diff options
| author | serg dvoriancev <dv_serg@mail.ru> | 2010-04-12 21:52:00 +0400 |
|---|---|---|
| committer | serg dvoriancev <dv_serg@mail.ru> | 2010-04-12 21:52:00 +0400 |
| commit | 312f6a4827d742869daba0ebb186b6de5483379a (patch) | |
| tree | 9285758224d8a53d519f7fab142629397e1ef13d /config | |
| parent | 8d8c3e1278c35aaf235710d07cbe6583337700d5 (diff) | |
| parent | e8fa9505ad3c402bf4a5b5143842c0028382a658 (diff) | |
| download | pfsense-packages-312f6a4827d742869daba0ebb186b6de5483379a.tar.gz pfsense-packages-312f6a4827d742869daba0ebb186b6de5483379a.tar.bz2 pfsense-packages-312f6a4827d742869daba0ebb186b6de5483379a.zip | |
Merge branch 'master' of http://gitweb.pfsense.org/pfsense-packages/mainline
Diffstat (limited to 'config')
149 files changed, 23521 insertions, 13063 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc index 76aecabe..4eb24c2c 100644 --- a/config/apache_mod_security/apache_mod_security.inc +++ b/config/apache_mod_security/apache_mod_security.inc @@ -2,7 +2,7 @@ /* apache_mod_security.inc part of apache_mod_security package (http://www.pfSense.com) - Copyright (C) 2009 Scott Ullrich + Copyright (C) 2009, 2010 Scott Ullrich All rights reserved. Redistribution and use in source and binary forms, with or without @@ -74,7 +74,7 @@ function apache_mod_security_install() { require_once(\"/usr/local/pkg/apache_mod_security.inc\"); apache_mod_security_start(); ?> - ENDPHP\n"; +ENDPHP\n"; $stop = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP <?php @@ -82,7 +82,7 @@ function apache_mod_security_install() { require_once(\"/usr/local/pkg/apache_mod_security.inc\"); apache_mod_security_stop(); ?> - ENDPHP\n"; +ENDPHP\n"; write_rcfile(array( "file" => $filename, @@ -103,7 +103,21 @@ function apache_mod_security_deinstall() { // Regenerate apache configuration and handle server restart function apache_mod_security_resync() { global $config, $g; - generate_apache_configuration(); + apache_mod_security_install(); + if(!file_exists(rules_directory . "/10_asl_rules.conf")) + exec("/usr/bin/fetch -q -o " . rules_directory . "/10_asl_rules.conf http://www.pfsense.com/packages/config/apache_mod_security/rules/10_asl_rules.conf"); + if(!file_exists(rules_directory . "/a_exclude.conf")) + exec("/usr/bin/fetch -q -o " . rules_directory . "/a_exclude.conf http://www.pfsense.com/packages/config/apache_mod_security/rules/a_exclude.conf"); + if(!file_exists(rules_directory . "/blacklist.conf")) + exec("/usr/bin/fetch -q -o " . rules_directory . "/blacklist.conf http://www.pfsense.com/packages/config/apache_mod_security/rules/blacklist.conf"); + if(!file_exists(rules_directory . "/default.conf")) + exec("/usr/bin/fetch -q -o " . rules_directory . "/rules/default.conf http://www.pfsense.com/packages/config/apache_mod_security/rules/default.conf"); + if(!file_exists(rules_directory . "/recons.conf")) + exec("/usr/bin/fetch -q -o " . rules_directory . "/recons.conf http://www.pfsense.com/packages/config/apache_mod_security/rules/recons.conf"); + if(!file_exists(rules_directory . "/rootkits.conf")) + exec("/usr/bin/fetch -q -o " . rules_directory . "/rootkits.conf http://www.pfsense.com/packages/config/apache_mod_security/rules/rootkits.conf"); + if(!file_exists(rules_directory . "/useragents.conf")) + exec("/usr/bin/fetch -q -o " . rules_directory . "/useragents.conf http://www.pfsense.com/packages/config/apache_mod_security/rules/useragents.conf"); apache_mod_security_checkconfig(); apache_mod_security_restart(); } @@ -137,28 +151,44 @@ function generate_apache_configuration() { $servername = "ServerName " . `hostname` . "\n"; } - // Set global listening directive - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']) { - $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']; - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']) - $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']; - else - $global_listen .