diff options
author | Ermal <eri@pfsense.org> | 2011-11-11 10:40:30 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2011-11-11 10:45:15 +0000 |
commit | ec96e569e89ceb3a311cdb05ef85f34beb1ba89d (patch) | |
tree | 8b8707a254f935a9814a3da8780fbffb51474b72 /config/snort | |
parent | 216b9bb43657b4c15376603698bcccf34ecb102c (diff) | |
download | pfsense-packages-ec96e569e89ceb3a311cdb05ef85f34beb1ba89d.tar.gz pfsense-packages-ec96e569e89ceb3a311cdb05ef85f34beb1ba89d.tar.bz2 pfsense-packages-ec96e569e89ceb3a311cdb05ef85f34beb1ba89d.zip |
Remove the mess of config syncing in snort and just provide one function for all. This allows snort to properly start at bootup and restart on ip change.
Diffstat (limited to 'config/snort')
-rw-r--r-- | config/snort/snort.inc | 225 | ||||
-rw-r--r-- | config/snort/snort.xml | 7 | ||||
-rw-r--r-- | config/snort/snort_barnyard.php | 2 | ||||
-rw-r--r-- | config/snort/snort_define_servers.php | 2 | ||||
-rw-r--r-- | config/snort/snort_dynamic_ip_reload.php | 45 | ||||
-rw-r--r-- | config/snort/snort_interfaces.php | 4 | ||||
-rw-r--r-- | config/snort/snort_interfaces_edit.php | 4 | ||||
-rw-r--r-- | config/snort/snort_interfaces_global.php | 2 | ||||
-rw-r--r-- | config/snort/snort_interfaces_whitelist_edit.php | 2 | ||||
-rw-r--r-- | config/snort/snort_preprocessors.php | 2 | ||||
-rw-r--r-- | config/snort/snort_rulesets.php | 2 |
11 files changed, 42 insertions, 255 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 5b5e3dae..5fdc7a8b 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -592,7 +592,7 @@ function snort_postinstall() if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); update_output_window(gettext("Please wait... rebuilding files...")); - sync_snort_package_empty(); + sync_snort_package_config(); update_output_window(gettext("Finnished Rebuilding files...")); } } @@ -845,135 +845,8 @@ function snort_rules_up_install_cron($should_install) { } } -function sync_snort_package_remove_old() -{ - global $config, $g; - - $snort_dir_scan = '/usr/local/etc/snort'; - - // scan dirm might have to make this into a funtion - $dh_scan = opendir($snort_dir_scan); - while (false !== ($dir_filename = readdir($dh_scan))) { - $list_dir_files[] = $dir_filename; - } - - // find patern in a array, very cool code - class array_ereg { - function array_ereg($pattern) { $this->pattern = $pattern; } - function ereg($string) { - return ereg($this->pattern, $string); - } - } - - $rule_array2 = $config['installedpackages']['snortglobal']['rule']; - foreach ($rule_array2 as $id => $value) { - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - - $snort_rules_list[] = "snort_{$id}{$if_real}"; - } - - $snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); - $snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); - - foreach ($snort_dir_filter_search_result as $value) - exec("/bin/rm -r /usr/local/etc/snort/$value"); - -} - -/* make sure this func on writes to files and does not start snort */ -function sync_snort_package() { - global $config, $g; - - /* all new files are for the user snort nologin */ - if (!is_dir('/var/log/snort')) - exec('/bin/mkdir -p /var/log/snort'); - - if (!is_dir('/var/log/snort/run')) - exec('/bin/mkdir -p /var/log/snort/run'); - - if (!is_dir('/var/log/snort/barnyard2')) - exec('/bin/mkdir -p /var/log/snort/barnyard2'); - - /* all new files are for the user snort nologin */ - if (!file_exists('/var/log/snort/alert')) - exec('/usr/bin/touch /var/log/snort/alert'); - - /* XXX: These are needed if snort is run as snort user - mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); - mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); - mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); - mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); - */ - - /* important */ - mwexec('/bin/chmod 770 /var/db/whitelist', true); - mwexec('/bin/chmod 770 /var/run/snort*', true); - mwexec('/bin/chmod 770 /tmp/snort*', true); - mwexec('/bin/chmod -R 770 /var/log/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); - mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); -} - -/* only run when a single iface needs to sync */ -function sync_snort_package_all($id, $if_real, $snort_uuid) -{ - global $config, $g; - - /* RedDevil suggested code */ - /* TODO: more testing needs to be done */ - /* may cause voip to fail */ - //exec("/sbin/sysctl net.bpf.bufsize=8388608"); - //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); - //exec("/sbin/sysctl net.bpf.maxinsns=512"); - //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - - conf_mount_rw(); - - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); - conf_mount_ro(); - return; - } - if (!is_array($config['installedpackages']['snortglobal']['rule'][$id])) { - conf_mount_ro(); - return; - } - - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = snort_get_real_interface($result_lan); - - /* only