diff options
| author | robiscool <robrob2626@yahoo.com> | 2009-10-28 00:13:49 -0700 |
|---|---|---|
| committer | robiscool <robrob2626@yahoo.com> | 2009-10-28 00:14:36 -0700 |
| commit | 69ad0f23207b89c04872cac32aa77ea6a56d3286 (patch) | |
| tree | e05ca8685b67e465ae36ec6227cb0309bdb72af2 /config | |
| parent | 605ba02a8940e8427f164b8e4aeb83662c409b2c (diff) | |
| download | pfsense-packages-69ad0f23207b89c04872cac32aa77ea6a56d3286.tar.gz pfsense-packages-69ad0f23207b89c04872cac32aa77ea6a56d3286.tar.bz2 pfsense-packages-69ad0f23207b89c04872cac32aa77ea6a56d3286.zip | |
snort-dev, see if snort.xml creates directories
Diffstat (limited to 'config')
| -rw-r--r-- | config/snort-dev/snort.inc | 1620 | ||||
| -rw-r--r-- | config/snort-dev/snort.xml | 102 | ||||
| -rw-r--r-- | config/snort-dev/snort_base_files.inc (renamed from config/snort-dev/snort_base_files.php) | 0 | ||||
| -rw-r--r-- | config/snort-dev/snort_interfaces.php | 158 | ||||
| -rw-r--r-- | config/snort-dev/snort_interfaces_edit.php | 466 | ||||
| -rw-r--r-- | config/snort-dev/snort_interfaces_global.php | 279 |
6 files changed, 2334 insertions, 291 deletions
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc new file mode 100644 index 00000000..575192b9 --- /dev/null +++ b/config/snort-dev/snort.inc @@ -0,0 +1,1620 @@ +<?php +/* $Id$ */ +/* + snort.inc + Copyright (C) 2006 Scott Ullrich + part of pfSense + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("pfsense-utils.inc"); + +// Needed on 2.0 because of get_vpns_list() +require_once("filter.inc"); + +/* Allow additional execution time 0 = no limit. */ +ini_set('max_execution_time', '9999'); +ini_set('max_input_time', '9999'); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +function sync_package_snort_reinstall() +{ + global $config; + if(!$config['installedpackages']['snort']) + return; + + /* create snort configuration file */ + create_snort_conf(); + + /* start snort service */ + start_service("snort"); +} +function sync_package_snort() +{ + global $config, $g; + + mwexec("mkdir -p /var/log/snort/"); + + if(!file_exists("/var/log/snort/alert")) + touch("/var/log/snort/alert"); + + /* snort -> advanced features */ + $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; + + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; + + conf_mount_rw(); + /* create a few directories and ensure the sample files are in place */ + exec("/bin/mkdir -p /usr/local/etc/snort"); + exec("/bin/mkdir -p /var/log/snort"); + exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); + exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); + exec("/bin/rm /usr/local/etc/snort/generators-sample"); + exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); + exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/sid"); + exec("/bin/rm -f /usr/local/etc/rc.d/snort"); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + //print_r($snortInterfaces); + + /* create log directory */ + $start = "/bin/mkdir -p /var/log/snort\n"; + + /* snort advanced features - bpf tuning */ + if($bpfbufsize) + $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; + if($bpfmaxbufsize) + $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; + if($bpfmaxinsns) + $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; + + /* go ahead and issue bpf changes */ + if($bpfbufsize) + mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); + if($bpfmaxbufsize) + mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); + if($bpfmaxinsns) + mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); + + /* always stop barnyard2 before starting snort -gtm */ + $start .= "/usr/bin/killall barnyard2\n"; + + /* start a snort process for each interface -gtm */ + /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ + /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ + /* TODO; get snort to start under nologin shell */ + foreach($snortInterfaces as $snortIf) + { + $start .= "sleep 4\n"; + $start .= "snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + $start .= "\nsleep 4;barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; + } + $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php\n\texit 1\n\tfi\n\n"; + $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; + $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; + $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; + $del_old_pids = "\nrm -f /var/run/snort_*\n"; + $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + if ($snort_performance == "ac-bnfa") + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; + else + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; + $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; + $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; + $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "snort.sh", + "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", + "stop" => "/usr/bin/killall snort; killall barnyard2" + ) + ); + + /* create snort configuration file */ + create_snort_conf(); + +/* create barnyard2 configuration file */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); + + /* snort will not start on install untill setting are set */ +if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { + /* start snort service */ + conf_mount_ro(); + start_service("snort"); + } +} + +/* open barnyard2.conf for writing */ +function create_barnyard2_conf() { + global $bconfig, $bg; + /* write out barnyard2_conf */ + $barnyard2_conf_text = generate_barnyard2_conf(); + $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); + exit; + } + fwrite($bconf, $barnyard2_conf_text); + fclose($bconf); +} +/* open barnyard2.conf for writing" */ +function generate_barnyard2_conf() { + + global $config, $g; + conf_mount_rw(); + +/* define snortbarnyardlog */ +/* TODO add support for the other 5 output plugins */ + +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; +$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; +$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; + +$barnyard2_conf_text = <<<EOD + +# barnyard2.conf +# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php + +# Copyright (C) 2006 Robert Zelaya +# part of pfSense +# All rights reserved. + +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: + +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. + +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. + +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + +# set the appropriate paths to the file(s) your Snort process is using +config reference-map: /usr/local/etc/snort/reference.config +config class-map: /usr/local/etc/snort/classification.config +config gen-msg-map: /usr/local/etc/snort/gen-msg.map +config sid-msg-map: /usr/local/etc/snort/sid-msg.map + +config hostname: $snortbarnyardlog_hostname_info_chk +config interface: $snortbarnyardlog_interface_info_chk + +# Step 2: setup the input plugins +input unified2 + +# database: log to a variety of databases +# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx + +$snortbarnyardlog_database_info_chk + +EOD; + + return $barnyard2_conf_text; + +} + +function create_snort_conf() { + global $config, $g; + /* write out snort.conf */ + $snort_conf_text = generate_snort_conf(); + conf_mount_rw(); + $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); + if(!$conf) { + log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); + exit; + } + fwrite($conf, $snort_conf_text); + fclose($conf); + conf_mount_ro(); +} + +function snort_deinstall() { + + global $config, $g; + + /* remove custom sysctl */ + remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); + /* decrease bpf buffers back to 4096, from 20480 */ + exec("/sbin/sysctl net.bpf.bufsize=4096"); + exec("/usr/bin/killall snort"); + sleep(5); + exec("/usr/bin/killall -9 snort"); + exec("rm -f /usr/local/etc/rc.d/snort*"); + exec("rm -rf /usr/local/etc/snort*"); + exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); + exec("/usr/bin/killall -9 snort"); + exec("/usr/bin/killall snort"); + + /* Remove snort cron entries Ugly code needs smoothness*/ + + function snort_rm_blocked_deinstall_cron($should_install) { + global $config, $g; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + + function snort_rules_up_deinstall_cron($should_install) { + global $config, $g; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + } + +snort_rm_blocked_deinstall_cron(""); +snort_rules_up_deinstall_cron(""); + + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); + unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); + write_config(); + +} + +function generate_snort_conf() { + + global $config, $g; + conf_mount_rw(); + /* obtain external interface */ + /* XXX: make multi wan friendly */ + $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; + + $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; + +/* define snortalertlogtype */ +$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; +if ($snortalertlogtype == fast) + $snortalertlogtype_type = "output alert_fast: alert"; +else + $snortalertlogtype_type = "output alert_full: alert"; + +/* define alertsystemlog */ +$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; +if ($alertsystemlog_info_chk == on) + $alertsystemlog_type = "output alert_syslog: log_alert"; + +/* define tcpdumplog */ +$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; +if ($tcpdumplog_info_chk == on) + $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; + +/* define snortbarnyardlog_chk */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; + +/* define snortunifiedlog */ +$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; +if ($snortunifiedlog_info_chk == on) + $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; + +/* define spoink */ +$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; +if ($spoink_info_chk == on) + $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; + + /* define servers and ports snortdefservers */ + +/* def DNS_SERVSERS */ +$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; +if ($def_dns_servers_info_chk == "") + $def_dns_servers_type = "\$HOME_NET"; +else + $def_dns_servers_type = "$def_dns_servers_info_chk"; + +/* def DNS_PORTS */ +$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; +if ($def_dns_ports_info_chk == "") + $def_dns_ports_type = "53"; +else + $def_dns_ports_type = "$def_dns_ports_info_chk"; + +/* def SMTP_SERVSERS */ +$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; +if ($def_smtp_servers_info_chk == "") + $def_smtp_servers_type = "\$HOME_NET"; +else + $def_smtp_servers_type = "$def_smtp_servers_info_chk"; + +/* def SMTP_PORTS */ +$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; +if ($def_smtp_ports_info_chk == "") + $def_smtp_ports_type = "25"; +else + $def_smtp_ports_type = "$def_smtp_ports_info_chk"; + +/* def MAIL_PORTS */ +$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; +if ($def_mail_ports_info_chk == "") + $def_mail_ports_type = "25,143,465,691"; +else + $def_mail_ports_type = "$def_mail_ports_info_chk"; + +/* def HTTP_SERVSERS */ +$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; +if ($def_http_servers_info_chk == "") + $def_http_servers_type = "\$HOME_NET"; +else + $def_http_servers_type = "$def_http_servers_info_chk"; + +/* def WWW_SERVSERS */ +$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; +if ($def_www_servers_info_chk == "") + $def_www_servers_type = "\$HOME_NET"; +else + $def_www_servers_type = "$def_www_servers_info_chk"; + +/* def HTTP_PORTS */ +$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; +if ($def_http_ports_info_chk == "") + $def_http_ports_type = "80"; +else + $def_http_ports_type = "$def_http_ports_info_chk"; + +/* def SQL_SERVSERS */ +$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; +if ($def_sql_servers_info_chk == "") + $def_sql_servers_type = "\$HOME_NET"; +else + $def_sql_servers_type = "$def_sql_servers_info_chk"; + +/* def ORACLE_PORTS */ +$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; +if ($def_oracle_ports_info_chk == "") + $def_oracle_ports_type = "1521"; +else + $def_oracle_ports_type = "$def_oracle_ports_info_chk"; + +/* def MSSQL_PORTS */ +$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; +if ($def_mssql_ports_info_chk == "") + $def_mssql_ports_type = "1433"; +else + $def_mssql_ports_type = "$def_mssql_ports_info_chk"; + +/* def TELNET_SERVSERS */ +$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; +if ($def_telnet_servers_info_chk == "") + $def_telnet_servers_type = "\$HOME_NET"; +else + $def_telnet_servers_type = "$def_telnet_servers_info_chk"; + +/* def TELNET_PORTS */ +$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; +if ($def_telnet_ports_info_chk == "") + $def_telnet_ports_type = "23"; +else + $def_telnet_ports_type = "$def_telnet_ports_info_chk"; + +/* def SNMP_SERVSERS */ +$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; +if ($def_snmp_servers_info_chk == "") + $def_snmp_servers_type = "\$HOME_NET"; +else + $def_snmp_servers_type = "$def_snmp_servers_info_chk"; + +/* def SNMP_PORTS */ +$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; +if ($def_snmp_ports_info_chk == "") + $def_snmp_ports_type = "161"; +else + $def_snmp_ports_type = "$def_snmp_ports_info_chk"; + +/* def FTP_SERVSERS */ +$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; +if ($def_ftp_servers_info_chk == "") + $def_ftp_servers_type = "\$HOME_NET"; +else + $def_ftp_servers_type = "$def_ftp_servers_info_chk"; + +/* def FTP_PORTS */ +$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; +if ($def_ftp_ports_info_chk == "") + $def_ftp_ports_type = "21"; +else + $def_ftp_ports_type = "$def_ftp_ports_info_chk"; + +/* def SSH_SERVSERS */ +$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; +if ($def_ssh_servers_info_chk == "") + $def_ssh_servers_type = "\$HOME_NET"; +else + $def_ssh_servers_type = "$def_ssh_servers_info_chk"; + +/* if user has defined a custom ssh port, use it */ +if($config['system']['ssh']['port']) + $ssh_port = $config['system']['ssh']['port']; +else + $ssh_port = "22"; + +/* def SSH_PORTS */ +$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; +if ($def_ssh_ports_info_chk == "") + $def_ssh_ports_type = "{$ssh_port}"; +else + $def_ssh_ports_type = "$def_ssh_ports_info_chk"; + +/* def POP_SERVSERS */ +$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; +if ($def_pop_servers_info_chk == "") + $def_pop_servers_type = "\$HOME_NET"; +else + $def_pop_servers_type = "$def_pop_servers_info_chk"; + +/* def POP2_PORTS */ +$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; +if ($def_pop2_ports_info_chk == "") + $def_pop2_ports_type = "109"; +else + $def_pop2_ports_type = "$def_pop2_ports_info_chk"; + +/* def POP3_PORTS */ +$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; +if ($def_pop3_ports_info_chk == "") + $def_pop3_ports_type = "110"; +else + $def_pop3_ports_type = "$def_pop3_ports_info_chk"; + +/* def IMAP_SERVSERS */ +$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; +if ($def_imap_servers_info_chk == "") + $def_imap_servers_type = "\$HOME_NET"; +else + $def_imap_servers_type = "$def_imap_servers_info_chk"; + +/* def IMAP_PORTS */ +$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; +if ($def_imap_ports_info_chk == "") + $def_imap_ports_type = "143"; +else + $def_imap_ports_type = "$def_imap_ports_info_chk"; + +/* def SIP_PROXY_IP */ +$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; +if ($def_sip_proxy_ip_info_chk == "") + $def_sip_proxy_ip_type = "\$HOME_NET"; +else + $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; + +/* def SIP_PROXY_PORTS */ +$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; +if ($def_sip_proxy_ports_info_chk == "") + $def_sip_proxy_ports_type = "5060:5090,16384:32768"; +else + $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; + +/* def AUTH_PORTS */ +$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; +if ($def_auth_ports_info_chk == "") + $def_auth_ports_type = "113"; +else + $def_auth_ports_type = "$def_auth_ports_info_chk"; + +/* def FINGER_PORTS */ +$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; +if ($def_finger_ports_info_chk == "") + $def_finger_ports_type = "79"; +else + $def_finger_ports_type = "$def_finger_ports_info_chk"; + +/* def IRC_PORTS */ +$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; +if ($def_irc_ports_info_chk == "") + $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; +else + $def_irc_ports_type = "$def_irc_ports_info_chk"; + +/* def NNTP_PORTS */ +$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; +if ($def_nntp_ports_info_chk == "") + $def_nntp_ports_type = "119"; +else + $def_nntp_ports_type = "$def_nntp_ports_info_chk"; + +/* def RLOGIN_PORTS */ +$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; +if ($def_rlogin_ports_info_chk == "") + $def_rlogin_ports_type = "513"; +else + $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; + +/* def RSH_PORTS */ +$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; +if ($def_rsh_ports_info_chk == "") + $def_rsh_ports_type = "514"; +else + $def_rsh_ports_type = "$def_rsh_ports_info_chk"; + +/* def SSL_PORTS */ +$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; +if ($def_ssl_ports_info_chk == "") + $def_ssl_ports_type = "25,443,465,636,993,995"; +else + $def_ssl_ports_type = "$def_ssl_ports_info_chk"; + + /* add auto update scripts to /etc/crontab */ +// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; +// $filenamea = "/etc/crontab"; +// remove_text_from_file($filenamea, $text_ww); +// add_text_to_file($filenamea, $text_ww); +// exec("killall -HUP cron"); */ + + /* should we install a automatic update crontab entry? */ + $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; + + /* if user is on pppoe, we really want to use ng0 interface */ + if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") + $snort_ext_int = "ng0"; + + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; + + /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "never_b") + $snort_rm_blocked_false = ""; + else + $snort_rm_blocked_false = "true"; + +if ($snort_rm_blocked_info_ck != "") { +function snort_rm_blocked_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } + } + snort_rm_blocked_install_cron(""); + snort_rm_blocked_install_cron($snort_rm_blocked_false); +} + + /* set the snort rules update time */ + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = ""; + else + $snort_rules_up_false = "true"; + +if ($snort_rules_up_info_ck != "") { +function snort_rules_up_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } + } + snort_rules_up_install_cron(""); + snort_rules_up_install_cron($snort_rules_up_false); +} + + /* open snort2c's whitelist for writing */ + $whitelist = fopen("/var/db/whitelist", "w"); + if(!$whitelist) { + log_error("Could not open /var/db/whitelist for writing."); + return; + } + + /* build an interface array list */ + $int_array = array('lan'); + for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) + if(isset($config['interfaces']['opt' . $j]['enable'])) + if(!$config['interfaces']['opt' . $j]['gateway']) + $int_array[] = "opt{$j}"; + + /* iterate through interface list and write out whitelist items + * and also compile a home_net list for snort. + */ + foreach($int_array as $int) { + /* calculate interface subnet information */ + $ifcfg = &$config['interfaces'][$int]; + $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); + $subnetmask = gen_subnet_mask($ifcfg['subnet']); + if($subnet == "pppoe" or $subnet == "dhcp") { + $subnet = find_interface_ip("ng0"); + if($subnet) + $home_net .= "{$subnet} "; + } else { + if ($subnet) + if($ifcfg['subnet']) + $home_net .= "{$subnet}/{$ifcfg['subnet']} "; + } + } + + /* add all WAN ips to the whitelist */ + $wan_if = get_real_wan_interface(); + $ip = find_interface_ip($wan_if); + if($ip) + $home_net .= "{$ip} "; + + /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ + $int = convert_friendly_interface_to_real_interface_name("WAN"); + $gw = get_interface_gateway($int); + if($gw) + $home_net .= "{$gw} "; + + /* Add DNS server for WAN interface to whitelist */ + $dns_servers = get_dns_servers(); + foreach($dns_servers as $dns) { + if($dns) + $home_net .= "{$dns} "; + } + + /* Add loopback to whitelist (ftphelper) */ + $home_net .= "127.0.0.1 "; + + /* iterate all vips and add to whitelist */ + if($config['virtualip']) + foreach($config['virtualip']['vip'] as $vip) + if($vip['subnet']) + $home_net .= $vip['subnet'] . " "; + + if($config['installedpackages']['snortwhitelist']) + foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) + if($snort['ip']) + $home_net .= $snort['ip'] . " "; + + /* write out whitelist, convert spaces to carriage returns */ + $whitelist_home_net = str_replace(" ", " ", $home_net); + $whitelist_home_net = str_replace(" ", "\n", $home_net); + + /* make $home_net presentable to snort */ + $home_net = trim($home_net); + $home_net = str_replace(" ", ",", $home_net); + $home_net = "[{$home_net}]"; + + /* foreach through whitelist, writing out to file */ + $whitelist_split = split("\n", $whitelist_home_net); + foreach($whitelist_split as $wl) + if(trim($wl)) + fwrite($whitelist, trim($wl) . "\n"); + + /* should we whitelist vpns? */ + $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; + + /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ + if($whitelistvpns) { + $vpns_list = get_vpns_list(); + $whitelist_vpns = split(" ", $vpns_list); + foreach($whitelist_vpns as $wl) + if(trim($wl)) + fwrite($whitelist, trim($wl) . "\n"); + } + + /* close file */ + fclose($whitelist); + + /* open snort's threshold.conf for writing */ + $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); + if(!