log_file);
+ }
+ }
+
+ if ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext(" Parsed {$counter} potential Rule Categories to match from the list of tokens.\n"), 3, $log_file);
+ error_log(gettext(" " . ucfirst($action) . "d {$matchcount} matching Rule Categories.\n"), 3, $log_file);
+ }
+
+ // Release memory no longer needed
+ unset($all_cats, $matches);
+
+ // Return array of rule category file changes
+ return $changes;
+}
+
+function snort_modify_sid_state(&$rule_map, $sid_mods, $action, $log_results = FALSE, $log_file = NULL) {
+
+ /**********************************************/
+ /* This function walks the provided array of */
+ /* SID modification tokens and locates the */
+ /* target SID or SIDs in the $rule_map array. */
+ /* It then performs the change specified by */
+ /* $action on the target SID or SIDs. */
+ /* */
+ /* $rule_map ==> reference to array of */
+ /* current rules */
+ /* $sid_mods ==> array of SID modification */
+ /* tokens */
+ /* $action ==> modification action for */
+ /* matching SID targets: */
+ /* 'enable' or 'disable' */
+ /* $log_results ==> [optional] 'yes' to log */
+ /* results to $log_file */
+ /* $log_file ==> full path and filename */
+ /* of log file to write to */
+ /* */
+ /* On Return ==> $rule_map array modified */
+ /* by changing state for */
+ /* matching SIDs. */
+ /* */
+ /* Returns a two-dimension */
+ /* array of matching GID:SID */
+ /* pairs. */
+ /**********************************************/
+
+ $sids = array();
+
+ // If no rules in $rule_map or mods in $sid_mods,
+ // then nothing to do.
+ if (empty($rule_map) || empty($sid_mods))
+ return $sids;
+
+ // Validate the action keyword as we only accept
+ // 'enable' and 'disable' as valid.
+ switch ($action) {
+
+ case "enable":
+ break;
+
+ case "disable":
+ break;
+
+ default:
+ log_error(gettext("[Snort] Error - unknown action '{$action}' supplied to snort_modify_sid_state() function...no SIDs modified."));
+ return $sids;
+ }
+
+ // Walk the SID mod tokens and decode each one
+ foreach ($sid_mods as $tok) {
+ $matches = array();
+ // Test the SID token for a GID:SID range
+ if (preg_match('/^(\d+):(\d+)-\1:(\d+)/', $tok, $matches)) {
+ // It was a range, so find all the intervening SIDs
+ $gid = trim($matches[1]);
+ $lsid = trim($matches[2]);
+ $usid = trim($matches[3]);
+ $sids[$gid][$lsid] = $action;
+ while ($lsid < $usid) {
+ $lsid++;
+ $sids[$gid][$lsid] = $action;
+ }
+ }
+ // Test the SID token for a single GID:SID
+ elseif (preg_match('/^(\d+):(\d+)$/', $tok, $matches)) {
+ // It's a single GID:SID, so grab it
+ $sids[$matches[1]][$matches[2]] = $action;
+ }
+ // Test the SID token for the PCRE: keyword
+ elseif (preg_match('/(^pcre\:)(.+)/i', $tok, $matches)) {
+ $regex = '/' . preg_quote($matches[2], '/') . '/i';
+
+ // Now search through the $rule_map in the 'rule'
+ // element for any matches to the regex and get
+ // the GID:SID.
+ foreach ($rule_map as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if (preg_match($regex, $v['rule'])) {
+ $sids[$k1][$k2] = $action;
+ }
+ }
+ }
+ }
+ // Test the SID token for the MS reference keyword
+ elseif (preg_match('/^MS\d+-.+/i', $tok, $matches)) {
+ $regex = "/" . preg_quote($matches[0], '/') . "/i";
+
+ // Now search through the $rule_map in the 'rule'
+ // element for any matches to the regex and get
+ // the GID:SID.
+ foreach ($rule_map as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if (preg_match($regex, $v['rule'])) {
+ $sids[$k1][$k2] = $action;
+ }
+ }
+ }
+ }
+ // Test the SID token for other keywords delimited with a colon
+ elseif (preg_match('/^[a-xA-X]+\:.+/', $tok, $matches)) {
+ $regex = "/" . str_replace(':', ",", preg_quote($matches[0], '/')) . "/i";
+
+ // Now search through the $rule_map in the 'rule'
+ // element for any matches to the regex and get
+ // the GID:SID.
+ foreach ($rule_map as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if (preg_match($regex, $v['rule'])) {
+ $sids[$k1][$k2] = $action;
+ }
+ }
+ }
+ }
+ // Test the SID token for a rule category name. Anything that
+ // failed to match above is considered a potential category name.
+ elseif (preg_match('/[a-xA-X]+(-|\w).*/', $tok, $matches)) {
+ $regex = "/" . preg_quote(trim($matches[0]), '/') . "/i";
+ // Now search through the $rule_map in the 'category'
+ // element for any matches to the regex and get
+ // the GID:SID.
+ foreach ($rule_map as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if (preg_match($regex, $v['category'] . ".rules")) {
+ $sids[$k1][$k2] = $action;
+ }
+ }
+ }
+ }
+ else {
+ if ($log_results == TRUE && !empty($log_file))
+ error_log(gettext("WARNING: unrecognized token '{$tok}' encountered while processing an automatic SID MGMT file.\n"), 3, $log_file);
+ }
+ }
+
+ // Change state of all the matching GID:SID pairs we found
+ // above in the $rule_map array passed to us.
+ $modcount = $changecount = 0;
+ $counter = count($sids, COUNT_RECURSIVE) - count($sids);
+
+ if ($log_results == TRUE && !empty($log_file))
+ error_log(gettext(" Parsed {$counter} potential SIDs to match from the provided list of tokens.\n"), 3, $log_file);
+
+ foreach (array_keys($sids) as $k1) {
+ foreach (array_keys($sids[$k1]) as $k2) {
+ if (isset($rule_map[$k1][$k2])) {
+ if ($action == 'enable' && $rule_map[$k1][$k2]['disabled'] == 1) {
+ $rule_map[$k1][$k2]['rule'] = ltrim($rule_map[$k1][$k2]['rule'], " \t#");
+ $rule_map[$k1][$k2]['disabled'] = 0;
+ $rule_map[$k1][$k2]['managed'] = 1;
+ $changecount++;
+ $modcount++;
+ }
+ elseif ($action == 'disable' && $rule_map[$k1][$k2]['disabled'] == 0) {
+ $rule_map[$k1][$k2]['rule'] = "# " . $rule_map[$k1][$k2]['rule'];
+ $rule_map[$k1][$k2]['disabled'] = 1;
+ $rule_map[$k1][$k2]['managed'] = 1;
+ $changecount++;
+ $modcount++;
+ }
+ }
+ }
+ }
+
+ if ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext(" Found {$modcount} matching SIDs in the active rules.\n"), 3, $log_file);
+ error_log(gettext(" Changed state for {$changecount} SIDs to '{$action}d'.\n"), 3, $log_file);
+ }
+
+ // Return the array of matching SIDs
+ return $sids;
+}
+
+function snort_modify_sid_content(&$rule_map, $sid_mods, $log_results = FALSE, $log_file = NULL) {
+
+ /************************************************/
+ /* This function walks the provided array of */
+ /* SID modification tokens and locates the */
+ /* target SID or SIDs in the $rule_map array. */
+ /* It then modifies the content of the target */
+ /* SID or SIDs. Modifications are only valid */
+ /* for normal GID=1 text rules. */
+ /* */
+ /* $rule_map ==> reference to array of */
+ /* current rules */
+ /* $sid_mods ==> array of SID modification */
+ /* tokens */
+ /* $log_results ==> [optional] 'yes' to log */
+ /* results to $log_file */
+ /* $log_file ==> full path and filename */
+ /* of log file to write to */
+ /* */
+ /* On Return ==> $rule_map array modified */
+ /* by changing content for */
+ /* matching SIDs. */
+ /* */
+ /* Returns a two-dimension */
+ /* array of matching */
+ /* GID:SID pairs. */
+ /************************************************/
+
+ $sids = array();
+ $tokencounter = $modcount = $modifiedcount = 0;
+
+ // If no rules in $rule_map or mods in $sid_mods,
+ // then nothing to do.
+ if (empty($rule_map) || empty($sid_mods))
+ return $sids;
+
+ // Walk the SID mod tokens and decode each one
+ foreach ($sid_mods as $tok) {
+ $matches = array();
+ if (preg_match('/([\d+|,|\*]*)\s+"(.+)"\s+"(.*)"/', $tok, $matches)) {
+ $tokencounter++;
+ $sidlist = explode(",", $matches[1]);
+ $from = '/' . preg_quote($matches[2], '/') . '/';
+ $to = $matches[3];
+ $count = 0;
+
+ // Now walk the provided rule map and make the modifications
+ if ($matches[1] == "*") {
+ // If wildcard '*' provided for SID, then check them all
+ foreach ($rule_map[1] as $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ $modcount++;
+ $rule_map[1][$k2]['rule'] = preg_replace($from, $to, $v['rule'], -1, $count);
+ if ($count > 0) {
+ $rule_map[1][$k2]['managed'] = 1;
+ $sids[1][$k2] = 'modify';
+ $modifiedcount++;
+ }
+ }
+ }
+ }
+ else {
+ // Otherwise just check the provided SIDs
+ foreach ($sidlist as $sid) {
+ if (isset($rule_map[1][$sid])) {
+ $modcount++;
+ $rule_map[1][$sid]['rule'] = preg_replace($from, $to, $rule_map[1][$sid]['rule'], -1, $count);
+ if ($count > 0) {
+ $rule_map[1][$sid]['managed'] = 1;
+ $sids[1][$sid] = 'modify';
+ $modifiedcount++;
+ }
+ }
+ }
+ }
+ }
+ else {
+ if ($log_results == TRUE && !empty($log_file))
+ error_log(gettext("WARNING: unrecognized token '{$tok}' encountered while processing an automatic SID MGMT file.\n"), 3, $log_file);
+ }
+ }
+
+ if ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext(" Parsed {$tokencounter} potential SIDs to match from the provided list of tokens.\n"), 3, $log_file);
+ error_log(gettext(" Found {$modcount} matching SIDs in the active rules.\n"), 3, $log_file);
+ error_log(gettext(" Modified rule text for {$modifiedcount} SIDs.\n"), 3, $log_file);
+ }
+
+ // Return the array of matching SIDs
+ return $sids;
+}
+
+function snort_process_enablesid(&$rule_map, $snortcfg, $log_results = FALSE, $log_file = NULL) {
+
+ /**********************************************/
+ /* This function loads and processes the file */
+ /* specified by 'enable_sid_file' for the */
+ /* interface. The file is assumed to be a */
+ /* valid enablesid.conf file containing */
+ /* instructions for enabling matching rule */
+ /* SIDs. */
+ /* */
+ /* $rule_map ==> reference to array of */
+ /* current rules */
+ /* $snortcfg ==> interface config params */
+ /* $log_results ==> [optional] 'yes' to log */
+ /* results to $log_file */
+ /* $log_file ==> full path and filename */
+ /* of log file to write to */
+ /* */
+ /* On Return ==> suitably modified */
+ /* $rule_map array */
+ /**********************************************/
+
+ $snort_sidmods_dir = SNORT_SID_MODS_PATH;
+ $snortlogdir = SNORTLOGDIR;
+ $sid_mods = array();
+
+ // If no rules in $rule_map, then nothing to do
+ if (empty($rule_map))
+ return;
+
+ // Attempt to open the 'enable_sid_file' for the interface
+ if (!file_exists("{$snort_sidmods_dir}{$snortcfg['enable_sid_file']}")) {
+ log_error(gettext("[Snort] Error - unable to open 'enable_sid_file' \"{$snortcfg['enable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ return;
+ }
+ else
+ $sid_mods = snort_parse_sidconf_file("{$snort_sidmods_dir}{$snortcfg['enable_sid_file']}");
+
+ if (!empty($sid_mods))
+ snort_modify_sid_state($rule_map, $sid_mods, "enable", $log_results, $log_file);
+ elseif ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext("WARNING: no valid SID match tokens found in file \"{$snortcfg['enable_sid_file']}\".\n"), 3, $log_file);
+ }
+
+ unset($sid_mods);
+}
+
+function snort_process_disablesid(&$rule_map, $snortcfg, $log_results = FALSE, $log_file = NULL) {
+
+ /**********************************************/
+ /* This function loads and processes the file */
+ /* specified by 'disable_sid_file' for the */
+ /* interface. The file is assumed to be a */
+ /* valid disablesid.conf file containing */
+ /* instructions for disabling matching rule */
+ /* SIDs. */
+ /* */
+ /* $rule_map ==> reference to array of */
+ /* current rules */
+ /* $snortcfg ==> interface config params */
+ /* $log_results ==> [optional] 'yes' to log */
+ /* results to $log_file */
+ /* $log_file ==> full path and filename */
+ /* of log file to write to */
+ /* */
+ /* On Return ==> suitably modified */
+ /* $rule_map array */
+ /**********************************************/
+
+ $snort_sidmods_dir = SNORT_SID_MODS_PATH;
+ $snortlogdir = SNORTLOGDIR;
+ $sid_mods = array();
+
+ // If no rules in $rule_map, then nothing to do
+ if (empty($rule_map))
+ return;
+
+ // Attempt to open the 'disable_sid_file' for the interface
+ if (!file_exists("{$snort_sidmods_dir}{$snortcfg['disable_sid_file']}")) {
+ log_error(gettext("[Snort] Error - unable to open 'disable_sid_file' \"{$snortcfg['disable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ return;
+ }
+ else
+ $sid_mods = snort_parse_sidconf_file("{$snort_sidmods_dir}{$snortcfg['disable_sid_file']}");
+
+ if (!empty($sid_mods))
+ snort_modify_sid_state($rule_map, $sid_mods, "disable", $log_results, $log_file);
+ elseif ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext("WARNING: no valid SID match tokens found in file \"{$snortcfg['disable_sid_file']}\".\n"), 3, $log_file);
+ }
+
+ unset($sid_mods);
+}
+
+function snort_process_modifysid(&$rule_map, $snortcfg, $log_results = FALSE, $log_file = NULL) {
+
+ /**********************************************/
+ /* This function loads and processes the file */
+ /* specified by 'modify_sid_file' for the */
+ /* interface. The file is assumed to be a */
+ /* valid modifysid.conf file containing */
+ /* instructions for modifying matching rule */
+ /* SIDs. */
+ /* */
+ /* $rule_map ==> reference to array of */
+ /* current rules */
+ /* $snortcfg ==> interface config params */
+ /* $log_results ==> [optional] 'yes' to log */
+ /* results to $log_file */
+ /* $log_file ==> full path and filename */
+ /* of log file to write to */
+ /* */
+ /* On Return ==> suitably modified */
+ /* $rule_map array */
+ /**********************************************/
+
+ $snort_sidmods_dir = SNORT_SID_MODS_PATH;
+ $snortlogdir = SNORTLOGDIR;
+ $sid_mods = array();
+
+ // If no rules in $rule_map, then nothing to do
+ if (empty($rule_map))
+ return;
+
+ // Attempt to open the 'modify_sid_file' for the interface
+ if (!file_exists("{$snort_sidmods_dir}{$snortcfg['modify_sid_file']}")) {
+ log_error(gettext("[Snort] Error - unable to open 'modify_sid_file' \"{$snortcfg['modify_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ return;
+ }
+ else
+ $sid_mods = snort_parse_sidconf_file("{$snort_sidmods_dir}{$snortcfg['modify_sid_file']}");
+
+ if (!empty($sid_mods))
+ snort_modify_sid_content($rule_map, $sid_mods, $log_results, $log_file);
+ elseif ($log_results == TRUE && !empty($log_file)) {
+ error_log(gettext("WARNING: no valid SID match tokens found in file \"{$snortcfg['modify_sid_file']}\".\n"), 3, $log_file);
+ }
+
+ unset($sid_mods);
+}
+
+function snort_auto_sid_mgmt(&$rule_map, $snortcfg, $log_results = FALSE) {
+
+ /**************************************************/
+ /* This function modifies the rules in the */
+ /* passed rule_map array based on values in the */
+ /* files 'enable_sid_file', 'disable_sid_file' */
+ /* and 'modify_sid_file' for the interface. */
+ /* */
+ /* If auto-mgmt of SIDs is enabled via the */
+ /* settings on the UPDATE RULES tab, then the */
+ /* rules are processed against these settings. */
+ /* */
+ /* $rule_map ==> array of current rules */
+ /* $snortcfg ==> interface config settings */
+ /* $log_results ==> [optional] log results to */
+ /* 'sid_changes.log' in the */
+ /* interface directory in */
+ /* /var/log/snort when TRUE */
+ /* */
+ /* Returns ==> TRUE if rules were changed; */
+ /* otherwise FALSE */
+ /**************************************************/
+
+ global $config;
+ $result = FALSE;
+
+ // Configure the interface's logging subdirectory if log results is enabled
+ if ($log_results == TRUE)
+ $log_file = SNORTLOGDIR . "/snort_" . get_real_interface($snortcfg['interface']) . "{$snortcfg['uuid']}/sid_changes.log";
+ else
+ $log_file = NULL;
+
+ // Check if auto-mgmt of SIDs is enabled and files are specified
+ // for the interface.
+ if ($config['installedpackages']['snortglobal']['auto_manage_sids'] == 'on' &&
+ (!empty($snortcfg['disable_sid_file']) || !empty($snortcfg['enable_sid_file']) ||
+ !empty($snortcfg['modify_sid_file']))) {
+ if ($log_results == TRUE) {
+ error_log(gettext("********************************************************\n"), 3, $log_file);
+ error_log(gettext("Starting auto SID management for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) ."\n"), 3, $log_file);
+ error_log(gettext("Start Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file);
+ }
+
+ switch ($snortcfg['sid_state_order']) {
+ case "disable_enable":
+ if (!empty($snortcfg['disable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing disable_sid file: {$snortcfg['disable_sid_file']}\n"), 3, $log_file);
+ snort_process_disablesid($rule_map, $snortcfg, $log_results, $log_file);
+ }
+ if (!empty($snortcfg['enable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing enable_sid file: {$snortcfg['enable_sid_file']}\n"), 3, $log_file);
+ snort_process_enablesid($rule_map, $snortcfg, $log_results, $log_file);
+ }
+ if (!empty($snortcfg['modify_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing modify_sid file: {$snortcfg['modify_sid_file']}\n"), 3, $log_file);
+ snort_process_modifysid($rule_map, $snortcfg, $log_results, $log_file);
+ }
+ $result = TRUE;
+ break;
+
+ case "enable_disable":
+ if (!empty($snortcfg['enable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing enable_sid file: {$snortcfg['enable_sid_file']}\n"), 3, $log_file);
+ snort_process_enablesid($rule_map, $snortcfg, $log_results, $log_file);
+ }
+ if (!empty($snortcfg['disable_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing disable_sid file: {$snortcfg['disable_sid_file']}\n"), 3, $log_file);
+ snort_process_disablesid($rule_map, $snortcfg, $log_results, $log_file);
+ }
+ if (!empty($snortcfg['modify_sid_file'])) {
+ if ($log_results == TRUE)
+ error_log(gettext("Processing modify_sid file: {$snortcfg['modify_sid_file']}\n"), 3, $log_file);
+ snort_process_modifysid($rule_map, $snortcfg, $log_results, $log_file);
+ }
+ $result = TRUE;
+ break;
+
+ default:
+ log_error(gettext("[Snort] Unrecognized 'sid_state_order' value. Skipping auto SID mgmt step for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface'])));
+ if ($log_results == TRUE) {
+ error_log(gettext("ERROR: unrecognized 'sid_state_order' value. Skipping auto SID mgmt step for ") . convert_friendly_interface_to_friendly_descr($snortcfg['interface']). ".\n", 3, $log_file);
+ }
+ $result = FALSE;
+ }
+
+ if ($log_results == TRUE) {
+ error_log(gettext("End Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file);
+ error_log(gettext("********************************************************\n\n"), 3, $log_file);
+ }
+ }
+ return $result;
+}
+
function snort_load_sid_mods($sids) {
/*****************************************/
@@ -1787,31 +2800,24 @@ function snort_create_rc() {
/* after any changes to snort.conf saved in the GUI. */
/*********************************************************/
- global $config, $g, $pfs_version;
+ global $config, $g;
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
$rcdir = RCFILEPREFIX;
- // If no interfaces are configured for Snort, exit
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
$snortconf = $config['installedpackages']['snortglobal']['rule'];
- if (empty($snortconf))
+
+ // If no interfaces are configured for Snort, exit
+ if (!is_array($snortconf) || count($snortconf) < 1) {
+ unlink_if_exists("{$rcdir}snort.sh");
return;
+ }
// At least one interface is configured, so OK
$start_snort_iface_start = array();
$start_snort_iface_stop = array();
- // If not using PBI package, then make sure Barnyard2 can
- // find the latest MySQL shared libs in /usr/local/lib/mysql
- if ($pfs_version < 2.1) {
- $sql_lib_path = "\n# Ensure MySQL shared libs are in ldconfig search path\n";
- $sql_lib_path .= "/sbin/ldconfig -m /usr/local/lib/mysql";
- $start_snort_iface_start[] = $sql_lib_path;
- }
-
// Loop thru each configured interface and build
// the shell script.
foreach ($snortconf as $value) {
@@ -1823,19 +2829,16 @@ function snort_create_rc() {
$start_barnyard = <<<EOE
+ sleep 2
if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid`
fi
- if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -HUP \$pid
- else
+ if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q
+ /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q > /dev/null 2>&1
fi
-
EOE;
$stop_barnyard2 = <<<EOE
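Review bot: The new test `if [ -z \$pid ]; then` leaves `$pid` unquoted, so it only works because a one-argument `[ ]` happens to evaluate true when the variable is empty; `if [ -z "\$pid" ]; then` states the intent and also behaves sanely should pgrep ever return more than one PID. The same construct is introduced in the snort start block of the hunk at -1877/+2879. The `> /dev/null 2>&1` appended to the barnyard2 command (and to the snort command in that later hunk) discards all startup diagnostics, so a process that exits immediately on a bad config is indistinguishable in the SnortStartup log from a successful start; keeping stderr attached, or logging the command's exit status right after it, would preserve that signal. The generated script belongs to snort_create_rc(), which starts outside this hunk.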
@@ -1851,8 +2854,8 @@ EOE;
break
fi
done
- if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
- /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid
+ if [ -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
+ /bin/rm {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid
fi
else
pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "`
@@ -1868,7 +2871,6 @@ EOE;
done
fi
fi
-
EOE;
if ($value['barnyard_enable'] == 'on')
$start_barnyard2 = $start_barnyard;
@@ -1877,29 +2879,24 @@ EOE;
$start_snort_iface_start[] = <<<EOE
-###### For Each Iface
- # Start snort and barnyard2
+ # Start snort and barnyard2 for {$value['descr']}
if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
fi
- if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -HUP \$pid
- else
+ if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
+ /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} > /dev/null 2>&1
fi
- sleep 2
{$start_barnyard2}
-
EOE;
$start_snort_iface_stop[] = <<<EOE
+ # Stop snort and barnyard2 for {$value['descr']}
if [ -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
@@ -1912,8 +2909,8 @@ EOE;
break
fi
done
- if [ -f /var/run/snort_{$if_real}{$snort_uuid}.pid ]; then
- /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid
+ if [ -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
+ /bin/rm {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid
fi
else
pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "`
@@ -1931,9 +2928,8 @@ EOE;
fi
fi
- sleep 2
+ sleep 1
{$stop_barnyard2}
-
EOE;
}
@@ -1945,11 +2941,18 @@ EOE;
########
# This file was automatically generated
# by the pfSense service handler.
-# Code added to protect from double starts on pfSense bootup
######## Start of main snort.sh
rc_start() {
+
+ ### Lock out other start signals until we are done
+ /usr/bin/touch {$g['varrun_path']}/snort_pkg_starting.lck
{$rc_start}
+
+ ### Remove the lock since we have started all interfaces
+ if [ -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then
+ /bin/rm {$g['varrun_path']}/snort_pkg_starting.lck
+ fi
}
rc_stop() {
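Review bot: The start lock is checked and created in two separate steps (`[ ! -f ... ]` in the `start)` case of the next hunk, then `touch` here), so two START commands arriving close together can both pass the check before either creates the file; an atomic directory lock, `if /bin/mkdir {$g['varrun_path']}/snort_pkg_starting.lck 2>/dev/null; then`, with a matching `rmdir` at the end, closes that window. The lock is only removed on rc_start()'s normal exit path, so if the script is killed mid-start the file stays behind and every later START is ignored until someone deletes it or the directory is cleared at boot; a `trap '/bin/rm -f {$g['varrun_path']}/snort_pkg_starting.lck' EXIT` at the top of rc_start() would cover that. The generated script is part of snort_create_rc(), which starts outside this hunk.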
@@ -1958,7 +2961,11 @@ rc_stop() {
case $1 in
start)
- rc_start
+ if [ ! -f {$g['varrun_path']}/snort_pkg_starting.lck ]; then
+ rc_start
+ else
+ /usr/bin/logger -p daemon.info -i -t SnortStartup "Ignoring additional START command since Snort is already starting..."
+ fi
;;
stop)
rc_stop
@@ -2041,7 +3048,7 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) {
else
$snortbarnyardlog_output_plugins .= "sensor_name {$snortbarnyard_hostname_info}, ";
if ($snortcfg['barnyard_syslog_local'] == 'on')
- $snortbarnyardlog_output_plugins .= "local, log_facility LOG_AUTH, log_priority LOG_INFO\n\n";
+ $snortbarnyardlog_output_plugins .= "local, log_facility {$snortcfg['barnyard_syslog_facility']}, log_priority {$snortcfg['barnyard_syslog_priority']}\n\n";
else {
$snortbarnyardlog_output_plugins .= "server {$snortcfg['barnyard_syslog_rhost']}, protocol {$snortcfg['barnyard_syslog_proto']}, ";
$snortbarnyardlog_output_plugins .= "port {$snortcfg['barnyard_syslog_dport']}, operation_mode {$snortcfg['barnyard_syslog_opmode']}, ";
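Review bot: The new line interpolates `$snortcfg['barnyard_syslog_facility']` and `$snortcfg['barnyard_syslog_priority']` straight into barnyard2.conf with no fallback, so a config saved before these keys existed, or with either left empty, emits `log_facility , log_priority`, which barnyard2 will most likely reject at start. The old line hard-coded LOG_AUTH/LOG_INFO; keeping those as defaults preserves the previous behaviour for such configs, e.g. `$facility = empty($snortcfg['barnyard_syslog_facility']) ? 'LOG_AUTH' : $snortcfg['barnyard_syslog_facility'];`, the same for the priority, then interpolate those two locals. Whether the GUI validates the values against the facility/priority names barnyard2 accepts is not visible here; if it does not, a whitelist check at save time is the place to add one. snort_generate_barnyard2_conf() starts outside this hunk.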
@@ -2102,41 +3109,46 @@ function snort_deinstall() {
$snortlibdir = SNORTLIBDIR;
$snortlogdir = SNORTLOGDIR;
$rcdir = RCFILEPREFIX;
- $snort_rules_upd_log = RULES_UPD_LOGFILE;
- $iprep_path = IPREP_PATH;
+ $snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
+ $mounted_rw = FALSE;
log_error(gettext("[Snort] Snort package uninstall in progress..."));
+ /* Remove our rc.d startup shell script */
+ unlink_if_exists("{$rcdir}snort_pkg.sh");
+
/* Make sure all active Snort processes are terminated */
/* Log a message only if a running process is detected */
- if (is_service_running("snort"))
+ if (is_process_running("snort")) {
log_error(gettext("[Snort] Snort STOP for all interfaces..."));
+ snort_stop_all_interfaces();
+ }
+ sleep(2);
mwexec('/usr/bin/killall -z snort', true);
sleep(2);
mwexec('/usr/bin/killall -9 snort', true);
sleep(2);
// Delete any leftover snort PID files in /var/run
- unlink_if_exists("/var/run/snort_*.pid");
+ unlink_if_exists("{$g['varrun_path']}/snort_*.pid");
/* Make sure all active Barnyard2 processes are terminated */
/* Log a message only if a running process is detected */
- if (is_service_running("barnyard2"))
+ if (is_process_running("barnyard2"))
log_error(gettext("[Snort] Barnyard2 STOP for all interfaces..."));
mwexec('/usr/bin/killall -z barnyard2', true);
sleep(2);
mwexec('/usr/bin/killall -9 barnyard2', true);
sleep(2);
// Delete any leftover barnyard2 PID files in /var/run
- unlink_if_exists("/var/run/barnyard2_*.pid");
+ unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
- /* Remove the snort user and group */
- mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
-
- /* Remove all the Snort cron jobs. */
- install_cron_job("snort2c", false);
- install_cron_job("snort_check_for_rule_updates.php", false);
- install_cron_job("snort_check_cron_misc.inc", false);
- configure_cron();
+ /* Remove all the existing Snort cron jobs. */
+ if (snort_cron_job_exists("snort2c", FALSE))
+ install_cron_job("snort2c", false);
+ if (snort_cron_job_exists("snort_check_for_rule_updates.php", FALSE))
+ install_cron_job("snort_check_for_rule_updates.php", false);
+ if (snort_cron_job_exists("snort_check_cron_misc.inc", FALSE))
+ install_cron_job("snort_check_cron_misc.inc", false);
/* Remove our associated Dashboard widget config. If */
/* "save settings" is enabled, then save old widget */
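Review bot: Both PID-file globs now depend on `$g['varrun_path']`, but the function's `global` declaration is above this hunk; if `$g` is not declared global in snort_deinstall(), the patterns collapse to `/snort_*.pid` and `/barnyard2_*.pid` and no PID files are removed, whereas the old literal `/var/run` had no such dependency. Worth confirming the declaration reads `global $config, $g;` before relying on it. Separately, this hunk removes `{$rcdir}snort_pkg.sh` while the later hunk in the same function removes `{$rcdir}snort.sh` (the name snort_create_rc() writes); if only one of those is ever installed into the rc.d directory the other call is dead code, and a one-line comment on each saying which script it refers to would make that clear.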
@@ -2154,7 +3166,6 @@ function snort_deinstall() {
}
}
$config['widgets']['sequence'] = implode(",", $widgetlist);
- write_config("Snort pkg: remove Snort Dashboard Widget on package deinstall.");
}
/* See if we are to clear blocked hosts on uninstall */
@@ -2167,29 +3178,33 @@ function snort_deinstall() {
if ($config['installedpackages']['snortglobal']['clearlogs'] == 'on') {
log_error(gettext("[Snort] Clearing all Snort-related log files..."));
unlink_if_exists("{$snort_rules_upd_log}");
- mwexec("/bin/rm -rf {$snortlogdir}");
+ rmdir_recursive($snortlogdir);
+ }
+
+ /**********************************************************/
+ /* If not already, set Snort conf partition to read-write */
+ /* so we can make changes there */
+ /**********************************************************/
+ if (!is_subsystem_dirty('mount')) {
+ conf_mount_rw();
+ $mounted_rw = TRUE;
}
/**********************************************************/
- /* Test for existence of library backup tarballs in /tmp. */
- /* If these are present, then a package "delete" */
+ /* Test for existence of the snort directory in the PBI */
+ /* path. If not present, then a package "delete" */
/* operation is in progress and we need to wipe out the */
/* configuration files. Otherwise we leave the binary- */
/* side configuration intact since only a GUI files */
/* deinstall and reinstall operation is in progress. */
- /* */
- /* XXX: hopefully a better method presents itself in */
- /* future versions of pfSense. */
/**********************************************************/
- if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) {
+ if (!is_dir("{$snortdir}")) {
log_error(gettext("[Snort] Package deletion requested... removing all files..."));
- mwexec("/bin/rm -rf {$snortdir}");
- mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules");
- mwexec("/bin/rm -f {$rcdir}snort.sh");
- mwexec("/bin/rm -rf /usr/local/pkg/snort");
- mwexec("/bin/rm -rf /usr/local/www/snort");
- mwexec("/bin/rm -rf /usr/local/etc/snort");
- mwexec("/bin/rm -rf /usr/local/lib/snort");
+ unlink_if_exists("{$rcdir}snort.sh");
+ rmdir_recursive("/usr/local/pkg/snort");
+ rmdir_recursive("/usr/local/www/snort");
+ rmdir_recursive("/usr/local/etc/snort");
+ rmdir_recursive("/usr/local/lib/snort");
}
/* Keep this as a last step */
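Review bot: `$snortlibdir`, assigned at the top of the function, loses its only visible use when the `{$snortlibdir}/dynamicrules` removal is dropped here, so the assignment can likely go as well (the rest of the function is outside these hunks, so check for another reference first). The package-delete detection now keys solely on `!is_dir("{$snortdir}")`, so anything else that removes that directory, such as a failed or partial install or a manual cleanup, will make a GUI-only reinstall wipe `/usr/local/etc/snort` and `/usr/local/lib/snort` too. If that is accepted, the comment block above should say so, e.g. `/* NOTE: absence of $snortdir is the only signal for a full delete; a missing dir from a failed install triggers the same wipe. */`.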
@@ -2200,10 +3215,17 @@ function snort_deinstall() {
unlink_if_exists("{$snort_rules_upd_log}");
log_error(gettext("[Snort] Flushing <snort2c> firewall table to remove addresses blocked by Snort..."));
mwexec("/sbin/pfctl -t snort2c -T flush");
- mwexec("/bin/rm -rf {$snortlogdir}");
- mwexec("/bin/rm -rf {$iprep_path}");
+ rmdir_recursive("{$snortlogdir}");
+ rmdir_recursive("{$g['vardb_path']}/snort");
log_error(gettext("[Snort] The package has been removed from this system..."));
}
+
+ /**********************************************************/
+ /* We're finished with conf partition mods, return to */
+ /* read-only if we changed it */
+ /**********************************************************/
+ if ($mounted_rw == TRUE)
+ conf_mount_ro();
}
function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
@@ -2221,11 +3243,14 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* to be written. */
/***********************************************************/
- global $g, $rebuild_rules;
+ global $g, $config, $rebuild_rules;
$snortdir = SNORTDIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
- $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME;
+ $snort_enforcing_rules_file = SNORT_ENFORCING_RULES_FILENAME;
+ $enabled_files = array();
+ $all_rules = array();
+ $cat_mods = array();
$no_rules_defined = true;
$enabled_rules = array();
@@ -2236,6 +3261,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Log a message for rules rebuild in progress */
log_error(gettext("[Snort] Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " ..."));
+ // Get any automatic rule category enable/disable modifications
+ // if auto-SID Mgmt is enabled and conf files exist for the interface.
+ $cat_mods = snort_sid_mgmt_auto_categories($snortcfg, TRUE);
+
/* Enable all, some or none of the SDF rules depending on setting. */
if ($snortcfg['sensitive_data'] == 'on' && $snortcfg['protect_preproc_rules'] != 'on') {
if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")) {
@@ -2262,8 +3291,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Only rebuild rules if some are selected or an IPS Policy is enabled */
if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') {
- $enabled_files = array();
- $all_rules = array();
$no_rules_defined = false;
/* Load up all the text rules into a Rules Map array. */
@@ -2279,6 +3306,28 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
$enabled_files[$category] = $file;
}
+ // Now adjust the list using any required changes as
+ // determined by auto-SID Mgmt policy files.
+ if (!empty($cat_mods)) {
+ foreach ($cat_mods as $k => $action) {
+ $key = basename($k, ".rules");
+ switch ($action) {
+ case 'enabled':
+ if (!isset($enabled_files[$key]))
+ $enabled_files[$key] = $k;
+ break;
+
+ case 'disabled':
+ if (isset($enabled_files[$key]))
+ unset($enabled_files[$key]);
+ break;
+
+ default:
+ break;
+ }
+ }
+ }
+
/****************************************************/
/* Walk the ALL_RULES map array and copy the rules */
/* matching our selected file categories to the */
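Review bot: In the `'enabled'` case the value stored is the raw `$cat_mods` key `$k`, while the entries built just above store `$file` for each `$category`; if those two are not in the same form (basename with `.rules` versus a path), the copy loop that walks `$all_rules` against `$enabled_files` below this hunk will not match the auto-enabled category. It would be safer to add a category only when its rules were actually loaded, e.g. `if (!isset($enabled_files[$key]) && isset($all_rules[$k]))` (assuming `$all_rules` is keyed by file name, which is not visible here), and to log the skipped name otherwise, since a typo in the enablesid category list currently disappears silently. snort_prepare_rule_files() continues on both sides of this hunk.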
@@ -2301,7 +3350,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
}
/* Release memory we no longer need. */
- unset($enabled_files, $rulem, $v);
+ unset($enabled_files, $cat_mods, $rulem, $v);
}
/* Check if a pre-defined Snort VRT policy is selected. If so, */
@@ -2324,7 +3373,9 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
unset($policy_rules, $policy, $p);
}
- /* Process any enablesid or disablesid modifications for the selected rules. */
+ // Process any enablesid or disablesid modifications for the selected rules.
+ // Do the auto-SID managment first, if enabled, then do any manual SID state changes.
+ snort_auto_sid_mgmt($enabled_rules, $snortcfg, TRUE);
snort_modify_sids($enabled_rules, $snortcfg);
/* Check for and disable any rules dependent upon disabled preprocessors if */
@@ -2357,7 +3408,45 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
} else
/* Just put an empty file to always have the file present */
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
- } else {
+ unset($all_rules);
+ }
+ // If no rule categories were enabled, then use auto-SID management if enabled, since it may enable some rules
+ elseif ($config['installedpackages']['snortglobal']['auto_manage_sids'] == 'on' &&
+ (!empty($snortcfg['disable_sid_file']) || !empty($snortcfg['enable_sid_file']) ||
+ !empty($snortcfg['modify_sid_file']))) {
+
+ snort_auto_sid_mgmt($enabled_rules, $snortcfg, TRUE);
+ if (!empty($enabled_rules)) {
+ // Auto-SID management generated some rules, so use them
+ $no_rules_defined = false;
+ snort_modify_sids($enabled_rules, $snortcfg);
+
+ // Write the enforcing rules file to the Snort interface's "rules" directory.
+ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
+
+ // If auto-flowbit resolution is enabled, generate the dependent flowbits rules file.
+ if ($snortcfg['autoflowbitrules'] == 'on') {
+ log_error('[Snort] Enabling any flowbit-required rules for: ' . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . '...');
+
+ // Load up all rules into a Rules Map array for flowbits assessment
+ $all_rules = snort_load_rules_map("{$snortdir}/rules/");
+ $fbits = snort_resolve_flowbits($all_rules, $enabled_rules);
+
+ // Check for and disable any flowbit-required rules the
+ // user has manually forced to a disabled state.
+ snort_modify_sids($fbits, $snortcfg);
+ snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ unset($all_rules, $fbits);
+ } else
+ // Just put an empty file to always have the file present
+ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ }
+ else {
+ snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
+ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ }
+ }
+ else {
/* No regular rules or policy were selected, so just use the decoder and preproc rules */
snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
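Review bot: In the new elseif branch the `if (!empty($enabled_rules))` test does not show whether auto-SID management changed anything: the final else branch indicates `$enabled_rules` already holds the decoder/preproc rules at this point, so the condition is true whenever any such rules exist, and `// Auto-SID management generated some rules, so use them` together with `$no_rules_defined = false` can be reached without a single SID having been enabled. The return value of snort_auto_sid_mgmt() cannot tighten this either, since in the hunk above it is set TRUE for both recognized `sid_state_order` values regardless of outcome; a before/after comparison of the rules' enabled state, or a change count returned from the modify helpers, would give a real signal, and until then the comment should read `// Rule map is non-empty (decoder/preproc plus any auto-SID enables), so treat it as a rule set`. The enforcing-file and flowbit-file writing in this branch repeats the block at the top of the hunk nearly line for line, which suggests a small private helper; note also that the log call here uses a bare single-quoted string where the neighbouring calls wrap their text in gettext(). snort_prepare_rule_files() continues on both sides of this hunk.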
@@ -2564,7 +3653,7 @@ function snort_generate_conf($snortcfg) {
$snortlibdir = SNORTLIBDIR;
$snortlogdir = SNORTLOGDIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
- $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME;
+ $snort_enforcing_rules_file = SNORT_ENFORCING_RULES_FILENAME;
$if_real = get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
@@ -2595,8 +3684,10 @@ function snort_sync_on_changes() {
global $config, $g;
/* Do not attempt a package sync while booting up or installing package */
- if ($g['booting'] || $g['snort_postinstall'])
+ if ($g['booting'] || $g['snort_postinstall']) {
+ log_error("[snort] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
return;
+ }
if (is_array($config['installedpackages']['snortsync']['config'])){
$snort_sync=$config['installedpackages']['snortsync']['config'][0];
@@ -2642,13 +3733,14 @@ function snort_sync_on_changes() {
else
$syncstartsnort = "OFF";
$sync_to_ip = $sh['varsyncipaddress'];
+ $port = $sh['varsyncport'];
$password = $sh['varsyncpassword'];
if($sh['varsyncusername'])
$username = $sh['varsyncusername'];
else
$username = 'admin';
if($password && $sync_to_ip)
- snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort);
+ snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username, $password, $synctimeout, $syncstartsnort);
}
log_error("[snort] Snort pkg xmlrpc sync completed.");
}
@@ -2656,12 +3748,14 @@ function snort_sync_on_changes() {
}
/* Do the actual XMLRPC sync */
-function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $password, $synctimeout, $syncstartsnort) {
+function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username, $password, $synctimeout, $syncstartsnort) {
global $config, $g;
/* Do not attempt a package sync while booting up or installing package */
- if ($g['booting'] || $g['snort_postinstall'])
+ if ($g['booting'] || $g['snort_postinstall']) {
+ log_error("[snort] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
return;
+ }
if(!$username || !$password || !$sync_to_ip) {
log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync");
@@ -2677,8 +3771,9 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
$synchronizetoip = $config['system']['webgui']['protocol'];
$synchronizetoip .= "://";
}
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
+ if ($port == "")
+ $port = $config['system']['webgui']['port'];
+ /* if port is empty let's rely on the protocol selection */
if($port == "") {
if($config['system']['webgui']['protocol'] == "http")
$port = "80";
@@ -2686,8 +3781,44 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
$port = "443";
}
$synchronizetoip .= $sync_to_ip;
+ $url = $synchronizetoip;
+
+ /*************************************************/
+ /* Send over any auto-SID management files */
+ /*************************************************/
+ $sid_files = glob(SNORT_SID_MODS_PATH . '*');
+ foreach ($sid_files as $file) {
+ $content = base64_encode(file_get_contents($file));
+ $payload = "@file_put_contents('{$file}', base64_decode('{$content}'));";
+
+ /* assemble xmlrpc payload */
+ $method = 'pfsense.exec_php';
+ $params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
+
+ log_error("[snort] Snort XMLRPC CARP sync sending auto-SID conf files to {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "";
+ if(!$resp) {
+ $error = "A communications error occurred while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ log_error($error);
+ file_notice("sync_settings", $error, "Snort Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $error = "An error code was received while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "Snort Settings Sync", "");
+ }
+ }
+
+ if (!empty($sid_files) && $error == "")
+ log_error("[snort] Snort pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
- /* xml will hold the sections to sync */
+ /**************************************************/
+ /* Send over the <snortglobal> portion of the */
+ /* config.xml. $xml will hold section to sync. */
+ /**************************************************/
$xml = array();
$xml['snortglobal'] = $config['installedpackages']['snortglobal'];
/* assemble xmlrpc payload */
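Review bot: `$error = "";` is re-initialized inside the foreach, so a transfer failure on any file but the last is forgotten and the `auto-SID conf files success` line after the loop is logged anyway; move that initialization above the loop (`$error = ""; foreach ($sid_files as $file) {`). The payload also silences the remote write with `@file_put_contents(...)`, so a write that fails on the target (read-only conf partition, missing directory) still yields a normal response and is reported as success; dropping the `@` and having the payload return the write result, and wrapping it in conf_mount_rw()/conf_mount_ro() if SNORT_SID_MODS_PATH lives on the conf partition, would surface that. Finally `$file` is interpolated into the generated PHP inside single quotes, so a file name containing a quote or backslash produces a broken or different statement on the peer; emitting the literal with `var_export($file, TRUE)` avoids that whatever the upload page accepts. snort_do_xmlrpc_sync() continues outside this hunk.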
@@ -2696,8 +3827,6 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
XML_RPC_encode($xml)
);
- /* set a few variables needed for sync code borrowed from filter.inc */
- $url = $synchronizetoip;
log_error("[snort] Beginning Snort pkg configuration XMLRPC sync to {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
@@ -2721,18 +3850,19 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
$downloadrulescmd = "";
if ($syncdownloadrules == "yes") {
$downloadrulescmd = "log_error(gettext(\"[snort] XMLRPC pkg sync: Update of downloaded rule sets requested...\"));\n";
- $downloadrulescmd .= "include_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n";
+ $downloadrulescmd .= "\tinclude_once(\"/usr/local/pkg/snort/snort_check_for_rule_updates.php\");\n";
}
$snortstart = "";
if ($syncstartsnort == "ON") {
- $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Checking Snort status...\"));\n";
- $snortstart .= "if (!is_process_running(\"snort\")) {\n";
- $snortstart .= "log_error(gettext(\"[snort] XMLRPC pkg sync: Snort not running. Sending a start command...\"));\n";
- $snortstart .= "exec(\"/usr/local/etc/rc.d/snort.sh start 2>&1 &\");\n}\n";
- $snortstart .= "else {log_error(gettext(\"[snort] XMLRPC pkg sync: Snort is running...\"));\n}\n";
+ $snortstart = "log_error(gettext(\"[snort] XMLRPC pkg sync: Starting Snort if not running...\"));\n";
+ $snortstart .= "\tsnort_start_all_interfaces(TRUE);\n";
}
- /* Build a series of commands as a PHP file for the secondary host to execute to load the new settings. */
+ /*************************************************/
+ /* Build a series of commands as a PHP file for */
+ /* the secondary host to execute to load the new */
+ /* settings. */
+ /*************************************************/
$snort_sync_cmd = <<<EOD
<?php
require_once("/usr/local/pkg/snort/snort.inc");
@@ -2747,7 +3877,9 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
unset(\$g["snort_postinstall"]);
log_error(gettext("[snort] XMLRPC pkg sync: Generating snort.conf file using Master Host settings..."));
\$rebuild_rules = true;
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
\$rebuild_rules = false;
{$snortstart}
log_error(gettext("[snort] XMLRPC pkg sync process on this host is complete..."));
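Review bot: The `conf_mount_rw();` / `conf_mount_ro();` pair added around sync_snort_package_config() in the generated command file has no error path: if the sync function fails or exits in between, the peer's conf partition is left read-write, and the unconditional calls differ from the `is_subsystem_dirty('mount')` guard this same commit adds in snort_deinstall(). Mirroring that guard in the generated script (`if (!is_subsystem_dirty('mount')) { conf_mount_rw(); \$mounted_rw = TRUE; }` and a matching conditional `conf_mount_ro()`) keeps the two consistent and avoids re-mounting a partition another process already has read-write. The heredoc is part of snort_do_xmlrpc_sync(), which starts outside this hunk.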
@@ -2758,7 +3890,10 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $username, $passw
EOD;
- /* First, have the target host write the commands to a PHP file in the /tmp directory */
+ /*************************************************/
+ /* First, have target host write the commands */
+ /* to a PHP file in the /tmp directory. */
+ /*************************************************/
$execcmd = "file_put_contents('/tmp/snort_sync_cmds.php', '{$snort_sync_cmd}');";
/* assemble xmlrpc payload */
@@ -2785,7 +3920,10 @@ EOD;
log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php).");
}
- /* Now assemble a command to execute the previously sent PHP file in the background */
+ /*************************************************/
+ /* Now assemble a command to execute the */
+ /* previously sent PHP file in the background. */
+ /*************************************************/
$execcmd = "exec(\"/usr/local/bin/php -f '/tmp/snort_sync_cmds.php' > /dev/null 2>&1 &\");";
$params2 = array(
XML_RPC_encode($password),
diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc
index 9fac78e0..1af0e783 100644
--- a/config/snort/snort.priv.inc
+++ b/config/snort/snort.priv.inc
@@ -37,9 +37,12 @@ $priv_list['page-services-snort']['match'][] = "snort/snort_rulesets.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_select_alias.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_stream5_engine.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_ip_list_mgmt.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_sid_mgmt.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_ip_reputation.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_iprep_list_browser.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_generate_conf.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_interface_logs.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_log_mgmt.php*";
$priv_list['page-services-snort']['match'][] = "widgets/javascript/snort_alerts.js*";
$priv_list['page-services-snort']['match'][] = "widgets/include/widget-snort.inc*";
$priv_list['page-services-snort']['match'][] = "widgets/widgets/snort_alerts.widget.php*";
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 663ce4eb..79c2a0c4 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -47,7 +47,7 @@
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
<version>2.9.6.2</version>
- <title>Services:2.9.6.2 pkg v3.1.2</title>
+ <title>Services:2.9.6.2 pkg v3.1.3</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -91,6 +91,16 @@
<additional_files_needed>
<prefix>/usr/local/pkg/snort/</prefix>
<chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_service_utils.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>755</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_pkg.sh</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
<item>https://packages.pfsense.org/packages/config/snort/snort_sync.xml</item>
</additional_files_needed>
<additional_files_needed>
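Review bot: The new `<chmod>077</chmod>` entries here and in the following hunk for the three `/usr/local/www/snort/` pages copy the mode of the surrounding lines, but read as an octal mode `077` gives the owner no permission bits and group/other rwx, which is unlikely to be the intent for PHP include files; `snort_pkg.sh` in this same hunk gets an explicit `755` and the sidmods sample files later get `0644`. Whether the installer applies this value literally cannot be told from the manifest, so this is inherited rather than introduced by the commit, but if it is applied as written the `.php` items would be better served by `0644`.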
@@ -254,6 +264,21 @@
<item>https://packages.pfsense.org/packages/config/snort/snort_iprep_list_browser.php</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_interface_logs.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_log_mgmt.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_sid_mgmt.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/pkg/snort/</prefix>
<chmod>077</chmod>
<item>https://packages.pfsense.org/packages/config/snort/snort_generate_conf.php</item>
@@ -273,13 +298,28 @@
<chmod>0644</chmod>
<item>https://packages.pfsense.org/packages/config/snort/widget-snort.inc</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/var/db/snort/sidmods/</prefix>
+ <chmod>0644</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/disablesid-sample.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/var/db/snort/sidmods/</prefix>
+ <chmod>0644</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/enablesid-sample.conf</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/var/db/snort/sidmods/</prefix>
+ <chmod>0644</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/modifysid-sample.conf</item>
+ </additional_files_needed>
<fields>
</fields>
<custom_add_php_command>
</custom_add_php_command>
<custom_php_resync_config_command>
<![CDATA[
- if ($GLOBALS['pfSense_snort_version'] == "3.1.2")
+ if ($GLOBALS['pfSense_snort_version'] == "3.1.3")
sync_snort_package_config();
]]>
</custom_php_resync_config_command>
diff --git a/config/snort/snort_alerts.js b/config/snort/snort_alerts.js
index 647eb1b1..8133b928 100644
--- a/config/snort/snort_alerts.js
+++ b/config/snort/snort_alerts.js
@@ -50,11 +50,11 @@ function snort_alerts_fetch_new_events_callback(callback_data) {
for(var x=0; x<data_split.length-1; x++) {
row_split = data_split[x].split("||");
var line = '';
- line = '<td class="' + snortWidgetColClass + '">' + row_split[0] + '<br/>' + row_split[1] + '</td>';
- line += '<td class="' + snortWidgetColClass + '" style="overflow: hidden; text-overflow: ellipsis;" nowrap>';
+ line = '<td class="listMRr">' + row_split[0] + '<br/>' + row_split[1] + '</td>';
+ line += '<td class="listMRr" style="overflow: hidden; text-overflow: ellipsis;" nowrap>';
line += '<div style="display:inline;" title="' + row_split[2] + '">' + row_split[2] + '</div><br/>';
line += '<div style="display:inline;" title="' + row_split[3] + '">' + row_split[3] + '</div></td>';
- line += '<td class="' + snortWidgetColClass + '">' + 'Priority: ' + row_split[4] + ' ' + row_split[5] + '</td>';
+ line += '<td class="listMRr"><div style="display: fixed; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; line-height: 1.2em; max-height: 2.4em; overflow: hidden; text-overflow: ellipsis;" title="' + row_split[4] + '">' + row_split[4] + '</div></td>';
new_data_to_add[new_data_to_add.length] = line;
}
snort_alerts_update_div_rows(new_data_to_add);
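Review bot: `row_split[4]` (the rule message text) is concatenated into the `title="…"` attribute and the element body without any HTML escaping, so a quote or angle bracket in a rule's msg string breaks out of the attribute or injects markup into the dashboard. The previous column only carried the priority number and classification, whereas the message is free-form text from rule files, including custom rules. The escaping is best done once on the server where the response line is built in the widget's getNewAlerts hunk, e.g. `$response .= $a['dst'] . "||" . htmlspecialchars($a['msg']) . "\n";`, and the same applies to the widget's PHP-rendered table hunk, where `$alert['msg']` is interpolated raw into `title='…'` and the cell body. A message containing the `||` separator or a newline would also shift the client-side columns, so stripping those from `$a['msg']` before joining is worth considering. The enclosing function `snort_alerts_fetch_new_events_callback` starts before this hunk.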
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index c04f4e31..3f3159a6 100755
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -42,6 +42,7 @@ require_once("/usr/local/pkg/snort/snort.inc");
$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
$supplist = array();
$snortlogdir = SNORTLOGDIR;
+$filterlogentries = FALSE;
function snort_is_alert_globally_suppressed($list, $gid, $sid) {
@@ -125,7 +126,9 @@ function snort_add_supplist_entry($suppress) {
/* tell Snort to load it, and return true; otherwise return false. */
if ($found_list) {
write_config("Snort pkg: modified Suppress List {$list_name}.");
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
snort_reload_config($a_instance[$instanceid]);
return true;
}
@@ -133,6 +136,32 @@ function snort_add_supplist_entry($suppress) {
return false;
}
+function snort_escape_filter_regex($filtertext) {
+ /* If the caller (user) has not already put a backslash before a slash, to escape it in the regex, */
+ /* then this will do it. Take out any "\/" already there, then turn all ordinary "/" into "\/". */
+ return str_replace('/', '\/', str_replace('\/', '/', $filtertext));
+}
+
+function snort_match_filter_field($flent, $fields) {
+ foreach ($fields as $key => $field) {
+ if ($field == null)
+ continue;
+ if ((strpos($field, '!') === 0)) {
+ $field = substr($field, 1);
+ $field_regex = snort_escape_filter_regex($field);
+ if (@preg_match("/{$field_regex}/i", $flent[$key]))
+ return false;
+ }
+ else {
+ $field_regex = snort_escape_filter_regex($field);
+ if (!@preg_match("/{$field_regex}/i", $flent[$key]))
+ return false;
+ }
+ }
+ return true;
+}
+
+
if (isset($_POST['instance']) && is_numericint($_POST['instance']))
$instanceid = $_POST['instance'];
elseif (isset($_GET['instance']) && is_numericint($_GET['instance']))
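Review bot: `snort_match_filter_field` suppresses PCRE errors with `@preg_match`, and the two branches then disagree on what an invalid pattern means: in the include branch a `false` result hides every row, in the `!`-exclude branch it keeps every row, and nothing tells the user the pattern was rejected. Since `snort_escape_filter_regex` only escapes `/`, any other unbalanced metacharacter the user types (an open `(` or `[`) reaches the regex compiler. The pattern should be validated once where the filter fields are read from `$_POST` in the next hunk, e.g. `if (@preg_match("/" . snort_escape_filter_regex(ltrim($v, '!')) . "/i", '') === false) $input_errors[] = gettext("Invalid regular expression in filter field.");`, so the matcher only ever sees compilable patterns. A header comment on `snort_match_filter_field` stating that `$fields` is indexed like the decoded alert line and that a `null` entry means no constraint on that field would also help, and the `$field == null` loose comparison can be `=== null` since the caller stores either a string or `null`.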
@@ -180,6 +209,35 @@ if (isset($_POST['resolve'])) {
}
# --- AJAX REVERSE DNS RESOLVE End ---
+if ($_POST['filterlogentries_submit']) {
+ // Set flag for filtering alert entries
+ $filterlogentries = TRUE;
+
+ // -- IMPORTANT --
+ // Note the order of these fields must match the order decoded from the alerts log
+ $filterfieldsarray = array();
+ $filterfieldsarray[0] = $_POST['filterlogentries_time'] ? $_POST['filterlogentries_time'] : null;
+ $filterfieldsarray[1] = $_POST['filterlogentries_gid'] ? $_POST['filterlogentries_gid'] : null;
+ $filterfieldsarray[2] = $_POST['filterlogentries_sid'] ? $_POST['filterlogentries_sid'] : null;
+ $filterfieldsarray[3] = null;
+ $filterfieldsarray[4] = $_POST['filterlogentries_description'] ? $_POST['filterlogentries_description'] : null;
+ $filterfieldsarray[5] = $_POST['filterlogentries_protocol'] ? $_POST['filterlogentries_protocol'] : null;
+ // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation
+ $filterfieldsarray[6] = $_POST['filterlogentries_sourceipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_sourceipaddress']) : null;
+ $filterfieldsarray[7] = $_POST['filterlogentries_sourceport'] ? $_POST['filterlogentries_sourceport'] : null;
+ // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation
+ $filterfieldsarray[8] = $_POST['filterlogentries_destinationipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_destinationipaddress']) : null;
+ $filterfieldsarray[9] = $_POST['filterlogentries_destinationport'] ? $_POST['filterlogentries_destinationport'] : null;
+ $filterfieldsarray[10] = null;
+ $filterfieldsarray[11] = $_POST['filterlogentries_classification'] ? $_POST['filterlogentries_classification'] : null;
+ $filterfieldsarray[12] = $_POST['filterlogentries_priority'] ? $_POST['filterlogentries_priority'] : null;
+}
+
+if ($_POST['filterlogentries_clear']) {
+ $filterlogentries = TRUE;
+ $filterfieldsarray = array();
+}
+
if ($_POST['save']) {
if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
$config['installedpackages']['snortglobal']['alertsblocks'] = array();
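Review bot: The `$_POST[x] ? $_POST[x] : null` pattern used for every filter field treats the string `"0"` as empty, so a filter whose value is literally `0` (a port, for instance) silently becomes no filter for that field. Testing for presence and a non-empty string instead, e.g. `$filterfieldsarray[7] = (isset($_POST['filterlogentries_sourceport']) && $_POST['filterlogentries_sourceport'] !== '') ? $_POST['filterlogentries_sourceport'] : null;`, keeps the intended blank-means-unconstrained behaviour without dropping zero. The `if ($_POST['filterlogentries_submit'])` and `['filterlogentries_clear']` tests also read keys that are absent on a normal page load; `!empty(...)` avoids the notices.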
@@ -325,11 +383,11 @@ if ($_POST['delete']) {
}
if ($_POST['download']) {
- $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $save_date = date("Y-m-d-H-i-s");
$file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz";
- exec("cd {$snortlogdir}/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *");
+ exec("cd {$snortlogdir}/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf {$g['tmp_path']}/{$file_name} *");
- if (file_exists("/tmp/{$file_name}")) {
+ if (file_exists("{$g['tmp_path']}/{$file_name}")) {
ob_start(); //important or other posts will fail
if (isset($_SERVER['HTTPS'])) {
header('Pragma: ');
@@ -339,13 +397,13 @@ if ($_POST['download']) {
header("Cache-Control: private, must-revalidate");
}
header("Content-Type: application/octet-stream");
- header("Content-length: " . filesize("/tmp/{$file_name}"));
+ header("Content-length: " . filesize("{$g['tmp_path']}/{$file_name}"));
header("Content-disposition: attachment; filename = {$file_name}");
ob_end_clean(); //important or other post will fail
- readfile("/tmp/{$file_name}");
+ readfile("{$g['tmp_path']}/{$file_name}");
// Clean up the temp file
- @unlink("/tmp/{$file_name}");
+ unlink_if_exists("{$g['tmp_path']}/{$file_name}");
}
else
$savemsg = gettext("An error occurred while creating archive");
@@ -393,7 +451,9 @@ if ($savemsg) {
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -440,9 +500,97 @@ if ($savemsg) {
</td>
</tr>
<tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("Alert Log View Filter"); ?></td>
+ </tr>
+ <tr id="filter_enable_row" style="display:<?php if (!$filterlogentries) {echo "table-row;";} else {echo "none;";} ?>">
+ <td width="22%" class="vncell"><?php echo gettext('Alert Log Filter Options'); ?></td>
+ <td width="78%" class="vtable">
+ <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" onclick="enable_showFilter();" />
+ &nbsp;&nbsp;<?=gettext("Click to display advanced filtering options dialog");?>
+ </td>
+ </tr>
+ <tr id="filter_options_row" style="display:<?php if (!$filterlogentries) {echo "none;";} else {echo "table-row;";} ?>">
+ <td colspan="2">
+ <table width="100%" border="0" cellpadding="0" cellspacing="1" summary="action">
+ <tr>
+ <td valign="top">
+ <div align="center"><?=gettext("Date");?></div>
+ <div align="center"><input id="filterlogentries_time" name="filterlogentries_time" class="formfld search" type="text" size="10" value="<?= $filterfieldsarray[0] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("Source IP Address");?></div>
+ <div align="center"><input id="filterlogentries_sourceipaddress" name="filterlogentries_sourceipaddress" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[6] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("Source Port");?></div>
+ <div align="center"><input id="filterlogentries_sourceport" name="filterlogentries_sourceport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[7] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("Description");?></div>
+ <div align="center"><input id="filterlogentries_description" name="filterlogentries_description" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[4] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("GID");?></div>
+ <div align="center"><input id="filterlogentries_gid" name="filterlogentries_gid" class="formfld search" type="text" size="6" value="<?= $filterfieldsarray[1] ?>" /></div>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top">
+ <div align="center"><?=gettext("Priority");?></div>
+ <div align="center"><input id="filterlogentries_priority" name="filterlogentries_priority" class="formfld search" type="text" size="10" value="<?= $filterfieldsarray[12] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("Destination IP Address");?></div>
+ <div align="center"><input id="filterlogentries_destinationipaddress" name="filterlogentries_destinationipaddress" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("Destination Port");?></div>
+ <div align="center"><input id="filterlogentries_destinationport" name="filterlogentries_destinationport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("Classification");?></div>
+ <div align="center"><input id="filterlogentries_classification" name="filterlogentries_classification" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[11] ?>" /></div>
+ </td>
+ <td valign="top">
+ <div align="center"><?=gettext("SID");?></div>
+ <div align="center"><input id="filterlogentries_sid" name="filterlogentries_sid" class="formfld search" type="text" size="6" value="<?= $filterfieldsarray[2] ?>" /></div>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top">
+ <div align="center"><?=gettext("Protocol");?></div>
+ <div align="center"><input id="filterlogentries_protocol" name="filterlogentries_protocol" class="formfld search" type="text" size="10" value="<?= $filterfieldsarray[5] ?>" /></div>
+ </td>
+ <td valign="top">
+ </td>
+ <td valign="top">
+ </td>
+ <td colspan="2" style="vertical-align:bottom">
+ <div align="right"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" class="formbtns" value="<?=gettext("Filter");?>" title="<?=gettext("Apply filter"); ?>" />
+ &nbsp;&nbsp;&nbsp;<input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" />
+ &nbsp;&nbsp;&nbsp;<input id="filterlogentries_hide" name="filterlogentries_hide" type="button" class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" title="<?=gettext("Hide filter options");?>" /></div>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="5" style="vertical-align:bottom">
+ &nbsp;<?printf(gettext('Matches %1$s regular expression%2$s.'), '<a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?>&nbsp;&nbsp;
+ <?=gettext("Precede with exclamation (!) as first character to exclude match.");?>&nbsp;&nbsp;
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <?php if ($filterlogentries) : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?>&nbsp;&nbsp;
+ <?php echo gettext("(Most recent listed first) ** FILTERED VIEW ** clear filter to see all entries"); ?></td>
+ </tr>
+ <?php else: ?>
+ <tr>
<td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?>&nbsp;&nbsp;
<?php echo gettext("(Most recent entries are listed first)"); ?></td>
</tr>
+ <?php endif; ?>
<tr>
<td width="100%" colspan="2">
<table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="0" cellpadding="0" cellspacing="0">
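Review bot: The eleven filter inputs echo `$filterfieldsarray[n]` straight into `value="…"` attributes without `htmlspecialchars()`, so the text a user submits is reflected into the page unescaped and a quote in it breaks out of the attribute. Each should read `value="<?=htmlspecialchars($filterfieldsarray[0]);?>"` (and likewise for indices 1, 2, 4–9, 11 and 12). On a page load without a filter `$filterfieldsarray` is never defined, so these reads also raise notices; initialising it to `array()` next to `$filterlogentries = FALSE;` near the top of the file covers both the unfiltered view and the Clear branch.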
@@ -477,17 +625,21 @@ if ($savemsg) {
/* make sure alert file exists */
if (file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert")) {
- exec("tail -{$anentries} -r {$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}");
- if (file_exists("/tmp/alert_{$snort_uuid}")) {
+ exec("tail -{$anentries} -r {$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert > {$g['tmp_path']}/alert_{$snort_uuid}");
+ if (file_exists("{$g['tmp_path']}/alert_{$snort_uuid}")) {
$tmpblocked = array_flip(snort_get_blocked_ips());
$counter = 0;
/* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
/* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
- $fd = fopen("/tmp/alert_{$snort_uuid}", "r");
+ $fd = fopen("{$g['tmp_path']}/alert_{$snort_uuid}", "r");
while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
if(count($fields) < 13)
continue;
+ if ($filterlogentries && !snort_match_filter_field($fields, $filterfieldsarray)) {
+ continue;
+ }
+
/* Time */
$alert_time = substr($fields[0], strpos($fields[0], '-')+1, -8);
/* Date */
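Review bot: The filter is applied after `tail -{$anentries}` has already truncated the log, so a filtered view shows the matches among the most recent `$anentries` lines rather than the most recent `$anentries` matching lines; with a selective filter the table can come back nearly empty even though older matches exist. That is a reasonable trade-off for not scanning the whole file, but it should be stated next to the check, e.g. `/* Filter only within the last $anentries lines already selected by tail above */`, and the "FILTERED VIEW" heading could say the same. If the other behaviour is intended, the `tail` would have to go and the loop run over the whole file until `$counter` reaches `$anentries`.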
@@ -598,7 +750,7 @@ if (file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert")) {
$counter++;
}
fclose($fd);
- @unlink("/tmp/alert_{$snort_uuid}");
+ unlink_if_exists("{$g['tmp_path']}/alert_{$snort_uuid}");
}
}
?>
@@ -629,6 +781,17 @@ function encRuleSig(rulegid,rulesid,srcip,ruledescr) {
document.getElementById("ip").value = srcip;
document.getElementById("descr").value = ruledescr;
}
+
+function enable_showFilter() {
+ document.getElementById("filter_enable_row").style.display="none";
+ document.getElementById("filter_options_row").style.display="table-row";
+}
+
+function enable_hideFilter() {
+ document.getElementById("filter_enable_row").style.display="table-row";
+ document.getElementById("filter_options_row").style.display="none";
+}
+
</script>
<!-- The following AJAX code was borrowed from the diag_logs_filter.php -->
diff --git a/config/snort/snort_alerts.widget.php b/config/snort/snort_alerts.widget.php
index 0700ef2a..552dab61 100644
--- a/config/snort/snort_alerts.widget.php
+++ b/config/snort/snort_alerts.widget.php
@@ -39,19 +39,10 @@ if (!is_array($config['installedpackages']['snortglobal']['rule']))
$config['installedpackages']['snortglobal']['rule'] = array();
$a_instance = &$config['installedpackages']['snortglobal']['rule'];
-// Test pfSense version and set different CSS class variables
-// depending on version. 2.1 offers enhanced CSS styles.
-$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pfs_version > '2.0') {
- $alertRowEvenClass = "listMReven";
- $alertRowOddClass = "listMRodd";
- $alertColClass = "listMRr";
-}
-else {
- $alertRowEvenClass = "listr";
- $alertRowOddClass = "listr";
- $alertColClass = "listr";
-}
+// Set some CSS class variables
+$alertRowEvenClass = "listMReven";
+$alertRowOddClass = "listMRodd";
+$alertColClass = "listMRr";
/* check if Snort widget alert display lines value is set */
$snort_nentries = $config['widgets']['widget_snort_display_lines'];
@@ -93,7 +84,7 @@ if (isset($_GET['getNewAlerts'])) {
$counter = 0;
foreach ($s_alerts as $a) {
$response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||";
- $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . "\n";
+ $response .= $a['dst'] . "||" . $a['msg'] . "\n";
$counter++;
if($counter >= $snort_nentries)
break;
@@ -165,8 +156,7 @@ function snort_widget_get_alerts() {
// Add the DST PORT if not null
if (!empty($fields[9]))
$snort_alerts[$counter]['dst'] .= ":" . trim($fields[9]);
- $snort_alerts[$counter]['priority'] = trim($fields[12]);
- $snort_alerts[$counter]['category'] = trim($fields[11]);
+ $snort_alerts[$counter]['msg'] = trim($fields[4]);
$counter++;
};
fclose($fd);
@@ -205,7 +195,7 @@ function snort_widget_get_alerts() {
<tr>
<th class="widgetsubheader"><?=gettext("IF/Date");?></th>
<th class="widgetsubheader"><?=gettext("Src/Dst Address");?></th>
- <th class="widgetsubheader"><?=gettext("Classification");?></th>
+ <th class="widgetsubheader"><?=gettext("Description");?></th>
</tr>
</thead>
<tbody id="snort-alert-entries">
@@ -216,9 +206,9 @@ function snort_widget_get_alerts() {
foreach ($snort_alerts as $alert) {
$alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass;
echo(" <tr class='" . $alertRowClass . "'>
- <td class='" . $alertColClass . "'>" . $alert['instanceid'] . "&nbsp;" . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td>
- <td class='" . $alertColClass . "' style='overflow: hidden; text-overflow: ellipsis;' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td>
- <td class='" . $alertColClass . "'>Priority: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>");
+ <td class='listMRr'>" . $alert['instanceid'] . "&nbsp;" . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td>
+ <td class='listMRr' style='overflow: hidden; text-overflow: ellipsis;' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td>
+ <td class='listMRr'><div style='display: fixed; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; line-height: 1.2em; max-height: 2.4em; overflow: hidden; text-overflow: ellipsis;' title='{$alert['msg']}'>" . $alert['msg'] . "</div></td></tr>");
$counter++;
if($counter >= $snort_nentries)
break;
@@ -233,9 +223,8 @@ function snort_widget_get_alerts() {
<!-- needed in the snort_alerts.js file code -->
var snortupdateDelay = 10000; // update every 10 seconds
var snort_nentries = <?=$snort_nentries;?>; // number of alerts to display (5 is default)
- var snortWidgetRowEvenClass = "<?=$alertRowEvenClass;?>"; // allows alternating background on 2.1 and higher
- var snortWidgetRowOddClass = "<?=$alertRowOddClass;?>"; // allows alternating background on 2.1 and higher
- var snortWidgetColClass = "<?=$alertColClass;?>"; // sets column CSS style (different on 2.1 and higher)
+ var snortWidgetRowEvenClass = "<?=$alertRowEvenClass;?>"; // allows alternating background
+ var snortWidgetRowOddClass = "<?=$alertRowOddClass;?>"; // allows alternating background
<!-- needed to display the widget settings menu -->
selectIntLink = "snort_alerts-configure";
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index 902c1637..b3e3723e 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -57,8 +57,8 @@ $retentions = array( '0' => gettext('KEEP ALL'), '24' => gettext('1 DAY'), '168'
'720' => gettext('30 DAYS'), '1080' => gettext("45 DAYS"), '2160' => gettext('90 DAYS'), '4320' => gettext('180 DAYS'),
'8766' => gettext('1 YEAR'), '26298' => gettext("3 YEARS") );
-$log_sizes = array( '0' => gettext('NO LIMIT'), '8' => gettext('8 MB'), '16' => gettext('16 MB'), '32' => gettext('32 MB'),
- '64' => gettext('64 MB'), '128' => gettext('128 MB'), '256' => gettext('256 MB') );
+$log_sizes = array( '0' => gettext('NO LIMIT'), '128K' => '128 KB', '256K' => '256 KB', '512K' => '512 KB', '1M' => '1 MB', '4M' => '4 MB', '8M' => gettext('8 MB'),
+ '16M' => gettext('16 MB'), '32M' => gettext('32 MB'), '64M' => gettext('64 MB'), '128M' => gettext('128 MB'), '256M' => gettext('256 MB') );
if (isset($id) && $a_nat[$id]) {
$pconfig = $a_nat[$id];
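Review bot: The `$log_sizes` keys change from bare megabyte numbers (`'32'`) to unit-suffixed strings (`'32M'`, `'128K'`), and the default in the next hunk becomes `"128K"`, but an existing `unified2_log_limit` stored as `"32"` no longer matches any key, so the select renders with nothing selected and whatever consumes the value downstream receives a number without a unit. Unless a migration elsewhere in this commit rewrites stored values (snort.inc is not visible here), a one-line fallback when the config is loaded, e.g. `if (is_numeric($pconfig['unified2_log_limit'])) $pconfig['unified2_log_limit'] .= "M";`, would keep existing settings meaningful.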
@@ -69,7 +69,7 @@ if (isset($id) && $a_nat[$id]) {
if (empty($a_nat[$id]['barnyard_show_year']))
$pconfig['barnyard_show_year'] = "on";
if (empty($a_nat[$id]['unified2_log_limit']))
- $pconfig['unified2_log_limit'] = "32";
+ $pconfig['unified2_log_limit'] = "128K";
if (empty($a_nat[$id]['barnyard_archive_enable']))
$pconfig['barnyard_archive_enable'] = "on";
if (empty($a_nat[$id]['u2_archived_log_retention']))
@@ -91,6 +91,30 @@ if (isset($id) && $a_nat[$id]) {
}
if ($_POST['save']) {
+
+ // If disabling Barnyard2 on the interface, stop any
+ // currently running instance, then save the disabled
+ // state and exit.
+ if ($_POST['barnyard_enable'] != 'on') {
+ $a_nat[$id]['barnyard_enable'] = 'off';
+ write_config("Snort pkg: modified Barnyard2 settings.");
+ touch("{$g['varrun_path']}/barnyard2_{$uuid}.disabled");
+ snort_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface']));
+
+ // No need to rebuild rules for Barnyard2 changes
+ $rebuild_rules = false;
+ conf_mount_rw();
+ sync_snort_package_config();
+ conf_mount_ro();
+ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
+ header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+ header( 'Cache-Control: post-check=0, pre-check=0', false );
+ header( 'Pragma: no-cache' );
+ header("Location: /snort/snort_barnyard.php");
+ exit;
+ }
+
// Check that at least one output plugin is enabled
if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' &&
$_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on")
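Review bot: The new early-return branch persists only `barnyard_enable = 'off'` and exits, so any other field submitted in the same form is discarded, and while Barnyard2 is disabled no other Barnyard2 setting can be saved, because a save with the checkbox unchecked always takes this path. If that is intended it should be stated in the comment, e.g. `// Other fields are intentionally not saved while Barnyard2 is disabled`; otherwise the branch should fall through to the normal `$natent` assembly and only skip the output-plugin validation. The comment at the end of a later hunk (`// If disabling Barnyard2 on the interface, stop any currently running instance`) now describes a case that can no longer reach that code. `$uuid` and `$id` are defined before this hunk; their validation is not visible here.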
@@ -106,6 +130,12 @@ if ($_POST['save']) {
$input_errors[] = gettext("You must provide a DB user login name when logging to a MySQL database.");
}
+ // Validate Sensor Name contains no spaces
+ if ($_POST['barnyard_enable'] == 'on') {
+ if (!empty($_POST['barnyard_sensor_name']) && strpos($_POST['barnyard_sensor_name'], " ") !== FALSE)
+ $input_errors[] = gettext("The value for 'Sensor Name' cannot contain spaces.");
+ }
+
// Validate inputs if syslog output enabled
if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
if ($_POST['barnyard_log_vlan_events'] == 'on' || $_POST['barnyard_log_mpls_events'] == 'on')
@@ -161,14 +191,16 @@ if ($_POST['save']) {
if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO';
if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']);
if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760';
- if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']);
+ if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['barnconfigpassthru'])); else unset($natent['barnconfigpassthru']);
$a_nat[$id] = $natent;
write_config("Snort pkg: modified Barnyard2 settings.");
// No need to rebuild rules for Barnyard2 changes
$rebuild_rules = false;
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
// If disabling Barnyard2 on the interface, stop any
// currently running instance. If an instance is
@@ -230,7 +262,9 @@ include_once("head.inc");
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td>';
@@ -243,6 +277,7 @@ include_once("head.inc");
$tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/snort/snort_barnyard.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -275,7 +310,7 @@ include_once("head.inc");
<?php if ($k == $pconfig['unified2_log_limit']) echo "selected"; ?>>
<?=htmlspecialchars($p);?></option>
<?php endforeach; ?>
- </select>&nbsp;<?php echo gettext("Choose a Unified2 Log file size limit in megabytes (MB). Default is "); ?><strong><?=gettext("32 MB.");?></strong><br/><br/>
+ </select>&nbsp;<?php echo gettext("Choose a Unified2 Log file size limit. Default is "); ?><strong><?=gettext("128 KB.");?></strong><br/><br/>
<?php echo gettext("This sets the maximum size for a Unified2 Log file before it is rotated and a new one created."); ?>
</td>
</tr>
@@ -418,7 +453,7 @@ include_once("head.inc");
<input name="barnyard_syslog_local" type="checkbox" value="on" <?php if ($pconfig['barnyard_syslog_local'] == "on") echo "checked"; ?>
onClick="toggle_local_syslog()"/>
<?php echo gettext("Enable logging of alerts to the local system only"); ?><br/>
- <?php echo gettext("This will send alert data to the local system only and overrides the host, port, protocol, facility and priority values below."); ?></td>
+ <?php echo gettext("This will send alert data to the local system only and overrides the host, port, and protocol values below."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td>
@@ -461,7 +496,7 @@ include_once("head.inc");
echo "<option value='{$facility}'{$selected}>" . $facility . "</option>\n";
}
?></select>&nbsp;&nbsp;
- <?php echo gettext("Select Syslog Facility to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_USER") . "</strong>."; ?>
+ <?php echo gettext("Select Syslog Facility to use for reporting. Default is ") . "<strong>" . gettext("LOG_USER") . "</strong>."; ?>
</td>
</tr>
<tr>
@@ -477,7 +512,7 @@ include_once("head.inc");
echo "<option value='{$priority}'{$selected}>" . $priority . "</option>\n";
}
?></select>&nbsp;&nbsp;
- <?php echo gettext("Select Syslog Priority (Level) to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_INFO") . "</strong>."; ?>
+ <?php echo gettext("Select Syslog Priority (Level) to use for reporting. Default is ") . "<strong>" . gettext("LOG_INFO") . "</strong>."; ?>
</td>
</tr>
</tbody>
@@ -583,8 +618,6 @@ function toggle_local_syslog() {
document.iform.barnyard_syslog_dport.disabled = endis;
document.iform.barnyard_syslog_proto_udp.disabled = endis;
document.iform.barnyard_syslog_proto_tcp.disabled = endis;
- document.iform.barnyard_syslog_facility.disabled = endis;
- document.iform.barnyard_syslog_priority.disabled = endis;
}
}
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 087724e3..39119210 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -89,22 +89,22 @@ if ($_POST['download'])
exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save);
/* build the list */
if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) {
- $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $save_date = date("Y-m-d-H-i-s");
$file_name = "snort_blocked_{$save_date}.tar.gz";
- exec('/bin/mkdir -p /tmp/snort_blocked');
- file_put_contents("/tmp/snort_blocked/snort_block.pf", "");
+ safe_mkdir("{$g['tmp_path']}/snort_blocked");
+ file_put_contents("{$g['tmp_path']}/snort_blocked/snort_block.pf", "");
foreach($blocked_ips_array_save as $counter => $fileline) {
if (empty($fileline))
continue;
$fileline = trim($fileline, " \n\t");
- file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND);
+ file_put_contents("{$g['tmp_path']}/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND);
}
// Create a tar gzip archive of blocked host IP addresses
- exec("/usr/bin/tar -czf /tmp/{$file_name} -C/tmp/snort_blocked snort_block.pf");
+ exec("/usr/bin/tar -czf {$g['tmp_path']}/{$file_name} -C{$g['tmp_path']}/snort_blocked snort_block.pf");
// If we successfully created the archive, send it to the browser.
- if(file_exists("/tmp/{$file_name}")) {
+ if(file_exists("{$g['tmp_path']}/{$file_name}")) {
ob_start(); //important or other posts will fail
if (isset($_SERVER['HTTPS'])) {
header('Pragma: ');
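Review bot: The tar command on the `exec(...)` line still interpolates `$g['tmp_path']` and `$file_name` into a shell string unquoted, and its exit status is never read — the only success signal is the `file_exists()` check that follows, which cannot distinguish a fresh archive from a leftover of an earlier run that failed before clean-up. Quote the paths and capture the status, e.g. `exec("/usr/bin/tar -czf " . escapeshellarg("{$g['tmp_path']}/{$file_name}") . " -C" . escapeshellarg("{$g['tmp_path']}/snort_blocked") . " snort_block.pf", $out, $rc);` and gate the download on `$rc === 0 && file_exists(...)`. The archive and the `snort_blocked` working directory are also created under a predictable name in the shared temp directory; if that directory is world-writable on the target system, a per-run directory from `tempnam()` would avoid pre-created files or symlinks at that path. The enclosing `if ($_POST['download'])` block begins before this hunk.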
@@ -114,14 +114,14 @@ if ($_POST['download'])
header("Cache-Control: private, must-revalidate");
}
header("Content-Type: application/octet-stream");
- header("Content-length: " . filesize("/tmp/{$file_name}"));
+ header("Content-length: " . filesize("{$g['tmp_path']}/{$file_name}"));
header("Content-disposition: attachment; filename = {$file_name}");
ob_end_clean(); //important or other post will fail
- readfile("/tmp/{$file_name}");
+ readfile("{$g['tmp_path']}/{$file_name}");
// Clean up the temp files and directory
- @unlink("/tmp/{$file_name}");
- exec("/bin/rm -fr /tmp/snort_blocked");
+ unlink_if_exists("{$g['tmp_path']}/{$file_name}");
+ rmdir_recursive("{$g['tmp_path']}/snort_blocked");
} else
$savemsg = gettext("An error occurred while creating archive");
} else
@@ -183,7 +183,9 @@ if ($savemsg) {
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc
index 9a1c7833..b39d8d1c 100644
--- a/config/snort/snort_check_cron_misc.inc
+++ b/config/snort/snort_check_cron_misc.inc
@@ -33,6 +33,7 @@
require_once("/usr/local/pkg/snort/snort.inc");
$snortlogdir = SNORTLOGDIR;
+global $g, $config;
function snort_check_dir_size_limit($snortloglimitsize) {
@@ -56,9 +57,9 @@ function snort_check_dir_size_limit($snortloglimitsize) {
conf_mount_rw();
// Truncate the Rules Update Log file if it exists
- if (file_exists(RULES_UPD_LOGFILE)) {
+ if (file_exists(SNORT_RULES_UPD_LOGFILE)) {
log_error(gettext("[Snort] Truncating the Rules Update Log file..."));
- @file_put_contents(RULES_UPD_LOGFILE, "");
+ @file_put_contents(SNORT_RULES_UPD_LOGFILE, "");
}
// Clean-up the logs for each configured Snort instance
@@ -74,6 +75,16 @@ function snort_check_dir_size_limit($snortloglimitsize) {
@file_put_contents("{$snort_log_dir}/alert", "");
}
+ // Cleanup any rotated perfmon stats logs
+ $files = array();
+ $list = glob("{$snort_log_dir}/*");
+ foreach ($list as $file) {
+ if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.]?[\d+]?)/', basename($file), $matches))
+ $files[] = $snort_log_dir . "/" . $matches[1];
+ }
+ foreach ($files as $file)
+ unlink_if_exists($file);
+
// This is needed if snort is run as snort user
mwexec('/bin/chmod 660 {$snort_log_dir}/*', true);
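Review bot: The pattern `'/(^\d{4}-\d{2}-\d{2}[\.]?[\d+]?)/'` on the new `preg_match` line captures at most one character after the date, because `[\d+]?` is a one-character class (a digit or a literal `+`), not `\d+`; rebuilding the path from `$matches[1]` therefore points at a name that may not exist on disk, and `unlink_if_exists()` silently skips it. Since `glob()` already returns full paths, store `$files[] = $file;` and tighten the match to `'/^\d{4}-\d{2}-\d{2}(\.\d+)?$/'` (assuming the intent is a date optionally followed by a dotted numeric suffix — worth confirming against an actual rolled perfmon file name). The same pattern and path reconstruction are repeated in the main-code hunk below, in the perfmon stats pruning loop. Separately, the `mwexec('/bin/chmod 660 {$snort_log_dir}/*', true)` context line uses single quotes, so `{$snort_log_dir}` is never interpolated and the chmod targets a literal path; that predates this commit but is worth fixing alongside it. The enclosing function `snort_check_dir_size_limit()` starts before this hunk.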
@@ -88,6 +99,56 @@ function snort_check_dir_size_limit($snortloglimitsize) {
}
}
+function snort_check_rotate_log($log_file, $log_limit, $retention) {
+
+ /********************************************************
+ * This function checks the passed log file against *
+ * the passed size limit and rotates the log file if *
+ * necessary. It also checks the age of previously *
+ * rotated logs and removes those older than the *
+ * rentention parameter. *
+ * *
+ * On Entry: $log_file -> full pathname/filename of *
+ * log file to check *
+ * $log_limit -> size of file in bytes to *
+ * trigger rotation. Zero *
+ * means no rotation. *
+ * $retention -> retention period in hours *
+ * for rotated logs. Zero *
+ * means never remove. *
+ ********************************************************/
+
+ // Check the current log to see if it needs rotating.
+ // If it does, rotate it and put the current time
+ // on the end of the filename as UNIX timestamp.
+ if (!file_exists($log_file))
+ return;
+ if (($log_limit > 0) && (filesize($log_file) >= $log_limit)) {
+ $newfile = $log_file . "." . strval(time());
+ try {
+ copy($log_file, $newfile);
+ file_put_contents($log_file, "");
+ } catch (Exception $e) {
+ log_error("[Snort] Failed to rotate file '{$log_file}' -- error was {$e->getMessage()}");
+ }
+ }
+
+ // Check previously rotated logs to see if time to
+ // delete any older than the retention period.
+ // Rotated logs have a UNIX timestamp appended to
+ // filename.
+ if ($retention > 0) {
+ $now = time();
+ $rotated_files = glob("{$log_file}.*");
+ foreach ($rotated_files as $file) {
+ if (($now - filemtime($file)) > ($retention * 3600))
+ unlink_if_exists($file);
+ }
+ unset($rotated_files);
+ }
+}
+
+
/*************************
* Start of main code *
*************************/
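Review bot: The `try`/`catch` around `copy()` and `file_put_contents()` in `snort_check_rotate_log()` can never fire, because both functions report failure by returning `false` (with a warning) rather than throwing; a failed copy is therefore followed by an unconditional truncation of the live log and its contents are lost. Check the return value and only truncate after the copy succeeded: `if (copy($log_file, $newfile) === false) { log_error("[Snort] Failed to rotate file '{$log_file}'"); } elseif (file_put_contents($log_file, "") === false) { log_error("[Snort] Failed to truncate '{$log_file}' after rotation"); }`. Copy-then-truncate is also not atomic, so events appended by the running daemon between the two calls are dropped; a rename followed by asking the writer to reopen its file would avoid that, if the daemon supports it. The retention loop's `glob("{$log_file}.*")` matches anything with the log's name as a prefix, not only the timestamped copies this function creates, so a sibling file such as `alert.bak` would be aged out too.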
@@ -96,27 +157,77 @@ function snort_check_dir_size_limit($snortloglimitsize) {
if ($g['booting'] == true)
return;
+$logs = array ();
+
+// Build an array of files to check and limits to check them against from our saved configuration
+$logs['sid_changes.log']['limit'] = $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'];
+$logs['sid_changes.log']['retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];
+
// If no interfaces defined, there is nothing to clean up
if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
-// Check unified2 archived log retention in the interface logging directories if enabled
-foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
- $if_real = get_real_interface($value['interface']);
- $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$value['uuid']}";
- if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) {
- $now = time();
- $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*");
- $prune_count = 0;
- foreach ($files as $f) {
- if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) {
- $prune_count++;
- unlink_if_exists($f);
+// Check log limits and retention in the interface logging directories if enabled
+if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on') {
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
+ $if_real = get_real_interface($value['interface']);
+ $snort_log_dir = SNORTLOGDIR . "/snort_{$if_real}{$value['uuid']}";
+ foreach ($logs as $k => $p) {
+ snort_check_rotate_log("{$snort_log_dir}/{$k}", $p['limit']*1024, $p['retention']);
+ }
+
+ // Prune aged-out event packet capture files if any exist
+ if ($config['installedpackages']['snortglobal']['event_pkts_log_retention'] > 0) {
+ $now = time();
+ $rotated_files = glob("{$snort_log_dir}/snort.log.*");
+ $prune_count = 0;
+ foreach ($rotated_files as $file) {
+ if (($now - filemtime($file)) > ($config['installedpackages']['snortglobal']['event_pkts_log_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($file);
+ }
+ }
+ unset($rotated_files);
+ if ($prune_count > 0)
+ log_error(gettext("[Snort] Alert pcap file cleanup job removed {$prune_count} pcap file(s) from {$snort_log_dir}/..."));
+ }
+
+ // Prune any aged-out Barnyard2 archived logs if any exist
+ if (is_dir("{$snort_log_dir}/barnyard2/archive") && $value['u2_archived_log_retention'] > 0) {
+ $now = time();
+ $files = glob("{$snort_log_dir}/barnyard2/archive/snort_{$value['uuid']}_{$if_real}.u2.*");
+ $prune_count = 0;
+ foreach ($files as $f) {
+ if (($now - filemtime($f)) > ($value['u2_archived_log_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
+ }
+ unset($files);
+ if ($prune_count > 0)
+ log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/..."));
+ }
+
+ // Prune aged-out perfmon stats logs if any exist
+ if ($config['installedpackages']['snortglobal']['stats_log_retention'] > 0) {
+ $now = time();
+ $files = array();
+ $list = glob("{$snort_log_dir}/*");
+ foreach ($list as $file) {
+ if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.]?[\d+]?)/', basename($file), $matches))
+ $files[] = $snort_log_dir . "/" . $matches[1];
+ }
+ $prune_count = 0;
+ foreach ($files as $f) {
+ if (($now - filemtime($f)) > ($config['installedpackages']['snortglobal']['stats_log_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
}
+ unset($list, $files);
+ if ($prune_count > 0)
+ log_error(gettext("[Snort] perfmon stats logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/..."));
}
- unset($files);
- if ($prune_count > 0)
- log_error(gettext("[Snort] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/barnyard2/archive/..."));
}
}
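Review bot: The Barnyard2 archive pruning that previously ran whenever `u2_archived_log_retention` was set is now nested under `if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on')`, so existing installs with that per-interface retention configured but the new global switch unset will silently stop pruning and the archive directory grows unbounded. Either keep the archive block outside the new gate, or set `enable_log_mgmt` on upgrade whenever any retention value is already configured. The `$p['limit']*1024` and `* 3600` retention arithmetic also operate on raw config strings; wrapping them in `intval()` would avoid PHP warnings on empty or malformed values.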
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 9d8d15d5..fc78cf28 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -46,16 +46,16 @@ if (!defined("ET_BASE_DNLD_URL"))
define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
if (!defined("ETPRO_BASE_DNLD_URL"))
define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/");
-if (!defined("ET_DNLD_FILENAME"))
- define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
-if (!defined("ETPRO_DNLD_FILENAME"))
- define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
-if (!defined("GPLV2_DNLD_FILENAME"))
- define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
+if (!defined("SNORT_ET_DNLD_FILENAME"))
+ define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
+if (!defined("SNORT_ETPRO_DNLD_FILENAME"))
+ define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
+if (!defined("SNORT_GPLV2_DNLD_FILENAME"))
+ define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
if (!defined("GPLV2_DNLD_URL"))
define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
-if (!defined("RULES_UPD_LOGFILE"))
- define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+if (!defined("SNORT_RULES_UPD_LOGFILE"))
+ define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
if (!defined("VRT_FILE_PREFIX"))
define("VRT_FILE_PREFIX", "snort_");
if (!defined("GPL_FILE_PREFIX"))
@@ -64,14 +64,15 @@ if (!defined("ET_OPEN_FILE_PREFIX"))
define("ET_OPEN_FILE_PREFIX", "emerging-");
if (!defined("ET_PRO_FILE_PREFIX"))
define("ET_PRO_FILE_PREFIX", "etpro-");
-if (!defined("IPREP_PATH"))
- define("IPREP_PATH", "/var/db/snort/iprep/");
+if (!defined("SNORT_IPREP_PATH"))
+ define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
$snortdir = SNORTDIR;
$snortlibdir = SNORTLIBDIR;
$snortlogdir = SNORTLOGDIR;
-$snortiprepdir = IPREP_PATH;
-$snort_rules_upd_log = RULES_UPD_LOGFILE;
+$snortiprepdir = SNORT_IPREP_PATH;
+$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
+$mounted_rw = FALSE;
/* Save the state of $pkg_interface so we can restore it */
$pkg_interface_orig = $pkg_interface;
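Review bot: `define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/")` now depends on `$g` being in scope at the point this file is included; if a caller pulls it in from inside a function without `global $g`, the constant silently becomes `/snort/iprep/` and every later `SNORT_IPREP_PATH` copy writes under the root filesystem. A `global $g, $config;` near the top of the file (as this commit adds to `snort_check_cron_misc.inc`) or a guard such as `if (empty($g['vardb_path'])) { log_error("[Snort] vardb_path is undefined"); return; }` before the `define()` would make the failure visible. Whether every include site is at global scope cannot be confirmed from this hunk.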
@@ -90,7 +91,7 @@ $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommuni
$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off';
/* Working directory for downloaded rules tarballs and extraction */
-$tmpfname = "/tmp/snort_rules_up";
+$tmpfname = "{$g['tmp_path']}/snort_rules_up";
/* Grab the Snort binary version programmatically and use it to construct */
/* the proper Snort VRT rules tarball and md5 filenames. Fallback to a */
@@ -108,35 +109,38 @@ $snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz";
$snort_filename_md5 = "{$snort_filename}.md5";
$snort_rule_url = VRT_DNLD_URL;
-/* Mount the Snort conf directories R/W so we can modify files there */
-conf_mount_rw();
+/* Mount the Snort conf directories R/W, if not already, so we can modify files there */
+if (!is_subsystem_dirty('mount')) {
+ conf_mount_rw();
+ $mounted_rw = TRUE;
+}
/* Set up Emerging Threats rules filenames and URL */
if ($etpro == "on") {
- $emergingthreats_filename = ETPRO_DNLD_FILENAME;
- $emergingthreats_filename_md5 = ETPRO_DNLD_FILENAME . ".md5";
+ $emergingthreats_filename = SNORT_ETPRO_DNLD_FILENAME;
+ $emergingthreats_filename_md5 = SNORT_ETPRO_DNLD_FILENAME . ".md5";
$emergingthreats_url = ETPRO_BASE_DNLD_URL;
$emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/";
$emergingthreats = "on";
$et_name = "Emerging Threats Pro";
- $et_md5_remove = ET_DNLD_FILENAME . ".md5";
- @unlink("{$snortdir}/{$et_md5_remove}");
+ $et_md5_remove = SNORT_ET_DNLD_FILENAME . ".md5";
+ unlink_if_exists("{$snortdir}/{$et_md5_remove}");
}
else {
- $emergingthreats_filename = ET_DNLD_FILENAME;
- $emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5";
+ $emergingthreats_filename = SNORT_ET_DNLD_FILENAME;
+ $emergingthreats_filename_md5 = SNORT_ET_DNLD_FILENAME . ".md5";
$emergingthreats_url = ET_BASE_DNLD_URL;
// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules
$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/";
$emergingthreats_url .= "snort-" . ET_VERSION . "/";
$et_name = "Emerging Threats Open";
- $et_md5_remove = ETPRO_DNLD_FILENAME . ".md5";
- @unlink("{$snortdir}/{$et_md5_remove}");
+ $et_md5_remove = SNORT_ETPRO_DNLD_FILENAME . ".md5";
+ unlink_if_exists("{$snortdir}/{$et_md5_remove}");
}
/* Snort GPLv2 Community Rules filenames and URL */
-$snort_community_rules_filename = GPLV2_DNLD_FILENAME;
-$snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5";
+$snort_community_rules_filename = SNORT_GPLV2_DNLD_FILENAME;
+$snort_community_rules_filename_md5 = SNORT_GPLV2_DNLD_FILENAME . ".md5";
$snort_community_rules_url = GPLV2_DNLD_URL;
function snort_download_file_url($url, $file_out) {
@@ -213,7 +217,9 @@ function snort_download_file_url($url, $file_out) {
curl_setopt($ch, CURLOPT_FILE, $fout);
// NOTE: required to suppress errors from XMLRPC due to progress bar output
- if ($g['snort_sync_in_progress'])
+ // and to prevent useless spam from rules update cron job execution. This
+ // prevents progress bar output during package sync and rules update cron task.
+ if ($g['snort_sync_in_progress'] || $pkg_interface == "console")
curl_setopt($ch, CURLOPT_HEADER, false);
else {
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header');
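Review bot: The new comparison `$pkg_interface == "console"` is inside `snort_download_file_url()`, and unless that function declares `global $pkg_interface` (its header is outside this hunk) the variable is undefined there, the test is always false, and the progress-bar suppression for the cron run never happens. Add `global $g, $pkg_interface;` at the top of the function if it is missing. The same question applies to `$g['snort_postinstall']` introduced inside `snort_apply_customizations()` further down; both functions need `$g` declared global for the new conditions to take effect.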
@@ -409,7 +415,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* remove any old $tmpfname files */
if (is_dir("{$tmpfname}"))
- exec("/bin/rm -rf {$tmpfname}");
+ rmdir_recursive($tmpfname);
/* Make sure required snortdirs exsist */
safe_mkdir("{$snortdir}/rules");
@@ -423,7 +429,7 @@ safe_mkdir("{$snortiprepdir}");
/* See if we need to automatically clear the Update Log based on 1024K size limit */
if (file_exists($snort_rules_upd_log)) {
if (1048576 < filesize($snort_rules_upd_log))
- @unlink("{$snort_rules_upd_log}");
+ unlink_if_exists("{$snort_rules_upd_log}");
}
/* Log start time for this rules update */
@@ -529,7 +535,7 @@ if ($snortdownload == 'on') {
exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
} else
$nosorules = true;
- exec("rm -rf {$tmpfname}/so_rules");
+ rmdir_recursive("{$tmpfname}/so_rules/");
if ($nosorules == false) {
/* extract Shared Object stub rules, rename and copy to the rules folder. */
if ($pkg_interface <> "console")
@@ -540,7 +546,7 @@ if ($snortdownload == 'on') {
$newfile = basename($file, ".rules");
@copy($file, "{$snortdir}/rules/" . VRT_FILE_PREFIX . "{$newfile}.so.rules");
}
- exec("rm -rf {$tmpfname}/so_rules");
+ rmdir_recursive("{$tmpfname}/so_rules/");
}
/* extract base etc files */
if ($pkg_interface <> "console") {
@@ -598,7 +604,7 @@ if ($snortcommunityrules == 'on') {
update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
}
error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log);
- exec("rm -rf {$tmpfname}/community");
+ rmdir_recursive("{$tmpfname}/community/");
}
}
@@ -634,11 +640,11 @@ if ($emergingthreats == 'on') {
foreach ($files as $file) {
$newfile = basename($file);
if ($etpro == "on") {
- @copy($file, IPREP_PATH . ET_PRO_FILE_PREFIX . "{$newfile}");
+ @copy($file, SNORT_IPREP_PATH . ET_PRO_FILE_PREFIX . "{$newfile}");
@copy($file, "{$snortdir}/rules/" . ET_PRO_FILE_PREFIX . "{$newfile}");
}
else {
- @copy($file, IPREP_PATH . ET_OPEN_FILE_PREFIX . "{$newfile}");
+ @copy($file, SNORT_IPREP_PATH . ET_OPEN_FILE_PREFIX . "{$newfile}");
@copy($file, "{$snortdir}/rules/" . ET_OPEN_FILE_PREFIX . "{$newfile}");
}
}
@@ -659,7 +665,7 @@ if ($emergingthreats == 'on') {
update_output_window(gettext("Installation of {$et_name} rules completed..."));
}
error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log);
- exec("rm -rf {$tmpfname}/emerging");
+ rmdir_recursive("{$tmpfname}/emerging/");
}
}
@@ -670,7 +676,7 @@ function snort_apply_customizations($snortcfg, $if_real) {
/* Update the Preprocessor rules from the master configuration for the interface if Snort */
/* VRT rules are in use and the interface's preprocessor rules are not protected. */
- if ($vrt_enabled == 'on' && $snortcfg['protect_preproc_rules'] != 'on') {
+ if ($vrt_enabled == 'on' && ($snortcfg['protect_preproc_rules'] != 'on' || $g['snort_postinstall'])) {
$preproc_files = glob("{$snortdir}/preproc_rules/*.rules");
foreach ($preproc_files as $file) {
$newfile = basename($file);
@@ -776,14 +782,17 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
/* Clear the rebuild rules flag. */
$rebuild_rules = false;
- /* Restart snort if already running and we are not rebooting to pick up the new rules. */
- if (is_process_running("snort") && !$g['booting']) {
+ /* Restart snort if running, and not in post-install, so as to pick up the new rules. */
+ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
if ($pkg_interface <> "console") {
update_status(gettext('Restarting Snort to activate the new set of rules...'));
update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
}
error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log);
- restart_service("snort");
+ touch("{$g['varrun_path']}/snort_pkg_starting.lck");
+ snort_start_all_interfaces(TRUE);
+ sleep(3);
+ unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
if ($pkg_interface <> "console")
update_output_window(gettext("Snort has restarted with your new set of rules..."));
log_error(gettext("[Snort] Snort has restarted with your new set of rules..."));
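Review bot: The lock file created with `touch("{$g['varrun_path']}/snort_pkg_starting.lck")` is only removed if `snort_start_all_interfaces(TRUE)` returns normally; a fatal error or `exit` inside the start routine leaves a stale `.lck` behind, and nothing in the hunk documents what consumes it or who clears it at boot. A comment stating its purpose would help, e.g. `// Lock signals other Snort package code that a start is in progress; removed after a short settle delay` (presumably other GUI or cron code checks for it — worth confirming). The fixed `sleep(3)` is an arbitrary delay rather than a readiness check; polling `is_service_running("snort")` or the PID files would be more reliable. `count($config['installedpackages']['snortglobal']['rule'])` in the new condition should also be preceded by an `is_array()` guard, since `count()` on a non-array warns on newer PHP. The enclosing `if` block for the restart begins before this hunk.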
@@ -797,14 +806,17 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
/* remove $tmpfname files */
if (is_dir("{$tmpfname}")) {
- exec("/bin/rm -rf {$tmpfname}");
+ rmdir_recursive($tmpfname);
}
if ($pkg_interface <> "console")
update_status(gettext("The Rules update has finished..."));
log_error(gettext("[Snort] The Rules update has finished."));
error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log);
-conf_mount_ro();
+
+/* Remount filesystem read-only if we changed it in this module */
+if ($mounted_rw == TRUE)
+ conf_mount_ro();
/* Restore the state of $pkg_interface */
$pkg_interface = $pkg_interface_orig;
@@ -815,5 +827,5 @@ if ($update_errors)
else
$config['installedpackages']['snortglobal']['last_rule_upd_status'] = gettext("success");
$config['installedpackages']['snortglobal']['last_rule_upd_time'] = time();
-write_config("Snort pkg: updated status for updated rules package(s) check.");
+write_config("Snort pkg: updated status for updated rules package(s) check.", FALSE);
?>
diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc
index be4791af..e1b11acc 100644
--- a/config/snort/snort_conf_template.inc
+++ b/config/snort/snort_conf_template.inc
@@ -89,7 +89,7 @@ dynamicdetection directory {$snort_dirs['dynamicrules']}
{$host_attrib_config}
# Snort Output Logs #
-output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
+output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority {$alert_log_limit_size}
{$alertsystemlog_type}
{$snortunifiedlog_type}
{$spoink_type}
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index 98a98fd9..ee463ac9 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -100,9 +100,6 @@ $pconfig = $a_nat[$id];
$if_real = get_real_interface($pconfig['interface']);
$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid'];
-/* alert file */
-$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty";
-
if ($_POST['save']) {
$natent = array();
@@ -191,7 +188,9 @@ if ($savemsg)
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -204,6 +203,7 @@ if ($savemsg)
$tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php
index ff05bdfd..e74a9ce6 100755
--- a/config/snort/snort_download_updates.php
+++ b/config/snort/snort_download_updates.php
@@ -38,7 +38,7 @@ require_once("/usr/local/pkg/snort/snort.inc");
/* Define some locally required variables from Snort constants */
$snortdir = SNORTDIR;
-$snort_rules_upd_log = RULES_UPD_LOGFILE;
+$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
/* Grab the Snort binary version programmatically and */
/* use it to construct the proper Snort VRT rules */
@@ -51,7 +51,7 @@ if (empty($snortver[0]))
$snortver[0] = str_replace(".", "", $snortver[0]);
$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz";
-$snort_community_rules_filename = GPLV2_DNLD_FILENAME;
+$snort_community_rules_filename = SNORT_GPLV2_DNLD_FILENAME;
$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'];
@@ -69,11 +69,11 @@ else
$last_rule_upd_status = gettext("Unknown");
if ($etpro == "on") {
- $emergingthreats_filename = ETPRO_DNLD_FILENAME;
+ $emergingthreats_filename = SNORT_ETPRO_DNLD_FILENAME;
$et_name = "Emerging Threats Pro Rules";
}
else {
- $emergingthreats_filename = ET_DNLD_FILENAME;
+ $emergingthreats_filename = SNORT_ET_DNLD_FILENAME;
$et_name = "Emerging Threats Open Rules";
}
@@ -119,8 +119,7 @@ if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5") && $snortco
/* Check for postback to see if we should clear the update log file. */
if (isset($_POST['clear'])) {
- if (file_exists("{$snort_rules_upd_log}"))
- mwexec("/bin/rm -f {$snort_rules_upd_log}");
+ unlink_if_exists($snort_rules_upd_log);
}
if (isset($_POST['check'])) {
@@ -133,12 +132,9 @@ if ($_POST['force']) {
conf_mount_rw();
// Remove the existing MD5 signature files to force a download
- if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5"))
- @unlink("{$snortdir}/{$emergingthreats_filename}.md5");
- if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5"))
- @unlink("{$snortdir}/{$snort_community_rules_filename}.md5");
- if (file_exists("{$snortdir}/{$snort_rules_file}.md5"))
- @unlink("{$snortdir}/{$snort_rules_file}.md5");
+ unlink_if_exists("{$snortdir}/{$emergingthreats_filename}.md5");
+ unlink_if_exists("{$snortdir}/{$snort_community_rules_filename}.md5");
+ unlink_if_exists("{$snortdir}/{$snort_rules_file}.md5");
// Revert file system to R/O.
conf_mount_ro();
@@ -184,7 +180,9 @@ include_once("head.inc");
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index c67ab3d6..fb5c750f 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -41,11 +41,17 @@
/* Custom home nets */
$home_net_list = snort_build_list($snortcfg, $snortcfg['homelistname']);
$home_net = implode(",", $home_net_list);
-
-$external_net = '!$HOME_NET';
+$home_net = trim($home_net);
+$external_net = "";
if (!empty($snortcfg['externallistname']) && $snortcfg['externallistname'] != 'default') {
- $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname']);
+ $external_net_list = snort_build_list($snortcfg, $snortcfg['externallistname'], false, true);
$external_net = implode(",", $external_net_list);
+ $external_net = "[" . trim($external_net) . "]";
+}
+else {
+ foreach ($home_net_list as $ip)
+ $external_net .= "!{$ip},";
+ $external_net = trim($external_net, ', ');
}
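Review bot: The `else` branch builds `$external_net` as `!a,!b,...` without the surrounding `[` `]` that the custom-list branch adds two lines above, so a HOME_NET with more than one entry yields a bare comma-separated list; unless the template brackets the variable itself (not visible here), Snort rejects an unbracketed IP list. Wrap the result the same way: `$external_net = "[" . trim($external_net, ', ') . "]";`. If `$home_net_list` is empty the variable is an empty string, which would leave `EXTERNAL_NET` undefined in the generated config, so a fallback such as the previous `!$HOME_NET` or `any` is needed for that case.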
/* User added custom configuration arguments */
@@ -87,10 +93,25 @@ foreach ($snort_files as $file) {
}
}
+/* define alert log limit */
+if (!empty($config['installedpackages']['snortglobal']['alert_log_limit_size']) && $config['installedpackages']['snortglobal']['alert_log_limit_size'] != "0")
+ $alert_log_limit_size = $config['installedpackages']['snortglobal']['alert_log_limit_size'] . "K";
+else
+ $alert_log_limit_size = "";
+
/* define alertsystemlog */
$alertsystemlog_type = "";
-if ($snortcfg['alertsystemlog'] == "on")
- $alertsystemlog_type = "output alert_syslog: log_alert";
+if ($snortcfg['alertsystemlog'] == "on") {
+ $alertsystemlog_type = "output alert_syslog: ";
+ if (!empty($snortcfg['alertsystemlog_facility']))
+ $alertsystemlog_type .= strtoupper($snortcfg['alertsystemlog_facility']) . " ";
+ else
+ $alertsystemlog_type .= "LOG_AUTH ";
+ if (!empty($snortcfg['alertsystemlog_priority']))
+ $alertsystemlog_type .= strtoupper($snortcfg['alertsystemlog_priority']) . " ";
+ else
+ $alertsystemlog_type .= "LOG_ALERT ";
+}
/* define snortunifiedlog */
$snortunifiedlog_type = "";
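Review bot: `$snortcfg['alertsystemlog_facility']` and `$snortcfg['alertsystemlog_priority']` are upper-cased and written straight into the `output alert_syslog:` line with no check that they are among the names Snort accepts; a stale or hand-edited config value produces a snort.conf that fails to load at start. Validate against the same facility/priority lists the GUI select is built from and fall back to the defaults otherwise, e.g. `if (!in_array(strtoupper($snortcfg['alertsystemlog_facility']), $valid_facilities)) { $facility = "LOG_AUTH"; }` (with `$valid_facilities` standing for that list). The `alert_log_limit_size` value above is likewise concatenated with `"K"` without `intval()`, so a non-numeric value would pass straight through to the `alert_csv` limit.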
@@ -98,7 +119,7 @@ if ($snortcfg['barnyard_enable'] == "on") {
if (isset($snortcfg['unified2_log_limit']))
$u2_log_limit = "limit {$snortcfg['unified2_log_limit']}";
else
- $u2_log_limit = "limit 128";
+ $u2_log_limit = "limit 128K";
$snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, {$u2_log_limit}";
if ($snortcfg['barnyard_log_vlan_events'] == 'on')
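Review bot: The default changed to `limit 128K`, but a configured `unified2_log_limit` is still emitted as `limit {$snortcfg['unified2_log_limit']}` with no unit; unless the GUI stores the suffix with the value (not visible here), the two branches now disagree on units and Snort will interpret the unsuffixed number differently from the K-suffixed default. Normalise both paths, e.g. `$u2_log_limit = "limit " . intval($snortcfg['unified2_log_limit']) . "K";`, or document on the `isset()` line which unit the stored value carries.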
@@ -192,9 +213,13 @@ $stream5_ports_both .= "\t 55555 56712";
/* def perform_stat */
+if (!empty($config['installedpackages']['snortglobal']['stats_log_limit_size']) && $config['installedpackages']['snortglobal']['stats_log_limit_size'] != "0")
+ $stats_log_limit = "max_file_size " . $config['installedpackages']['snortglobal']['stats_log_limit_size'] * 1000;
+else
+ $stats_log_limit = "";
$perform_stat = <<<EOD
# Performance Statistics #
-preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000
+preprocessor perfmonitor: time 300 file {$snortlogdir}/snort_{$if_real}{$snort_uuid}/{$if_real}.stats pktcnt 10000 {$stats_log_limit}
EOD;
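Review bot: `max_file_size` is computed as the configured size `* 1000`, while the same commit converts the companion limits in `snort_check_cron_misc.inc` with `* 1024`; pick one factor so the GUI's kilobyte unit means the same thing everywhere (perfmon's `max_file_size` is a byte count as far as I recall the Snort manual — worth confirming). Also `intval()` the config value before multiplying: `$stats_log_limit = "max_file_size " . (intval($config['installedpackages']['snortglobal']['stats_log_limit_size']) * 1024);`.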
@@ -827,11 +852,11 @@ if (is_array($snortcfg['blist_files']['item'])) {
$bIsFirst = TRUE;
foreach ($snortcfg['blist_files']['item'] as $blist) {
if ($bIsFirst) {
- $blist_files .= "blacklist " . IPREP_PATH . $blist;
+ $blist_files .= "blacklist " . SNORT_IPREP_PATH . $blist;
$bIsFirst = FALSE;
}
else
- $blist_files .= ", \\ \n\tblacklist " . IPREP_PATH . $blist;
+ $blist_files .= ", \\ \n\tblacklist " . SNORT_IPREP_PATH . $blist;
}
}
if (is_array($snortcfg['wlist_files']['item'])) {
@@ -839,11 +864,11 @@ if (is_array($snortcfg['wlist_files']['item'])) {
$bIsFirst = TRUE;
foreach ($snortcfg['wlist_files']['item'] as $wlist) {
if ($bIsFirst) {
- $wlist_files .= "whitelist " . IPREP_PATH . $wlist;
+ $wlist_files .= "whitelist " . SNORT_IPREP_PATH . $wlist;
$bIsFirst = FALSE;
}
else
- $wlist_files .= ", \\ \n\twhitelist " . IPREP_PATH . $wlist;
+ $wlist_files .= ", \\ \n\twhitelist " . SNORT_IPREP_PATH . $wlist;
}
}
if (!empty($blist_files))
diff --git a/config/snort/snort_interface_logs.php b/config/snort/snort_interface_logs.php
new file mode 100644
index 00000000..ba8215ca
--- /dev/null
+++ b/config/snort/snort_interface_logs.php
@@ -0,0 +1,253 @@
+<?php
+/*
+ * snort_interface_logs.php
+ *
+ * Portions of this code are based on original work done for the
+ * Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+if (isset($_POST['id']) && is_numericint($_POST['id']))
+ $id = $_POST['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+if (empty($id))
+ $id = 0;
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+$a_instance = $config['installedpackages']['snortglobal']['rule'];
+$snort_uuid = $a_instance[$id]['uuid'];
+$if_real = get_real_interface($a_instance[$id]['interface']);
+
+// Construct a pointer to the instance's logging subdirectory
+$snortlogdir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}/";
+
+// Limit all file access to just the currently selected interface's logging subdirectory
+$logfile = htmlspecialchars($snortlogdir . basename($_POST['file']));
+
+if ($_POST['action'] == 'load') {
+ if(!is_file($logfile)) {
+ echo "|3|" . gettext("Log file does not exist or that logging feature is not enabled") . ".|";
+ }
+ else {
+ $data = file_get_contents($logfile);
+ if($data === false) {
+ echo "|1|" . gettext("Failed to read log file") . ".|";
+ } else {
+ $data = base64_encode($data);
+ echo "|0|{$logfile}|{$data}|";
+ }
+ }
+ exit;
+}
+
+$if_friendly = convert_friendly_interface_to_friendly_descr($a_instance[$id]['interface']);
+$pgtitle = gettext("Snort: {$if_friendly} Logs");
+include_once("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+
+<?php
+include_once("fbegin.inc");
+if ($input_errors) {
+ print_input_errors($input_errors);
+}
+
+?>
+<script type="text/javascript" src="/javascript/base64.js"></script>
+<script type="text/javascript">
+ function loadFile() {
+ jQuery("#fileStatus").html("<?=gettext("Loading file"); ?> ...");
+ jQuery("#fileStatusBox").show(250);
+ jQuery("#filePathBox").show(250);
+ jQuery("#fbTarget").html("");
+
+ jQuery.ajax(
+ "<?=$_SERVER['SCRIPT_NAME'];?>", {
+ type: 'POST',
+ data: "id=" + jQuery("#id").val() + "&action=load&file=" + jQuery("#logFile").val(),
+ complete: loadComplete
+ }
+ );
+ }
+
+ function loadComplete(req) {
+ jQuery("#fileContent").show(250);
+ var values = req.responseText.split("|");
+ values.shift(); values.pop();
+
+ if(values.shift() == "0") {
+ var file = values.shift();
+ var fileContent = Base64.decode(values.join("|"));
+ jQuery("#fileStatus").html("<?=gettext("File successfully loaded"); ?>.");
+ jQuery("#fbTarget").html(file);
+ jQuery("#fileRefreshBtn").show();
+ jQuery("#fileContent").prop("disabled", false);
+ jQuery("#fileContent").val(fileContent);
+ }
+ else {
+ jQuery("#fileStatus").html(values[0]);
+ jQuery("#fbTarget").html("");
+ jQuery("#fileRefreshBtn").hide();
+ jQuery("#fileContent").val("");
+ jQuery("#fileContent").prop("disabled", true);
+ }
+ }
+
+</script>
+
+<form action="/snort/snort_interface_logs.php" method="post" id="formbrowse">
+<input type="hidden" id="id" value="<?=$id;?>"/>
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
+ <tr><td>
+ <?php
+ $tab_array = array();
+ $tab_array[0] = array(gettext("Snort Interfaces"), true, "/snort/snort_interfaces.php");
+ $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php");
+ $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php");
+ $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php?instance={$id}");
+ $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php");
+ $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
+ $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
+ $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ display_top_tabs($tab_array, true);
+ echo '</td></tr>';
+ echo '<tr><td>';
+ $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");
+ $tab_array = array();
+ $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), true, "/snort/snort_interface_logs.php?id={$id}");
+ display_top_tabs($tab_array, true);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td><div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6">
+ <tbody>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("Log File Selections"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncell"><?php echo gettext('Log File to View'); ?></td>
+ <td width="78%" class="vtable">
+ <select name="logFile" id="logFile" class="formselect" onChange="loadFile();">
+ <?php
+ $logs = array( "alert", "{$if_real}.stats" , "sid_changes.log" );
+ foreach ($logs as $log) {
+ $selected = "";
+ if ($log == basename($logfile))
+ $selected = "selected";
+ echo "<option value='{$snortlogdir}{$log}' {$selected}>" . $log . "</option>\n";
+ }
+ ?>
+ </select>&nbsp;&nbsp;<?php echo gettext('Choose which log you want to view.'); ?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("Log File Contents"); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <table width="100%">
+ <tbody>
+ <tr>
+ <td width="75%">
+ <div style="display:none; " id="fileStatusBox">
+ <div class="list" style="padding-left:15px;">
+ <strong id="fileStatus"></strong>
+ </div>
+ </div>
+ <div style="padding-left:15px; display:none;" id="filePathBox">
+ <strong><?=gettext("Log File Path"); ?>:</strong>
+ <div class="list" style="display:inline;" id="fbTarget"></div>
+ </div>
+ </td>
+ <td align="right">
+ <div style="padding-right:15px; display:none;" id="fileRefreshBtn">
+ <input type="button" name="refresh" id="refresh" value="Refresh" class="formbtn" onclick="loadFile();" title="<?=gettext("Refresh current display");?>" />
+ </div>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <table width="100%">
+ <tbody>
+ <tr>
+ <td valign="top" class="label">
+ <div style="background:#eeeeee;" id="fileOutput">
+ <textarea id="fileContent" name="fileContent" style="width:100%;" rows="30" wrap="off" disabled></textarea>
+ </div>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </div>
+ </td>
+ </tr>
+ </tbody>
+</table>
+</form>
+
+<?php if(empty($_POST['file'])): ?>
+<script type="text/javascript">
+ document.getElementById("logFile").selectedIndex=-1;
+</script>
+<?php endif; ?>
+
+<?php include("fend.inc"); ?>
+</body>
+</html>
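Review bot: The `$logfile` assignment near the top of the file runs the path through `htmlspecialchars()` before it is handed to `is_file()` and `file_get_contents()`, which is the wrong layer for output escaping: `basename()` already confines the request to the instance's directory, but any `&` or quote in the resulting path is mangled before the filesystem sees it, and the escaped value is then echoed raw into the `|0|path|data|` response. I would whitelist the requested name against the same three entries the `<select>` offers and escape only at output time. Separately, `$a_instance[$id]` is never checked to exist after `$id` is parsed, so an out-of-range id produces an empty uuid/interface and a nonsense directory; it looks harmless (the file will not exist) but an explicit error response would be clearer. Reading the entire `alert` log with `file_get_contents()` and base64-encoding it may also exhaust PHP's memory limit on a busy sensor, so consider capping the bytes returned.
```php
// Construct a pointer to the instance's logging subdirectory
$snortlogdir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}/";

// Only the logs offered in the <select> below may be read, and only from this directory
$allowed_logs = array( "alert", "{$if_real}.stats", "sid_changes.log" );
$requested = basename($_POST['file']);
$logfile = in_array($requested, $allowed_logs, true) ? $snortlogdir . $requested : "";

if ($_POST['action'] == 'load') {
	// … unchanged: is_file() / file_get_contents() checks …
			echo "|0|" . htmlspecialchars($logfile) . "|{$data}|";
```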
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php
index 8b2ca2bb..38471ef0 100755
--- a/config/snort/snort_interfaces.php
+++ b/config/snort/snort_interfaces.php
@@ -56,13 +56,12 @@ if (isset($_POST['del_x'])) {
$if_real = get_real_interface($a_nat[$rulei]['interface']);
$snort_uuid = $a_nat[$rulei]['uuid'];
snort_stop($a_nat[$rulei], $if_real);
- exec("/bin/rm -r {$snortlogdir}/snort_{$if_real}{$snort_uuid}");
- exec("/bin/rm -r {$snortdir}/snort_{$snort_uuid}_{$if_real}");
+ rmdir_recursive("{$snortlogdir}/snort_{$if_real}{$snort_uuid}");
+ rmdir_recursive("{$snortdir}/snort_{$snort_uuid}_{$if_real}");
// Finally delete the interface's config entry entirely
unset($a_nat[$rulei]);
}
- conf_mount_ro();
/* If all the Snort interfaces are removed, then unset the interfaces config array. */
if (empty($a_nat))
@@ -70,18 +69,9 @@ if (isset($_POST['del_x'])) {
write_config("Snort pkg: deleted one or more Snort interfaces.");
sleep(2);
-
- /* if there are no ifaces remaining do not create snort.sh */
- if (!empty($config['installedpackages']['snortglobal']['rule']))
- snort_create_rc();
- else {
- conf_mount_rw();
- @unlink("{$rcdir}snort.sh");
- conf_mount_ro();
- }
-
+ conf_mount_rw();
sync_snort_package_config();
-
+ conf_mount_ro();
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate' );
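Review bot: The removed branch was the only visible place that unlinked `{$rcdir}snort.sh` once the last interface is deleted; the new code only calls `sync_snort_package_config()` between the mount toggles, so unless that function (changed in this same PR but outside this hunk) now removes the rc script when the rule array is empty, a stale snort.sh survives the last deletion. A one-line comment here would save the next reader from re-deriving that, e.g. `// sync_snort_package_config() rebuilds or removes snort.sh based on the remaining interfaces`. The enclosing delete handler begins outside the hunk.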
@@ -100,11 +90,13 @@ if ($_POST['bartoggle'] && is_numericint($_POST['id'])) {
$if_friendly = convert_friendly_interface_to_friendly_descr($snortcfg['interface']);
if (!snort_is_running($snortcfg['uuid'], $if_real, 'barnyard2')) {
- log_error("Toggle (barnyard starting) for {$if_friendly}({$snortcfg['descr']})...");
+ log_error("Toggle (barnyard starting) for {$if_friendly}({$if_real})...");
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
snort_barnyard_start($snortcfg, $if_real);
} else {
- log_error("Toggle (barnyard stopping) for {$if_friendly}({$snortcfg['descr']})...");
+ log_error("Toggle (barnyard stopping) for {$if_friendly}({$if_real})...");
snort_barnyard_stop($snortcfg, $if_real);
}
sleep(3); // So the GUI reports correctly
@@ -117,14 +109,16 @@ if ($_POST['toggle'] && is_numericint($_POST['id'])) {
$if_friendly = convert_friendly_interface_to_friendly_descr($snortcfg['interface']);
if (snort_is_running($snortcfg['uuid'], $if_real)) {
- log_error("Toggle (snort stopping) for {$if_friendly}({$snortcfg['descr']})...");
+ log_error("Toggle (snort stopping) for {$if_friendly}({$if_real})...");
snort_stop($snortcfg, $if_real);
} else {
- log_error("Toggle (snort starting) for {$if_friendly}({$snortcfg['descr']})...");
+ log_error("Toggle (snort starting) for {$if_friendly}({$if_real})...");
/* set flag to rebuild interface rules before starting Snort */
$rebuild_rules = true;
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
$rebuild_rules = false;
snort_start($snortcfg, $if_real);
}
@@ -164,7 +158,9 @@ include_once("fbegin.inc");
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td>
@@ -255,9 +251,11 @@ include_once("fbegin.inc");
$no_rules = true;
if (isset($natent['customrules']) && !empty($natent['customrules']))
$no_rules = false;
- if (isset($natent['rulesets']) && !empty($natent['rulesets']))
+ elseif (isset($natent['rulesets']) && !empty($natent['rulesets']))
+ $no_rules = false;
+ elseif (isset($natent['ips_policy']) && !empty($natent['ips_policy']))
$no_rules = false;
- if (isset($natent['ips_policy']) && !empty($natent['ips_policy']))
+ elseif ($config['installedpackages']['snortglobal']['auto_manage_sids'] == 'on' && !empty($natent['enable_sid_file']))
$no_rules = false;
/* Do not display the "no rules" warning if interface disabled */
if ($natent['enable'] == "off")
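Review bot: The rewritten chain still pairs `isset()` with `!empty()` on the same key (`isset($natent['rulesets']) && !empty($natent['rulesets'])`), which is redundant because `empty()` already returns true for an unset index, and the new `auto_manage_sids` branch is the only one written the terse way, so the block is inconsistent with itself. I would write each condition as `elseif (!empty($natent['rulesets']))` and `elseif (!empty($natent['ips_policy']))`. Behaviour is unchanged since every branch sets the same flag.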
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index fb573a73..14b54b34 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -32,7 +32,7 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-global $g, $rebuild_rules;
+global $g, $config, $rebuild_rules;
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
@@ -96,7 +96,7 @@ elseif (isset($id) && !isset($a_rule[$id])) {
foreach ($ifaces as $i) {
if (!in_array($i, $ifrules)) {
$pconfig['interface'] = $i;
- $pconfig['descr'] = strtoupper($i);
+ $pconfig['descr'] = convert_friendly_interface_to_friendly_descr($i);
$pconfig['enable'] = 'on';
break;
}
@@ -113,6 +113,10 @@ if (empty($pconfig['blockoffendersip']))
$pconfig['blockoffendersip'] = "both";
if (empty($pconfig['performance']))
$pconfig['performance'] = "ac-bnfa";
+if (empty($pconfig['alertsystemlog_facility']))
+ $pconfig['alertsystemlog_facility'] = "log_auth";
+if (empty($pconfig['alertsystemlog_priority']))
+ $pconfig['alertsystemlog_priority'] = "log_alert";
// See if creating a new interface by duplicating an existing one
if (strcasecmp($action, 'dup') == 0) {
@@ -126,7 +130,7 @@ if (strcasecmp($action, 'dup') == 0) {
if (!in_array($i, $ifrules)) {
$pconfig['interface'] = $i;
$pconfig['enable'] = 'on';
- $pconfig['descr'] = strtoupper($i);
+ $pconfig['descr'] = convert_friendly_interface_to_friendly_descr($i);
break;
}
}
@@ -161,10 +165,14 @@ if ($_POST["save"] && !$input_errors) {
// save the change, and exit.
if ($_POST['enable'] != 'on') {
$a_rule[$id]['enable'] = $_POST['enable'] ? 'on' : 'off';
+ touch("{$g['varrun_path']}/snort_{$a_rule[$id]['uuid']}.disabled");
+ touch("{$g['varrun_path']}/barnyard2_{$a_rule[$id]['uuid']}.disabled");
snort_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface']));
write_config("Snort pkg: modified interface configuration for {$a_rule[$id]['interface']}.");
$rebuild_rules = false;
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate' );
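Review bot: The two new `touch()` calls create `snort_{uuid}.disabled` and `barnyard2_{uuid}.disabled` markers in `varrun_path` when an interface is turned off, but nothing in this hunk removes them and the re-enable path is outside the hunk; if they are meant to keep a cron or watchdog from restarting the instance, the enable path and interface deletion must `@unlink()` them or the instance stays pinned off after the admin turns it back on. A short comment stating their purpose would help, e.g. `// Marker files tell the restart cron job to leave this disabled instance alone`. Note also that `touch()` returns false silently if `varrun_path` is not writable, which is probably fine on a memory-backed /var/run but is not checked here.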
@@ -193,7 +201,7 @@ if ($_POST["save"] && !$input_errors) {
if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname']))
$snort_reload = true;
- if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']);
+ if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = convert_friendly_interface_to_friendly_descr($natent['interface']);
if ($_POST['performance']) $natent['performance'] = $_POST['performance']; else unset($natent['performance']);
/* if post = on use on off or rewrite the conf */
if ($_POST['blockoffenders7'] == "on") $natent['blockoffenders7'] = 'on'; else $natent['blockoffenders7'] = 'off';
@@ -206,7 +214,9 @@ if ($_POST["save"] && !$input_errors) {
if ($_POST['externallistname']) $natent['externallistname'] = $_POST['externallistname']; else unset($natent['externallistname']);
if ($_POST['suppresslistname']) $natent['suppresslistname'] = $_POST['suppresslistname']; else unset($natent['suppresslistname']);
if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; }
- if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode($_POST['configpassthru']); else unset($natent['configpassthru']);
+ if ($_POST['alertsystemlog_facility']) $natent['alertsystemlog_facility'] = $_POST['alertsystemlog_facility'];
+ if ($_POST['alertsystemlog_priority']) $natent['alertsystemlog_priority'] = $_POST['alertsystemlog_priority'];
+ if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['configpassthru'])); else unset($natent['configpassthru']);
if ($_POST['cksumcheck']) $natent['cksumcheck'] = 'on'; else $natent['cksumcheck'] = 'off';
if ($_POST['fpm_split_any_any'] == "on") { $natent['fpm_split_any_any'] = 'on'; }else{ $natent['fpm_split_any_any'] = 'off'; }
if ($_POST['fpm_search_optimize'] == "on") { $natent['fpm_search_optimize'] = 'on'; }else{ $natent['fpm_search_optimize'] = 'off'; }
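Review bot: `alertsystemlog_facility` and `alertsystemlog_priority` are stored straight from `$_POST` without being checked against the fixed option lists the form renders, and since they are presumably interpolated into the `output alert_syslog:` line of the generated snort.conf, any other string supplied in an admin-level request ends up in the configuration file. I would validate against the same arrays used to build the `<select>` elements, e.g. `if (in_array($_POST['alertsystemlog_facility'], $log_facility, true)) $natent['alertsystemlog_facility'] = $_POST['alertsystemlog_facility']; else $input_errors[] = gettext("Invalid system log facility.");`, and likewise for the priority. That validation may already live in the `$input_errors` section above this hunk; if so, a comment pointing at it would settle the question.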
@@ -223,9 +233,9 @@ if ($_POST["save"] && !$input_errors) {
}
else
$snort_start = false;
- exec("mv -f {$snortlogdir}/snort_{$oif_real}{$a_rule[$id]['uuid']} {$snortlogdir}/snort_{$if_real}{$a_rule[$id]['uuid']}");
+ @rename("{$snortlogdir}/snort_{$oif_real}{$a_rule[$id]['uuid']}", "{$snortlogdir}/snort_{$if_real}{$a_rule[$id]['uuid']}");
conf_mount_rw();
- exec("mv -f {$snortdir}/snort_{$a_rule[$id]['uuid']}_{$oif_real} {$snortdir}/snort_{$a_rule[$id]['uuid']}_{$if_real}");
+ @rename("{$snortdir}/snort_{$a_rule[$id]['uuid']}_{$oif_real}", "{$snortdir}/snort_{$a_rule[$id]['uuid']}_{$if_real}");
conf_mount_ro();
}
$a_rule[$id] = $natent;
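Review bot: Both `@rename()` calls discard their result, so a failed move of the log or config directory on interface re-assignment (target already present, or the filesystem still read-only — `conf_mount_rw()` is called only before the second rename) goes unnoticed and Snort is later started against a directory that may not exist. Dropping the silent `@` in favour of a logged best-effort keeps the behaviour while leaving a trace, e.g. `if (!@rename($old, $new)) log_error("Snort pkg: failed to move {$old} to {$new}");`. The first rename targets `$snortlogdir`, which is likely writable without a remount, but that is not visible here.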
@@ -234,6 +244,9 @@ if ($_POST["save"] && !$input_errors) {
// Duplicating a new interface, so set flag to build new rules
$rebuild_rules = true;
+ // Duplicating an interface, so need to generate a new UUID for the cloned interface
+ $natent['uuid'] = snort_generate_id();
+
// Add the new duplicated interface configuration to the [rule] array in config
$a_rule[] = $natent;
}
@@ -352,6 +365,8 @@ if ($_POST["save"] && !$input_errors) {
if (!is_array($natent['stream5_tcp_engine']['item']))
$natent['stream5_tcp_engine']['item'] = array();
$natent['stream5_tcp_engine']['item'][] = $stream5_eng;
+ $natent['alertsystemlog_facility'] = "log_auth";
+ $natent['alertsystemlog_priority'] = "log_alert";
$a_rule[] = $natent;
}
@@ -364,11 +379,14 @@ if ($_POST["save"] && !$input_errors) {
write_config("Snort pkg: modified interface configuration for {$natent['interface']}.");
/* Update snort.conf and snort.sh files for this interface */
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
/* See if we need to restart Snort after an interface re-assignment */
- if ($snort_start == true)
+ if ($snort_start == true) {
snort_start($natent, $if_real);
+ }
/*******************************************************/
/* Signal Snort to reload configuration if we changed */
@@ -424,7 +442,9 @@ include_once("head.inc");
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -437,6 +457,7 @@ include_once("head.inc");
$tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -483,9 +504,44 @@ include_once("head.inc");
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Send Alerts to System Logs"); ?></td>
- <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?>/>
+ <td width="78%" class="vtable"><input name="alertsystemlog" type="checkbox" value="on" onclick="toggle_system_log();" <?php if ($pconfig['alertsystemlog'] == "on") echo " checked"; ?>/>
<?php echo gettext("Snort will send Alerts to the firewall's system logs."); ?></td>
</tr>
+ <tbody id="alertsystemlog_rows">
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("System Log Facility"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="alertsystemlog_facility" id="alertsystemlog_facility" class="formselect">
+ <?php
+ $log_facility = array( "log_auth", "log_authpriv", "log_daemon", "log_user", "log_local0", "log_local1",
+ "log_local2", "log_local3", "log_local4", "log_local5", "log_local6", "log_local7" );
+ foreach ($log_facility as $facility) {
+ $selected = "";
+ if ($facility == $pconfig['alertsystemlog_facility'])
+ $selected = " selected";
+ echo "<option value='{$facility}'{$selected}>" . $facility . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select system log Facility to use for reporting. Default is ") . "<strong>" . gettext("log_auth") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("System Log Priority"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="alertsystemlog_priority" id="alertsystemlog_priority" class="formselect">
+ <?php
+ $log_priority = array( "log_emerg", "log_crit", "log_alert", "log_err", "log_warning", "log_notice", "log_info", "log_debug" );
+ foreach ($log_priority as $priority) {
+ $selected = "";
+ if ($priority == $pconfig['alertsystemlog_priority'])
+ $selected = " selected";
+ echo "<option value='{$priority}'{$selected}>" . $priority . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select system log Priority (Level) to use for reporting. Default is ") . "<strong>" . gettext("log_alert") . "</strong>."; ?>
+ </td>
+ </tr>
+ </tbody>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Block Offenders"); ?></td>
<td width="78%" class="vtable">
@@ -641,13 +697,17 @@ include_once("head.inc");
}
}
?>
- </select>&nbsp;&nbsp;
- <span class="vexpl"><?php echo gettext("Choose the External Net you want this interface " .
- "to use."); ?></span>&nbsp;<br/><br/>
+ </select>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="button" class="formbtns" value="View List"
+ onclick="viewList('<?=$id;?>','externallistname','externalnet')" id="btnExternalNet"
+ title="<?php echo gettext("Click to view currently selected External Net contents"); ?>"/>
+ <br/>
+ <?php echo gettext("Choose the External Net you want this interface " .
+ "to use."); ?>&nbsp;<br/><br/>
<span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("Default " .
- "External Net is networks that are not Home Net."); ?><br/>
- <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;<?php echo gettext("Most users should leave this " .
- "setting at default. Create an Alias for custom External Net settings."); ?><br/>
+ "External Net is networks that are not Home Net. Most users should leave this setting at default."); ?><br/>
+ <span class="red"><?php echo gettext("Hint:"); ?></span>&nbsp;
+ <?php echo gettext("Create a Pass List and add an Alias to it, and then assign the Pass List here for custom External Net settings."); ?><br/>
</td>
</tr>
<tr>
@@ -745,6 +805,14 @@ function enable_blockoffenders() {
document.iform.btnWhitelist.disabled=endis;
}
+function toggle_system_log() {
+ var endis = !(document.iform.alertsystemlog.checked);
+ if (endis)
+ document.getElementById("alertsystemlog_rows").style.display="none";
+ else
+ document.getElementById("alertsystemlog_rows").style.display="";
+}
+
function enable_change(enable_change) {
endis = !(document.iform.enable.checked || enable_change);
// make sure a default answer is called if this is invoked.
@@ -799,6 +867,7 @@ function viewList(id, elemID, elemType) {
enable_change(false);
enable_blockoffenders();
+toggle_system_log();
//-->
</script>
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index 195e1a5e..fb36d192 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -49,18 +49,13 @@ $pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code
$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats'] == "on" ? 'on' : 'off';
$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == "on" ? 'on' : 'off';
$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
-$pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit'];
-$pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize'];
$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7'];
$pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime'];
$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings'] == "on" ? 'on' : 'off';
$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules'] == "on" ? 'on' : 'off';
-$pconfig['clearlogs'] = $config['installedpackages']['snortglobal']['clearlogs'] == "on" ? 'on' : 'off';
$pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off';
/* Set sensible values for any empty default params */
-if (empty($pconfig['snortloglimit']))
- $pconfig['snortloglimit'] = 'on';
if (!isset($pconfig['rule_update_starttime']))
$pconfig['rule_update_starttime'] = '00:05';
if (!isset($config['installedpackages']['snortglobal']['forcekeepsettings']))
@@ -85,7 +80,6 @@ if (!$input_errors) {
$config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off';
- $config['installedpackages']['snortglobal']['clearlogs'] = $_POST['clearlogs'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['clearblocks'] = $_POST['clearblocks'] ? 'on' : 'off';
// If any rule sets are being turned off, then remove them
@@ -127,31 +121,26 @@ if (!$input_errors) {
$config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code'];
$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
- if ($_POST['snortloglimitsize']) {
- $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit'];
- $config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize'];
- } else {
- $config['installedpackages']['snortglobal']['snortloglimit'] = 'on';
-
- /* code will set limit to 21% of slice that is unused */
- $snortloglimitDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .22 / 1024);
- $config['installedpackages']['snortglobal']['snortloglimitsize'] = $snortloglimitDSKsize;
- }
$config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7'];
/* Check and adjust format of Rule Update Starttime string to add colon and leading zero if necessary */
- $pos = strpos($_POST['rule_update_starttime'], ":");
- if ($pos === false) {
- $tmp = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT);
- $_POST['rule_update_starttime'] = substr($tmp, 0, 2) . ":" . substr($tmp, -2);
+ if ($_POST['rule_update_starttime']) {
+ $pos = strpos($_POST['rule_update_starttime'], ":");
+ if ($pos === false) {
+ $tmp = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT);
+ $_POST['rule_update_starttime'] = substr($tmp, 0, 2) . ":" . substr($tmp, -2);
+ }
+ $config['installedpackages']['snortglobal']['rule_update_starttime'] = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT);
}
- $config['installedpackages']['snortglobal']['rule_update_starttime'] = str_pad($_POST['rule_update_starttime'], 4, "0", STR_PAD_LEFT);
+
$config['installedpackages']['snortglobal']['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off';
$retval = 0;
- /* create whitelist and homenet file then sync files */
+ /* create whitelist and homenet file, then sync files */
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
write_config("Snort pkg: modified global settings.");
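Review bot: The new `rule_update_starttime` branch only inserts a colon and zero-pads, it never checks that the value is a valid 24-hour time, so `"9999"` becomes `"99:99"` and letters pass through untouched into config (and presumably into whatever cron entry is built from it elsewhere); the trailing `str_pad(..., 4, ...)` on an already five-character `HH:MM` string is also a no-op. I would reject bad input before saving, e.g. `if (!preg_match('/^([01]?[0-9]|2[0-3]):[0-5][0-9]$/', $_POST['rule_update_starttime'])) $input_errors[] = gettext("Rule Update Start Time must be HH:MM in 24-hour format.");` in the `$input_errors` section that gates this block. The `etpro_code` and `rm_blocked` assignments just above are likewise unvalidated, but that predates this change.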
@@ -198,7 +187,9 @@ if ($input_errors)
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -323,45 +314,12 @@ if ($input_errors)
<?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" .
gettext("Default") . "&nbsp;</strong>" . gettext("is ") . "<strong>" . gettext("00:05") . "</strong></span>"; ?>.<br/><br/>
<?php echo gettext("Rules will update at the interval chosen above starting at the time specified here. For example, using the default " .
- "start time of 00:03 and choosing 12 Hours for the interval, the rules will update at 00:05 and 12:05 each day."); ?></td>
+ "start time of 00:05 and choosing 12 Hours for the interval, the rules will update at 00:05 and 12:05 each day."); ?></td>
</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
</tr>
<tr>
-<?php $snortlogCurrentDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') / 1024); ?>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Directory Size " .
- "Limit"); ?><br/><br/>
- <br/>
- <br/>
- <span class="red"><strong><?php echo gettext("Note:"); ?></strong></span><br/>
- <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?>&nbsp;MB</strong></td>
- <td width="78%" class="vtable">
- <table cellpadding="0" cellspacing="0">
- <tr>
- <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="on"
- <?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>><span class="vexpl">
- <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</span></td>
- </tr>
- <tr>
- <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off"
- <?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong>
- <?php echo gettext("directory size limit"); ?></span><br/>
- <br/>
- <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("Nanobsd " .
- "should use no more than 10MB of space."); ?></td>
- </tr>
- </table>
- <table width="100%" border="0" cellpadding="2" cellspacing="0">
- <tr>
- <td class="vexpl"><?php echo gettext("Size in ") . "<strong>" . gettext("MB:") . "</strong>";?>&nbsp;
- <input name="snortloglimitsize" type="text" class="formfld unknown" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>">
- &nbsp;<?php echo gettext("Default is ") . "<strong>" . gettext("20%") . "</strong>" . gettext(" of available space.");?></td>
- </tr>
- </table>
- </td>
-</tr>
-<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts Interval"); ?></td>
<td width="78%" class="vtable">
<select name="rm_blocked" class="formselect" id="rm_blocked">
@@ -383,12 +341,6 @@ if ($input_errors)
<?php echo gettext("All blocked hosts added by Snort will be removed during package deinstallation."); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Snort Log Files After Deinstall"); ?></td>
- <td width="78%" class="vtable"><input name="clearlogs" id="clearlogs" type="checkbox" value="yes"
- <?php if ($config['installedpackages']['snortglobal']['clearlogs']=="on") echo " checked"; ?>/>&nbsp;
- <?php echo gettext("All Snort log files will be removed during package deinstallation."); ?></td>
-</tr>
-<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td>
<td width="78%" class="vtable"><input name="forcekeepsettings"
id="forcekeepsettings" type="checkbox" value="yes"
diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php
index ecbd04a7..fd47eed8 100644
--- a/config/snort/snort_interfaces_suppress.php
+++ b/config/snort/snort_interfaces_suppress.php
@@ -114,7 +114,9 @@ if ($savemsg)
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php
index ec4d9116..a861fb7e 100644
--- a/config/snort/snort_interfaces_suppress_edit.php
+++ b/config/snort/snort_interfaces_suppress_edit.php
@@ -121,7 +121,7 @@ if ($_POST['save']) {
$s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto");
if ($_POST['suppresspassthru']) {
$s_list['suppresspassthru'] = str_replace("&#8203;", "", $s_list['suppresspassthru']);
- $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']);
+ $s_list['suppresspassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['suppresspassthru']));
}
if (isset($id) && $a_suppress[$id])
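Review bot: The new `base64_encode(...)` line discards the zero-width-space strip on the line above it: that `str_replace("&#8203;", "", $s_list['suppresspassthru'])` rewrites whatever `$s_list['suppresspassthru']` already held (presumably nothing, or the previously stored base64 text, neither of which is the submitted value), and the next line then encodes the raw `$_POST` value, so `&#8203;` is never removed from what is stored. Fold both substitutions into the one assignment and drop the line above: `$s_list['suppresspassthru'] = base64_encode(str_replace(array("&#8203;", "\r\n"), array("", "\n"), $_POST['suppresspassthru']));`. The enclosing `if ($_POST['save'])` block starts and ends outside the hunk.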
@@ -130,7 +130,9 @@ if ($_POST['save']) {
$a_suppress[] = $s_list;
write_config("Snort pkg: modified Suppress List {$s_list['name']}.");
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
header("Location: /snort/snort_interfaces_suppress.php");
exit;
@@ -166,7 +168,9 @@ if ($savemsg)
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), true, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/snort/snort_ip_list_mgmt.php b/config/snort/snort_ip_list_mgmt.php
index ae4a1032..8311ea1c 100644
--- a/config/snort/snort_ip_list_mgmt.php
+++ b/config/snort/snort_ip_list_mgmt.php
@@ -43,7 +43,7 @@ if (!is_array($config['installedpackages']['snortglobal']['rule']))
// Hard-code the path where IP Lists are stored
// and disregard any user-supplied path element.
-$iprep_path = IPREP_PATH;
+$iprep_path = SNORT_IPREP_PATH;
// Set default to not show IP List editor controls
$iplist_edit_style = "display: none;";
@@ -163,7 +163,9 @@ if ($savemsg)
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), true, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php
index c3536e89..891f3773 100644
--- a/config/snort/snort_ip_reputation.php
+++ b/config/snort/snort_ip_reputation.php
@@ -56,7 +56,7 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'][$id]['blist_fi
$a_nat = &$config['installedpackages']['snortglobal']['rule'];
$pconfig = $a_nat[$id];
-$iprep_path = IPREP_PATH;
+$iprep_path = SNORT_IPREP_PATH;
$if_real = get_real_interface($a_nat[$id]['interface']);
$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid'];
@@ -216,7 +216,9 @@ if ($savemsg)
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -229,6 +231,7 @@ if ($savemsg)
$tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("IP Rep"), true, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/snort/snort_iprep_list_browser.php b/config/snort/snort_iprep_list_browser.php
index 3e4d6b6a..a13a2d37 100644
--- a/config/snort/snort_iprep_list_browser.php
+++ b/config/snort/snort_iprep_list_browser.php
@@ -23,7 +23,7 @@ function get_content($dir) {
return $files;
}
-$path = IPREP_PATH;
+$path = SNORT_IPREP_PATH;
$container = htmlspecialchars($_GET['container']);
$target = htmlspecialchars($_GET['target']);
diff --git a/config/snort/snort_list_view.php b/config/snort/snort_list_view.php
index 8c3d0134..54f4d7f1 100644
--- a/config/snort/snort_list_view.php
+++ b/config/snort/snort_list_view.php
@@ -66,6 +66,20 @@ if (isset($id) && isset($wlist)) {
$contents = str_replace("\r", "", base64_decode($list['suppresspassthru']));
$title = "Suppress List";
}
+ elseif ($type == "externalnet") {
+ if ($wlist == "default") {
+ $list = snort_build_list($a_rule, $a_rule['homelistname']);
+ $contents = "";
+ foreach ($list as $ip)
+ $contents .= "!{$ip}\n";
+ $contents = trim($contents, "\n");
+ }
+ else {
+ $list = snort_build_list($a_rule, $wlist, false, true);
+ $contents = implode("\n", $list);
+ }
+ $title = "EXTERNAL_NET";
+ }
else
$contents = gettext("\n\nERROR -- Requested List Type entity is not valid!");
}
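Review bot: The two positional booleans in `snort_build_list($a_rule, $wlist, false, true)` are unexplained, and nothing in the hunk says why the `default` branch negates each address with `!` while the named-list branch does not. A short comment above the `elseif`, along the lines of `// EXTERNAL_NET: the default is the negation of HOME_NET; otherwise show the named list as-is` (with a clause naming what the two flags select in snort_build_list), would spare the next reader a trip into the helper's definition. The enclosing `if (isset($id) && isset($wlist))` block starts outside the hunk.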
diff --git a/config/snort/snort_log_mgmt.php b/config/snort/snort_log_mgmt.php
new file mode 100644
index 00000000..0e38afc2
--- /dev/null
+++ b/config/snort/snort_log_mgmt.php
@@ -0,0 +1,416 @@
+<?php
+/*
+ * snort_log_mgmt.php
+ *
+ * Portions of this code are based on original work done for the
+ * Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g;
+
+$snortdir = SNORTDIR;
+
+$pconfig = array();
+
+// Grab saved settings from configuration
+$pconfig['enable_log_mgmt'] = $config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on' ? 'on' : 'off';
+$pconfig['clearlogs'] = $config['installedpackages']['snortglobal']['clearlogs'];
+$pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit'];
+$pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize'];
+$pconfig['alert_log_limit_size'] = $config['installedpackages']['snortglobal']['alert_log_limit_size'];
+$pconfig['alert_log_retention'] = $config['installedpackages']['snortglobal']['alert_log_retention'];
+$pconfig['stats_log_limit_size'] = $config['installedpackages']['snortglobal']['stats_log_limit_size'];
+$pconfig['stats_log_retention'] = $config['installedpackages']['snortglobal']['stats_log_retention'];
+$pconfig['sid_changes_log_limit_size'] = $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'];
+$pconfig['sid_changes_log_retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];
+$pconfig['event_pkts_log_limit_size'] = '0';
+$pconfig['event_pkts_log_retention'] = $config['installedpackages']['snortglobal']['event_pkts_log_retention'];
+
+// Load up some arrays with selection values (we use these later).
+// The keys in the $retentions array are the retention period
+// converted to hours. The keys in the $log_sizes array are
+// the file size limits in KB.
+$retentions = array( '0' => gettext('KEEP ALL'), '24' => gettext('1 DAY'), '168' => gettext('7 DAYS'), '336' => gettext('14 DAYS'),
+ '720' => gettext('30 DAYS'), '1080' => gettext("45 DAYS"), '2160' => gettext('90 DAYS'), '4320' => gettext('180 DAYS'),
+ '8766' => gettext('1 YEAR'), '26298' => gettext("3 YEARS") );
+$log_sizes = array( '0' => gettext('NO LIMIT'), '50' => gettext('50 KB'), '150' => gettext('150 KB'), '250' => gettext('250 KB'),
+ '500' => gettext('500 KB'), '750' => gettext('750 KB'), '1000' => gettext('1 MB'), '2000' => gettext('2 MB'),
+ '5000' => gettext("5 MB"), '10000' => gettext("10 MB") );
+
+// Set sensible defaults for any unset parameters
+if (empty($pconfig['snortloglimit']))
+ $pconfig['snortloglimit'] = 'on';
+if (empty($pconfig['snortloglimitsize'])) {
+ // Set limit to 20% of slice that is unused */
+ $pconfig['snortloglimitsize'] = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .20 / 1024);
+}
+
+// Set default retention periods for rotated logs
+if (!isset($pconfig['alert_log_retention']))
+ $pconfig['alert_log_retention'] = "336";
+if (!isset($pconfig['stats_log_retention']))
+ $pconfig['stats_log_retention'] = "168";
+if (!isset($pconfig['sid_changes_log_retention']))
+ $pconfig['sid_changes_log_retention'] = "336";
+if (!isset($pconfig['event_pkts_log_retention']))
+ $pconfig['event_pkts_log_retention'] = "336";
+
+// Set default log file size limits
+if (!isset($pconfig['alert_log_limit_size']))
+ $pconfig['alert_log_limit_size'] = "500";
+if (!isset($pconfig['stats_log_limit_size']))
+ $pconfig['stats_log_limit_size'] = "500";
+if (!isset($pconfig['sid_changes_log_limit_size']))
+ $pconfig['sid_changes_log_limit_size'] = "250";
+
+if ($_POST['ResetAll']) {
+
+ // Reset all settings to their defaults
+ $pconfig['alert_log_retention'] = "336";
+ $pconfig['stats_log_retention'] = "168";
+ $pconfig['sid_changes_log_retention'] = "336";
+ $pconfig['event_pkts_log_retention'] = "336";
+
+ $pconfig['alert_log_limit_size'] = "500";
+ $pconfig['stats_log_limit_size'] = "500";
+ $pconfig['sid_changes_log_limit_size'] = "250";
+ $pconfig['event_pkts_log_limit_size'] = "0";
+
+ /* Log a message at the top of the page to inform the user */
+ $savemsg = gettext("All log management settings on this page have been reset to their defaults. Click APPLY if you wish to keep these new settings.");
+}
+
+if ($_POST["save"] || $_POST['apply']) {
+ if ($_POST['enable_log_mgmt'] != 'on') {
+ $config['installedpackages']['snortglobal']['enable_log_mgmt'] = $_POST['enable_log_mgmt'] ? 'on' :'off';
+ write_config("Snort pkg: saved updated configuration for LOGS MGMT.");
+ conf_mount_rw();
+ sync_snort_package_config();
+ conf_mount_ro();
+
+ /* forces page to reload new settings */
+ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
+ header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+ header( 'Cache-Control: post-check=0, pre-check=0', false );
+ header( 'Pragma: no-cache' );
+ header("Location: /snort/snort_log_mgmt.php");
+ exit;
+ }
+
+ if ($_POST['snortloglimit'] == 'on') {
+ if (!is_numericint($_POST['snortloglimitsize']) || $_POST['snortloglimitsize'] < 1)
+ $input_errors[] = gettext("The 'Log Directory Size Limit' must be an integer value greater than zero.");
+ }
+
+ if (!$input_errors) {
+ $config['installedpackages']['snortglobal']['enable_log_mgmt'] = $_POST['enable_log_mgmt'] ? 'on' :'off';
+ $config['installedpackages']['snortglobal']['clearlogs'] = $_POST['clearlogs'] ? 'on' : 'off';
+ $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit'];
+ $config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize'];
+ $config['installedpackages']['snortglobal']['alert_log_limit_size'] = $_POST['alert_log_limit_size'];
+ $config['installedpackages']['snortglobal']['alert_log_retention'] = $_POST['alert_log_retention'];
+ $config['installedpackages']['snortglobal']['stats_log_limit_size'] = $_POST['stats_log_limit_size'];
+ $config['installedpackages']['snortglobal']['stats_log_retention'] = $_POST['stats_log_retention'];
+ $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'] = $_POST['sid_changes_log_limit_size'];
+ $config['installedpackages']['snortglobal']['sid_changes_log_retention'] = $_POST['sid_changes_log_retention'];
+ $config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = $_POST['event_pkts_log_limit_size'];
+ $config['installedpackages']['snortglobal']['event_pkts_log_retention'] = $_POST['event_pkts_log_retention'];
+
+ write_config("Snort pkg: saved updated configuration for LOGS MGMT.");
+ conf_mount_rw();
+ sync_snort_package_config();
+ conf_mount_ro();
+
+ /* forces page to reload new settings */
+ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
+ header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+ header( 'Cache-Control: post-check=0, pre-check=0', false );
+ header( 'Pragma: no-cache' );
+ header("Location: /snort/snort_log_mgmt.php");
+ exit;
+ }
+}
+
+$pgtitle = gettext("Snort: Log Management");
+include_once("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+
+<?php
+include_once("fbegin.inc");
+
+/* Display Alert message, under form tag or no refresh */
+if ($input_errors)
+ print_input_errors($input_errors);
+?>
+
+<form action="snort_log_mgmt.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
+
+<?php
+if ($savemsg) {
+ /* Display save message */
+ print_info_box($savemsg);
+}
+?>
+
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr><td>
+<?php
+ $tab_array = array();
+ $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php");
+ $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php");
+ $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php");
+ $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php");
+ $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php");
+ $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
+ $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
+ $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), true, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ display_top_tabs($tab_array, true);
+?>
+</td></tr>
+<tr>
+ <td>
+ <div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+<tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
+</tr>
+<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Snort Log Files During Package Uninstall"); ?></td>
+ <td width="78%" class="vtable"><input name="clearlogs" id="clearlogs" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['snortglobal']['clearlogs']=="on") echo " checked"; ?>/>&nbsp;
+ <?php echo gettext("Snort log files will be removed when the Snort package is uninstalled."); ?></td>
+</tr>
+<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Log Management"); ?></td>
+ <td width="78%" class="vtable"><input name="enable_log_mgmt" id="enable_log_mgmt" type="checkbox" value="on"
+ <?php if ($config['installedpackages']['snortglobal']['enable_log_mgmt']=="on") echo " checked"; ?> onClick="enable_change();"/>&nbsp;
+ <?php echo gettext("Enable automatic unattended management of Snort logs using parameters specified below."); ?><br/>
+ <span class="red"><strong><?=gettext("Note: ") . "</strong></span>" . gettext("This must be be enabled in order to set Log Size and Retention Limits below.");?>
+ </td>
+</tr>
+<tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Logs Directory Size Limit"); ?></td>
+</tr>
+<tr>
+<?php $snortlogCurrentDSKsize = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') / 1024); ?>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Log Directory Size " .
+ "Limit"); ?><br/><br/><br/><br/><br/><br/><br/>
+ <span class="red"><strong><?php echo gettext("Note:"); ?></strong></span><br/>
+ <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?>&nbsp;MB</strong></td>
+ <td width="78%" class="vtable">
+ <table cellpadding="0" cellspacing="0">
+ <tr>
+ <td colspan="2" class="vexpl"><input name="snortloglimit" type="radio" id="snortloglimit_on" value="on"
+ <?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?> onClick="enable_change_dirSize();"/>
+ &nbsp;<strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</td>
+ </tr>
+ <tr>
+ <td colspan="2" class="vexpl"><input name="snortloglimit" type="radio" id="snortloglimit_off" value="off"
+ <?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?> onClick="enable_change_dirSize();"/>
+ &nbsp;<strong><?php echo gettext("Disable"); ?></strong>
+ <?php echo gettext("directory size limit"); ?><br/>
+ <br/><span class="red"><strong><?=gettext("Note: ");?></strong></span><?=gettext("this setting imposes a hard-limit on the combined log directory size of all Snort interfaces. ") .
+ gettext("When the size limit set is reached, rotated logs for all interfaces will be removed, and any active logs pruned to zero-length.");?>
+ <br/><br/>
+ <span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("NanoBSD " .
+ "should use no more than 10MB of space."); ?></td>
+ </tr>
+ </table>
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td class="vexpl"><?php echo gettext("Size in ") . "<strong>" . gettext("MB:") . "</strong>";?>&nbsp;
+ <input name="snortloglimitsize" type="text" class="formfld unknown" id="snortloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"/>
+ &nbsp;<?php echo gettext("Default is ") . "<strong>" . gettext("20%") . "</strong>" . gettext(" of available space.");?></td>
+ </tr>
+ </table>
+ </td>
+</tr>
+<tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Log Size and Retention Limits"); ?></td>
+</tr>
+<tr>
+ <td class="vncell" valign="top" width="22%"><?php echo gettext("Text Log Settings");?></td>
+ <td class="vtable" width="78%">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
+ <colgroup>
+ <col style="width: 15%;">
+ <col style="width: 18%;">
+ <col style="width: 18%;">
+ <col>
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"><?=gettext("Log Name");?></th>
+ <th class="listhdrr"><?=gettext("Max Size");?></th>
+ <th class="listhdrr"><?=gettext("Retention");?></th>
+ <th class="listhdrr"><?=gettext("Log Description");?></th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td class="listbg">alert</td>
+ <td class="listr" align="center"><select name="alert_log_limit_size" class="formselect" id="alert_log_limit_size">
+ <?php foreach ($log_sizes as $k => $l): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['alert_log_limit_size']) echo " selected"; ?>>
+ <?=htmlspecialchars($l);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listr" align="center"><select name="alert_log_retention" class="formselect" id="alert_log_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['alert_log_retention']) echo " selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listbg"><?=gettext("Snort alerts and event details");?></td>
+ </tr>
+
+ <tr>
+ <td class="listbg">event pcaps</td>
+ <td class="listr" align="center"><select name="event_pkts_log_limit_size" class="formselect" id="event_pkts_log_limit_size">
+ <option value="0" selected>NO LIMIT</option>
+ </select>
+ </td>
+ <td class="listr" align="center"><select name="event_pkts_log_retention" class="formselect" id="event_pkts_log_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['event_pkts_log_retention']) echo " selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listbg"><?=gettext("Snort alert related packet captures");?></td>
+ </tr>
+
+ <tr>
+ <td class="listbg">sid_changes</td>
+ <td class="listr" align="center"><select name="sid_changes_log_limit_size" class="formselect" id="sid_changes_log_limit_size">
+ <?php foreach ($log_sizes as $k => $l): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['sid_changes_log_limit_size']) echo "selected"; ?>>
+ <?=htmlspecialchars($l);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listr" align="center"><select name="sid_changes_log_retention" class="formselect" id="sid_changes_log_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['sid_changes_log_retention']) echo " selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listbg"><?=gettext("SID changes made by SID Mgmt conf files");?></td>
+ </tr>
+ <tr>
+ <td class="listbg">stats</td>
+ <td class="listr" align="center"><select name="stats_log_limit_size" class="formselect" id="stats_log_limit_size">
+ <?php foreach ($log_sizes as $k => $l): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['stats_log_limit_size']) echo " selected"; ?>>
+ <?=htmlspecialchars($l);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listr" align="center"><select name="stats_log_retention" class="formselect" id="stats_log_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['stats_log_retention']) echo " selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listbg"><?=gettext("Snort performance statistics");?></td>
+ </tr>
+ </tbody>
+ </table>
+ <br/><?=gettext("Settings will be ignored for any log in the list above not enabled on the Interface Settings tab. ") .
+ gettext("When a log reaches the Max Size limit, it will be rotated and tagged with a timestamp. The Retention period determines ") .
+ gettext("how long rotated logs are kept before they are automatically deleted.");?>
+ </td>
+</tr>
+<tr>
+ <td width="22%"></td>
+ <td width="78%" class="vexpl"><input name="save" type="submit" class="formbtn" value="Save"/>
+ &nbsp;&nbsp;&nbsp;&nbsp;<input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo
+ gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" .
+ gettext("WARNING: This will reset ALL Log Management settings to their defaults. Click OK to continue or CANCEL to quit.") .
+ "');\""; ?>/><br/>
+ <br/><span class="red"><strong><?php echo gettext("Note:");?></strong>&nbsp;
+ </span><?php echo gettext("Changing any settings on this page will affect all Snort-configured interfaces.");?></td>
+</tr>
+ </table>
+</div><br/>
+</td></tr>
+</table>
+</form>
+
+<script language="JavaScript">
+function enable_change() {
+ var endis = !(document.iform.enable_log_mgmt.checked);
+ document.iform.alert_log_limit_size.disabled = endis;
+ document.iform.alert_log_retention.disabled = endis;
+ document.iform.stats_log_limit_size.disabled = endis;
+ document.iform.stats_log_retention.disabled = endis;
+ document.iform.sid_changes_log_retention.disabled = endis;
+ document.iform.sid_changes_log_limit_size.disabled = endis;
+ document.iform.event_pkts_log_limit_size.disabled = endis;
+ document.iform.event_pkts_log_retention.disabled = endis;
+}
+
+function enable_change_dirSize() {
+ var endis = !(document.getElementById('snortloglimit_on').checked);
+ document.getElementById('snortloglimitsize').disabled = endis;
+}
+
+enable_change();
+enable_change_dirSize();
+</script>
+
+<?php include("fend.inc"); ?>
+
+</body>
+</html>
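Review bot: Settings the user can edit while Auto Log Management is unchecked are silently dropped: the early branch at `if ($_POST['enable_log_mgmt'] != 'on')` saves only that flag and redirects, yet the `clearlogs` checkbox and the `snortloglimit`/`snortloglimitsize` controls stay enabled (`enable_change()` disables only the size and retention selects) and are never written to `$config` on that path, and the size-limit validation below it is skipped as well. Moving the `snortloglimit` validation ahead of that branch and persisting those three fields there fixes it; the rewritten head of the save handler is below. Separately, the `*_log_limit_size` and `*_log_retention` values are copied straight from `$_POST` into `$config` (the run beginning `$config['installedpackages']['snortglobal']['alert_log_limit_size'] = $_POST['alert_log_limit_size'];`) without checking that they are keys of `$log_sizes`/`$retentions`; an `array_key_exists()` check per field that appends to `$input_errors` on mismatch would keep arbitrary strings out of values another script later acts on. The note string `"This must be be enabled ..."` also has a doubled word.
```php
if ($_POST["save"] || $_POST['apply']) {
	// Validate first so the size limit is checked on both save paths below.
	if ($_POST['snortloglimit'] == 'on') {
		if (!is_numericint($_POST['snortloglimitsize']) || $_POST['snortloglimitsize'] < 1)
			$input_errors[] = gettext("The 'Log Directory Size Limit' must be an integer value greater than zero.");
	}

	if ($_POST['enable_log_mgmt'] != 'on' && !$input_errors) {
		// These controls are never disabled by enable_change(), so the user can
		// change them while auto management is off; persist them on this path too.
		$config['installedpackages']['snortglobal']['enable_log_mgmt'] = $_POST['enable_log_mgmt'] ? 'on' :'off';
		$config['installedpackages']['snortglobal']['clearlogs'] = $_POST['clearlogs'] ? 'on' : 'off';
		$config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit'];
		$config['installedpackages']['snortglobal']['snortloglimitsize'] = $_POST['snortloglimitsize'];
		write_config("Snort pkg: saved updated configuration for LOGS MGMT.");
		// … unchanged: conf_mount_rw()/sync_snort_package_config()/conf_mount_ro(), no-cache headers, redirect …
	}

	// … unchanged: full save path under if (!$input_errors) …
}
```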
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index af02261f..9569c475 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -70,6 +70,30 @@ if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) &&
$updated_cfg = true;
}
+/**********************************************************/
+/* Create new Auto SID Mgmt settings if not set */
+/**********************************************************/
+ if (empty($config['installedpackages']['snortglobal']['auto_manage_sids'])) {
+ $config['installedpackages']['snortglobal']['auto_manage_sids'] = "off";
+ $updated_cfg = true;
+ }
+
+/**********************************************************/
+/* Create new LOG MGMT settings if not set */
+/**********************************************************/
+ if (empty($config['installedpackages']['snortglobal']['enable_log_mgmt'])) {
+ $config['installedpackages']['snortglobal']['enable_log_mgmt'] = "on";
+ $config['installedpackages']['snortglobal']['alert_log_limit_size'] = "500";
+ $config['installedpackages']['snortglobal']['alert_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = "0";
+ $config['installedpackages']['snortglobal']['event_pkts_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'] = "250";
+ $config['installedpackages']['snortglobal']['sid_changes_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['stats_log_limit_size'] = "500";
+ $config['installedpackages']['snortglobal']['stats_log_retention'] = "168";
+ $updated_cfg = true;
+}
+
foreach ($rule as &$r) {
// Initialize arrays for supported preprocessors if necessary
if (!is_array($r['frag3_engine']['item']))
@@ -344,7 +368,7 @@ foreach ($rule as &$r) {
// Since Barnyard2 was enabled, configure the new archived log settings
$pconfig['u2_archived_log_retention'] = '168';
$pconfig['barnyard_archive_enable'] = 'on';
- $pconfig['unified2_log_limit'] = '32';
+ $pconfig['unified2_log_limit'] = '32M';
$updated_cfg = true;
}
@@ -410,23 +434,23 @@ foreach ($rule as &$r) {
$pconfig['smtp_max_mime_mem'] = "838860";
$updated_cfg = true;
}
- if (empty($pconfig['smtp_b64_decode_depth'])) {
+ if (empty($pconfig['smtp_b64_decode_depth']) && $pconfig['smtp_b64_decode_depth'] != "0") {
$pconfig['smtp_b64_decode_depth'] = "0";
$updated_cfg = true;
}
- if (empty($pconfig['smtp_qp_decode_depth'])) {
+ if (empty($pconfig['smtp_qp_decode_depth']) && $pconfig['smtp_qp_decode_depth'] != "0") {
$pconfig['smtp_qp_decode_depth'] = "0";
$updated_cfg = true;
}
- if (empty($pconfig['smtp_bitenc_decode_depth'])) {
+ if (empty($pconfig['smtp_bitenc_decode_depth']) && $pconfig['smtp_bitenc_decode_depth'] != "0") {
$pconfig['smtp_bitenc_decode_depth'] = "0";
$updated_cfg = true;
}
- if (empty($pconfig['smtp_uu_decode_depth'])) {
+ if (empty($pconfig['smtp_uu_decode_depth']) && $pconfig['smtp_uu_decode_depth'] != "0") {
$pconfig['smtp_uu_decode_depth'] = "0";
$updated_cfg = true;
}
- if (empty($pconfig['smtp_email_hdrs_log_depth']) && $pconfig['smtp_email_hdrs_log_depth'] != '0') {
+ if (empty($pconfig['smtp_email_hdrs_log_depth'])) {
$pconfig['smtp_email_hdrs_log_depth'] = "1464";
$updated_cfg = true;
}
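Review bot: The guard on `smtp_email_hdrs_log_depth` now runs the opposite way from the four decode-depth checks just above it: dropping the `!= '0'` clause means a stored value of "0" (which `empty()` treats as empty) is overwritten with "1464" on every migration run. If 0 is a value the GUI accepts for this field, as it evidently is for the decode depths, this silently changes a user's setting; if the intent is that 0 is invalid here, a one-line comment saying so would stop the next maintainer from "fixing" it back. For symmetry I would expect `if (empty($pconfig['smtp_email_hdrs_log_depth']) && $pconfig['smtp_email_hdrs_log_depth'] != "0") {`. The enclosing `foreach ($rule as &$r)` starts before this hunk.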
@@ -451,17 +475,23 @@ foreach ($rule as &$r) {
$updated_cfg = true;
}
+ // Migrate any BY2 limit for unified2 logs to new format
+ if (!empty($pconfig['unified2_log_limit']) &&
+ !preg_match('/^\d+[g|k|m|G|K|M]/', $pconfig['unified2_log_limit'])) {
+ $pconfig['unified2_log_limit'] .= "M";
+ $updated_cfg = true;
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
// Release reference to final array element
unset($r);
-// Write out the new configuration to disk if we changed anything
+// Log a message if we changed anything
if ($updated_cfg) {
- $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.2";
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.3";
log_error("[Snort] Saving configuration settings in new format...");
- write_config("Snort pkg: migrate existing settings to new format as part of package upgrade.");
log_error("[Snort] Settings successfully migrated to new configuration format...");
}
else
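Review bot: The character class in `preg_match('/^\d+[g|k|m|G|K|M]/', ...)` treats `|` as a literal member, so a value like `32|` is accepted as already suffixed, and with no `$` anchor `32MB` or `32Mx` also pass through to Barnyard2 unchanged. A tighter test is `preg_match('/^\d+[gkmGKM]$/', $pconfig['unified2_log_limit'])`, and the `.= "M"` should only fire when the stored value is all digits (`ctype_digit(...)`), otherwise an arbitrary string just gets an `M` glued on. Separately, the `write_config()` call is removed but the log line immediately above still says "Saving configuration settings in new format...", which this script no longer does; it now depends on the including script (snort_post_install.php writes the config at its end) to persist the migration, so the message and the comment should say that.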
diff --git a/config/snort/snort_passlist.php b/config/snort/snort_passlist.php
index 2cac9cd4..965f22d7 100644
--- a/config/snort/snort_passlist.php
+++ b/config/snort/snort_passlist.php
@@ -86,7 +86,9 @@ if ($_POST['del'] && is_numericint($_POST['list_id'])) {
if (!$input_errors) {
unset($a_passlist[$_POST['list_id']]);
write_config("Snort pkg: deleted PASS LIST.");
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
header("Location: /snort/snort_passlist.php");
exit;
}
@@ -125,7 +127,9 @@ if ($savemsg) {
$tab_array[5] = array(gettext("Pass Lists"), true, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/snort/snort_passlist_edit.php b/config/snort/snort_passlist_edit.php
index d5b89877..9f95adb4 100644
--- a/config/snort/snort_passlist_edit.php
+++ b/config/snort/snort_passlist_edit.php
@@ -181,7 +181,9 @@ if ($_POST['save']) {
write_config("Snort pkg: modified PASS LIST {$p_list['name']}.");
/* create pass list and homenet file, then sync files */
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
header("Location: /snort/snort_passlist.php");
exit;
@@ -219,7 +221,9 @@ if ($savemsg)
$tab_array[5] = array(gettext("Pass Lists"), true, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array,true);
?>
</td>
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index c1be72cc..c295b881 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -5,7 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009-2010 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013 Bill Meeks
+ * Copyright (C) 2013-2014 Bill Meeks
* part of pfSense
* All rights reserved.
*
@@ -44,9 +44,35 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
+/****************************************
+ * Define any new constants here that *
+ * may not be yet defined in the old *
+ * "snort.inc" include file that might *
+ * be cached and used by the package *
+ * manager installation code. *
+ * *
+ * This is a hack to work around the *
+ * fact the old version of suricata.inc *
+ * is cached and used instead of the *
+ * updated version icluded with the *
+ * updated GUI package. *
+ ****************************************/
+if (!defined('SNORT_SID_MODS_PATH'))
+ define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
+
+if (!defined('SNORT_ENFORCING_RULES_FILENAME'))
+ define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
+
+/****************************************
+ * End of PHP caching workaround *
+ ****************************************/
+
$snortdir = SNORTDIR;
+$snortlogdir = SNORTLOGDIR;
$snortlibdir = SNORTLIBDIR;
$rcdir = RCFILEPREFIX;
+$flowbit_rules_file = FLOWBITS_FILENAME;
+$snort_enforcing_rules_file = SNORT_ENFORCING_RULES_FILENAME;
/* Hard kill any running Snort processes that may have been started by any */
/* of the pfSense scripts such as check_reload_status() or rc.start_packages */
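Review bot: The comment above the fallback `define()`s says it works around a cached old copy of `suricata.inc`, but this is the Snort package and the cached include is `snort.inc`; it also has a typo (`icluded`). Suggest `* fact the old version of snort.inc *` and `* updated version included with the *` so a reader is not sent to the wrong package. The comment could also state the consequence if the guard is missing (the constants are undefined and the paths built from them below are wrong), which is the actual reason the block exists.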
@@ -54,20 +80,20 @@ if(is_process_running("snort")) {
exec("/usr/bin/killall -z snort");
sleep(2);
// Delete any leftover snort PID files in /var/run
- unlink_if_exists("/var/run/snort_*.pid");
+ unlink_if_exists("{$g['varrun_path']}/snort_*.pid");
}
// Hard kill any running Barnyard2 processes
if(is_process_running("barnyard")) {
exec("/usr/bin/killall -z barnyard2");
sleep(2);
// Delete any leftover barnyard2 PID files in /var/run
- unlink_if_exists("/var/run/barnyard2_*.pid");
+ unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
}
/* Set flag for post-install in progress */
$g['snort_postinstall'] = true;
-/* Set Snort conf partition to read-write so we can make changes there */
+/* Set conf partition to read-write so we can make changes there */
conf_mount_rw();
/* cleanup default files */
@@ -89,13 +115,14 @@ foreach ($preproc_rules as $file) {
}
/* Remove any previously installed scripts since we rebuild them */
-@unlink("{$snortdir}/sid");
-@unlink("{$rcdir}snort.sh");
-@unlink("{$rcdir}barnyard2");
+unlink_if_exists("{$snortdir}/sid");
+unlink_if_exists("{$rcdir}snort.sh");
+unlink_if_exists("{$rcdir}barnyard2");
/* Create required log and db directories in /var */
safe_mkdir(SNORTLOGDIR);
-safe_mkdir(IPREP_PATH);
+safe_mkdir(SNORT_IPREP_PATH);
+safe_mkdir(SNORT_SID_MODS_PATH);
/* If installed, absorb the Snort Dashboard Widget into this package */
/* by removing it as a separately installed package. */
@@ -104,7 +131,6 @@ if ($pkgid >= 0) {
log_error(gettext("[Snort] Removing legacy 'Dashboard Widget: Snort' package because the widget is now part of the Snort package."));
unset($config['installedpackages']['package'][$pkgid]);
unlink_if_exists("/usr/local/pkg/widget-snort.xml");
- write_config("Snort pkg: removed legacy Snort Dashboard Widget.");
}
/* Define a default Dashboard Widget Container for Snort */
@@ -114,29 +140,87 @@ $snort_widget_container = "snort_alerts-container:col2:close";
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
log_error(gettext("[Snort] Saved settings detected... rebuilding installation with saved settings..."));
update_status(gettext("Saved settings detected..."));
+
+ /****************************************************************/
+ /* Do test and fix for duplicate UUIDs if this install was */
+ /* impacted by the DUP (clone) bug that generated a duplicate */
+ /* UUID for the cloned interface. */
+ /****************************************************************/
+ if (count($config['installedpackages']['snortglobal']['rule']) > 0) {
+ $uuids = array();
+ $fixed_duplicate = FALSE;
+ $snortconf = &$config['installedpackages']['snortglobal']['rule'];
+ foreach ($snortconf as &$snortcfg) {
+ // Check for and fix a duplicate UUID
+ $if_real = get_real_interface($snortcfg['interface']);
+ if (!isset($uuids[$snortcfg['uuid']])) {
+ $uuids[$snortcfg['uuid']] = $if_real;
+ continue;
+ }
+ else {
+ // Found a duplicate UUID, so generate a
+ // new one for the affected interface.
+ $old_uuid = $snortcfg['uuid'];
+ $new_uuid = snort_generate_id();
+ if (file_exists("{$snortlogdir}snort_{$if_real}{$old_uuid}/"))
+ @rename("{$snortlogdir}snort_{$if_real}{$old_uuid}/", "{$snortlogdir}snort_{$if_real}{$new_uuid}/");
+ $snortcfg['uuid'] = $new_uuid;
+ $uuids[$new_uuid] = $if_real;
+ log_error(gettext("[Snort] updated UUID for interface " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . " from {$old_uuid} to {$new_uuid}."));
+ $fixed_duplicate = TRUE;
+ }
+ }
+ unset($uuids);
+ }
+ /****************************************************************/
+ /* End of duplicate UUID bug fix. */
+ /****************************************************************/
+
/* Do one-time settings migration for new multi-engine configurations */
update_output_window(gettext("Please wait... migrating settings to new configuration..."));
include('/usr/local/pkg/snort/snort_migrate_config.php');
update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
log_error(gettext("[Snort] Downloading and updating configured rule types..."));
- update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
+ update_output_window(gettext("Please wait... downloading and updating configured rule sets..."));
if ($pkg_interface <> "console")
$snort_gui_include = true;
include('/usr/local/pkg/snort/snort_check_for_rule_updates.php');
update_status(gettext("Generating snort.conf configuration file from saved settings..."));
$rebuild_rules = true;
+ conf_mount_rw();
/* Create the snort.conf files for each enabled interface */
$snortconf = $config['installedpackages']['snortglobal']['rule'];
- foreach ($snortconf as $value) {
- $if_real = get_real_interface($value['interface']);
+ foreach ($snortconf as $snortcfg) {
+ $if_real = get_real_interface($snortcfg['interface']);
+ $snort_uuid = $snortcfg['uuid'];
+ $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
+ update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($snortcfg['interface']) . "..."));
- /* create a snort.conf file for interface */
- snort_generate_conf($value);
+ // Pull in the PHP code that generates the snort.conf file
+ // variables that will be substituted further down below.
+ include("/usr/local/pkg/snort/snort_generate_conf.php");
- /* create barnyard2.conf file for interface */
- if ($value['barnyard_enable'] == 'on')
- snort_generate_barnyard2_conf($value, $if_real);
+ // Pull in the boilerplate template for the snort.conf
+ // configuration file. The contents of the template along
+ // with substituted variables are stored in $snort_conf_text
+ // (which is defined in the included file).
+ include("/usr/local/pkg/snort/snort_conf_template.inc");
+
+ // Now write out the conf file using $snort_conf_text contents
+ @file_put_contents("{$snortcfgdir}/snort.conf", $snort_conf_text);
+ unset($snort_conf_text);
+
+ // Create the actual rules files and save them in the interface directory
+ snort_prepare_rule_files($snortcfg, $snortcfgdir);
+
+ // Clean up variables we no longer need and free memory
+ unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
+ unset($home_net, $external_net, $ipvardef, $portvardef);
+
+ // Create barnyard2.conf file for interface
+ if ($snortcfg['barnyard_enable'] == 'on')
+ snort_generate_barnyard2_conf($snortcfg, $if_real);
}
/* create snort bootup file snort.sh */
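Review bot: The duplicate-UUID loop `foreach ($snortconf as &$snortcfg)` leaves `$snortcfg` as a reference to the last element of `$config['installedpackages']['snortglobal']['rule']`, and the later by-value `foreach ($snortconf as $snortcfg)` that generates each snort.conf assigns through that reference, so on a system with two or more interfaces the last rule entry is overwritten with the previous interface's settings and then persisted by the `write_config()` at the end of the script. Add `unset($snortcfg, $snortconf);` immediately after the first loop, alongside the existing `unset($uuids);`, before `$snortconf` is re-assigned for the conf-generation pass. Also, the rename target `"{$snortlogdir}snort_{$if_real}{$old_uuid}/"` has no separator after `$snortlogdir`, unlike the `"{$snortdir}/snort_{$snort_uuid}_{$if_real}"` path built a few lines later; if `SNORTLOGDIR` has no trailing slash, the `@rename` silently fails and the old log directory is orphaned, so the `@` should be dropped and a failed rename logged with `log_error()`.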
@@ -147,25 +231,26 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false);
snort_rules_up_install_cron($config['installedpackages']['snortglobal']['autorulesupdate7'] != "never_up" ? true : false);
- /* Add the recurring jobs created above to crontab */
- configure_cron();
-
/* Restore the last Snort Dashboard Widget setting if none is set */
if (!empty($config['installedpackages']['snortglobal']['dashboard_widget']) &&
stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
$config['widgets']['sequence'] .= "," . $config['installedpackages']['snortglobal']['dashboard_widget'];
$rebuild_rules = false;
- update_output_window(gettext("Finished rebuilding Snort configuration files..."));
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("Finished rebuilding Snort configuration files..."));
log_error(gettext("[Snort] Finished rebuilding installation from saved settings..."));
/* Only try to start Snort if not in reboot */
if (!($g['booting'])) {
- update_status(gettext("Starting Snort using rebuilt configuration..."));
- update_output_window(gettext("Please wait... while Snort is started..."));
- log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
- mwexec_bg("{$rcdir}snort.sh start");
- update_output_window(gettext("Snort is starting using the rebuilt configuration..."));
+ if ($pkg_interface <> "console") {
+ update_status(gettext("Starting Snort using rebuilt configuration..."));
+ update_output_window(gettext("Please wait while Snort is started..."));
+ mwexec("{$rcdir}snort.sh start");
+ update_output_window(gettext("Snort has been started using the rebuilt configuration..."));
+ }
+ else
+ mwexec_bg("{$rcdir}snort.sh start");
}
}
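Review bot: The `configure_cron()` call after `snort_rm_blocked_install_cron()` / `snort_rules_up_install_cron()` is removed with no visible replacement; unless those helpers now regenerate the crontab themselves (not shown in this hunk), the rule-update and blocked-host-expiry jobs land in `$config` but never reach the live crontab until something else happens to call `configure_cron()`. If the helpers do handle it, a comment such as `// crontab is regenerated inside the *_install_cron() helpers` would keep the call from being re-added. In the GUI path the blocking `mwexec("{$rcdir}snort.sh start")` is a reasonable change, but its exit status is discarded and the next line unconditionally reports "Snort has been started", so a failed start is reported as success; check the return value before printing that message.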
@@ -178,8 +263,8 @@ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
$config['widgets']['sequence'] .= ",{$snort_widget_container}";
/* Update Snort package version in configuration */
-$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.2";
-write_config("Snort pkg: post-install configuration saved.");
+$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.3";
+write_config("Snort pkg v3.1.3: post-install configuration saved.");
/* Done with post-install, so clear flag */
unset($g['snort_postinstall']);
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 133c0513..cb2af543 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -650,7 +650,9 @@ if ($savemsg) {
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td>';
@@ -663,6 +665,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("Preprocs"), true, "/snort/snort_preprocessors.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 8d9aa6ba..681c691f 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -109,6 +109,29 @@ $categories[] = "custom.rules";
$categories[] = "decoder.rules";
$categories[] = "preprocessor.rules";
$categories[] = "sensitive-data.rules";
+
+// Get any automatic rule category enable/disable modifications
+// if auto-SID Mgmt is enabled, and adjust the available rulesets
+// in the CATEGORY drop-down box as necessary.
+$cat_mods = snort_sid_mgmt_auto_categories($a_rule[$id], FALSE);
+foreach ($cat_mods as $k => $v) {
+ switch ($v) {
+ case 'disabled':
+ if (($key = array_search($k, $categories)) !== FALSE)
+ unset($categories[$key]);
+ break;
+
+ case 'enabled':
+ if (!in_array($k, $categories))
+ $categories[] = $k;
+ break;
+
+ default:
+ break;
+ }
+}
+
+// Add any enabled IPS-Policy and Auto-Flowbits File
if (!empty($a_rule[$id]['ips_policy']))
$categories[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']);
if ($a_rule[$id]['autoflowbitrules'] == 'on')
@@ -146,6 +169,9 @@ if ($currentruleset != 'custom.rules') {
$input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.");
}
+/* Process the current category rules through any auto SID MGMT changes if enabled */
+snort_auto_sid_mgmt($rules_map, $a_rule[$id], FALSE);
+
/* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */
$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on']);
$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off']);
@@ -356,11 +382,14 @@ elseif ($_POST['clear']) {
conf_mount_ro();
$rebuild_rules = false;
$pconfig['customrules'] = '';
+
+ // Sync to configured CARP slaves if any are enabled
+ snort_sync_on_changes();
}
elseif ($_POST['save']) {
$pconfig['customrules'] = $_POST['customrules'];
if ($_POST['customrules'])
- $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']);
+ $a_rule[$id]['customrules'] = base64_encode(str_replace("\r\n", "\n", $_POST['customrules']));
else
unset($a_rule[$id]['customrules']);
write_config("Snort pkg: save modified custom rules for {$a_rule[$id]['interface']}.");
@@ -388,6 +417,9 @@ elseif ($_POST['save']) {
}
clear_subsystem_dirty('snort_rules');
+
+ // Sync to configured CARP slaves if any are enabled
+ snort_sync_on_changes();
}
else if ($_POST['apply']) {
/* Save new configuration */
@@ -408,6 +440,9 @@ else if ($_POST['apply']) {
// We have saved changes and done a soft restart, so clear "dirty" flag
clear_subsystem_dirty('snort_rules');
+
+ // Sync to configured CARP slaves if any are enabled
+ snort_sync_on_changes();
}
include_once("head.inc");
@@ -453,7 +488,9 @@ if ($savemsg) {
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array,true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -466,6 +503,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -614,17 +652,35 @@ if ($savemsg) {
</thead>
<tbody>
<?php
- $counter = $enable_cnt = $disable_cnt = 0;
+ $counter = $enable_cnt = $disable_cnt = $user_enable_cnt = $user_disable_cnt = $managed_count = 0;
foreach ($rules_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
$sid = $k2;
$gid = $k1;
-
- if (isset($disablesid[$gid][$sid])) {
+ $ruleset = $currentruleset;
+ $style = "";
+
+ if ($v['managed'] == 1) {
+ if ($v['disabled'] == 1) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $style= "style=\"opacity: 0.4; filter: alpha(opacity=40);\"";
+ $title = gettext("Auto-disabled by settings on SID Mgmt tab");
+ }
+ else {
+ $textss = $textse = "";
+ $ruleset = "suricata.rules";
+ $title = gettext("Auto-managed by settings on SID Mgmt tab");
+ }
+ $iconb = "icon_advanced.gif";
+ $managed_count++;
+ }
+ elseif (isset($disablesid[$gid][$sid])) {
$textss = "<span class=\"gray\">";
$textse = "</span>";
$iconb = "icon_reject_d.gif";
$disable_cnt++;
+ $user_disable_cnt++;
$title = gettext("Disabled by user. Click to toggle to enabled state");
}
elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) {
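Review bot: `$ruleset = "suricata.rules";` in the managed-rule branch is a literal carried over from the Suricata package; in this package the enforcing file is `snort.rules` (`SNORT_ENFORCING_RULES_FILENAME`). `$ruleset` is assigned but not consumed anywhere in this hunk, so it is either dead code here and should be dropped, or it feeds a link further down and would then point at a file that does not exist on a Snort install. If it is kept, use `$ruleset = SNORT_ENFORCING_RULES_FILENAME;`. The enclosing `foreach` over `$rules_map` continues past the end of the hunk.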
@@ -638,6 +694,7 @@ if ($savemsg) {
$textss = $textse = "";
$iconb = "icon_reject.gif";
$enable_cnt++;
+ $user_enable_cnt++;
$title = gettext("Enabled by user. Click to toggle to disabled state");
}
else {
@@ -668,12 +725,18 @@ if ($savemsg) {
$message = snort_get_msg($v['rule']); // description field
$sid_tooltip = gettext("View the raw text for this rule");
- echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\">{$textss}
- <a id=\"rule_{$gid}_{$sid}\" href=''><input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}';
- document.getElementById('gid').value='{$gid}';\"
- src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
- title='{$title}' name=\"toggle[]\"/></a>{$textse}
- </td>
+ echo "<tr><td class=\"listt\" style=\"align:center;\" valign=\"middle\">{$textss}";
+ if ($v['managed'] == 1) {
+ echo "<img {$style} src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
+ title='{$title}'/>{$textse}";
+ }
+ else {
+ echo "<a id=\"rule_{$gid}_{$sid}\" href='#'><input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}';
+ document.getElementById('gid').value='{$gid}';\"
+ src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
+ title='{$title}' name=\"toggle[]\"/></a>{$textse}";
+ }
+ echo "</td>
<td class=\"listr\" align=\"center\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$gid}{$textse}
</td>
@@ -734,16 +797,35 @@ if ($savemsg) {
</thead>
<tbody>
<?php
- $counter = $enable_cnt = $disable_cnt = 0;
+ $counter = $enable_cnt = $disable_cnt = $user_enable_cnt = $user_disable_cnt = $managed_count = 0;
foreach ($rules_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
+ $ruleset = $currentruleset;
+ $style = "";
$sid = snort_get_sid($v['rule']);
$gid = snort_get_gid($v['rule']);
- if (isset($disablesid[$gid][$sid])) {
+
+ if ($v['managed'] == 1) {
+ if ($v['disabled'] == 1) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $style= "style=\"opacity: 0.4; filter: alpha(opacity=40);\"";
+ $title = gettext("Auto-disabled by settings on SID Mgmt tab");
+ }
+ else {
+ $textss = $textse = "";
+ $ruleset = "suricata.rules";
+ $title = gettext("Auto-managed by settings on SID Mgmt tab");
+ }
+ $iconb = "icon_advanced.gif";
+ $managed_count++;
+ }
+ elseif (isset($disablesid[$gid][$sid])) {
$textss = "<span class=\"gray\">";
$textse = "</span>";
$iconb = "icon_reject_d.gif";
$disable_cnt++;
+ $user_disable_cnt++;
$title = gettext("Disabled by user. Click to toggle to enabled state");
}
elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) {
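Review bot: The managed / user-disabled / user-enabled classification added here (the `$v['managed']`, `$disablesid`, `$enablesid` chain that sets `$textss`, `$textse`, `$iconb`, `$title`, `$style` and bumps the counters) is a verbatim copy of the one added to the first rules table earlier in this file, including the same `$ruleset = "suricata.rules";` literal that should be `SNORT_ENFORCING_RULES_FILENAME` in the Snort package. A small helper taking `$v`, `$gid`, `$sid`, `$enablesid` and `$disablesid` and returning the display attributes would keep the two tables from drifting apart; as it stands an edit to one copy but not the other silently makes the two category summaries disagree. The enclosing `foreach` over `$rules_map` continues past the end of the hunk.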
@@ -757,6 +839,7 @@ if ($savemsg) {
$textss = $textse = "";
$iconb = "icon_reject.gif";
$enable_cnt++;
+ $user_enable_cnt++;
$title = gettext("Enabled by user. Click to toggle to disabled state");
}
else {
@@ -777,12 +860,18 @@ if ($savemsg) {
else
$policy = "none";
- echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\">{$textss}
- <input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}';
- document.getElementById('gid').value='{$gid}';\"
- src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
- title='{$title}' name=\"toggle[]\"/>{$textse}
- </td>
+ echo "<tr><td class=\"listt\" style=\"align:center;\" valign=\"middle\">{$textss}";
+ if ($v['managed'] == 1) {
+ echo "<img {$style} src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
+ title='{$title}'/>{$textse}";
+ }
+ else {
+ echo "<a id=\"rule_{$gid}_{$sid}\" href='#'><input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}';
+ document.getElementById('gid').value='{$gid}';\"
+ src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
+ title='{$title}' name=\"toggle[]\"/></a>{$textse}";
+ }
+ echo "</td>
<td class=\"listr\" align=\"center\" ondblclick=\"wopen('snort_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$gid}{$textse}
</td>
@@ -824,7 +913,10 @@ if ($savemsg) {
<strong><?php echo gettext("--- Category Rules Summary ---") . "</strong><br/>" .
gettext("Total Rules: {$counter}") . "&nbsp;&nbsp;&nbsp;&nbsp;" .
gettext("Enabled: {$enable_cnt}") . "&nbsp;&nbsp;&nbsp;&nbsp;" .
- gettext("Disabled: {$disable_cnt}"); ?></td>
+ gettext("Disabled: {$disable_cnt}") . "&nbsp;&nbsp;&nbsp;&nbsp;" .
+ gettext("User Enabled: {$user_enable_cnt}") . "&nbsp;&nbsp;&nbsp;&nbsp;" .
+ gettext("User Disabled: {$user_disable_cnt}") . "&nbsp;&nbsp;&nbsp;&nbsp;" .
+ gettext("Auto-Managed: {$managed_count}"); ?></td>
</tr>
<tr>
<td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif"
@@ -846,6 +938,18 @@ if ($savemsg) {
width="11" height="11"></td>
<td nowrap><?php echo gettext("Rule changed to Disabled by user"); ?></td>
</tr>
+ <?php if (!empty($cat_mods)): ?>
+ <tr>
+ <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_advanced.gif"
+ width="11" height="11"></td>
+ <td nowrap><?php echo gettext("Rule auto-enabled by files configured on SID Mgmt tab"); ?></td>
+ </tr>
+ <tr>
+ <td width="16"><img style="opacity: 0.4; filter: alpha(opacity=40);" src="../themes/<?= $g['theme']; ?>/images/icons/icon_advanced.gif"
+ width="11" height="11"></td>
+ <td nowrap><?php echo gettext("Rule auto-disabled by files configured on SID Mgmt tab"); ?></td>
+ </tr>
+ <?php endif; ?>
</table>
</td>
</tr>
diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php
index cbb7b631..fff7a13c 100644
--- a/config/snort/snort_rules_flowbits.php
+++ b/config/snort/snort_rules_flowbits.php
@@ -127,7 +127,9 @@ if ($_POST['addsuppress'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid
if ($found_list) {
write_config("Snort pkg: modified Suppress List for {$a_nat[$id]['interface']}.");
$rebuild_rules = false;
+ conf_mount_rw();
sync_snort_package_config();
+ conf_mount_ro();
snort_reload_config($a_nat[$id]);
$savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_POST['gid']}, sig_id {$_POST['sid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'.");
}
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
index 59fe6eef..c29b1810 100755
--- a/config/snort/snort_rulesets.php
+++ b/config/snort/snort_rulesets.php
@@ -57,8 +57,11 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['enable'] = $a_nat[$id]['enable'];
$pconfig['interface'] = $a_nat[$id]['interface'];
$pconfig['rulesets'] = $a_nat[$id]['rulesets'];
- $pconfig['autoflowbitrules'] = $a_nat[$id]['autoflowbitrules'];
- $pconfig['ips_policy_enable'] = $a_nat[$id]['ips_policy_enable'];
+ if (empty($a_nat[$id]['autoflowbitrules']))
+ $pconfig['autoflowbitrules'] = 'on';
+ else
+ $pconfig['autoflowbitrules'] = $a_nat[$id]['autoflowbitrules'] == 'on' ? 'on' : 'off';;
+ $pconfig['ips_policy_enable'] = $a_nat[$id]['ips_policy_enable'] == 'on' ? 'on' : 'off';;
$pconfig['ips_policy'] = $a_nat[$id]['ips_policy'];
}
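Review bot: Both new ternary assignments end in `;;`, leaving a stray empty statement after each; harmless to PHP but it reads like a typo and will trip linters. Suggest `$pconfig['autoflowbitrules'] = $a_nat[$id]['autoflowbitrules'] == 'on' ? 'on' : 'off';` and `$pconfig['ips_policy_enable'] = $a_nat[$id]['ips_policy_enable'] == 'on' ? 'on' : 'off';`. The enclosing `if (isset($id) && $a_nat[$id])` block starts before this hunk.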
@@ -93,17 +96,6 @@ if (!file_exists("{$snortdir}/rules/" . GPL_FILE_PREFIX . "community.rules"))
if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on'))
$policy_select_disable = "disabled";
-if ($a_nat[$id]['autoflowbitrules'] == 'on') {
- if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") &&
- filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) {
- $btn_view_flowb_rules = " title=\"" . gettext("View flowbit-required rules") . "\"";
- }
- else
- $btn_view_flowb_rules = " disabled";
-}
-else
- $btn_view_flowb_rules = " disabled";
-
// If a Snort VRT policy is enabled and selected, remove all Snort VRT
// rules from the configured rule sets to allow automatic selection.
if ($a_nat[$id]['ips_policy_enable'] == 'on') {
@@ -150,7 +142,7 @@ if ($_POST["save"]) {
else {
$a_nat[$id]['autoflowbitrules'] = 'off';
if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"))
- @unlink("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
+ unlink_if_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
}
write_config("Snort pkg: save enabled rule categories for {$a_nat[$id]['interface']}.");
@@ -172,6 +164,9 @@ if ($_POST["save"]) {
$enabled_rulesets_array = explode("||", $enabled_items);
if (snort_is_running($snort_uuid, $if_real))
$savemsg = gettext("Snort is 'live-reloading' the new rule set.");
+
+ // Sync to configured CARP slaves if any are enabled
+ snort_sync_on_changes();
}
if ($_POST['unselectall']) {
@@ -192,13 +187,26 @@ if ($_POST['unselectall']) {
$enabled_rulesets_array = array();
$savemsg = gettext("All rule categories have been de-selected. ");
- if ($a_nat[$id]['ips_policy_enable'] = 'on')
+ if ($pconfig['ips_policy_enable'] == 'on')
$savemsg .= gettext("Only the rules included in the selected IPS Policy will be used.");
else
$savemsg .= gettext("There currently are no inspection rules enabled for this Snort instance!");
}
if ($_POST['selectall']) {
+ if ($_POST['ips_policy_enable'] == "on") {
+ $a_nat[$id]['ips_policy_enable'] = 'on';
+ $a_nat[$id]['ips_policy'] = $_POST['ips_policy'];
+ }
+ else {
+ $a_nat[$id]['ips_policy_enable'] = 'off';
+ unset($a_nat[$id]['ips_policy']);
+ }
+
+ $pconfig['autoflowbits'] = $_POST['autoflowbits'];
+ $pconfig['ips_policy_enable'] = $_POST['ips_policy_enable'];
+ $pconfig['ips_policy'] = $_POST['ips_policy'];
+
$enabled_rulesets_array = array();
if ($emergingdownload == 'on') {
@@ -226,6 +234,22 @@ if ($_POST['selectall']) {
}
}
+// Get any automatic rule category enable/disable modifications
+// if auto-SID Mgmt is enabled.
+$cat_mods = snort_sid_mgmt_auto_categories($a_nat[$id], FALSE);
+
+// Enable the VIEW button for auto-flowbits file if we have a valid flowbits file
+if ($a_nat[$id]['autoflowbitrules'] == 'on') {
+ if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") &&
+ filesize("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) {
+ $btn_view_flowb_rules = " title=\"" . gettext("View flowbit-required rules") . "\"";
+ }
+ else
+ $btn_view_flowb_rules = " disabled";
+}
+else
+ $btn_view_flowb_rules = " disabled";
+
$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']);
$pgtitle = gettext("Snort: Interface {$if_friendly} - Categories");
include_once("head.inc");
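Review bot: The shape of `$cat_mods` and the meaning of the literal `FALSE` second argument are not explained at the call site, yet every rule-category row below branches on this array. A short comment such as `// $cat_mods: rules-file name => 'enabled' (or another state) for categories the SID Mgmt conf files auto-manage; second arg FALSE selects ... (document here)` with the actual meaning of the flag filled in from snort_sid_mgmt_auto_categories would let a reader follow the rendering code without opening snort.inc. The flowbits button block is otherwise the same code that this commit removed from above the POST handlers, so no behaviour point there.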
@@ -261,7 +285,9 @@ if ($savemsg) {
$tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
$tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
- $tab_array[8] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ $tab_array[8] = array(gettext("SID Mgmt"), false, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -274,6 +300,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("Preprocs"), false, "/snort/snort_preprocessors.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/snort/snort_ip_reputation.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Logs"), false, "/snort/snort_interface_logs.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -318,7 +345,7 @@ if ($savemsg) {
<tr>
<td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td>
<td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on"
- <?php if ($a_nat[$id]['autoflowbitrules'] == "on" || empty($a_nat[$id]['autoflowbitrules'])) echo "checked"; ?>/>
+ <?php if ($pconfig['autoflowbitrules'] == "on") echo "checked"; ?>/>
&nbsp;&nbsp;<span class="vexpl"><?php echo gettext("If checked, Snort will auto-enable rules required for checked flowbits. ");
echo gettext("The Default is "); ?><strong><?php echo gettext("Checked."); ?></strong></span></td>
</tr>
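Review bot: The checkbox condition was changed from `$a_nat[$id]['autoflowbitrules'] == "on" || empty(...)` to `$pconfig['autoflowbitrules'] == "on"`, which drops the default-on behaviour, while the help text on the next lines still says "The Default is Checked." Unless `$pconfig['autoflowbitrules']` is initialised to "on" for an interface whose config value is empty (that setup is outside this hunk), the box now renders unchecked for a fresh interface, contradicting the text. Either restore `|| empty($pconfig['autoflowbitrules'])` in the condition or change the help text to describe the real default.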
@@ -344,21 +371,21 @@ if ($savemsg) {
</td>
</tr>
<tr>
- <td colspan="6" class="listtopic"><?php echo gettext("Snort IPS Policy selection"); ?><br/></td>
+ <td colspan="6" class="listtopic"><?php echo gettext("Snort VRT IPS Policy selection"); ?><br/></td>
</tr>
<tr>
<td colspan="6" valign="center" class="listn">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td>
- <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?>
- <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/>&nbsp;&nbsp;<span class="vexpl">
+ <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($pconfig['ips_policy_enable'] == "on") echo "checked "; ?>
+ <?php if ($snortdownload == "off") echo "disabled " ?> onClick="enable_change()"/>&nbsp;&nbsp;<span class="vexpl">
<?php echo gettext("If checked, Snort will use rules from one of three pre-defined IPS policies."); ?></span></td>
</tr>
<tr>
<td width="15%" class="vncell" id="ips_col1">&nbsp;</td>
<td width="85%" class="vtable" id="ips_col2">
- <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("You must be using the Snort VRT rules to use this option."); ?>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" . gettext("You must enable download of the Snort VRT rules to enable and use this option."); ?>
<?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " .
"although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " .
"These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td>
@@ -389,14 +416,25 @@ if ($savemsg) {
</tr>
<tr>
<td colspan="6">
- <table width=90% align="center" border="0" cellpadding="2" cellspacing="0">
- <tr height="45px">
- <td valign="middle"><input value="Select All" class="formbtns" type="submit" name="selectall" id="selectall" title="<?php echo gettext("Add all categories to enforcing rules"); ?>"/></td>
- <td valign="middle"><input value="Unselect All" class="formbtns" type="submit" name="unselectall" id="unselectall" title="<?php echo gettext("Remove categories all from enforcing rules"); ?>"/></td>
- <td valign="middle"><input value=" Save " class="formbtns" type="submit" name="save" id="save" title="<?php echo gettext("Save changes to enforcing rules and rebuild"); ?>"/></td>
- <td valign="middle"><span class="vexpl"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?></span></td>
+ <table width="95%" style="margin-left: auto; margin-right: auto;" border="0" cellpadding="2" cellspacing="0">
+ <tbody>
+ <tr height="32px">
+ <td style="vertical-align: middle;"><input value="Select All" class="formbtns" type="submit" name="selectall" id="selectall" title="<?php echo gettext("Add all to enforcing rules"); ?>"/></td>
+ <td style="vertical-align: middle;"><input value="Unselect All" class="formbtns" type="submit" name="unselectall" id="unselectall" title="<?php echo gettext("Remove all from enforcing rules"); ?>"/></td>
+ <td style="vertical-align: middle;"><input value=" Save " class="formbtns" type="submit" name="save" id="save" title="<?php echo gettext("Save changes to enforcing rules and rebuild"); ?>"/></td>
+ <td style="vertical-align: middle;"><span class="vexpl"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?></span></td>
+ </tr>
+ <?php if (!empty($cat_mods)): ?>
+ <tr height="20px">
+ <td colspan="4" style="vertical-align: middle;"><img style="vertical-align: text-top;" src="../themes/<?=$g['theme'];?>/images/icons/icon_advanced.gif" width="11" height="11" border="0" />
+ <?=gettext("- Category is auto-enabled by SID Mgmt conf files");?>&nbsp;&nbsp;&nbsp;
+ <img style="opacity: 0.4; filter: alpha(opacity=40); vertical-align: text-top;" src="../themes/<?=$g['theme'];?>/images/icons/icon_advanced.gif" width="11" height="11" border="0" />
+ <?=gettext("- Category is auto-disabled by SID Mgmt conf files");?></td>
</tr>
+ <?php endif; ?>
+ </tbody>
</table>
+ </td>
</tr>
<?php if ($no_community_files)
$msg_community = "NOTE: Snort Community Rules have not been downloaded. Perform a Rules Update to enable them.";
@@ -405,26 +443,38 @@ if ($savemsg) {
$community_rules_file = GPL_FILE_PREFIX . "community.rules";
?>
<?php if ($snortcommunitydownload == 'on'): ?>
- <tr id="frheader">
+ <tr>
<td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
<td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td>
</tr>
- <?php if (in_array($community_rules_file, $enabled_rulesets_array)): ?>
+ <?php if (isset($cat_mods[$community_rules_file])): ?>
+ <?php if ($cat_mods[$community_rules_file] == 'enabled') : ?>
+ <tr>
+ <td width="5%" class="listr" style="text-align: center;">
+ <img src="../themes/<?=$g['theme'];?>/images/icons/icon_advanced.gif" width="11" height="11" border="0" title="<?=gettext("Auto-managed by settings on SID Mgmt tab");?>" /></td>
+ <td colspan="5" class="listr"><a href='suricata_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?=gettext("{$msg_community}");?></a></td>
+ </tr>
+ <?php else: ?>
+ <tr>
+ <td width="5%" class="listr" style="text-align: center;">
+ <img style="opacity: 0.4; filter: alpha(opacity=40);" src="../themes/<?=$g['theme'];?>/images/icons/icon_advanced.gif" width="11" height="11" border="0" title="<?=gettext("Auto-managed by settings on SID Mgmt tab");?>" /></td>
+ <td colspan="5" class="listr"><?=gettext("{$msg_community}"); ?></td>
+ </tr>
+ <?php endif; ?>
+ <?php elseif (in_array($community_rules_file, $enabled_rulesets_array)): ?>
<tr>
- <td width="5" class="listr" align="center" valign="top">
+ <td width="5%" class="listr" style="text-align: center;">
<input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/></td>
- <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td>
+ <td colspan="5" class="listr"><a href='suricata_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a></td>
</tr>
<?php else: ?>
<tr>
- <td width="5" class="listr" align="center" valign="top">
+ <td width="5%" class="listr" style="text-align: center;">
<input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td>
<td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td>
</tr>
-
<?php endif; ?>
<?php endif; ?>
-
<?php if ($no_emerging_files && ($emergingdownload == 'on' || $etpro == 'on'))
$msg_emerging = "have not been downloaded.";
else
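Review bot: The two new community-rules links point at `suricata_rules.php?id=...&openruleset=...`, but this is the Snort package and the line being replaced linked to `snort_rules.php`; this looks like a copy from the sibling Suricata package and will send the user to a page that does not exist here. Both hrefs should read `<a href='snort_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'>`. For consistency with the SO-rules row later in this file, which wraps the file name with `urlencode()`, the `openruleset` value here would benefit from the same treatment.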
@@ -434,7 +484,7 @@ if ($savemsg) {
else
$msg_snort = "are not enabled.";
?>
- <tr id="frheader">
+ <tr>
<?php if ($emergingdownload == 'on' && !$no_emerging_files): ?>
<td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
<td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Open Rules');?></td>
@@ -489,15 +539,28 @@ if ($savemsg) {
echo "<tr>\n";
if (!empty($emergingrules[$j])) {
$file = $emergingrules[$j];
- echo "<td width='5%' class='listr' align=\"center\" valign=\"top\">";
+ echo "<td width='5%' class='listr' align=\"center\">";
if(is_array($enabled_rulesets_array)) {
- if(in_array($file, $enabled_rulesets_array))
+ if(in_array($file, $enabled_rulesets_array) && !isset($cat_mods[$file]))
$CHECKED = " checked=\"checked\"";
else
$CHECKED = "";
} else
$CHECKED = "";
- echo " \n<input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />\n";
+ if (isset($cat_mods[$file])) {
+ if (in_array($file, $enabled_rulesets_array))
+ echo "<input type='hidden' name='toenable[]' value='{$file}' />\n";
+ if ($cat_mods[$file] == 'enabled') {
+ $CHECKED = "enabled";
+ echo " \n<img src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-enabled by settings on SID Mgmt tab") . "\" />\n";
+ }
+ else {
+ echo " \n<img style=\"opacity: 0.4; filter: alpha(opacity=40);\" src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-disabled by settings on SID Mgmt tab") . "\" />\n";
+ }
+ }
+ else {
+ echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n";
+ }
echo "</td>\n";
echo "<td class='listr' width='25%' >\n";
if (empty($CHECKED))
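Review bot: The auto-managed cell rendering added here (hidden `toenable[]` input, the two icon variants, and the `$CHECKED = "enabled"` sentinel) is pasted verbatim into the VRT and SO rule blocks in the next two hunks as well, so three copies of the same markup and logic now have to be kept in step; the `valign` attribute already differs between them. Extracting the cell into one helper that echoes the markup and returns the `$CHECKED` value the caller needs for the link decision removes the duplication without changing output, and the sentinel contract ("enabled" means show a link but no checkbox) gets one place to be documented. The per-row loop enclosing this code starts before the hunk.
```php
// Emits the "Enabled" cell for one rule category file and returns the
// $CHECKED marker the caller uses to decide whether to link the name.
// "enabled" means the category is auto-managed on and gets a link only.
function snort_print_category_enable_cell($file, $checked, $cat_mods, $enabled_rulesets_array) {
	global $g;
	if (!isset($cat_mods[$file])) {
		echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$checked} />\n";
		return $checked;
	}
	if (in_array($file, $enabled_rulesets_array))
		echo "<input type='hidden' name='toenable[]' value='{$file}' />\n";
	if ($cat_mods[$file] == 'enabled') {
		echo " \n<img src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-enabled by settings on SID Mgmt tab") . "\" />\n";
		return "enabled";
	}
	echo " \n<img style=\"opacity: 0.4; filter: alpha(opacity=40);\" src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-disabled by settings on SID Mgmt tab") . "\" />\n";
	return $checked;
}
// … unchanged: $CHECKED computation from $enabled_rulesets_array / $cat_mods …
$CHECKED = snort_print_category_enable_cell($file, $CHECKED, $cat_mods, $enabled_rulesets_array);
// … unchanged: "</td>" and rule-name cell …
```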
@@ -510,17 +573,30 @@ if ($savemsg) {
if (!empty($snortrules[$j])) {
$file = $snortrules[$j];
- echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">";
+ echo "<td class='listr' width='5%' align=\"center\">";
if(is_array($enabled_rulesets_array)) {
if (!empty($disable_vrt_rules))
$CHECKED = $disable_vrt_rules;
- elseif(in_array($file, $enabled_rulesets_array))
+ elseif(in_array($file, $enabled_rulesets_array) && !isset($cat_mods[$file]))
$CHECKED = " checked=\"checked\"";
else
$CHECKED = "";
} else
$CHECKED = "";
- echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n";
+ if (isset($cat_mods[$file])) {
+ if (in_array($file, $enabled_rulesets_array))
+ echo "<input type='hidden' name='toenable[]' value='{$file}' />\n";
+ if ($cat_mods[$file] == 'enabled') {
+ $CHECKED = "enabled";
+ echo " \n<img src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-enabled by settings on SID Mgmt tab") . "\" />\n";
+ }
+ else {
+ echo " \n<img style=\"opacity: 0.4; filter: alpha(opacity=40);\" src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-disabled by settings on SID Mgmt tab") . "\" />\n";
+ }
+ }
+ else {
+ echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n";
+ }
echo "</td>\n";
echo "<td class='listr' width='25%' >\n";
if (empty($CHECKED) || $CHECKED == "disabled")
@@ -530,22 +606,39 @@ if ($savemsg) {
echo "</td>\n";
} else
echo "<td class='listbggrey' width='30%' colspan='2'><br/></td>\n";
+
if (!empty($snortsorules[$j])) {
$file = $snortsorules[$j];
echo "<td class='listr' width='5%' align=\"center\" valign=\"top\">";
if(is_array($enabled_rulesets_array)) {
if (!empty($disable_vrt_rules))
$CHECKED = $disable_vrt_rules;
- elseif(in_array($file, $enabled_rulesets_array))
+ elseif(in_array($file, $enabled_rulesets_array) && !isset($cat_mods[$file]))
$CHECKED = " checked=\"checked\"";
else
$CHECKED = "";
} else
$CHECKED = "";
- echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n";
+ if (isset($cat_mods[$file])) {
+ if (in_array($file, $enabled_rulesets_array))
+ echo "<input type='hidden' name='toenable[]' value='{$file}' />\n";
+ if ($cat_mods[$file] == 'enabled') {
+ $CHECKED = "enabled";
+ echo " \n<img src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-enabled by settings on SID Mgmt tab") . "\" />\n";
+ }
+ else {
+ echo " \n<img style=\"opacity: 0.4; filter: alpha(opacity=40);\" src=\"../themes/{$g['theme']}/images/icons/icon_advanced.gif\" width=\"11\" height=\"11\" border=\"0\" title=\"" . gettext("Auto-disabled by settings on SID Mgmt tab") . "\" />\n";
+ }
+ }
+ else {
+ echo " \n<input type='checkbox' name='toenable[]' value='{$file}' {$CHECKED} />\n";
+ }
echo "</td>\n";
echo "<td class='listr' width='25%' >\n";
+ if (empty($CHECKED) || $CHECKED == "disabled")
echo $file;
+ else
+ echo "<a href='snort_rules.php?id={$id}&openruleset=" . urlencode($file) . "'>{$file}</a>\n";
echo "</td>\n";
} else
echo "<td class='listbggrey' width='30%' colspan='2'><br/></td>\n";
diff --git a/config/snort/snort_sid_mgmt.php b/config/snort/snort_sid_mgmt.php
new file mode 100644
index 00000000..ea1a5b99
--- /dev/null
+++ b/config/snort/snort_sid_mgmt.php
@@ -0,0 +1,597 @@
+<?php
+/*
+ * snort_sid_mgmt.php
+ *
+ * Portions of this code are based on original work done for the
+ * Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+global $g, $config, $rebuild_rules;
+
+$snortdir = SNORTDIR;
+$pconfig = array();
+
+// Grab saved settings from configuration
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
+
+$pconfig['auto_manage_sids'] = $config['installedpackages']['snortglobal']['auto_manage_sids'];
+
+// Hard-code the path where SID Mods Lists are stored
+// and disregard any user-supplied path element.
+$sidmods_path = SNORT_SID_MODS_PATH;
+
+// Set default to not show SID modification lists editor controls
+$sidmodlist_edit_style = "display: none;";
+
+if (!empty($_POST))
+ $pconfig = $_POST;
+
+function snort_is_sidmodslist_active($sidlist) {
+
+ /*****************************************************
+ * This function checks all the configured Snort *
+ * interfaces to see if the passed SID Mods List is *
+ * used by an interface. *
+ * *
+ * Returns: TRUE if List is in use *
+ * FALSE if List is not in use *
+ *****************************************************/
+
+ global $g, $config;
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return FALSE;
+
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $rule) {
+ if ($rule['enable_sid_file'] == $sidlist) {
+ return TRUE;
+ }
+ if ($rule['disable_sid_file'] == $sidlist) {
+ return TRUE;
+ }
+ if ($rule['modify_sid_file'] == $sidlist) {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+if (isset($_POST['upload'])) {
+ if ($_FILES["sidmods_fileup"]["error"] == UPLOAD_ERR_OK) {
+ $tmp_name = $_FILES["sidmods_fileup"]["tmp_name"];
+ $name = basename($_FILES["sidmods_fileup"]["name"]);
+ move_uploaded_file($tmp_name, "{$sidmods_path}{$name}");
+ }
+ else
+ $input_errors[] = gettext("Failed to upload file {$_FILES["sidmods_fileup"]["name"]}");
+}
+
+if (isset($_POST['sidlist_delete']) && isset($_POST['sidlist_fname'])) {
+ if (!snort_is_sidmodslist_active(basename($_POST['sidlist_fname'])))
+ unlink_if_exists($sidmods_path . basename($_POST['sidlist_fname']));
+ else
+ $input_errors[] = gettext("This SID Mods List is currently assigned to an interface and cannot be deleted.");
+}
+
+if (isset($_POST['sidlist_edit']) && isset($_POST['sidlist_fname'])) {
+ $file = $sidmods_path . basename($_POST['sidlist_fname']);
+ $data = file_get_contents($file);
+ if ($data !== FALSE) {
+ $sidmodlist_data = htmlspecialchars($data);
+ $sidmodlist_edit_style = "display: table-row-group;";
+ $sidmodlist_name = basename($_POST['sidlist_fname']);
+ unset($data);
+ }
+ else {
+ $input_errors[] = gettext("An error occurred reading the file.");
+ }
+}
+
+if (isset($_POST['save']) && isset($_POST['sidlist_data'])) {
+ if (strlen(basename($_POST['sidlist_name'])) > 0) {
+ $file = $sidmods_path . basename($_POST['sidlist_name']);
+ $data = str_replace("\r\n", "\n", $_POST['sidlist_data']);
+ file_put_contents($file, $data);
+ unset($data);
+ }
+ else {
+ $input_errors[] = gettext("You must provide a valid filename for the SID Mods List.");
+ $sidmodlist_edit_style = "display: table-row-group;";
+ }
+}
+
+if (isset($_POST['save_auto_sid_conf'])) {
+ $config['installedpackages']['snortglobal']['auto_manage_sids'] = $pconfig['auto_manage_sids'] ? "on" : "off";
+
+ // Grab the SID Mods config for the interfaces from the form's controls array
+ foreach ($_POST['sid_state_order'] as $k => $v) {
+ $a_nat[$k]['sid_state_order'] = $v;
+ }
+ foreach ($_POST['enable_sid_file'] as $k => $v) {
+ if ($v == "None") {
+ unset($a_nat[$k]['enable_sid_file']);
+ continue;
+ }
+ $a_nat[$k]['enable_sid_file'] = $v;
+ }
+ foreach ($_POST['disable_sid_file'] as $k => $v) {
+ if ($v == "None") {
+ unset($a_nat[$k]['disable_sid_file']);
+ continue;
+ }
+ $a_nat[$k]['disable_sid_file'] = $v;
+ }
+ foreach ($_POST['modify_sid_file'] as $k => $v) {
+ if ($v == "None") {
+ unset($a_nat[$k]['modify_sid_file']);
+ continue;
+ }
+ $a_nat[$k]['modify_sid_file'] = $v;
+ }
+
+ // Write the new configuration
+ write_config("Snort pkg: updated automatic SID management settings.");
+
+ $intf_msg = "";
+
+ // If any interfaces were marked for restart, then do it
+ if (is_array($_POST['torestart'])) {
+ foreach ($_POST['torestart'] as $k) {
+ // Update the snort.conf file and
+ // rebuild rules for this interface.
+ $rebuild_rules = true;
+ conf_mount_rw();
+ snort_generate_conf($a_nat[$k]);
+ conf_mount_ro();
+ $rebuild_rules = false;
+
+ // Signal Snort to "live reload" the rules
+ snort_reload_config($a_nat[$k]);
+
+ $intf_msg .= convert_friendly_interface_to_friendly_descr($a_nat[$k]['interface']) . ", ";
+ }
+ $savemsg = gettext("Changes were applied to these interfaces: " . trim($intf_msg, ' ,') . " and Snort signaled to live-load the new rules.");
+
+ // Sync to configured CARP slaves if any are enabled
+ snort_sync_on_changes();
+ }
+}
+
+if (isset($_POST['sidlist_dnload']) && isset($_POST['sidlist_fname'])) {
+ $file = $sidmods_path . basename($_POST['sidlist_fname']);
+ if (file_exists($file)) {
+ ob_start(); //important or other posts will fail
+ if (isset($_SERVER['HTTPS'])) {
+ header('Pragma: ');
+ header('Cache-Control: ');
+ } else {
+ header("Pragma: private");
+ header("Cache-Control: private, must-revalidate");
+ }
+ header("Content-Type: application/octet-stream");
+ header("Content-length: " . filesize($file));
+ header("Content-disposition: attachment; filename = " . basename($file));
+ ob_end_clean(); //important or other post will fail
+ readfile($file);
+ }
+ else
+ $savemsg = gettext("Unable to locate the file specified!");
+}
+
+if (isset($_POST['sidlist_dnload_all_x'])) {
+ $save_date = date("Y-m-d-H-i-s");
+ $file_name = "snort_sid_conf_files_{$save_date}.tar.gz";
+ exec("cd {$sidmods_path} && /usr/bin/tar -czf {$g['tmp_path']}/{$file_name} *");
+
+ if (file_exists("{$g['tmp_path']}/{$file_name}")) {
+ ob_start(); //important or other posts will fail
+ if (isset($_SERVER['HTTPS'])) {
+ header('Pragma: ');
+ header('Cache-Control: ');
+ } else {
+ header("Pragma: private");
+ header("Cache-Control: private, must-revalidate");
+ }
+ header("Content-Type: application/octet-stream");
+ header("Content-length: " . filesize("{$g['tmp_path']}/{$file_name}"));
+ header("Content-disposition: attachment; filename = {$file_name}");
+ ob_end_clean(); //important or other post will fail
+ readfile("{$g['tmp_path']}/{$file_name}");
+
+ // Clean up the temp file
+ unlink_if_exists("{$g['tmp_path']}/{$file_name}");
+ }
+ else
+ $savemsg = gettext("An error occurred while creating the gzip archive!");
+}
+
+// Get all files in the SID Mods Lists sub-directory as an array
+// Leave this as the last thing before spewing the page HTML
+// so we can pick up any changes made to files in code above.
+$sidmodfiles = return_dir_as_array($sidmods_path);
+$sidmodselections = array_merge(Array( "None" ), $sidmodfiles);
+
+$pgtitle = gettext("Snort: SID Management");
+include_once("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+
+<?php
+include_once("fbegin.inc");
+
+/* Display Alert message, under form tag or no refresh */
+if ($input_errors)
+ print_input_errors($input_errors);
+?>
+
+<form action="snort_sid_mgmt.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
+<input type="hidden" name="MAX_FILE_SIZE" value="100000000" />
+<input type="hidden" name="sidlist_fname" id="sidlist_fname" value=""/>
+
+<?php
+if ($savemsg) {
+ /* Display save message */
+ print_info_box($savemsg);
+}
+?>
+
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
+ <tr><td>
+ <?php
+ $tab_array = array();
+ $tab_array[0] = array(gettext("Snort Interfaces"), false, "/snort/snort_interfaces.php");
+ $tab_array[1] = array(gettext("Global Settings"), false, "/snort/snort_interfaces_global.php");
+ $tab_array[2] = array(gettext("Updates"), false, "/snort/snort_download_updates.php");
+ $tab_array[3] = array(gettext("Alerts"), false, "/snort/snort_alerts.php");
+ $tab_array[4] = array(gettext("Blocked"), false, "/snort/snort_blocked.php");
+ $tab_array[5] = array(gettext("Pass Lists"), false, "/snort/snort_passlist.php");
+ $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
+ $tab_array[7] = array(gettext("IP Lists"), false, "/snort/snort_ip_list_mgmt.php");
+ $tab_array[8] = array(gettext("SID Mgmt"), true, "/snort/snort_sid_mgmt.php");
+ $tab_array[9] = array(gettext("Log Mgmt"), false, "/snort/snort_log_mgmt.php");
+ $tab_array[10] = array(gettext("Sync"), false, "/pkg_edit.php?xml=snort/snort_sync.xml");
+ display_top_tabs($tab_array, true);
+ ?>
+ </td></tr>
+ <tr><td>
+ <div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tbody>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Automatic SID State Management"); ?></td>
+ <td width="78%" class="vtable"><input type="checkbox" id="auto_manage_sids" name="auto_manage_sids" value="on"
+ <?php if ($pconfig['auto_manage_sids'] == 'on') echo " checked"; ?> onclick="enable_sid_conf();" />&nbsp;<?=gettext("Enable automatic management of rule state ") .
+ gettext("and content using configuration files. Default is ") . "<strong>" . gettext("Not Checked") . "</strong>";?>.<br/><br/>
+ <?=gettext("Snort will automatically enable/disable/modify text rules upon each update using criteria specified in configuration files. ") .
+ gettext("The supported configuration file format is the same as that used in the PulledPork and Oinkmaster enablesid.conf, disablesid.conf and ") .
+ gettext("modifysid.conf files. You can either upload existing files or create your own."); ?>
+ </td>
+ </tr>
+ </tbody>
+ <tbody id="sid_conf_rows">
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("SID Management Configuration Files"); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2" class="vtable" align="center" >
+ <table width="100%" border="0" cellpadding="4" cellspacing="0">
+ <tbody id="uploader" style="display: none;">
+ <tr>
+ <td class="list"><br/><?php echo gettext("Click BROWSE to select a file to import, and then click UPLOAD. Click CLOSE to quit."); ?></td>
+ </tr>
+ <tr>
+ <td class="list"><input type="file" name="sidmods_fileup" id="sidmods_fileup" class="formfld file" size="50" />
+ &nbsp;&nbsp;<input type="submit" name="upload" id="upload" value="<?=gettext("Upload");?>"
+ title="<?=gettext("Upload selected SID mods list to firewall");?>"/>&nbsp;&nbsp;<input type="button"
+ value="<?=gettext("Close");?>" onClick="document.getElementById('uploader').style.display='none';" /><br/></td>
+ <td class="list"></td>
+ </tr>
+ </tbody>
+ <tbody>
+ <tr>
+ <td>
+ <table id="maintable" width="100%" border="0" cellpadding="4" cellspacing="0">
+ <colgroup>
+ <col style="width: 45%;">
+ <col style="width: 25%;">
+ <col style="width: 15%;">
+ <col style="width: 15%;">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"><?php echo gettext("SID Mods List File Name"); ?></th>
+ <th class="listhdrr"><?php echo gettext("Last Modified Time"); ?></th>
+ <th class="listhdrr"><?php echo gettext("File Size"); ?></th>
+ <th class="list" align="left"><img style="cursor:pointer;" name="sidlist_new" id="sidlist_new"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Create a new SID Mods List');?>"
+ onClick="document.getElementById('sidlist_data').value=''; document.getElementById('sidlist_name').value=''; document.getElementById('sidlist_editor').style.display='table-row-group'; document.getElementById('sidlist_name').focus();" />
+ <img style="cursor:pointer;" name="sidlist_import" id="sidlist_import"
+ onClick="document.getElementById('uploader').style.display='table-row-group';"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Import/Upload a SID Mods List');?>"/>
+ <input type="image" name="sidlist_dnload_all" id="sidlist_dnload_all"
+ src="../tree/page-file_play.gif" width="16" height="16" border="0"
+ title="<?php echo gettext('Download all SID Mods List files in a single gzip archive');?>"/>
+ </th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php foreach ($sidmodfiles as $file): ?>
+ <tr>
+ <td class="listr"><?php echo gettext($file); ?></td>
+ <td class="listr"><?=date('M-d Y g:i a', filemtime("{$sidmods_path}{$file}")); ?></td>
+ <td class="listr"><?=format_bytes(filesize("{$sidmods_path}{$file}")); ?> </td>
+ <td class="list"><input type="image" name="sidlist_edit[]" id="sidlist_edit[]"
+ onClick="document.getElementById('sidlist_fname').value='<?=$file;?>';"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Edit this SID Mods List');?>"/>
+ <input type="image" name="sidlist_delete[]" id="sidlist_delete[]"
+ onClick="document.getElementById('sidlist_fname').value='<?=$file;?>';
+ return confirm('<?=gettext("Are you sure you want to permanently delete this file? Click OK to continue or CANCEL to quit.");?>');"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Delete this SID Mods List');?>"/>
+ <input type="image" name="sidlist_dnload[]" id="sidlist_dnload[]"
+ onClick="document.getElementById('sidlist_fname').value='<?=$file;?>';"
+ src="../tree/page-file_play.gif" width="16" height="16" border="0"
+ title="<?php echo gettext('Download this SID Mods List file');?>"/>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </tbody>
+ <tbody id="sidlist_editor" style="<?=$sidmodlist_edit_style;?>">
+ <tr>
+ <td colspan="4">&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="4"><strong><?=gettext("File Name: ");?></strong><input type="text" size="45" class="formfld file" id="sidlist_name" name="sidlist_name" value="<?=$sidmodlist_name;?>" />
+ &nbsp;&nbsp;<input type="submit" id="save" name="save" value="<?=gettext(" Save ");?>" title="<?=gettext("Save changes and close editor");?>" />
+ &nbsp;&nbsp;<input type="button" id="cancel" name="cancel" value="<?=gettext("Cancel");?>" onClick="document.getElementById('sidlist_editor').style.display='none';"
+ title="<?=gettext("Abandon changes and quit editor");?>" /></td>
+ </tr>
+ <tr>
+ <td colspan="4">&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="4"><textarea wrap="off" cols="80" rows="20" name="sidlist_data" id="sidlist_data"
+ style="width:95%; height:100%;"><?=$sidmodlist_data;?></textarea>
+ </td>
+ </tr>
+ </tbody>
+ <tbody>
+ <tr>
+ <td colspan="3" class="vexpl"><br/><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span>
+ <br/><?php echo gettext("SID Mods Lists are stored as local files on the firewall and their contents are " .
+ "not saved as part of the firewall configuration file."); ?></td>
+ <td class="list"></td>
+ </tr>
+ <tr>
+ <td colspan="3" class="vexpl"><br/><strong><?php echo gettext("File List Controls:"); ?></strong><br/><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Opens the editor window to create a new SID Mods List. You must provide a valid filename before saving.");?><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_import_alias.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Opens the file upload control for uploading a new SID Mods List from your local machine.");?><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Opens the SID Mods List in a text edit control for viewing or editing its contents.");?><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Deletes the SID Mods List from the file system after confirmation.");?><br/>
+ &nbsp;&nbsp;<img src="../tree/page-file_play.gif" width="16" height="16" border="0" />
+ &nbsp;<?=gettext("Downloads the SID Mods List file to your local machine.");?><br/>
+ </td>
+ <td class="list"></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Interface SID Management File Assignments"); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2" class="vtable" align="center" >
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
+ <tbody>
+ <tr>
+ <td>
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <colgroup>
+ <col width="4%" align="center">
+ <col width="20" align="center">
+ <col width="16%" align="center">
+ <col width="20%" align="center">
+ <col width="20%" align="center">
+ <col width="20%" align="center">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"><?=gettext("Rebuild"); ?></th>
+ <th class="listhdrr"><?=gettext("Interface"); ?></th>
+ <th class="listhdrr"><?=gettext("SID State Order"); ?></th>
+ <th class="listhdrr"><?=gettext("Enable SID File"); ?></th>
+ <th class="listhdrr"><?=gettext("Disable SID File"); ?></th>
+ <th class="listhdrr"><?=gettext("Modify SID File"); ?></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php foreach ($a_nat as $k => $natent): ?>
+ <tr>
+ <td class="listr" align="center">
+ <input type="checkbox" name="torestart[]" id="torestart[]" value="<?=$k;?>" title="<?=gettext("Apply new configuration and rebuild rules for this interface when saving");?>" />
+ </td>
+ <td class="listbg"><?=convert_friendly_interface_to_friendly_descr($natent['interface']); ?></td>
+ <td class="listr" align="center">
+ <select name="sid_state_order[<?=$k?>]" class="formselect" id="sid_state_order[<?=$k?>]">
+ <?php
+ foreach (array("disable_enable" => "Disable, Enable", "enable_disable" => "Enable, Disable") as $key => $order) {
+ if ($key == $natent['sid_state_order'])
+ echo "<option value='{$key}' selected>";
+ else
+ echo "<option value='{$key}'>";
+ echo htmlspecialchars($order) . '</option>';
+ }
+ ?>
+ </select>
+ </td>
+ <td class="listr" align="center">
+ <select name="enable_sid_file[<?=$k?>]" class="formselect" id="enable_sid_file[<?=$k?>]">
+ <?php
+ foreach ($sidmodselections as $choice) {
+ if ($choice == $natent['enable_sid_file'])
+ echo "<option value='{$choice}' selected>";
+ else
+ echo "<option value='{$choice}'>";
+ echo htmlspecialchars(gettext($choice)) . '</option>';
+ }
+ ?>
+ </select>
+ </td>
+ <td class="listr" align="center">
+ <select name="disable_sid_file[<?=$k?>]" class="formselect" id="disable_sid_file[<?=$k?>]">
+ <?php
+ foreach ($sidmodselections as $choice) {
+ if ($choice == $natent['disable_sid_file'])
+ echo "<option value='{$choice}' selected>";
+ else
+ echo "<option value='{$choice}'>";
+ echo htmlspecialchars(gettext($choice)) . '</option>';
+ }
+ ?>
+ </select>
+ </td>
+ <td class="listr" align="center">
+ <select name="modify_sid_file[<?=$k?>]" class="formselect" id="modify_sid_file[<?=$k?>]">
+ <?php
+ foreach ($sidmodselections as $choice) {
+ if ($choice == $natent['modify_sid_file'])
+ echo "<option value='{$choice}' selected>";
+ else
+ echo "<option value='{$choice}'>";
+ echo htmlspecialchars(gettext($choice)) . '</option>';
+ }
+ ?>
+ </select>
+ </td>
+ </tr>
+ <?php endforeach; ?>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl">&nbsp;
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <table width="100%" cellpadding="2" cellspacing="2" border="0">
+ <tbody>
+ <tr>
+ <td colspan="2" class="vexpl" style="text-align: bottom;"><strong><span class="red"><?=gettext("Notes:");?></span></strong></td>
+ </tr>
+ <tr>
+ <td class="vexpl" style="vertical-align: top;"><?=gettext("1.");?></td>
+ <td class="vexpl"><?=gettext("Check the box beside an interface to immediately apply new auto-SID management ") .
+ gettext("changes and signal Snort to live-load the new rules for the interface when clicking SAVE; ") .
+ gettext("otherwise only the new file assignments will be saved.");?>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl" style="vertical-align: top;"><?=gettext("2.");?></td>
+ <td class="vexpl"><?=gettext("SID State Order controls the order in which enable and disable state modifications are performed. ") .
+ gettext("An example would be to disable an entire category and later enable only a rule or two from it. In this case you would ") .
+ gettext("choose 'disable,enable' for the State Order. Note that the last action performed takes priority.");?>
+ </td>
+ </tr>
+ <tr>
+ <td class="vexpl" style="vertical-align: top;"><?=gettext("3.");?></td>
+ <td class="vexpl"><?=gettext("The Enable SID File, Disable SID File and Modify SID File controls specify which rule modification ") .
+ gettext("files are run automatically for the interface. Setting a file control to 'None' disables that modification. ") .
+ gettext("Setting all file controls for an interface to 'None' disables automatic SID state management for the interface.");?>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ </tbody>
+ <tbody>
+ <tr>
+ <td colspan="2" class="vexpl" align="center"><input type="submit" id="save_auto_sid_conf" name="save_auto_sid_conf" class="formbtn" value="<?=gettext("Save");?>" title="<?=gettext("Save SID Management configuration");?>" />
+ &nbsp;&nbsp;<?=gettext("Remember to save changes before exiting this page"); ?>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </div>
+ </td></tr>
+ </tbody>
+</table>
+</form>
+
+
+<?php include("fend.inc"); ?>
+<script type="text/javascript">
+
+function enable_sid_conf() {
+ var endis = !document.iform.auto_manage_sids.checked;
+ if (endis) {
+ document.getElementById("sid_conf_rows").style.display = "none";
+ }
+ else {
+ document.getElementById("sid_conf_rows").style.display = "";
+ }
+}
+
+enable_sid_conf();
+
+</script>
+</body>
+</html>
diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml
index 2b9594ea..f3db2ce9 100755
--- a/config/snort/snort_sync.xml
+++ b/config/snort/snort_sync.xml
@@ -53,39 +53,58 @@ POSSIBILITY OF SUCH DAMAGE.
<tab>
<text>Snort Interfaces</text>
<url>/snort/snort_interfaces.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>Global Settings</text>
<url>/snort/snort_interfaces_global.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>Updates</text>
<url>/snort/snort_download_updates.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>Alerts</text>
<url>/snort/snort_alerts.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>Blocked</text>
<url>/snort/snort_blocked.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>Pass Lists</text>
<url>/snort/snort_passlist.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>Suppress</text>
<url>/snort/snort_interfaces_suppress.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>IP Lists</text>
<url>/snort/snort_ip_list_mgmt.php</url>
+ <no_drop_down/>
+ </tab>
+ <tab>
+ <text>SID Mgmt</text>
+ <url>/snort/snort_sid_mgmt.php</url>
+ <no_drop_down/>
+ </tab>
+ <tab>
+ <text>Log Mgmt</text>
+ <url>/snort/snort_log_mgmt.php</url>
+ <no_drop_down/>
</tab>
<tab>
<text>Sync</text>
<url>/pkg_edit.php?xml=snort/snort_sync.xml</url>
<active/>
+ <no_drop_down/>
</tab>
</tabs>
<fields>
@@ -188,6 +207,6 @@ POSSIBILITY OF SUCH DAMAGE.
<custom_delete_php_command>
</custom_delete_php_command>
<custom_php_resync_config_command>
- write_config();snort_sync_on_changes();
+ write_config("Snort pkg: saved changes to XMLRPC sync configuration.");snort_sync_on_changes();
</custom_php_resync_config_command>
</packagegui>