= ":80"; - } else { - $global_listen = "{$config['system']['hostname']}.{$config['system']['domain']}"; - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']) - $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']; - else - $global_listen .= ":80"; + // Set global listening directive and ensure nothing is listening on this port already + $globalbind = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']; + $socksstat = split("\n", `/usr/bin/sockstat | awk '{ print $6 }' | grep ":{$globalbind}" | cut -d ":" -f2`); + if(is_array($socksstat)) { + foreach($socksstat as $ss) { + if($ss == $globalbind) { + $already_binded = true; + $input_errors[] = "Sorry, there is a process already listening on port {$globalbind}"; + } + } } +// if(!$already_binded) { + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']) { + $global_listen = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoipaddr']; + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']) + $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']; + else + $global_listen .= ":80"; + } else { + $global_listen = "{$config['system']['hostname']}.{$config['system']['domain']}"; + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']) + $global_listen .= ":" . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['globalbindtoport']; + else + $global_listen .= ":80"; + } +// } else { +// log_error("Could not start mod_security + mod_proxy on port {$global_listen}. Process is already bound to this port."); +// } // Setup mem_cache - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache']) { - if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size']) - $mcachesize = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size']; - else - $mcachesize = "100"; - //$mem_cache = "MCacheSize $mcachesize\n"; + if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so")) { + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache']) { + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size']) + $mcachesize = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['mod_mem_cache_size']; + else + $mcachesize = "100"; + //$mem_cache = "MCacheSize $mcachesize\n"; + } } // CacheRoot Directive @@ -328,9 +358,9 @@ EOF; $mod_security_rules = ""; $files = return_dir_as_array(rules_directory); foreach($files as $file) { - if(file_exists($file)) { + if(file_exists(rules_directory . "/" . $file)) { // XXX: TODO integrate snorts rule on / off thingie - $file_txt = get_file_contents($file); + $file_txt = file_get_contents(rules_directory . "/" . $file); $mod_security_rules .= $file_txt . "\n"; } } @@ -397,6 +427,9 @@ EOF; } +if(file_exists("/usr/local/libexec/apache22/mod_mem_cache.so")) + $mod_mem_cacheLoad = "Module mem_cache_module libexec/apache22/mod_mem_cache.so\n"; + $apache_config = <<<EOF ################################################################################## # NOTE: This file was generated by the pfSense package management system. # @@ -475,7 +508,6 @@ LoadModule auth_digest_module libexec/apache22/mod_auth_digest.so LoadModule file_cache_module libexec/apache22/mod_file_cache.so LoadModule cache_module libexec/apache22/mod_cache.so LoadModule disk_cache_module libexec/apache22/mod_disk_cache.so -LoadModule mem_cache_module libexec/apache22/mod_mem_cache.so LoadModule dumpio_module libexec/apache22/mod_dumpio.so LoadModule include_module libexec/apache22/mod_include.so LoadModule filter_module libexec/apache22/mod_filter.so @@ -514,6 +546,7 @@ LoadModule speling_module libexec/apache22/mod_speling.so LoadModule userdir_module libexec/apache22/mod_userdir.so LoadModule alias_module libexec/apache22/mod_alias.so LoadModule rewrite_module libexec/apache22/mod_rewrite.so +{$mod_mem_cache} <IfModule !mpm_netware_module> <IfModule !mpm_winnt_module> diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml index 23447a89..ef56609b 100644 --- a/config/apache_mod_security/apache_mod_security.xml +++ b/config/apache_mod_security/apache_mod_security.xml @@ -9,7 +9,7 @@ /* apache_mod_security.xml part of apache_mod_security package (http://www.pfSense.com) - Copyright (C)2009 Scott Ullrich + Copyright (C)2009, 2010 Scott Ullrich All rights reserved. */ /* ========================================================================== */ @@ -62,21 +62,6 @@ <chmod>0644</chmod> <item>http://www.pfsense.com/packages/config/apache_mod_security/apache_mod_security_view_logs.php</item> </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/apachemodsecurity/rules/</prefix> - <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/apache_mod_security/rules/default.conf</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/apachemodsecurity/rules/</prefix> - <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/apache_mod_security/rules/10_asl_rules.conf</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/apachemodsecurity/rules/</prefix> - <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/apache_mod_security/rules/snortmodsec-rules.txt</item> - </additional_files_needed> <tabs> <tab> <text>Proxy Server Settings</text> diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml index 5a5f28c4..e313f3c8 100644 --- a/config/apache_mod_security/apache_mod_security_settings.xml +++ b/config/apache_mod_security/apache_mod_security_settings.xml @@ -9,7 +9,7 @@ /* apache_mod_security_settings.xml part of apache_mod_security package (http://www.pfSense.com) - Copyright (C) 2008 Scott Ullrich + Copyright (C) 2008, 2009, 2010 Scott Ullrich All rights reserved. */ /* ========================================================================== */ @@ -95,7 +95,7 @@ <![CDATA[ This is the port the Proxy Server will listen on. <br/> - NOTE: Leave blank to bind to * + NOTE: Leave blank to bind to 80 ]]> </description> <type>input</type> diff --git a/config/apache_mod_security/apache_mod_security_view_logs.php b/config/apache_mod_security/apache_mod_security_view_logs.php index 1bba2c06..6ef2499a 100644 --- a/config/apache_mod_security/apache_mod_security_view_logs.php +++ b/config/apache_mod_security/apache_mod_security_view_logs.php @@ -3,7 +3,7 @@ /* apache_mod_security_view_logs.php.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2009, 2010 Scott Ullrich <sullrich@gmail.com> All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/config/avahi/avahi.inc b/config/avahi/avahi.inc index a06485c5..d8ab263b 100644 --- a/config/avahi/avahi.inc +++ b/config/avahi/avahi.inc @@ -56,8 +56,8 @@ function avahi_install() { } // Add needed users and groups - exec("/usr/sbin/pw useradd avahi"); - exec("/usr/sbin/pw groupadd avahi"); + exec("/usr/sbin/pw useradd avahi -u 558"); + exec("/usr/sbin/pw groupadd avahi -g 558"); // Make image RO conf_mount_ro(); diff --git a/config/freeswitch/freeswitch.inc b/config/freeswitch/freeswitch.inc index aa3e4b74..147125a7 100644 --- a/config/freeswitch/freeswitch.inc +++ b/config/freeswitch/freeswitch.inc @@ -263,42 +263,6 @@ function byte_convert( $bytes ) { return round($bytes/pow($convention,$e),2).' '.$s[$e]; } -function lan_sip_profile() -{ - global $config; - clearstatcache(); - - //if the lan directory does not exist then create it - if (!is_dir('/usr/local/freeswitch/conf/sip_profiles/lan/')) { - exec("mkdir /usr/local/freeswitch/conf/sip_profiles/lan/"); - } - - //create the LAN profile if it doesn't exist - if (!file_exists('/usr/local/freeswitch/conf/sip_profiles/lan.xml')) { - $lan_ip = $config['interfaces']['lan']['ipaddr']; - if (strlen($lan_ip) > 0) { - exec("cp /usr/local/freeswitch/conf/sip_profiles/internal.xml /usr/local/freeswitch/conf/sip_profiles/lan.xml"); - - $filename = "/usr/local/freeswitch/conf/sip_profiles/lan.xml"; - $handle = fopen($filename,"rb"); - $contents = fread($handle, filesize($filename)); - fclose($handle); - - $handle = fopen($filename,"w"); - $contents = str_replace("<profile name=\"internal\">", "<profile name=\"lan\">", $contents); - $contents = str_replace("<alias name=\"default\"/>", "", $contents); - $contents = str_replace("<X-PRE-PROCESS cmd=\"include\" data=\"internal/*.xml\"/>", "<X-PRE-PROCESS cmd=\"include\" data=\"lan/*.xml\"/>", $contents); - $contents = str_replace("<param name=\"rtp-ip\" value=\"\$\${local_ip_v4}\"/>", "<param name=\"rtp-ip\" value=\"".$lan_ip."\"/>", $contents); - $contents = str_replace("<param name=\"sip-ip\" value=\"\$\${local_ip_v4}\"/>", "<param name=\"sip-ip\" value=\"".$lan_ip."\"/>", $contents); - fwrite($handle, $contents); - unset($contents); - fclose($handle); - unset($filename); - } - } - -} - function ListFiles($dir) { if($dh = opendir($dir)) { @@ -3741,8 +3705,6 @@ function freeswitch_php_install_command() "stop" => "/usr/local/freeswitch/bin/./freeswitch -stop" ) ); - - lan_sip_profile(); sync_package_freeswitch(); $handle = popen("/usr/local/etc/rc.d/freeswitch.sh start", "r"); diff --git a/config/freeswitch_dev/v_config.inc b/config/freeswitch_dev/v_config.inc index 596fb00f..a508cefc 100644 --- a/config/freeswitch_dev/v_config.inc +++ b/config/freeswitch_dev/v_config.inc @@ -319,46 +319,6 @@ function byte_convert( $bytes ) { return round($bytes/pow($convention,$e),2).' '.$s[$e]; } -function lan_sip_profile() -{ - global $config; - $v_settings_array = $config['installedpackages']['freeswitchsettings']['config'][0]; - foreach($v_settings_array as $name => $value) { - $$name = $value; - } - clearstatcache(); - - //if the lan directory does not exist then create it - if (!is_dir($v_conf_dir.'/sip_profiles/lan/')) { - exec("mkdir ".$v_conf_dir."/sip_profiles/lan/"); - } - - //create the LAN profile if it doesn't exist - if (!file_exists($v_conf_dir.'/sip_profiles/lan.xml')) { - $lan_ip = $config['interfaces']['lan']['ipaddr']; - if (strlen($lan_ip) > 0) { - exec("cp ".$v_conf_dir."/sip_profiles/internal.xml ".$v_conf_dir."/sip_profiles/lan.xml"); - - $filename = $v_conf_dir."/sip_profiles/lan.xml"; - $handle = fopen($filename,"rb"); - $contents = fread($handle, filesize($filename)); - fclose($handle); - - $handle = fopen($filename,"w"); - $contents = str_replace("<profile name=\"internal\">", "<profile name=\"lan\">", $contents); - $contents = str_replace("<alias name=\"default\"/>", "", $contents); - $contents = str_replace("<X-PRE-PROCESS cmd=\"include\" data=\"internal/*.xml\"/>", "<X-PRE-PROCESS cmd=\"include\" data=\"lan/*.xml\"/>", $contents); - $contents = str_replace("<param name=\"rtp-ip\" value=\"\$\${local_ip_v4}\"/>", "<param name=\"rtp-ip\" value=\"".$lan_ip."\"/>", $contents); - $contents = str_replace("<param name=\"sip-ip\" value=\"\$\${local_ip_v4}\"/>", "<param name=\"sip-ip\" value=\"".$lan_ip."\"/>", $contents); - fwrite($handle, $contents); - unset($contents); - fclose($handle); - unset($filename); - } - } - -} - function ListFiles($dir) { if($dh = opendir($dir)) { @@ -3923,23 +3883,20 @@ function v_install_phase_1() unlink_if_exists($v_conf_dir."/directory/default/brian.xml"); unlink_if_exists($v_conf_dir."/directory/default/example.com.xml"); unlink_if_exists($v_conf_dir."/dialplan/default/99999_enum.xml"); - - + write_rcfile(array( "file" => $v_name.".sh", "start" => $v_dir."/bin/./".$v_name." -nc", "stop" => $v_dir."/bin/./".$v_name." -stop" ) ); - - lan_sip_profile(); $static_output = 'Synchronize the config'; update_output_window($static_output); - + sync_package_freeswitch(); - + $static_output = 'Start the Service'; update_output_window($static_output); $handle = popen($v_startup_script_dir."