$threshlist) { + log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); + return; + } + + /* list all entries to new lines */ + if($config['installedpackages']['snortthreshold']) + foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) + if($snortthreshlist['threshrule']) + $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; + + + /* foreach through threshlist, writing out to file */ + $threshlist_split = split("\n", $snortthreshlist_r); + foreach($threshlist_split as $wl) + if(trim($wl)) + fwrite($threshlist, trim($wl) . "\n"); + + /* close snort's threshold.conf file */ + fclose($threshlist); + + /* generate rule sections to load */ + $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; + if($enabled_rulesets) { + $selected_rules_sections = ""; + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + foreach($enabled_rulesets_array as $enabled_item) + $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; + } + + conf_mount_ro(); + + /* build snort configuration file */ + /* TODO; feed back from pfsense users to reduce false positives */ + $snort_conf_text = <<<EOD + +# snort configuration file +# generated by the pfSense +# package manager system +# see /usr/local/pkg/snort.inc +# for more information +# snort.conf +# Snort can be found at http://www.snort.org/ + +# Copyright (C) 2006 Robert Zelaya +# part of pfSense +# All rights reserved. + +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: + +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. + +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. + +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. + +######################### + # +# Define Local Network # + # +######################### + +var HOME_NET {$home_net} +var EXTERNAL_NET !\$HOME_NET + +################### + # +# Define Servers # + # +################### + +var DNS_SERVERS [{$def_dns_servers_type}] +var SMTP_SERVERS [{$def_smtp_servers_type}] +var HTTP_SERVERS [{$def_http_servers_type}] +var SQL_SERVERS [{$def_sql_servers_type}] +var TELNET_SERVERS [{$def_telnet_servers_type}] +var SNMP_SERVERS [{$def_snmp_servers_type}] +var FTP_SERVERS [{$def_ftp_servers_type}] +var SSH_SERVERS [{$def_ssh_servers_type}] +var POP_SERVERS [{$def_pop_servers_type}] +var IMAP_SERVERS [{$def_imap_servers_type}] +var RPC_SERVERS \$HOME_NET +var WWW_SERVERS [{$def_www_servers_type}] +var SIP_PROXY_IP [{$def_sip_proxy_ip_type}] +var AIM_SERVERS \ +[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] + +######################## + # +# Define Server Ports # + # +######################## + +portvar HTTP_PORTS [{$def_http_ports_type}] +portvar SHELLCODE_PORTS !80 +portvar ORACLE_PORTS [{$def_oracle_ports_type}] +portvar AUTH_PORTS [{$def_auth_ports_type}] +portvar DNS_PORTS [{$def_dns_ports_type}] +portvar FINGER_PORTS [{$def_finger_ports_type}] +portvar FTP_PORTS [{$def_ftp_ports_type}] +portvar IMAP_PORTS [{$def_imap_ports_type}] +portvar IRC_PORTS [{$def_irc_ports_type}] +portvar MSSQL_PORTS [{$def_mssql_ports_type}] +portvar NNTP_PORTS [{$def_nntp_ports_type}] +portvar POP2_PORTS [{$def_pop2_ports_type}] +portvar POP3_PORTS [{$def_pop3_ports_type}] +portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779] +portvar RLOGIN_PORTS [{$def_rlogin_ports_type}] +portvar RSH_PORTS [{$def_rsh_ports_type}] +portvar SMB_PORTS [139,445] +portvar SMTP_PORTS [{$def_smtp_ports_type}] +portvar SNMP_PORTS [{$def_snmp_ports_type}] +portvar SSH_PORTS [{$def_ssh_ports_type}] +portvar TELNET_PORTS [{$def_telnet_ports_type}] +portvar MAIL_PORTS [{$def_mail_ports_type}] +portvar SSL_PORTS [{$def_ssl_ports_type}] +portvar SIP_PROXY_PORTS [{$def_sip_proxy_ports_type}] + +# DCERPC NCACN-IP-TCP +portvar DCERPC_NCACN_IP_TCP [139,445] +portvar DCERPC_NCADG_IP_UDP [138,1024:] +portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:] +portvar DCERPC_NCACN_UDP_LONG [135,1024:] +portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:] +portvar DCERPC_NCACN_TCP [2103,2105,2107] +portvar DCERPC_BRIGHTSTORE [6503,6504] + +##################### + # +# Define Rule Paths # + # +##################### + +var RULE_PATH /usr/local/etc/snort/rules +# var PREPROC_RULE_PATH ./preproc_rules + +################################ + # +# Configure the snort decoder # + # +################################ + +config checksum_mode: all +config disable_decode_alerts +config disable_tcpopt_experimental_alerts +config disable_tcpopt_obsolete_alerts +config disable_ttcp_alerts +config disable_tcpopt_alerts +config disable_ipopt_alerts +config disable_decode_drops + +################################### + # +# Configure the detection engine # +# Use lower memory models # + # +################################### + +config detection: search-method {$snort_performance} +config detection: max_queue_events 5 +config event_queue: max_queue 8 log 3 order_events content_length + +#Configure dynamic loaded libraries +dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/ +dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so +dynamicdetection directory /usr/local/lib/snort/dynamicrules/ + +################### + # +# Flow and stream # + # +################### + +preprocessor frag3_global: max_frags 8192 +preprocessor frag3_engine: policy windows +preprocessor frag3_engine: policy linux +preprocessor frag3_engine: policy first +preprocessor frag3_engine: policy bsd detect_anomalies + +preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ +track_udp yes, track_icmp yes +preprocessor stream5_tcp: bind_to any, policy windows +preprocessor stream5_tcp: bind_to any, policy linux +preprocessor stream5_tcp: bind_to any, policy vista +preprocessor stream5_tcp: bind_to any, policy macos +preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes +preprocessor stream5_udp +preprocessor stream5_icmp + +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000 + +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + no_alerts \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth 0 \ + apache_whitespace yes \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii yes \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode yes \ + iis_delimiter yes \ + multi_slash no + +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +##################### + # +# ftp preprocessor # + # +##################### + +preprocessor ftp_telnet: global \ +inspection_type stateless + +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 + +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +############################ + # +# OLD # +# preprocessor dcerpc: \ # +# autodetect \ # +# max_frag_size 3000 \ # +# memcap 100000 # + # +############################ + +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +############################## + # +# NEW # +# Ignore SSL and Encryption # + # +############################## + +preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted + +##################### + # +# Snort Output Logs # + # +##################### + +$snortalertlogtype_type +$alertsystemlog_type +$tcpdumplog_type +$snortmysqllog_info_chk +$snortunifiedlog_type +$spoink_type + +################# + # +# Misc Includes # + # +################# + +include /usr/local/etc/snort/reference.config +include /usr/local/etc/snort/classification.config +include /usr/local/etc/snort/threshold.conf + +# Snort user pass through configuration +{$snort_config_pass_thru} + +################### + # +# Rules Selection # + # +################### + +{$selected_rules_sections} + +EOD; + + return $snort_conf_text; +} + +/* check downloaded text from snort.org to make sure that an error did not occur + * for example, if you are not a premium subscriber you can only download rules + * so often, etc. + */ +function check_for_common_errors($filename) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + $contents = file_get_contents($filename); + if(stristr($contents, "You don't have permission")) { + if(!$console_mode) { + update_all_status("An error occured while downloading {$filename}."); + hide_progress_bar_status(); + } else { + log_error("An error occured. Scroll down to inspect it's contents."); + echo "An error occured. Scroll down to inspect it's contents."; + } + if(!$console_mode) { + update_output_window(strip_tags("$contents")); + } else { + $contents = strip_tags($contents); + log_error("Error downloading snort rules: {$contents}"); + echo "Error downloading snort rules: {$contents}"; + } + scroll_down_to_bottom_of_page(); + exit; + } +} + +/* force browser to scroll all the way down */ +function scroll_down_to_bottom_of_page() { + global $snort_filename, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>"; +} + +/* ensure downloaded file looks sane */ +function verify_downloaded_file($filename) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(filesize($filename)<9500) { + if(!$console_mode) { + update_all_status("Checking {$filename}..."); + check_for_common_errors($filename); + } + } + update_all_status("Verifying {$filename}..."); + if(!file_exists($filename)) { + if(!$console_mode) { + update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); + hide_progress_bar_status(); + } else { + log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); + echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; + } + exit; + } + update_all_status("Verifyied {$filename}."); +} + +/* extract rules */ +function extract_snort_rules_md5($tmpfname) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + $static_output = gettext("Extracting snort rules..."); + update_all_status($static_output); + } + if(!is_dir("/usr/local/etc/snort/rules/")) + mkdir("/usr/local/etc/snort/rules/"); + $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; + $handle = popen("{$cmd} 2>&1", 'r'); + while(!feof($handle)) { + $buffer = fgets($handle); + update_output_window($buffer); + } + pclose($handle); + + if(!$console_mode) { + $static_output = gettext("Snort rules extracted."); + update_all_status($static_output); + } else { + log_error("Snort rules extracted."); + echo "Snort rules extracted."; + } +} + +/* verify MD5 against downloaded item */ +function verify_snort_rules_md5($tmpfname) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + $static_output = gettext("Verifying md5 signature..."); + update_all_status($static_output); + } + + $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; + $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; + if($md5 == $file_md5_ondisk) { + if(!