authorErmal <eri@pfsense.org>2012-06-12 21:06:59 +0000
committerErmal <eri@pfsense.org>2012-06-12 21:06:59 +0000
commit2d0407fc77b1ac25bf92b6bda3a35d6b2e970070 (patch)
treebeac2ff2bbafa379ecf45ef78a7071ad03f7e8bf /config/snort
parent6bb71486a512f80809480104ef43c6df880e46de (diff)
downloadpfsense-packages-2d0407fc77b1ac25bf92b6bda3a35d6b2e970070.tar.gz
pfsense-packages-2d0407fc77b1ac25bf92b6bda3a35d6b2e970070.tar.bz2
pfsense-packages-2d0407fc77b1ac25bf92b6bda3a35d6b2e970070.zip
Put a single alert file for each instance of snort so it actually works. Also correct the blocked page. For large files this will still bail out.
Diffstat (limited to 'config/snort')
-rw-r--r--config/snort/snort.inc53
-rw-r--r--config/snort/snort_alerts.php67
-rw-r--r--config/snort/snort_blocked.php4
-rw-r--r--config/snort/snort_interfaces.php16
4 files changed, 73 insertions, 67 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index eb3fa0e9..2ab4b3eb 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -262,10 +262,10 @@ function Running_Ck_b($snort_uuid, $if_real, $id) {
}
function Running_Stop($snort_uuid, $if_real, $id) {
- global $config;
+ global $config, $g;
/* if snort.sh crashed this will remove the pid */
- @unlink('/tmp/snort.sh.pid');
+ @unlink("{$g['tmp_path']}/snort.sh.pid");
$start_up = exec("/bin/ps -ax | /usr/bin/grep \"R {$snort_uuid}\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
$start_upb = exec("/bin/ps -ax | /usr/bin/grep \"snort_{$snort_uuid}_{$if_real}.u2\" | /usr/bin/grep -v grep | /usr/bin/awk '{ print \$1; }'");
@@ -274,6 +274,7 @@ function Running_Stop($snort_uuid, $if_real, $id) {
exec("/bin/kill {$start_up}");
exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*");
exec("/bin/rm /var/log/snort/snort_{$snort_uuid}_{$if_real}*");
+ @unlink("/var/log/snort/alert_{$snort_uuid}");
exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
}
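Review bot: The new `@unlink("/var/log/snort/alert_{$snort_uuid}")` discards the instance's whole alert history every time it is stopped; if Running_Stop is also what a restart goes through (not visible in this hunk), a rule update or interface bounce erases alerts an analyst may still need. If that is the intent, make it explicit with a comment such as `/* alert history is deleted together with the instance; it is not preserved across stop/start */`; otherwise leave the alert file to the GUI's Clear action, which already truncates it. Running_Stop continues outside the hunk.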
@@ -292,7 +293,7 @@ function Running_Start($snort_uuid, $if_real, $id) {
global $config;
/* if snort.sh crashed this will remove the pid */
- @unlink('/tmp/snort.sh.pid');
+ @unlink("{$g['tmp_path']}/snort.sh.pid");
$snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
if ($snort_info_chk == 'on')
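Review bot: `$g` is not declared global in Running_Start — the context line shows only `global $config;` — so `$g['tmp_path']` is an undefined index inside the function and the new unlink targets `/snort.sh.pid` rather than the real pid file, which means a stale pid left by a crashed snort.sh is never cleared on this path. Change the declaration to `global $config, $g;`, as this same commit does in Running_Stop. Running_Start's body continues outside the hunk.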
@@ -313,6 +314,26 @@ function Running_Start($snort_uuid, $if_real, $id) {
sleep(2); // Give time so GUI displays correctly
}
+function snort_get_friendly_interface($interface) {
+
+ if (function_exists('convert_friendly_interface_to_friendly_descr'))
+ $iface = convert_friendly_interface_to_friendly_descr($interface);
+ else {
+ if (!$interface || ($interface == "wan"))
+ $iface = "WAN";
+ else if(strtolower($interface) == "lan")
+ $iface = "LAN";
+ else if(strtolower($interface) == "pppoe")
+ $iface = "PPPoE";
+ else if(strtolower($interface) == "pptp")
+ $iface = "PPTP";
+ else
+ $iface = strtoupper($interface);
+ }
+
+ return $iface;
+}
+
/* get the real iface name of wan */
function snort_get_real_interface($interface) {
global $config;
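Review bot: The new snort_get_friendly_interface() has no header comment and its contract matters to callers, because the value it returns is echoed straight into HTML elsewhere in this commit. Suggested comment above the function: `/* Return the GUI label for a pfSense interface name ("wan" -> "WAN", "lan" -> "LAN", ...), using the core convert_friendly_interface_to_friendly_descr() when present. The result is not HTML-escaped; callers echoing it into markup must escape it. */`. The hunk also cuts into the tail of Running_Start and the head of snort_get_real_interface, which are not reviewable here.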
@@ -478,30 +499,21 @@ function snort_postinstall()
/* create a few directories and ensure the sample files are in place */
if (!is_dir('/usr/local/etc/snort'))
exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules');
-
if (!is_dir('/usr/local/etc/snort/whitelist'))
exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/');
-
- if (!is_dir('/var/log/snort/run'))
+ /* NOTE: the diff between the if check and the exec() extra run is by design */
+ if (!is_dir('/var/log/snort'))
exec('/bin/mkdir -p /var/log/snort/run');
+ else
+ exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run');
if (!is_dir('/var/log/snort/barnyard2'))
exec('/bin/mkdir -p /var/log/snort/barnyard2');
-
if (!is_dir('/usr/local/lib/snort/dynamicrules/'))
exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/');
-
if (!file_exists('/var/db/whitelist'))
touch('/var/db/whitelist');
- /* if users have old log files delete them */
- if(!file_exists('/var/log/snort/alert'))
- touch('/var/log/snort/alert');
- else {
- exec('/bin/rm -rf /var/log/snort/*');
- touch('/var/log/snort/alert');
- }
-
/* rm barnyard2 important */
if (file_exists('/usr/local/bin/barnyard2'))
@unlink('/usr/local/bin/barnyard2');
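Review bot: The new else branch `exec('/bin/rm -r /var/log/snort/*; ...')` wipes everything under /var/log/snort on every reinstall — including the barnyard2 directory that the following lines then recreate empty — and the comment above it ("the diff between the if check and the exec() extra run is by design") does not say so. Replace that comment with something that states the consequence, e.g. `/* Reinstall: discard all existing snort logs (alert_*, unified2, barnyard2 spool) so stale files from the old single-alert layout are not picked up, then recreate run/. */`. Note also that the touch+chmod 660 of the alert file is gone from this function, so the per-instance alert files are now created later by snort or the GUI with whatever the default umask gives; if snort is ever run as the snort user (the commented-out chown block nearby) those files will need permission handling again.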
@@ -514,7 +526,6 @@ function snort_postinstall()
mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
*/
/* important */
- mwexec('/bin/chmod 660 /var/log/snort/alert', true);
mwexec('/bin/chmod 660 /var/db/whitelist', true);
mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true);
mwexec('/bin/chmod -R 660 /tmp/snort*', true);
@@ -891,10 +902,6 @@ function sync_snort_package_config()
if (!is_dir('/var/log/snort/barnyard2'))
exec('/bin/mkdir -p /var/log/snort/barnyard2');
- /* all new files are for the user snort nologin */
- if (!file_exists('/var/log/snort/alert'))
- exec('/usr/bin/touch /var/log/snort/alert');
-
/* XXX: These are needed if snort is run as snort user
mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
@@ -1357,9 +1364,9 @@ function generate_snort_conf($id, $if_real, $snort_uuid)
/* define snortalertlogtype */
if ($config['installedpackages']['snortglobal']['snortalertlogtype'] == "fast")
- $snortalertlogtype_type = "output alert_fast: alert";
+ $snortalertlogtype_type = "output alert_fast: alert_{$snort_uuid}";
else
- $snortalertlogtype_type = "output alert_full: alert";
+ $snortalertlogtype_type = "output alert_full: alert_{$snort_uuid}";
/* define alertsystemlog */
$alertsystemlog_type = "";
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index 53b9e3a2..3094d1a7 100644
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -43,7 +43,13 @@ $snort_load_sortabletable = 'yes';
$snort_load_mootools = 'yes';
$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
-$snort_logfile = '/var/log/snort/alert';
+
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+$a_instance = &$config['installedpackages']['snortglobal']['rule'];
+$snort_uuid = $a_instance[0]['uuid'];
+if ($_POST['instance'])
+ $snort_uuid = $a_instance[$_POST['instance']]['uuid'];
if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) {
$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'];
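Review bot: `$_POST['instance']` is used as an array index with no check that the entry exists, so an out-of-range or non-numeric value leaves `$snort_uuid` null and every later path in this page degrades to `/var/log/snort/alert_`; the same happens when the config has no instances and `$a_instance[0]` is unset. Guard both: `$snort_uuid = isset($a_instance[0]['uuid']) ? $a_instance[0]['uuid'] : '';` and `if (isset($_POST['instance']) && !empty($a_instance[$_POST['instance']]['uuid']))` before the assignment. Only the stored uuid, never the POST value itself, reaches the filesystem path, so this is a correctness issue rather than a traversal one.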
@@ -87,10 +93,10 @@ if ($_POST['save'])
if ($_GET['action'] == "clear" || $_POST['clear'])
{
- if(file_exists('/var/log/snort/alert'))
+ if (file_exists("/var/log/snort/alert_{$snort_uuid}"))
{
conf_mount_rw();
- @file_put_contents("/var/log/snort/alert", "");
+ @file_put_contents("/var/log/snort/alert_{$snort_uuid}", "");
post_delete_logs();
/* XXX: This is needed is snort is run as snort user */
//mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true);
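Review bot: The clear action is reached through the GET link `?action=clear`, but the instance to operate on is read only from `$_POST['instance']` earlier in this file, so a GET clear always falls back to the first instance's uuid and truncates instance 0's alert file regardless of what the dropdown shows — while the confirm text promises to "remove all instance logs". Either make the Clear button a real submit (`<input name="clear" type="submit" ...>`, which the `$_POST['clear']` branch already handles) so the selected instance travels with it, or iterate `glob('/var/log/snort/alert_*')` here if clearing every instance is the intent. A state-changing GET is also outside whatever CSRF protection the POST form carries — worth confirming against guiconfig.inc.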
@@ -291,40 +297,45 @@ if ($pconfig['arefresh'] == 'on')
<tr>
<td>
<div id="mainarea2">
- <table class="tabcont" width="100%" border="1" cellspacing="0"
- cellpadding="0">
+ <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0">
+ <form action="/snort/snort_alerts.php" method="post" id="formalert">
<tr>
- <td width="22%" colspan="0" class="listtopic">Last <?=$anentries;?>
- Alert Entries.</td>
- <td width="78%" class="listtopic">Latest Alert Entries Are Listed
- First.</td>
+ <td width="22%" colspan="0" class="listtopic">Last <?=$anentries;?> Alert Entries.</td>
+ <td width="78%" class="listtopic">Latest Alert Entries Are Listed First.</td>
</tr>
<tr>
+ <td width="22%" class="vncell">Instance to inspect</td>
+ <td width="78%" class="vtable">
+ <br/> <select name="instance" id="instance" class="formfld unkown" onChange="document.getElementById('formalert').submit()">
+ <?php
+ foreach ($a_instance as $id => $instance) {
+ echo "<option value='{$id}'> (" . snort_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n";
+ }
+ ?>
+ </select><br/> Choose which instance alerts you want to inspect.
+ </td>
+ <tr>
<td width="22%" class="vncell">Save or Remove Logs</td>
<td width="78%" class="vtable">
- <form action="/snort/snort_alerts.php" method="post"><input
- name="download" type="submit" class="formbtn" value="Download"> All
- log files will be saved. <a href="/snort/snort_alerts.php?action=clear"><input name="delete" type="button"
- class="formbtn" value="Clear"
- onclick="return confirm('Do you really want to remove all your logs ? All snort rule interfces may have to be restarted.')"></a>
- <span class="red"><strong>Warning:</strong></span> all log files
- will be deleted.</form>
+ <input name="download" type="submit" class="formbtn" value="Download"> All
+ log files will be saved. <a href="/snort/snort_alerts.php?action=clear">
+ <input name="delete" type="button" class="formbtn" value="Clear"
+ onclick="return confirm('Do you really want to remove all instance logs?')"></a>
+ <span class="red"><strong>Warning:</strong></span> all log files will be deleted.
</td>
</tr>
<tr>
<td width="22%" class="vncell">Auto Refresh and Log View</td>
<td width="78%" class="vtable">
- <form action="/snort/snort_alerts.php" method="post"><input
- name="save" type="submit" class="formbtn" value="Save"> Refresh <input
- name="arefresh" type="checkbox" value="on"
+ <input name="save" type="submit" class="formbtn" value="Save">
+ Refresh <input name="arefresh" type="checkbox" value="on"
<?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>>
- <strong>Default</strong> is <strong>ON</strong>. <input
- name="alertnumber" type="text" class="formfld" id="alertnumber"
- size="5" value="<?=htmlspecialchars($anentries);?>"> Enter the
- number of log entries to view. <strong>Default</strong> is <strong>250</strong>.
- </form>
+ <strong>Default</strong> is <strong>ON</strong>.
+ <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>">
+ Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>.
</td>
</tr>
+ </form>
</table>
</div>
</td>
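Review bot: The instance dropdown never marks the current selection — no `selected` attribute on the option whose `$id` matches `$_POST['instance']` — so after the onChange auto-submit the page renders instance N's alerts while the select shows the first entry, and the next Save, Download or Clear re-posts instance 0. `$instance['descr']` and the friendly interface name are also echoed into the option text unescaped. Suggested replacement for the echo line: `$sel = (isset($_POST['instance']) && (int)$_POST['instance'] === $id) ? " selected" : "";` followed by `echo "<option value='{$id}'{$sel}> (" . htmlspecialchars(snort_get_friendly_interface($instance['interface'])) . ")" . htmlspecialchars($instance['descr']) . "</option>\n";`.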
@@ -370,16 +381,16 @@ if ($pconfig['arefresh'] == 'on')
<?php
/* make sure alert file exists */
- if(!file_exists('/var/log/snort/alert'))
- exec('/usr/bin/touch /var/log/snort/alert');
+ if (!file_exists("/var/log/snort/alert_{$snort_uuid}"))
+ exec("/usr/bin/touch /var/log/snort/alert_{$snort_uuid}");
$logent = $anentries;
/* detect the alert file type */
if ($snortalertlogt == 'full')
- $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));
+ $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}"))));
else
- $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert'))));
+ $alerts_array = array_reverse(array_filter(split("\n", file_get_contents("/var/log/snort/alert_{$snort_uuid}"))));
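Review bot: `exec("/usr/bin/touch /var/log/snort/alert_{$snort_uuid}")` sends `$snort_uuid` through a shell for no reason; it comes from config.xml rather than the request, but PHP's builtin needs neither the shell nor the fork: `@touch("/var/log/snort/alert_{$snort_uuid}");`. The two file_get_contents() calls below still slurp the entire alert file into memory before reversing it, which the commit message admits will bail out on large files; reading the file backwards in fixed-size chunks with fseek()/fread() until `$anentries` records are collected would bound memory independent of file size. The code continues beyond the hunk.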
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 11e7cae6..932e0983 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -295,8 +295,9 @@ if ($pconfig['brefresh'] == 'on')
/* set the arrays */
exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
- $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));
$blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache'))));
+ foreach (glob("/var/log/snort/alert_*") as $alert) {
+ $alerts_array = array_reverse(explode("\n\n", file_get_contents("{$alert}")));
$logent = $bnentries;
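Review bot: The per-file line drops the `array_filter()` the removed line had, so the empty element produced by a file's trailing `\n\n` (and an entirely empty alert file) now enters `$alerts_array` and reaches the parsing code below; keep it: `$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents($alert))));`. `glob()` can return false on error, which makes the `foreach` emit a warning instead of iterating — assign it first and fall back with `if ($alert_files === false) $alert_files = array();`. `$logent = $bnentries;` is also reset inside the loop, so the entry limit now applies per instance rather than across all instances; if that is intended it deserves a one-line comment. The loop body continues past the end of the hunk.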
@@ -395,6 +396,7 @@ if ($pconfig['brefresh'] == 'on')
</tr>\n";
}
}
+ }
echo '</table>' . "\n";
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php
index 9174c24f..86a9aff6 100644
--- a/config/snort/snort_interfaces.php
+++ b/config/snort/snort_interfaces.php
@@ -30,7 +30,6 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-/* TODO: redo check if snort is up */
$nocsrf = true;
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort_gui.inc");
@@ -243,20 +242,7 @@ enable JavaScript to view this content
id="frd<?=$nnats;?>"
ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';">
<?php
- if (function_exists('convert_friendly_interface_to_friendly_descr'))
- echo convert_friendly_interface_to_friendly_descr($natent['interface']);
- else {
- if (!$natent['interface'] || ($natent['interface'] == "wan"))
- echo "WAN";
- else if(strtolower($natent['interface']) == "lan")
- echo "LAN";
- else if(strtolower($natent['interface']) == "pppoe")
- echo "PPPoE";
- else if(strtolower($natent['interface']) == "pptp")
- echo "PPTP";
- else
- echo strtoupper($natent['interface']);
- }
+ echo snort_get_friendly_interface($natent['interface']);
?></td>
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)"
id="frd<?=$nnats;?>"
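Review bot: The interface label is echoed into the table cell unescaped, as the replaced code also did; when the core helper is available it returns the admin-configured interface description, which is free text. `echo htmlspecialchars(snort_get_friendly_interface($natent['interface']));` keeps the cell safe at no cost. The enclosing loop starts before the hunk.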