build whitelist when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7'] == 'on') - create_snort_whitelist($id, $if_real); - - /* only build threshold when needed */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') - create_snort_suppress($id, $if_real); - - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); - - /* if rules exist cp rules to each iface */ - create_rules_iface($id, $if_real, $snort_uuid); - - /* create snort bootup file snort.sh only create once */ - create_snort_sh(); - - /* create barnyard2 configuration file */ - if ($config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'] == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - - sync_snort_package(); - - conf_mount_ro(); -} - /* Only run when all ifaces needed to sync. Expects filesystem rw */ -function sync_snort_package_empty() +function sync_snort_package_config() { global $config, $g; @@ -1015,8 +888,7 @@ function sync_snort_package_empty() create_rules_iface($id, $if_real, $snort_uuid); /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $value['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') + if ($value['barnyard_enable'] == 'on') create_barnyard2_conf($id, $if_real, $snort_uuid); } } @@ -1024,61 +896,39 @@ function sync_snort_package_empty() /* create snort bootup file snort.sh only create once */ create_snort_sh(); - sync_snort_package(); - - conf_mount_ro(); -} - -/* only bootup and ip refresh */ -function sync_snort_package_config() -{ - global $config, $g; - - /* RedDevil suggested code */ - /* TODO: more testing needs to be done */ - /* may cause voip to fail */ - //exec("/sbin/sysctl net.bpf.bufsize=8388608"); - //exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); - //exec("/sbin/sysctl net.bpf.maxinsns=512"); - //exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']['rule'])) - return; - - conf_mount_rw(); - - foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - - $result_lan = $value['interface']; - $if_real = snort_get_real_interface($result_lan); - $snort_uuid = $value['uuid']; - - if (!empty($if_real) && !empty($snort_uuid)) { + /* all new files are for the user snort nologin */ + if (!is_dir('/var/log/snort')) + exec('/bin/mkdir -p /var/log/snort'); - /* only build whitelist when needed */ - if ($value['blockoffenders7'] == 'on') - create_snort_whitelist($id, $if_real); + if (!is_dir('/var/log/snort/run')) + exec('/bin/mkdir -p /var/log/snort/run'); - /* only build threshold when needed */ - if ($value['suppresslistname'] != 'default') - create_snort_suppress($id, $if_real); + if (!is_dir('/var/log/snort/barnyard2')) + exec('/bin/mkdir -p /var/log/snort/barnyard2'); - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); + /* all new files are for the user snort nologin */ + if (!file_exists('/var/log/snort/alert')) + exec('/usr/bin/touch /var/log/snort/alert'); - /* create barnyard2 configuration file */ - if ($value['barnyard_enable'] == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - } - } + /* XXX: These are needed if snort is run as snort user + mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true); + mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true); + mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true); + mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true); + */ - sync_snort_package(); + /* important */ + mwexec('/bin/chmod 770 /var/db/whitelist', true); + mwexec('/bin/chmod 770 /var/run/snort*', true); + mwexec('/bin/chmod 770 /tmp/snort*', true); + mwexec('/bin/chmod -R 770 /var/log/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true); + mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true); conf_mount_ro(); } - /* Start of main config files */ /* create threshold file */ @@ -1214,8 +1064,8 @@ function create_snort_sh() #### Fake start only used on bootup and Pfsense IP changes #### Only try to restart if snort is running on Iface -if [ "`/bin/ps -auwx | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $2;}'`" != "" ]; then - snort_pid=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/awk '{print $2;}'` +if [ "`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'`" != "" ]; then + snort_pid=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print $1;}'` /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" #### Restart Iface @@ -1236,9 +1086,9 @@ EOE; $snort_sh_text4[] = <<<EOF -pid_s=`/bin/ps -auwx | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$2;}'` +pid_s=`/bin/ps -ax | /usr/bin/grep "R {$snort_uuid}" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'` sleep 3 -pid_b=`/bin/ps -auwx | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$2;}'` +pid_b=`/bin/ps -ax | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/grep -v grep | /usr/bin/awk '{print \$1;}'` if [ \${pid_s} ] ; then /bin/echo "snort.sh run" > /tmp/snort.sh.pid @@ -1270,26 +1120,13 @@ EOF; rc_start() { /bin/echo "snort.sh run" > /tmp/snort.sh.pid - - #### Remake the configs on boot Important! - /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php & - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." - $start_snort_iface_start - /bin/rm /tmp/snort.sh.pid } rc_stop() { - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then - /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" - exit 0 - fi - $start_snort_iface_stop - /bin/rm /tmp/snort.sh.pid /bin/rm /var/run/snort* diff --git a/config/snort/snort.xml b/config/snort/snort.xml index c80bf672..2365bbea 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -95,11 +95,6 @@ <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/pf/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item> - </additional_files_needed> - <additional_files_needed> <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> @@ -199,7 +194,7 @@ <custom_add_php_command> </custom_add_php_command> <custom_php_resync_config_command> - sync_snort_package(); + sync_snort_package_config(); </custom_php_resync_config_command> <custom_php_install_command> snort_postinstall(); diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index c4ac1292..b647c007 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -115,7 +115,7 @@ if ($_POST) { } write_config(); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index ddb1e378..e3238ef7 100644 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -159,7 +159,7 @@ if ($_POST) { write_config(); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_dynamic_ip_reload.php b/config/snort/snort_dynamic_ip_reload.php deleted file mode 100644 index 66bc505c..00000000 --- a/config/snort/snort_dynamic_ip_reload.php +++ /dev/null @@ -1,45 +0,0 @@ -<?php - -/* $Id$ */ -/* - snort_dynamic_ip_reload.php - Copyright (C) 2009 Robert Zeleya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - -/* NOTE: this file gets included from the pfSense filter.inc plugin process */ -/* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ - -require_once("/usr/local/pkg/snort/snort.inc"); - -if (file_exists('/var/run/snort_dynamic_ip_reload.dirty')) { - exit(); -} - -exec('/usr/bin/touch /var/run/snort_dynamic_ip_reload.dirty'); - -sync_snort_package_config(); -@unlink("/var/run/snort_dynamic_ip_reload.dirty"); - -?> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index b00b107e..9174c24f 100644 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -75,7 +75,7 @@ if (isset($_POST['del_x'])) { conf_mount_ro(); } - sync_snort_package_empty(); + sync_snort_package_config(); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -98,7 +98,7 @@ if ($_GET['act'] == 'toggle' && is_numeric($id)) { /* Log Iface stop */ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'"); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); $tester2 = Running_Ck($snort_uuid, $if_real, $id); diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 77f6cea7..b1a091e7 100644 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -284,7 +284,7 @@ if (isset($_GET['dup'])) write_config(); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); sleep(1); /* if snort.sh crashed this will remove the pid */ @@ -303,7 +303,7 @@ if (isset($_GET['dup'])) if ($_POST["Submit2"]) { - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); sleep(1); Running_Start($snort_uuid, $if_real, $id); diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 9a47bb24..57fec1f1 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -103,7 +103,7 @@ if (!$input_errors) { write_config(); /* create whitelist and homenet file then sync files */ - sync_snort_package_empty(); + sync_snort_package_config(); /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index 03ba1df8..fe3c54a5 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -184,7 +184,7 @@ if ($_POST['submit']) { write_config(); /* create whitelist and homenet file then sync files */ - sync_snort_package_empty(); + sync_snort_package_config(); header("Location: /snort/snort_interfaces_whitelist.php"); exit; diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index c5c7a4a8..7f89d433 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -113,7 +113,7 @@ if ($_POST) { write_config(); $if_real = snort_get_real_interface($pconfig['interface']); - sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package_config(); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index e0bdd882..9e3853f5 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -149,7 +149,7 @@ if ($_POST["Submit"]) { $a_nat[$id]['rulesets'] = $enabled_items; write_config(); - sync_snort_package_all($id, $if_real, $iface_uuid); + sync_snort_package_config(); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); |