$console_mode) { + $static_output = gettext("snort rules: md5 signature of rules mismatch."); + update_all_status($static_output); + hide_progress_bar_status(); + } else { + log_error("snort rules: md5 signature of rules mismatch."); + echo "snort rules: md5 signature of rules mismatch."; + } + exit; + } +} + +/* hide progress bar */ +function hide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; +} + +/* unhide progress bar */ +function unhide_progress_bar_status() { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) + echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>"; +} + +/* update both top and bottom text box during an operation */ +function update_all_status($status) { + global $snort_filename, $snort_filename_md5, $console_mode; + ob_flush(); + if(!$console_mode) { + update_status($status); + update_output_window($status); + } +} + +/* obtain alert description for an ip address */ +function get_snort_alert($ip) { + global $snort_alert_file_split, $snort_config; + if(!file_exists("/var/log/snort/alert")) + return; + if(!$snort_config) + $snort_config = read_snort_config_cache(); + if($snort_config[$ip]) + return $snort_config[$ip]; + if(!$snort_alert_file_split) + $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); + foreach($snort_alert_file_split as $fileline) { + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + $alert_title = $matches[2]; + if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) + $alert_ip = $matches[0]; + if($alert_ip == $ip) { + if(!$snort_config[$ip]) + $snort_config[$ip] = $alert_title; + return $alert_title; + } + } + return "n/a"; +} + +function make_clickable($buffer) { + global $config, $g; + /* if clickable urls is disabled, simply return buffer back to caller */ + $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + if(!$clickablalerteurls) + return $buffer; + $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); + $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $buffer); + $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"ftp://\\2\" target=\"_blank\">\\2</a>", $buffer); + + return $buffer; +} + +function read_snort_config_cache() { + global $g, $config, $snort_config; + if($snort_config) + return $snort_config; + if(file_exists($g['tmp_path'] . '/snort_config.cache')) { + $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); + return $snort_config; + } + return; +} + +function write_snort_config_cache($snort_config) { + global $g, $config; + conf_mount_rw(); + $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); + if(!$configcache) { + log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); + return false; + } + fwrite($configcache, serialize($snort_config)); + fclose($configcache); + conf_mount_ro(); + return true; +} + +function snort_advanced() { + global $g, $config; + sync_package_snort(); +} + +function snort_define_servers() { + global $g, $config; + sync_package_snort(); +} + +?> diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml new file mode 100644 index 00000000..e96ccdf7 --- /dev/null +++ b/config/snort-dev/snort.xml @@ -0,0 +1,102 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfsense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>Snort</name> + <version>2.8.4.1_5</version> + <title>Services: Snort 2.8.4.1_5 pkg v. 1.7 alpha</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <menu> + <name>Snort</name> + <tooltiptext>Setup snort specific settings</tooltiptext> + <section>Services</section> + <url>/snort/snort_interfaces.php</url> + </menu> + <service> + <name>snort</name> + <rcfile>snort.sh</rcfile> + <executable>snort</executable> + <description>Snort is the most widely deployed IDS/IPS technology worldwide..</description> + </service> + <tabs> + </tabs> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-dev/snort_base_files.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-dev/snort.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces_global.php</item> + </additional_files_needed> + <fields> + </fields> + <custom_php_resync_config_command> + </custom_php_resync_config_command> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_install_command> + </custom_php_install_command> + <custom_php_deinstall_command> + snort_deinstall(); + </custom_php_deinstall_command> +</packagegui>
\ No newline at end of file diff --git a/config/snort-dev/snort_base_files.php b/config/snort-dev/snort_base_files.inc index 1bc9cea0..1bc9cea0 100644 --- a/config/snort-dev/snort_base_files.php +++ b/config/snort-dev/snort_base_files.inc diff --git a/config/snort-dev/snort_interfaces.php b/config/snort-dev/snort_interfaces.php index 065ec0dc..773b6f9a 100644 --- a/config/snort-dev/snort_interfaces.php +++ b/config/snort-dev/snort_interfaces.php @@ -3,7 +3,6 @@ /*
snort_interfaces.php
Copyright (C) 2004 Scott Ullrich
- Copyright (C) 2004 Robert Zelaya
All rights reserved.
originally part of m0n0wall (http://m0n0.ch/wall)
@@ -33,11 +32,12 @@ */
require("guiconfig.inc");
+require("/usr/local/pkg/snort_misc.inc");
-if (!is_array($config['installedpackages']['snortglobal']))
- $config['installedpackages']['snortglobal'] = array();
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
-$a_nat = &$config['installedpackages']['snortglobal'];
+$a_nat = &$config['installedpackages']['snortglobal']['rule'];
/* if a custom message has been passed along, lets process it */
if ($_GET['savemsg'])
@@ -85,7 +85,7 @@ if (isset($_POST['del_x'])) { }
write_config();
touch($d_natconfdirty_path);
- header("Services: snort_interfaces.php");
+ header("Location: snort_interfaces.php");
exit;
}
@@ -128,38 +128,54 @@ if (isset($_POST['del_x'])) { $a_nat = $a_nat_new;
write_config();
touch($d_natconfdirty_path);
- header("Services: snort_interfaces.php");
+ header("Location: snort_interfaces.php");
exit;
}
}
-$pgtitle = "Services: Snort 2.8.4.1_5 pkg v. 1.7";
+$pgtitle = "Services: Snort Interfaces";
include("head.inc");
?>
<body link="#000000" vlink="#000000" alink="#000000">
<?php include("fbegin.inc"); ?>
<p class="pgtitle"><?=$pgtitle?></font></p>
+<style type="text/css">
+.alert {
+ position:absolute;
+ top:10px;
+ left:0px;
+ width:94%;
+background:#FCE9C0;
+background-position: 15px;
+border-top:2px solid #DBAC48;
+border-bottom:2px solid #DBAC48;
+padding: 15px 10px 50% 50px;
+}
+</style>
+<noscript><div class="alert" ALIGN=CENTER><img src="/themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript>
+
<form action="snort_interfaces.php" method="post" name="iform">
<script type="text/javascript" language="javascript" src="row_toggle.js">
</script>
<?php if (file_exists($d_natconfdirty_path)): ?><p>
<?php
if($savemsg)
- print_info_box_np("{$savemsg}<br>The NAT configuration has been changed.<br>You must apply the changes in order for them to take effect.");
+ print_info_box_np2("{$savemsg}<br>The Snort configuration has been changed.<br>You must apply the changes in order for them to take effect.");
else
- print_info_box_np("The NAT configuration has been changed.<br>You must apply the changes in order for them to take effect.");
+ print_info_box_np2("The Snort configuration has been changed.<br>You must apply the changes in order for them to take effect.");
?>
<?php endif; ?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
- $tab_array = array();
- $tab_array[] = array("Interfaces", true, "snort_interfaces.php");
- $tab_array[] = array("Global Settings", false, "snort_interfaces.php");
- $tab_array[] = array("Rules Update", false, "firewall_nat_1to1.php");
+ $tab_array = array();
+ $tab_array[] = array("Snort Interfaces", true, "snort_interfaces.php");
+ $tab_array[] = array("Global Settings", false, "snort_interfaces_global.php");
+ $tab_array[] = array("Rule Updates", false, "firewall_nat_1to1.php");
$tab_array[] = array("Alerts", false, "firewall_nat_out.php");
$tab_array[] = array("Blocked", false, "firewall_nat_out.php");
+ $tab_array[] = array("Whitelists", false, "firewall_nat_out.php");
$tab_array[] = array("Help & Info", false, "firewall_nat_out.php");
display_top_tabs($tab_array);
?>
@@ -170,19 +186,18 @@ include("head.inc"); <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr id="frheader">
<td width="3%" class="list"> </td>
- <td width="3%" class="list"> </td>
- <td width="5%" class="listhdrr">If</td>
- <td width="5%" class="listhdrr">Inline</td>
- <td width="5%" class="listhdrr">Inline port</td>
- <td width="15%" class="listhdrr">Inline port range</td>
- <td width="5%" class="listhdrr">Block Hosts</td>
- <td width="5%" class="listhdrr">Barnyard2</td>
- <td width="15%" class="listhdr">Description</td>
- <td width="5%" class="list">
+ <td width="1%" class="list"> </td>
+ <td width="10%" class="listhdrr">If</td>
+ <td width="10%" class="listhdrr">Snort</td>
+ <td width="10%" class="listhdrr">Snort</td>
+ <td width="10%" class="listhdrr">Block Hosts</td>
+ <td width="10%" class="listhdrr">Barnyard2</td>
+ <td width="50%" class="listhdr">Description</td>
+ <td width="3%" class="list">
<table border="0" cellspacing="0" cellpadding="1">
<tr>
<td width="17"></td>
- <td><a href="/snort_interfaces_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td>
+ <td><a href="snort_interfaces_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td>
</tr>
</table>
</td>
@@ -206,43 +221,52 @@ include("head.inc"); ?>
</td>
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';">
- <?=strtoupper($natent['protocol']);?>
- </td>
- <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';">
- <?php
- list($beginport, $endport) = split("-", $natent['external-port']);
- if ((!$endport) || ($beginport == $endport)) {
- echo $beginport;
- if ($wkports[$beginport])
- echo " (" . $wkports[$beginport] . ")";
- else
- echo " ";
- } else
- echo $beginport . " - " . $endport;
+ <?php
+ $check_blockoffenders_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['blockoffenders7'];
+ if ($check_blockoffenders_info == "on")
+ {
+ $check_blockoffenders = enabled;
+ } else {
+ $check_blockoffenders = disabled;
+ }
?>
+ <?=strtoupper($check_blockoffenders);?>
</td>
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';">
- <?=$natent['target'];?>
- <?php if ($natent['external-address'])
- echo "<br>(ext.: " . $natent['external-address'] . ")";
- else
- echo "<br>(ext.: " . find_interface_ip(convert_friendly_interface_to_real_interface_name($natent['interface'])) . ")";
- ?>
+ <?php
+ $check_blockoffenders_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['blockoffenders7'];
+ if ($check_blockoffenders_info == "on")
+ {
+ $check_blockoffenders = enabled;
+ } else {
+ $check_blockoffenders = disabled;
+ }
+ ?>
+ <?=strtoupper($check_blockoffenders);?>
</td>
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';">
- <?php if ((!$endport) || ($beginport == $endport)) {
- echo $natent['local-port'];
- if ($wkports[$natent['local-port']])
- echo " (" . $wkports[$natent['local-port']] . ")";
- else
- echo " ";
- } else
- echo $natent['local-port'] . " - " .