/freeswitch.sh start", "r"); @@ -3951,7 +3908,7 @@ function v_install_phase_1() conf_mount_ro(); config_unlock(); - + } diff --git a/config/haproxy-dev/haproxy.inc b/config/haproxy-dev/haproxy.inc index a799cd48..f14d479c 100644 --- a/config/haproxy-dev/haproxy.inc +++ b/config/haproxy-dev/haproxy.inc @@ -58,48 +58,14 @@ $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', 'mode' => '', 'syntax' => 'src'); -function haproxy_find_acl($name) { - global $a_acltypes; - - /* XXX why is this broken from xmlsync? */ - if (!$a_acltypes) { - $a_acltypes = array(); - $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', - 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); - $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', - 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); - $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', - 'mode' =>'http', 'syntax' => 'hdr(host) -i'); - $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', - 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); - $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', - 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); - $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', - 'mode' => 'http', 'syntax' => 'path_beg -i'); - $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', - 'mode' => 'http', 'syntax' => 'path_end -i'); - $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', - 'mode' => 'http', 'syntax' => 'path -i'); - $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', - 'mode' => 'http', 'syntax' => 'path_reg -i'); - $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', - 'mode' => 'http', 'syntax' => 'path_dir -i'); - $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', - 'mode' => '', 'syntax' => 'src'); - } - - if($a_acltypes) { - foreach ($a_acltypes as $acl) { - if ($acl['name'] == $name) - return $acl; - } - } -} - function haproxy_custom_php_deinstall_command() { exec("rm /usr/local/sbin/haproxy"); exec("rm /usr/local/pkg/haproxy.inc"); exec("rm /usr/local/www/haproxy*"); + exec("rm /usr/local/etc/rc.d/haproxy.sh"); + exec("rm /etc/devd/haproxy.conf"); + exec("/etc/rc.d/devd restart"); + haproxy_install_cron(false); } function haproxy_custom_php_install_command() { @@ -122,6 +88,8 @@ haproxy_enable=\${haproxy-"YES"} start_cmd="haproxy_start" stop_postcmd="haproxy_stop" +check_cmd="haproxy_check" +extra_commands="check" load_rc_config \$name @@ -139,6 +107,20 @@ haproxy_start () { ENDOFF } +haproxy_check () { + echo "Checking haproxy." + /usr/bin/env \ + PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ + /usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDOFF + <?php + require_once("globals.inc"); + require_once("functions.inc"); + require_once("haproxy.inc"); + haproxy_check_run(0); + ?> +ENDOFF +} + haproxy_stop () { echo "Stopping haproxy." killall haproxy @@ -153,12 +135,211 @@ EOD; fclose($fd); exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh"); + $devd = <<<EOD +notify 0 { + match "system" "IFNET"; + match "subsystem" "carp[0-9]+"; + match "type" "LINK_UP"; + action "/usr/local/etc/rc.d/haproxy.sh check"; +}; +notify 0 { + match "system" "IFNET"; + match "subsystem" "carp[0-9]+"; + match "type" "LINK_DOWN"; + action "/usr/local/etc/rc.d/haproxy.sh check"; +}; + +EOD; + exec("mkdir -p /etc/devd"); + $fd = fopen("/etc/devd/haproxy.conf", "w"); + fwrite($fd, $devd); + fclose($fd); + exec("/etc/rc.d/devd restart"); + conf_mount_ro(); exec("/usr/local/etc/rc.d/haproxy.sh start"); } +function haproxy_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['command'], "/usr/local/etc/rc.d/haproxy.sh")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "*/2"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/etc/rc.d/haproxy.sh check"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config(); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config(); + } + configure_cron(); + } + break; + } +} + +function haproxy_find_acl($name) { + global $a_acltypes; + + /* XXX why is this broken from xmlsync? */ + if (!