author | Ermal <eri@pfsense.org> | 2012-06-12 21:06:59 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2012-06-12 21:06:59 +0000 |
commit | 2d0407fc77b1ac25bf92b6bda3a35d6b2e970070 (patch) | |
tree | beac2ff2bbafa379ecf45ef78a7071ad03f7e8bf /config/snort | |
parent | 6bb71486a512f80809480104ef43c6df880e46de (diff) | |
Put a single alert file for each instance of snort so it actually works. Also correct the blocked page. For large files this will still bail out.
Diffstat (limited to 'config/snort')
-rw-r--r-- | config/snort/snort.inc | 53 | ||||
-rw-r--r-- | config/snort/snort_alerts.php | 67 | ||||
-rw-r--r-- | config/snort/snort_blocked.php | 4 | ||||
-rw-r--r-- | config/snort/snort_interfaces.php | 16 |
4 files changed, 73 insertions, 67 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index eb3fa0e9..2ab4b3eb 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -262,10 +262,10 @@ function Running_Ck_b($snort_uuid, $if_real, $id) { } function Running_Stop($snort_uuid, $if_real, $id) { - global $config; + global $config, $g; /* if snort.sh crashed this will remove the pid */ - @unlink('/tmp/snort.sh.pid'); + @unlink("{$g['tmp_path']}/snort.sh.pid"); $start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); $start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'"); @@ -274,6 +274,7 @@ function Running_Stop($snort_uuid, $if_real, $id) { exec("/bin/kill {$start_up}"); exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*"); exec("/bin/rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*"); + @unlink("/var/log/snort/alert_{$snort_uuid}"); exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); } @@ -292,7 +293,7 @@ function Running_Start($snort_uuid, $if_real, $id) { global $config; /* if snort.sh crashed this will remove the pid */ - @unlink('/tmp/snort.sh.pid'); + @unlink("{$g['tmp_path']}/snort.sh.pid"); $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; if ($snort_info_chk == 'on') 
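Review bot: In the -292 hunk Running_Start still declares only `global $config;` (visible as context two lines above the change) while the added line reads `$g['tmp_path']`, so `$g` is undefined in that function and the unlink target collapses to `/snort.sh.pid`. Running_Stop received `global $config, $g;` in the -262 hunk; Running_Start needs the same line, `global $config, $g;`, or the "if snort.sh crashed" cleanup never removes the real pid file. The -274 hunk's `@unlink("/var/log/snort/alert_{$snort_uuid}")` is fine, but note the surrounding `exec("/bin/rm ...")` calls still interpolate `$snort_uuid` and `$if_real` unquoted into a shell command, so the per-instance file could have been removed the same non-shell way. Running_Start's body continues outside the hunk.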
@@ -313,6 +314,26 @@ function Running_Start($snort_uuid, $if_real, $id) { sleep(2); // Give time so GUI displays correctly } +function snort_get_friendly_interface($interface) { + + if (function_exists('convert_friendly_interface_to_friendly_descr')) + $iface = convert_friendly_interface_to_friendly_descr($interface); + else { + if (!$interface || ($interface == "wan")) + $iface = "WAN"; + else if(strtolower($interface) == "lan") + $iface = "LAN"; + else if(strtolower($interface) == "pppoe") + $iface = "PPPoE"; + else if(strtolower($interface) == "pptp") + $iface = "PPTP"; + else + $iface = strtoupper($interface); + } + + return $iface; +} + /* get the real iface name of wan */ function snort_get_real_interface($interface) { global $config; @@ -478,30 +499,21 @@ function snort_postinstall() /* create a few directories and ensure the sample files are in place */ if (!is_dir('/usr/local/etc/snort')) exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules'); - if (!is_dir('/usr/local/etc/snort/whitelist')) exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/'); - - if (!is_dir('/var/log/snort/run')) + /* NOTE: the diff between the if check and the exec() extra run is by design */ + if (!is_dir('/var/log/snort')) exec('/bin/mkdir -p /var/log/snort/run'); + else + exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run'); if (!is_dir('/var/log/snort/barnyard2')) exec('/bin/mkdir -p /var/log/snort/barnyard2'); - if (!is_dir('/usr/local/lib/snort/dynamicrules/')) exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); - if (!file_exists('/var/db/whitelist')) touch('/var/db/whitelist'); - /* if users have old log files delete them */ - if(!file_exists('/var/log/snort/alert')) - touch('/var/log/snort/alert'); - else { - exec('/bin/rm -rf /var/log/snort/*'); - touch('/var/log/snort/alert'); - } - /* rm barnyard2 important */ if (file_exists('/usr/local/bin/barnyard2')) @unlink('/usr/local/bin/barnyard2'); 
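Review bot: In the -478 hunk the new `else` branch runs `/bin/rm -r /var/log/snort/*` whenever `/var/log/snort` already exists, i.e. on every reinstall or upgrade, which discards barnyard2 output and every per-instance `alert_<uuid>` file along with the legacy single `alert` log; the comment `NOTE: the diff between the if check and the exec() extra run is by design` does not say what is intended, so a later maintainer cannot tell whether the wipe is deliberate. If the purpose is to clear logs left by the old single-alert layout, say so: `/* /var/log/snort exists from an earlier install: drop logs from the old single alert-file layout, then recreate run/ */`, and consider limiting the removal to the legacy `/var/log/snort/alert` so forensic data in the other logs survives a package upgrade. The new `snort_get_friendly_interface()` in the -313 hunk also lacks a header comment; a one-liner such as `/* Map a pfSense interface name (wan, lan, opt1...) to its display label, using the system helper when available. */` would document the fallback branch.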
@@ -514,7 +526,6 @@ function snort_postinstall() mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); */ /* important */ - mwexec('/bin/chmod 660 /var/log/snort/alert', true); mwexec('/bin/chmod 660 /var/db/whitelist', true); mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true); mwexec('/bin/chmod -R 660 /tmp/snort*', true); @@ -891,10 +902,6 @@ function sync_snort_package_config() if (!is_dir('/var/log/snort/barnyard2')) exec('/bin/mkdir -p /var/log/snort/barnyard2'); - /* all new files are for the user snort nologin */ - if (!file_exists('/var/log/snort/alert')) - exec('/usr/bin/touch /var/log/snort/alert'); - /* XXX: These are needed if snort is run as snort user mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); @@ -1357,9 +1364,9 @@ function generate_snort_conf($id, $if_real, $snort_uuid) /* define snortalertlogtype */ if ($config['installedpackages']['snortglobal']['snortalertlogtype'] == "fast") - $snortalertlogtype_type = "output alert_fast: alert"; + $snortalertlogtype_type = "output alert_fast: alert_{$snort_uuid}"; else - $snortalertlogtype_type = "output alert_full: alert"; + $snortalertlogtype_type = "output alert_full: alert_{$snort_uuid}"; /* define alertsystemlog */ $alertsystemlog_type = ""; diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 53b9e3a2..3094d1a7 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php 
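Review bot: The -514 hunk removes `chmod 660 /var/log/snort/alert` without adding an equivalent for the per-instance files, so the `alert_{$snort_uuid}` logs that snort now writes (the `output alert_fast: alert_{$snort_uuid}` line in the -1357 hunk) or that the GUI creates with `touch` get whatever the creator's umask gives them rather than the 660 the old single file had. Unless snort is known to create these with restrictive permissions, the restriction belongs where the file is created, e.g. `@chmod("/var/log/snort/alert_{$snort_uuid}", 0660);` after the touch in snort_alerts.php, or a `chmod 660 /var/log/snort/alert_*` in the startup path once the file exists. The postinstall function shown here cannot do it, because the same commit deletes `/var/log/snort/*` a few lines earlier, so no alert files exist at that point.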
@@ -43,7 +43,13 @@ $snort_load_sortabletable = 'yes'; $snort_load_mootools = 'yes'; $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; -$snort_logfile = '/var/log/snort/alert'; + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_instance = &$config['installedpackages']['snortglobal']['rule']; +$snort_uuid = $a_instance[0]['uuid']; +if ($_POST['instance']) + $snort_uuid = $a_instance[$_POST['instance']]['uuid']; if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; @@ -87,10 +93,10 @@ if ($_POST['save']) if ($_GET['action'] == "clear" || $_POST['clear']) { - if(file_exists('/var/log/snort/alert')) + if (file_exists("/var/log/snort/alert_{$snort_uuid}")) { conf_mount_rw(); - @file_put_contents("/var/log/snort/alert", ""); + @file_put_contents("/var/log/snort/alert_{$snort_uuid}", ""); post_delete_logs(); /* XXX: This is needed is snort is run as snort user */ //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); 
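Review bot: `$snort_uuid = $a_instance[$_POST['instance']]['uuid'];` indexes the config array with an unvalidated POST value; an unknown or non-numeric index produces an undefined-index notice and an empty `$snort_uuid`, after which the page touches and (in the -87 hunk) truncates `/var/log/snort/alert_` instead of any instance's log. Guard the lookup with `if (isset($_POST['instance']) && ctype_digit((string)$_POST['instance']) && isset($a_instance[$_POST['instance']]['uuid']))` before the existing assignment, keeping index 0 as the fallback. The uuid itself comes from the saved config, so the POST index does not reach the filesystem directly, but the resulting string is still interpolated into `exec("/usr/bin/touch ...")` further down the file, so an empty value should never get that far. Note also that the Clear link is a GET with no `instance` parameter, so the -87 hunk's truncation always hits instance 0's file regardless of what the selector shows.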
@@ -291,40 +297,45 @@ if ($pconfig['arefresh'] == 'on') <tr> <td> <div id="mainarea2"> - <table class="tabcont" width="100%" border="1" cellspacing="0" - cellpadding="0"> + <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0"> + <form action="/snort/snort_alerts.php" method="post" id="formalert"> <tr> - <td width="22%" colspan="0" class="listtopic">Last <?=$anentries;?> - Alert Entries.</td> - <td width="78%" class="listtopic">Latest Alert Entries Are Listed - First.</td> + <td width="22%" colspan="0" class="listtopic">Last <?=$anentries;?> Alert Entries.</td> + <td width="78%" class="listtopic">Latest Alert Entries Are Listed First.</td> </tr> <tr> + <td width="22%" class="vncell">Instance to inspect</td> + <td width="78%" class="vtable"> + <br/> <select name="instance" id="instance" class="formfld unkown" onChange="document.getElementById('formalert').submit()"> + <?php + foreach ($a_instance as $id => $instance) { + echo "<option value='{$id}'> (" . snort_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n"; + } + ?> + </select><br/> Choose which instance alerts you want to inspect. + </td> + <tr> <td width="22%" class="vncell">Save or Remove Logs</td> <td width="78%" class="vtable"> - <form action="/snort/snort_alerts.php" method="post"><input - name="download" type="submit" class="formbtn" value="Download"> All - log files will be saved. <a href="/snort/snort_alerts.php?action=clear"><input name="delete" type="button" - class="formbtn" value="Clear" - onclick="return confirm('Do you really want to remove all your logs ? All snort rule interfces may have to be restarted.')"></a> - <span class="red"><strong>Warning:</strong></span> all log files - will be deleted.</form> + <input name="download" type="submit" class="formbtn" value="Download"> All + log files will be saved. 
<a href="/snort/snort_alerts.php?action=clear"> + <input name="delete" type="button" class="formbtn" value="Clear" + onclick="return confirm('Do you really want to remove all instance logs?')"></a> + <span class="red"><strong>Warning:</strong></span> all log files will be deleted. </td> </tr> <tr> <td width="22%" class="vncell">Auto Refresh and Log View</td> <td width="78%" class="vtable"> - <form action="/snort/snort_alerts.php" method="post"><input - name="save" type="submit" class="formbtn" value="Save"> Refresh <input - name="arefresh" type="checkbox" value="on" + <input name="save" type="submit" class="formbtn" value="Save"> + Refresh <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> - <strong>Default</strong> is <strong>ON</strong>. <input - name="alertnumber" type="text" class="formfld" id="alertnumber" - size="5" value="<?=htmlspecialchars($anentries);?>"> Enter the - number of log entries to view. <strong>Default</strong> is <strong>250</strong>. - </form> + <strong>Default</strong> is <strong>ON</strong>. + <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> + Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>. </td> </tr> + </form> </table> </div> </td> 
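Review bot: The instance selector echoes `$instance['descr']` straight into the `<option>` text without `htmlspecialchars()`, so a description containing markup (set on the interface edit page, not shown here) breaks or scripts this page; the selected entry is also never marked, so after the onChange submit the list snaps back to the first option while the table below shows the instance that was chosen. Replace the echo with `$sel = ($instance['uuid'] == $snort_uuid) ? ' selected' : '';` followed by `echo "<option value='{$id}'{$sel}> (" . snort_get_friendly_interface($instance['interface']) . ")" . htmlspecialchars($instance['descr']) . "</option>\n";`. The Clear button's confirm text now says "remove all instance logs", but the handler in the -87 hunk truncates only one `alert_{$snort_uuid}` file, so one of the two should be brought in line with the other.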
@@ -370,16 +381,16 @@ if ($pconfig['arefresh'] == 'on') <?php /* make sure alert file exists */ - if(!file_exists('/var/log/snort/alert')) - exec('/usr/bin/touch /var/log/snort/alert'); + if (!file_exists("/var/log/snort/alert_{$snort_uuid}")) + exec("/usr/bin/touch /var/log/snort/alert_{$snort_uuid}"); $logent = $anentries; /* detect the alert file type */ if ($snortalertlogt == 'full') - $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); + $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}")))); else - $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert')))); + $alerts_array = array_reverse(array_filter(split("\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}")))); diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 11e7cae6..932e0983 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -295,8 +295,9 @@ if ($pconfig['brefresh'] == 'on') /* set the arrays */ exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); - $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); + foreach (glob("/var/log/snort/alert_*") as $alert) { + $alerts_array = array_reverse(explode("\n\n", file_get_contents("{$alert}"))); $logent = $bnentries; @@ -395,6 +396,7 @@ if ($pconfig['brefresh'] == 'on') </tr>\n"; } } + } echo '</table>' . "\n"; diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index 9174c24f..86a9aff6 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php 
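Review bot: `exec("/usr/bin/touch /var/log/snort/alert_{$snort_uuid}")` goes through a shell for something PHP does natively; `@touch("/var/log/snort/alert_{$snort_uuid}");` creates the file without interpolating a config-sourced string into a command line, and the file type/size concern the commit message admits (the whole file is read with `file_get_contents()` on the next lines) remains unaddressed. The `split()` call on the fast-format branch is pre-existing but deprecated; `explode("\n", ...)` as used on the full-format branch does the same job.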
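Review bot: In snort_blocked.php the new `foreach (glob("/var/log/snort/alert_*") as $alert)` loop moves `$logent = $bnentries;` inside the per-file iteration, so whatever row limit `$logent` enforces (its use continues outside the hunk) now applies per alert file rather than to the table as a whole. The rewritten `$alerts_array = array_reverse(explode("\n\n", ...))` also drops the `array_filter()` the removed line had, so a trailing newline yields an empty entry that the parsing below will process; restoring `array_filter(explode("\n\n", file_get_contents($alert)))` keeps the old behaviour. `glob()` returns `false` on error, which makes `foreach` emit a warning; `foreach ((array) glob(...) as $alert)` or an `if ($files !== false)` guard avoids it.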
@@ -30,7 +30,6 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* TODO: redo check if snort is up */ $nocsrf = true; require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort_gui.inc"); @@ -243,20 +242,7 @@ enable JavaScript to view this content id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> <?php - if (function_exists('convert_friendly_interface_to_friendly_descr')) - echo convert_friendly_interface_to_friendly_descr($natent['interface']); - else { - if (!$natent['interface'] || ($natent['interface'] == "wan")) - echo "WAN"; - else if(strtolower($natent['interface']) == "lan") - echo "LAN"; - else if(strtolower($natent['interface']) == "pppoe") - echo "PPPoE"; - else if(strtolower($natent['interface']) == "pptp") - echo "PPTP"; - else - echo strtoupper($natent['interface']); - } + echo snort_get_friendly_interface($natent['interface']); ?></td> <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" |
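Review bot: `echo snort_get_friendly_interface($natent['interface']);` writes the helper's return value into the table cell unescaped; when `convert_friendly_interface_to_friendly_descr()` exists the label is the user-set interface description, not one of the fixed WAN/LAN strings, so it should be escaped at the point of output: `echo htmlspecialchars(snort_get_friendly_interface($natent['interface']));`. The refactor itself is behaviour-preserving relative to the removed inline chain. The enclosing row-rendering loop starts and ends outside the hunk.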