- ($natent['local-port']+$endport-$beginport);
+ <?php
+ $check_blockoffenders_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['blockoffenders7'];
+ if ($check_blockoffenders_info == "on")
+ {
+ $check_blockoffenders = enabled;
+ } else {
+ $check_blockoffenders = disabled;
+ }
?>
+ <?=strtoupper($check_blockoffenders);?>
</td>
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';">
- <?=strtoupper($natent['protocol']);?>
+ <?php
+ $check_snortbarnyardlog_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['snortbarnyardlog'];
+ if ($check_snortbarnyardlog_info == "on")
+ {
+ $check_snortbarnyardlog = enabled;
+ } else {
+ $check_snortbarnyardlog = disabled;
+ }
+ ?>
+ <?=strtoupper($check_snortbarnyardlog);?>
</td>
<td class="listbg" onClick="fr_toggle(<?=$nnats;?>)" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';">
<font color="#ffffff">
@@ -253,10 +277,6 @@ include("head.inc"); <tr>
<td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="edit rule"></a></td>
</tr>
- <tr>
- <td><input onmouseover="fr_insline(<?=$nnats;?>, true)" onmouseout="fr_insline(<?=$nnats;?>, false)" name="move_<?=$i;?>" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" title="move selected rules before this rule" height="17" type="image" width="17" border="0"></td>
- <td><a href="snort_interfaces_edit.php?dup=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="add a new nat based on this one" width="17" height="17" border="0"></a></td>
- </tr>
</table>
</tr>
<?php $i++; $nnats++; endforeach; ?>
@@ -265,25 +285,31 @@ include("head.inc"); <td class="list" valign="middle" nowrap>
<table border="0" cellspacing="0" cellpadding="1">
<tr>
- <td><?php if ($nnats == 0): ?><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_left_d.gif" width="17" height="17" title="move selected mappings to end" border="0"><?php else: ?><input name="move_<?=$i;?>" type="image" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" width="17" height="17" title="move selected mappings to end" border="0"><?php endif; ?></td>
- <td><a href="snort_interfaces_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td>
+ <td><?php if ($nnats == 0): ?><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="delete selected rules" border="0"><?php else: ?><input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="delete selected mappings" onclick="return confirm('Do you really want to delete the selected Snort Rule?')"><?php endif; ?></td>
</tr>
- <tr>
- <td><?php if ($nnats == 0): ?><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="delete selected rules" border="0"><?php else: ?><input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="delete selected mappings" onclick="return confirm('Do you really want to delete the selected mappings?')"><?php endif; ?></td>
- </tr>
</table>
- </td>
+ </td>
</tr>
</table>
</div>
</td>
</tr>
</table>
- <td class="tabcont" colspan="3">
- <p><span class="vexpl"><span class="red"><strong>Note:<br></strong></span>Snort Inline mode is disabled and in private testing. Snort Inline release target is pfSense 2.0.</span></p>
- </td>
-
+<br>
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <td width="100%"><span class="vexpl"><span class="red"><strong>Note:</strong></span>
+ <br>
+ This is the <strong>Snort Interfaces Menu</strong> where you can see an over view of all your interface settings.
+ <br>
+ Please edit the <strong>Global Settings </strong> tab befor adding an interface.
+ <br><br>
+ Click on the <strong>Plus Icon</strong> to add a interface.
+ <br>
+ Click on the <strong>Edit Icon</strong> to edit interface settings.
+</td>
+ </table>
+
<?php
if ($pkg['tabs'] <> "") {
echo "</td></tr></table>";
diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort-dev/snort_interfaces_edit.php index 4ee9203e..49f40638 100644 --- a/config/snort-dev/snort_interfaces_edit.php +++ b/config/snort-dev/snort_interfaces_edit.php @@ -1,11 +1,11 @@ <?php /* $Id$ */ /* - firewall_nat_edit.php + snort_interfaces.php part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. - Copyright (C) 2003-2004 Robert Zelaya + Copyright (C) 2008-2009 Robert Zelaya. All rights reserved. Redistribution and use in source and binary forms, with or without @@ -48,14 +48,17 @@ if (isset($_GET['dup'])) { } if (isset($id) && $a_nat[$id]) { - $pconfig['proto'] = $a_nat[$id]['protocol']; - list($pconfig['beginport'],$pconfig['endport']) = explode("-", $a_nat[$id]['external-port']); - $pconfig['localip'] = $a_nat[$id]['target']; - $pconfig['localbeginport'] = $a_nat[$id]['local-port']; - $pconfig['descr'] = $a_nat[$id]['descr']; + + $pconfig['enable'] = $a_nat[$id]['enable']; $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['block'] = isset($a_nat[$id]['block']); - $pconfig['inline'] = isset($a_nat[$id]['inline']); + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['performance'] = $a_nat[$id]['performance']; + $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; + $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; + $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + if (!$pconfig['interface']) $pconfig['interface'] = "wan"; } else { @@ -67,65 +70,49 @@ if (isset($_GET['dup'])) if ($_POST) { - if ($_POST['beginport_cust'] && !$_POST['beginport']) - $_POST['beginport'] = $_POST['beginport_cust']; - if ($_POST['endport_cust'] && !$_POST['endport']) - $_POST['endport'] = $_POST['endport_cust']; - if ($_POST['localbeginport_cust'] && !$_POST['localbeginport']) - $_POST['localbeginport'] = $_POST['localbeginport_cust']; - - if (!$_POST['endport']) - $_POST['endport'] = $_POST['beginport']; - /* Make beginning port end port if not defined and endport is */ - if (!$_POST['beginport'] && $_POST['endport']) - $_POST['beginport'] = $_POST['endport']; - - unset($input_errors); - $pconfig = $_POST; - /* input validation */ - if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { - $reqdfields = explode(" ", "interface proto beginport endport localip localbeginport"); - $reqdfieldsn = explode(",", "Interface,Protocol,External port from,External port to,NAT IP,Local port"); - } else { - $reqdfields = explode(" ", "interface proto localip"); - $reqdfieldsn = explode(",", "Interface,Protocol,NAT IP"); - } +// if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { +// $reqdfields = explode(" ", "interface proto beginport endport localip localbeginport"); +// $reqdfieldsn = explode(",", "Interface,Protocol,External port from,External port to,NAT IP,Local port"); +// } else { +// $reqdfields = explode(" ", "interface proto localip"); +// $reqdfieldsn = explode(",", "Interface,Protocol,NAT IP"); +// } - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); +// do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); // if (($_POST['localip'] && !is_ipaddroralias($_POST['localip']))) { -// $input_errors[] = "\"{$_POST['localip']}\" is not valid subnet address."; +// $input_errors[] = "\"{$_POST['localip']}\" is not valid NAT IP address or host alias."; // } /* only validate the ports if the protocol is TCP, UDP or TCP/UDP */ - if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { +// if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { - if (($_POST['beginport'] && !is_ipaddroralias($_POST['beginport']) && !is_port($_POST['beginport']))) { - $input_errors[] = "The start port must be an integer between 1 and 65535."; - } +// if (($_POST['beginport'] && !is_ipaddroralias($_POST['beginport']) && !is_port($_POST['beginport']))) { +// $input_errors[] = "The start port must be an integer between 1 and 65535."; +// } - if (($_POST['endport'] && !is_ipaddroralias($_POST['endport']) && !is_port($_POST['endport']))) { - $input_errors[] = "The end port must be an integer between 1 and 65535."; - } +// if (($_POST['endport'] && !is_ipaddroralias($_POST['endport']) && !is_port($_POST['endport']))) { +// $input_errors[] = "The end port must be an integer between 1 and 65535."; +// } - if (($_POST['localbeginport'] && !is_ipaddroralias($_POST['localbeginport']) && !is_port($_POST['localbeginport']))) { - $input_errors[] = "The local port must be an integer between 1 and 65535."; - } +// if (($_POST['localbeginport'] && !is_ipaddroralias($_POST['localbeginport']) && !is_port($_POST['localbeginport']))) { +// $input_errors[] = "The local port must be an integer between 1 and 65535."; +// } - if ($_POST['beginport'] > $_POST['endport']) { +// if ($_POST['beginport'] > $_POST['endport']) { /* swap */ - $tmp = $_POST['endport']; - $_POST['endport'] = $_POST['beginport']; - $_POST['beginport'] = $tmp; - } +// $tmp = $_POST['endport']; +// $_POST['endport'] = $_POST['beginport']; +// $_POST['beginport'] = $tmp; +// } - if (!$input_errors) { - if (($_POST['endport'] - $_POST['beginport'] + $_POST['localbeginport']) > 65535) - $input_errors[] = "The target port range must be an integer between 1 and 65535."; - } +// if (!