$a_acltypes) { + $a_acltypes = array(); + $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); + $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); + $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', + 'mode' =>'http', 'syntax' => 'hdr(host) -i'); + $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); + $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); + $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', + 'mode' => 'http', 'syntax' => 'path_beg -i'); + $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', + 'mode' => 'http', 'syntax' => 'path_end -i'); + $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', + 'mode' => 'http', 'syntax' => 'path -i'); + $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', + 'mode' => 'http', 'syntax' => 'path_reg -i'); + $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', + 'mode' => 'http', 'syntax' => 'path_dir -i'); + $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', + 'mode' => '', 'syntax' => 'src'); + } + + if($a_acltypes) { + foreach ($a_acltypes as $acl) { + if ($acl['name'] == $name) + return $acl; + } + } +} + +function write_backend($fd, $name, $pool, $frontend) { + if(!is_array($pool['ha_servers']['item'])) + continue; + + fwrite ($fd, "backend " . $name . "\n"); + if($pool['cookie_name'] && strtolower($frontend['type']) == "http") + fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); + + // https is an alias for tcp for clarity purpouses + if(strtolower($frontend['type']) == "https") { + $backend_type = "tcp"; + $httpchk = "ssl-hello-chk"; + } else { + $backend_type = $frontend['type']; + $httpchk = "httpchk"; + } + + fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + + if($frontend['balance']) + fwrite ($fd, "\tbalance\t\t\t" . $frontend['balance'] . "\n"); + + if($frontend['connection_timeout']) + fwrite ($fd, "\tcontimeout\t\t" . $frontend['connection_timeout'] . "\n"); + + if($frontend['server_timeout']) + fwrite ($fd, "\tsrvtimeout\t\t" . $frontend['server_timeout'] . "\n"); + + if($frontend['retries']) + fwrite ($fd, "\tretries\t\t\t" . $frontend['retries'] . "\n"); + + if($frontend['stats_enabled']=='yes') { + fwrite ($fd, "\tstats\t\t\tenable\n"); + if($frontend['stats_uri']) + fwrite ($fd, "\tstats\t\t\turi ".$frontend['stats_uri']."\n"); + if($frontend['stats_realm']) + fwrite ($fd, "\tstats\t\t\trealm " . $frontend['stats_realm'] . "\n"); + else + fwrite ($fd, "\tstats\t\t\trealm .\n"); + fwrite ($fd, "\tstats\t\t\tauth " . $frontend['stats_username'].":". $frontend['stats_password']."\n"); + } + + $uri = $pool['monitor_uri']; + if ($pool['monitor_uri']) + $uri = $pool['monitor_uri']; + else + $uri = "/"; + fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); + + if($pool['cookie'] && strtolower($frontend['type']) == "http") + $cookie = " cookie {$pool['cookie']} "; + else + $cookie = ""; + if($pool['advanced']) { + $advanced = base64_decode($pool['advanced']); + $advanced_txt = " " . $advanced; + } else { + $advanced_txt = ""; + } + if($pool['checkinter']) + $checkinter = "check inter {$pool['checkinter']}"; + else if (strtolower($frontend['type']) != "tcp") + $checkinter = "check inter 1000"; + else + $checkinter = ""; + + $a_servers = &$pool['ha_servers']['item']; + foreach($a_servers as $be) { + if(!$be['port']) { + // the listener can specify a default port + $be['port'] = $frontend['svrport']; + } + if(!$be['port']) { + // last resort, use the frontend port + $ports = split(",", "{$frontend['port']},"); + $be['port'] = $ports[0]; + } + if (!