$input_errors) { +// if (($_POST['endport'] - $_POST['beginport'] + $_POST['localbeginport']) > 65535) +// $input_errors[] = "The target port range must be an integer between 1 and 65535."; +// } - } +// } /* check for overlaps */ foreach ($a_nat as $natent) { @@ -133,48 +120,21 @@ if ($_POST) { continue; if ($natent['interface'] != $_POST['interface']) continue; - if ($natent['external-address'] != $_POST['extaddr']) - continue; - if (($natent['proto'] != $_POST['proto']) && ($natent['proto'] != "tcp/udp") && ($_POST['proto'] != "tcp/udp")) - continue; - - list($begp,$endp) = explode("-", $natent['external-port']); - if (!$endp) - $endp = $begp; - - if (!( (($_POST['beginport'] < $begp) && ($_POST['endport'] < $begp)) - || (($_POST['beginport'] > $endp) && ($_POST['endport'] > $endp)))) { - - $input_errors[] = "The external port range overlaps with an existing entry."; - break; - } } +/* if no errors write to conf */ if (!$input_errors) { $natent = array(); - if ($_POST['extaddr']) - $natent['external-address'] = $_POST['extaddr']; - $natent['protocol'] = $_POST['proto']; - - if ($_POST['beginport'] == $_POST['endport']) - $natent['external-port'] = $_POST['beginport']; - else - $natent['external-port'] = $_POST['beginport'] . "-" . $_POST['endport']; - - $natent['target'] = $_POST['localip']; - $natent['local-port'] = $_POST['localbeginport']; - $natent['interface'] = $_POST['interface']; + $natent['enable'] = $_POST['enable'] ? on : off; + /* if option is diabled add a default answer */ + $natent['interface'] = $_POST['interface'] ? $_POST['interface'] : $pconfig['interface']; $natent['descr'] = $_POST['descr']; - - if($_POST['block'] == "yes") - $natent['block'] = true; - else - unset($natent['block']); - - if($_POST['inline'] == "yes") - $natent['inline'] = true; - else - unset($natent['inline']); + $natent['performance'] = $_POST['performance']; + $natent['blockoffenders7'] = $_POST['blockoffenders7'] ? on : off; + $natent['snortalertlogtype'] = $_POST['snortalertlogtype']; + $natent['alertsystemlog'] = $_POST['alertsystemlog'] ? on : off; + $natent['tcpdumplog'] = $_POST['tcpdumplog'] ? on : off; + $natent['flow_depth'] = $_POST['flow_depth']; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -183,7 +143,9 @@ if ($_POST) { array_splice($a_nat, $after+1, 0, array($natent)); else $a_nat[] = $natent; - } + } + + touch($d_natconfdirty_path); write_config(); @@ -192,21 +154,66 @@ if ($_POST) { } } -$pgtitle = "Services: Snort Interfaces"; +$pgtitle = "Services: Snort Interfaces Edit"; include("head.inc"); ?> - <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php +include("fbegin.inc"); +?> +<style type="text/css"> +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} +</style> +<noscript><div class="alert" ALIGN=CENTER><img src="/themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> +<script language="JavaScript"> +<!-- + +function enable_change(enable_change) { + endis = !(document.iform.enable.checked || enable_change); + // make shure a default answer is called if this is envoked. + endis2 = (document.iform.enable); + <?php -include("fbegin.inc"); ?> +/* make shure all the settings exist or function hide will not work */ +/* if $id is emty allow if and discr to be open */ +if($id != "") +{ +echo " + document.iform.interface.disabled = endis2; + document.iform.descr.disabled = endis;\n"; +} +?> + document.iform.flow_depth.disabled = endis; + document.iform.performance.disabled = endis; + document.iform.blockoffenders7.disabled = endis; + document.iform.snortalertlogtype.disabled = endis; + document.iform.alertsystemlog.disabled = endis; + document.iform.tcpdumplog.disabled = endis; +} +//--> +</script> <p class="pgtitle"><?=$pgtitle?></p> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php if ($input_errors) print_input_errors($input_errors); ?> - <form action="snort_interfaces_edit.php" method="post" name="iform" id="iform"> - <tr><td> +<?php if ($savemsg) print_info_box($savemsg); ?> +<form action="snort_interfaces_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> <?php - if($id != "") { - +if($id != "") +{ + /* get the interface name */ $first = 0; $snortInterfaces = array(); /* -gtm */ @@ -234,28 +241,75 @@ include("fbegin.inc"); ?> return; } } + + /* do for the selected interface */ foreach($snortInterfaces as $snortIf) - - $tab_array = array(); - $tab_array[] = array("Interfaces", false, "snort_interfaces.php"); - $tab_array[] = array("Settings", false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_{$snortIf}.xml&id=0"); - $tab_array[] = array("Categories", false, "snort/snort_{$snortIf}/snort_rulesets_{$snortIf}.php"); - $tab_array[] = array("Rules", false, "snort/snort_{$snortIf}/snort_rules_{$snortIf}.php"); - $tab_array[] = array("Servers", false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_define_servers_{$snortIf}.xml&id=0"); - $tab_array[] = array("Threshold", false, "/pkg.php?xml=snort/snort_{$snortIf}/snort_threshold_{$snortIf}.xml"); - $tab_array[] = array("Barnyard2", false, "/pkg_edit.php?xml=snort/snort_{$snortIf}/snort_barnyard2_{$snortIf}.xml&id=0"); - display_top_tabs($tab_array); - - } + { + + /* if base directories dont exist create them */ + if(!file_exists("/usr/local/pkg/snort/snort_{$snortIf}_{$id}/")) + { + exec("/bin/mkdir -p /usr/local/pkg/snort/snort_{$snortIf}_{$id}/"); + if(!file_exists("/usr/local/www/snort/snort_{$snortIf}_{$id}/")) + exec("/bin/mkdir -p /usr/local/www/snort/snort_{$snortIf}_{$id}/"); + } + + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort_interfaces.php"); + $tab_array[] = array("If Settings", true, "/snort_interfaces_edit.php"); + $tab_array[] = array("Categories", false, "/snort/snort_{$snortIf}_{$id}/snort_rulesets_{$snortIf}_{$id}.php"); + $tab_array[] = array("Rules", false, "/snort/snort_{$snortIf}_{$id}/snort_rules_{$snortIf}_{$id}.php"); + $tab_array[] = array("Servers", false, "/pkg_edit.php?xml=snort/snort_{$snortIf}_{$id}/snort_define_servers_{$snortIf}_{$id}.xml&id=0"); + $tab_array[] = array("Barnyard2", false, "/pkg_edit.php?xml=snort/snort_{$snortIf}_{$id}/snort_barnyard2_{$snortIf}_{$id}.xml&id=0"); + $tab_array[] = array("Barnyard2", false, "/pkg_edit.php?xml=snort/snort_{$snortIf}_{$id}/snort_barnyard2_{$snortIf}_{$id}.xml&id=0"); + $tab_array[] = array("Barnyard2", false, "/pkg_edit.php?xml=snort/snort_{$snortIf}_{$id}/snort_barnyard2_{$snortIf}_{$id}.xml&id=0"); + display_top_tabs($tab_array); + } +} ?> - </td></tr> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> +</td> +</tr> + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php + if($id == "") + { + echo " + <tr> + <td width=\"22%\" valign=\"top\"> </td> + <td width=\"78%\"><span class=\"vexpl\"><span class=\"red\"><strong>Note:</strong></span><br> + You will be redirected to the Snort Interfaces Menu to aprove changes.<br> + After approval, interface options will be made available. + <br><br> + Please select a interface and a description. + </td> + </tr>\n"; + } + ?> + <tr> + <td width="22%" valign="top" class="vtable"> </td> + <td width="78%" class="vtable"> + <?php + // <input name="enable" type="checkbox" value="yes" checked onClick="enable_change(false)"> + // care with spaces + if ($pconfig['enable'] == "on") + $checked = checked; + if($id != "") + { + $onclick_enable = "onClick=\"enable_change(false)\">"; + } + echo " + <input name=\"enable\" type=\"checkbox\" value=\"yes\" $checked $onclick_enable + <strong>Enable Interface</strong></td>\n\n"; + ?> + </tr> + <tr> <td width="22%" valign="top" class="vncellreq">Interface</td> <td width="78%" class="vtable"> <select name="interface" class="formfld"> <?php - $interfaces = array('wan' => 'WAN', 'lan' => 'LAN'); + $interfaces = array('wan' => 'WAN', 'lan' => 'LAN', 'pptp' => 'PPTP', 'pppoe' => 'PPPOE'); for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; } @@ -268,133 +322,95 @@ include("fbegin.inc"); ?> <span class="vexpl">Choose which interface this rule applies to.<br> Hint: in most cases, you'll want to use WAN here.</span></td> </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Block all offenders</td> - <td width="78%" class="vtable"> - <input type="checkbox" value="yes" name="block"<?php if($pconfig['block']) echo " CHECKED"; ?>><br> - HINT: Block all offenders that trigger an alert on the selected interface. - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Enable Inline Mode</td> - <td width="78%" class="vtable"> - <input type="checkbox" value="yes" name="inline"<?php if($pconfig['inline']) echo " CHECKED"; ?>><br> - HINT: This will enable Snort Inline mode on the selected interafce. - </td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Inline listening port </td> - <td width="78%" class="vtable"> - <select name="localbeginport" class="formfld" onChange="ext_change();check_for_aliases();"> - <option value="">(other)</option> - <?php $bfound = 0; foreach ($wkports as $wkport => $wkportdesc): ?> - <?php endforeach; ?> - </select> <input onChange="check_for_aliases();" autocomplete='off' class="formfldalias" name="localbeginport_cust" id="localbeginport_cust" type="text" size="5" value="<?php if (!$bfound) echo $pconfig['localbeginport']; ?>"> - <br> - <span class="vexpl">Specify the port Snort Inline should lissten on.<br> - Hint: Never enter a port that is already being used by the system.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Inline Divert Protocol</td> - <td width="78%" class="vtable"> - <select name="proto" class="formfld" onChange="proto_change(); check_for_aliases();"> - <?php $protocols = explode(" ", "TCP UDP TCP/UDP GRE ESP All"); foreach ($protocols as $proto): ?> - <option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option> - <?php endforeach; ?> - </select> <br> <span class="vexpl">Choose which IP protocol Snort Inline should divert.<br> - Hint: in most cases, you should specify <em>All</em> here.</span></td> - </tr> <tr> - <td width="22%" valign="top" class="vncellreq">Inline Divert External port range </td> - <td width="78%" class="vtable"> - <table border="0" cellspacing="0" cellpadding="0"> - <tr> - <td>from: </td> - <td><select name="beginport" class="formfld" onChange="ext_rep_change(); ext_change(); check_for_aliases();"> - <option value="">(other)</option> - <?php $bfound = 0; foreach ($wkports as $wkport => $wkportdesc): ?> - <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['beginport']) { - echo "selected"; - $bfound = 1; - }?>> - <?=htmlspecialchars($wkportdesc);?> - </option> - <?php endforeach; ?> - </select> <input onChange="check_for_aliases();" autocomplete='off' class="formfldalias" name="beginport_cust" id="beginport_cust" type="text" size="5" value="<?php if (!$bfound) echo $pconfig['beginport']; ?>"></td> - </tr> - <tr> - <td>to:</td> - <td><select name="endport" class="formfld" onChange="ext_change(); check_for_aliases();"> - <option value="">(other)</option> - <?php $bfound = 0; foreach ($wkports as $wkport => $wkportdesc): ?> - <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['endport']) { - echo "selected"; - $bfound = 1; - }?>> - <?=htmlspecialchars($wkportdesc);?> - </option> - <?php endforeach; ?> - </select> <input onChange="check_for_aliases();" class="formfldalias" autocomplete='off' name="endport_cust" id="endport_cust" type="text" size="5" value="<?php if (!$bfound) echo $pconfig['endport']; ?>"></td> - </tr> - </table> - <br> <span class="vexpl">Specify the port or port range Snort Inline should divert on the firewall's external address.<br> - Hint: you can leave the <em>'to'</em> field empty if you only want to divert a single port<br> - Hint: you can leave from and to empty to divert all ports.</span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncellreq">Inline IP Subnet</td> - <td width="78%" class="vtable"> - <input autocomplete='off' name="localip" type="text" class="formfldalias" id="localip" size="20" value="<?=htmlspecialchars($pconfig['localip']);?>"> - <br> <span class="vexpl">Enter the internal IP subnet address you wish to sniff. Leave blank for all.<br> - e.g. <em>192.168.1.0/24</em></span></td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell">Description</td> + <td width="22%" valign="top" class="vncellreq">Description</td> <td width="78%" class="vtable"> <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> <br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> </tr> - <?php if ((!(isset($id) && $a_nat[$id])) || (isset($_GET['dup']))): ?> - <?php endif; ?> + <tr> + <td width="22%" valign="top" class="vncell">Memory Performance</td> + <td width="78%" class="vtable"> + <select name="performance" class="formfld" id="performance"> + <?php + $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); + foreach ($interfaces2 as $iface2 => $ifacename2): ?> + <option value="<?=$iface2;?>" <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename2);?> + </option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance.<br> + Hint: in most cases, you'll want to use WAN here.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Block offenders</td> + <td width="78%" class="vtable"> + <input name="blockoffenders7" type="checkbox" value="yes" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Checking this option will automatically block hosts that generate a snort alert.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Alerts Tab description type</td> + <td width="78%" class="vtable"> + <select name="snortalertlogtype" class="formfld" id="snortalertlogtype"> + <?php + $interfaces4 = array('fast' => 'SHORT', 'full' => 'FULL'); + foreach ($interfaces4 as $iface4 => $ifacename4): ?> + <option value="<?=$iface4;?>" <?php if ($iface4 == $pconfig['snortalertlogtype']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename4);?> + </option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Please choose the type of Alert logging you will like see in the Alerts Tab.<br> + Hint: in most cases, short descriptions are best.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Send alerts to main System logs</td> + <td width="78%" class="vtable"> + <input name="alertsystemlog" type="checkbox" value="yes" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Snort will send Alerts to the Pfsense system logs.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Log to a Tcpdump file</td> + <td width="78%" class="vtable"> + <input name="tcpdumplog" type="checkbox" value="yes" <?php if ($pconfig['tcpdumplog'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large.</td> + </tr> + <tr> + <td valign="top" class="vncell">HTTP server flow depth</td> + <td class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td><input name="flow_depth" type="text" class="formfld" id="flow_depth" size="5" value="<?=htmlspecialchars($pconfig['flow_depth']);?>"> <strong>-1</strong> to <strong>1460</strong> (<strong>-1</strong> disables HTTP inspect, <strong>0</strong> enables all HTTP inspect)</td> + </tr> + </table> + Amount of HTTP server response payload to inspect. Snort's performance may increase by ajusting this value.<br> + Setting this value too low may cause false negatives. Value above 0 is in bytes.<br> + <strong>Default value is 0</strong></td> + </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="Save"> <input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> <?php if (isset($id) && $a_nat[$id]): ?> <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?> </td> </tr> - </table> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + Please save your settings befor you click start. </td> + </tr> + </table> + </table> </form> + <script language="JavaScript"> <!-- - ext_change(); -//--> -</script> -<?php -$isfirst = 0; -$aliases = ""; -$addrisfirst = 0; -$aliasesaddr = ""; -if($config['aliases']['alias'] <> "") - foreach($config['aliases']['alias'] as $alias_name) { - if(!stristr($alias_name['address'], ".")) { - if($isfirst == 1) $aliases .= ","; - $aliases .= "'" . $alias_name['name'] . "'"; - $isfirst = 1; - } else { - if($addrisfirst == 1) $aliasesaddr .= ","; - $aliasesaddr .= "'" . $alias_name['name'] . "'"; - $addrisfirst = 1; - } - } -?> -<script language="JavaScript"> -<!-- - var addressarray=new Array(<?php echo $aliasesaddr; ?>); - var customarray=new Array(<?php echo $aliases; ?>); +enable_change(false); //--> </script> <?php include("fend.inc"); ?> diff --git a/config/snort-dev/snort_interfaces_global.php b/config/snort-dev/snort_interfaces_global.php new file mode 100644 index 00000000..43c5cf6c --- /dev/null +++ b/config/snort-dev/snort_interfaces_global.php @@ -0,0 +1,279 @@ +<?php +/* + snort_interfaces_global.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2003-2006 Robert Zelaya + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$pgtitle = "Services:[Snort][Global Settings]"; +require("guiconfig.inc"); + +/* make things short */ +$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; +$pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; +$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; +$pconfig['whitelistvpns'] = $config['installedpackages']['snortglobal']['whitelistvpns']; +$pconfig['clickablalerteurls'] = $config['installedpackages']['snortglobal']['clickablalerteurls']; +$pconfig['associatealertip'] = $config['installedpackages']['snortglobal']['associatealertip']; + +if ($_POST) { + + unset($input_errors); + $pconfig = $_POST; + + /* input validation */ + if ($_POST['enable']) { + $reqdfields = explode(" ", "interface"); + $reqdfieldsn = explode(",", "Interface"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['httpslogin_enable']) { + if (!$_POST['cert'] || !$_POST['key']) { + $input_errors[] = "Certificate and key must be specified for HTTPS login."; + } else { + if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) + $input_errors[] = "This certificate does not appear to be valid."; + if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY")) + $input_errors[] = "This key does not appear to be valid."; + } + + if (!$_POST['httpsname'] || !is_domain($_POST['httpsname'])) { + $input_errors[] = "The HTTPS server name must be specified for HTTPS login."; + } + } + } + + if ($_POST['timeout'] && (!is_numeric($_POST['timeout']) || ($_POST['timeout'] < 1))) { + $input_errors[] = "The timeout must be at least 1 minute."; + } + if ($_POST['idletimeout'] && (!is_numeric($_POST['idletimeout']) || ($_POST['idletimeout'] < 1))) { + $input_errors[] = "The idle timeout must be at least 1 minute."; + } + if (($_POST['radiusip'] && !is_ipaddr($_POST['radiusip']))) { + $input_errors[] = "A valid IP address must be specified. [".$_POST['radiusip']."]"; + } + if (($_POST['radiusip2'] && !is_ipaddr($_POST['radiusip2']))) { + $input_errors[] = "A valid IP address must be specified. [".$_POST['radiusip2']."]"; + } + if (($_POST['radiusport'] && !is_port($_POST['radiusport']))) { + $input_errors[] = "A valid port number must be specified. [".$_POST['radiusport']."]"; + } + if (($_POST['radiusport2'] && !is_port($_POST['radiusport2']))) { + $input_errors[] = "A valid port number must be specified. [".$_POST['radiusport2']."]"; + } + if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { + $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; + } + if ($_POST['maxproc'] && (!is_numeric($_POST['maxproc']) || ($_POST['maxproc'] < 4) || ($_POST['maxproc'] > 100))) { + $input_errors[] = "The total maximum number of concurrent connections must be between 4 and 100."; + } + $mymaxproc = $_POST['maxproc'] ? $_POST['maxproc'] : 16; + if ($_POST['maxprocperip'] && (!is_numeric($_POST['maxprocperip']) || ($_POST['maxprocperip'] > $mymaxproc))) { + $input_errors[] = "The maximum number of concurrent connections per client IP address may not be larger than the global maximum."; + } + + if (!$input_errors) { + + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; + $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? on : off; + $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; + $config['installedpackages']['snortglobal']['autorulesupdate7'] = $_POST['autorulesupdate7']; + $config['installedpackages']['snortglobal']['whitelistvpns'] = $_POST['whitelistvpns'] ? on : off; + $config['installedpackages']['snortglobal']['clickablalerteurls'] = $_POST['clickablalerteurls'] ? on : off; + $config['installedpackages']['snortglobal']['associatealertip'] = $_POST['associatealertip'] ? on : off; + + write_config(); + + $retval = 0; + + config_lock(); + $retval = captiveportal_configure(); + config_unlock(); + + $savemsg = get_std_save_message($retval); + } +} +include("head.inc"); +?> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- + +/* make shure all the settings exist or function hide will not work */ +function enable_change(enable_change) { + var endis, radius_endis; + endis = !(document.iform.enable.checked || enable_change); +// radius_endis = !((!endis && document.iform.auth_method[2].checked) || enable_change); + + document.iform.snortdownload[0].disabled = endis; + document.iform.snortdownload[1].disabled = endis; + document.iform.snortdownload[2].disabled = endis; + document.iform.oinkmastercode.disabled = endis; + document.iform.emergingthreats.disabled = endis; + document.iform.rm_blocked.disabled = endis; + document.iform.autorulesupdate7.disabled = endis; + document.iform.whitelistvpns.disabled = endis; + document.iform.clickablalerteurls.disabled = endis; + document.iform.associatealertip.disabled = endis; +} +//--> +</script> +<p class="pgtitle"><?=$pgtitle?></p> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<form action="snort_interfaces_global.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> +<?php + $tab_array = array(); + $tab_array[] = array("Snort Inertfaces", false, "snort_interfaces.php"); + $tab_array[] = array("Global Settings", true, "snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", false, "services_captiveportal_ip.php"); + $tab_array[] = array("Alerts", false, "services_captiveportal_users.php"); + $tab_array[] = array("Blocked", false, "services_captiveportal_filemanager.php"); + $tab_array[] = array("Whitelists", false, "services_captiveportal_users.php"); + $tab_array[] = array("Help & Info", false, "services_captiveportal_filemanager.php"); + display_top_tabs($tab_array); +?> </td></tr> + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vncell">Install Snort.org rules</td> + <td width="78%" class="vtable"> + <table cellpadding="0" cellspacing="0"> + <tr> + <td colspan="2"><input name="snortdownload" type="radio" id="snortdownload" value="off" onClick="enable_change(false)" <?php if($pconfig['snortdownload']!="premium" && $pconfig['snortdownload']!="basic") echo "checked"; ?>> + Do <strong>NOT</strong> install</td> + </tr> + <tr> + <td colspan="2"><input name="snortdownload" type="radio" id="snortdownload" value="premium" onClick="enable_change(false)" <?php if($pconfig['snortdownload']=="premium") echo "checked"; ?>> + Premium rules <a href="http://forum.pfsense.org/index.php/topic,16847.0.html" target="_blank">HIGHLY RECOMMENDED</a></td> + </tr> + <tr> + <td colspan="2"><input name="snortdownload" type="radio" id="snortdownload" value="basic" onClick="enable_change(false)" <?php if($pconfig['snortdownload']=="basic") echo "checked"; ?>> + Basic Rules</td> + </tr> + <tr> + <td> </td> + <td> </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="optsect_t2">Oinkmaster code</td> + </tr> + <tr> + <td class="vncell" valign="top">Code</td> + <td class="vtable"><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br> + Obtain a snort.org Oinkmaster code and paste here.</td> + </td> + </table> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Install <strong>Emergingthreats</strong> rules</td> + <td width="78%" class="vtable"> + <input name="emergingthreats" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> + Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Remove blocked hosts every</td> + <td width="78%" class="vtable"> + <select name="rm_blocked" class="formfld" id="rm_blocked"> + <?php + $interfaces3 = array('never_b' => 'NEVER', '1h_b' => '1 HOUR', '3h_b' => '3 HOURS', '6h_b' => '6 HOURS', '12h_b' => '12 HOURS', '1d_b' => '1 DAY', '4d_b' => '4 DAYS', '7d_b' => '7 DAYS', '28d_b' => '28 DAYS'); + foreach ($interfaces3 as $iface3 => $ifacename3): ?> + <option value="<?=$iface3;?>" <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename3);?> + </option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Please select the amount of time you would like hosts to be blocked for.<br> + Hint: in most cases, 1 hour is a good choice.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Update rules automatically</td> + <td width="78%" class="vtable"> + <select name="autorulesupdate7" class="formfld" id="autorulesupdate7"> + <?php + $interfaces3 = array('never_up' => 'NEVER', '6h_up' => '6 HOURS', '12h_up' => '12 HOURS', '1d_up' => '1 DAY', '4d_up' => '4 DAYS', '7d_up' => '7 DAYS', '28d_up' => '28 DAYS'); + foreach ($interfaces3 as $iface3 => $ifacename3): ?> + <option value="<?=$iface3;?>" <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename3);?> + </option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Please select the update times for rules.<br> + Hint: in most cases, every 12 hours is a good choice.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Whitelist VPNs automatically</td> + <td width="78%" class="vtable"> + <input name="whitelistvpns" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['whitelistvpns'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Checking this option will install whitelists for all VPNs.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Convert Snort alerts urls to clickable links</td> + <td width="78%" class="vtable"> + <input name="clickablalerteurls" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['clickablalerteurls'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Associate events on Blocked tab</td> + <td width="78%" class="vtable"> + <input name="associatealertip" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['associatealertip'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Checking this option will automatically associate the blocked reason from the snort alerts file.</td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)"> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:<br> + </strong></span>Changing any settings on this page will disconnect all clients! Don't forget to enable the DHCP server on your captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page. Also, the DNS forwarder needs to be enabled for DNS lookups by unauthenticated clients to work. </span></td> + </tr> + </table> + </td> + </tr> + </table> +</form> +<script language="JavaScript"> +<!-- +enable_change(false); +//--> +</script> +<?php include("fend.inc"); ?> +</body> +</html> |