$be['name']) + $be['name'] = $be['address']; + if($be['backup']) { + $isbackup = "backup"; + } else { + $isbackup = ""; + } + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); + } + fwrite ($fd, "\n"); +} + function haproxy_configure() { + // reload haproxy + haproxy_writeconf(); + return haproxy_check_run(1); +} + +function haproxy_writeconf() { global $config, $g; $a_global = &$config['installedpackages']['haproxy']; @@ -170,7 +351,7 @@ function haproxy_configure() { if(is_array($a_global)) { fwrite ($fd, "global\n"); if($a_global['advanced']) - fwrite ($fd, "\t" . base64deode($a_global['advanced']) . "\n"); + fwrite ($fd, "\t" . base64_decode($a_global['advanced']) . "\n"); fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); if($a_global['remotesyslog']) fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n"); @@ -187,17 +368,51 @@ function haproxy_configure() { fwrite ($fd, "\n"); } - // Construct and write out configuration file + // Try and get a unique array for address:port as frontends can duplicate + $a_bind = array(); if(is_array($a_backends)) { foreach ($a_backends as $backend) { - if($backend['status'] != 'active') continue; - // Define our backend name - $backendinfo = "listen {$backend['name']}\n"; + if(!$backend['pool']) + continue; + + $bname = $backend['extaddr'] . ":" . $backend['port']; + if (!is_array($a_bind[$bname])) { + $a_bind[$bname] = array(); + $a_bind[$bname]['config'] = array(); + // Settings which are constant for a merged frontend + $a_bind[$bname]['name'] = $backend['name']; + $a_bind[$bname]['extaddr'] = $backend['extaddr']; + $a_bind[$bname]['port'] = $backend['port']; + } + $b = &$a_bind[$bname]; + + // Overwrite ? + $b['type'] = $backend['type']; + $b['forwardfor'] = $backend['forwardfor']; + $b['httpclose'] = $backend['httpclose']; + $b['max_connections'] = $backend['max_connections']; + $b['client_timeout'] = $backend['client_timeout']; + $b['advanced'] = $backend['advanced']; + + // pointer to each backend + $b['config'][] = $backend; + } + } + + $a_pendingpl = array(); + + // Construct and write out configuration file + if(is_array($a_bind)) { + foreach ($a_bind as $bind) { + if (count($bind['config']) > 1) + $frontendinfo = "frontend {$bind['name']}-merged\n"; + else + $frontendinfo = "frontend {$bind['name']}\n"; // Prepare ports for processing by splitting - $portss = "{$backend['port']},"; + $portss = "{$bind['port']},"; $ports = split(",", $portss); // Initialize variable @@ -206,30 +421,30 @@ function haproxy_configure() { // Process and add bind directives for ports foreach($ports as $port) { if($port) { - if($backend['extaddr'] == "any") + if($bind['extaddr'] == "any") $listenip .= "\tbind\t\t\t0.0.0.0:{$port}\n"; - elseif($backend['extaddr']) - $listenip .= "\tbind\t\t\t{$backend['extaddr']}:{$port}\n"; + elseif($bind['extaddr']) + $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port}\n"; else $listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port}\n"; } } - fwrite ($fd, "{$backendinfo}"); + fwrite ($fd, "{$frontendinfo}"); fwrite ($fd, "{$listenip}"); // Advanced pass thru - if($backend['advanced']) { - $advanced = base64_decode($backend['advanced']); + if($bind['advanced']) { + $advanced = base64_decode($bind['advanced']); fwrite($fd, "\t" . $advanced . "\n"); } // https is an alias for tcp for clarity purpouses - if(strtolower($backend['type']) == "https") { + if(strtolower($bind['type']) == "https") { $backend_type = "tcp"; $httpchk = "ssl-hello-chk"; } else { - $backend_type = $backend['type']; + $backend_type = $bind['type']; $httpchk = "httpchk"; } @@ -237,157 +452,153 @@ function haproxy_configure() { fwrite ($fd, "\tlog\t\t\tglobal\n"); fwrite ($fd, "\toption\t\t\tdontlognull\n"); - if($backend['httpclose']) + if($bind['httpclose']) fwrite ($fd, "\toption\t\t\thttpclose\n"); - if($backend['forwardfor']) + if($bind['forwardfor']) fwrite ($fd, "\toption\t\t\tforwardfor\n"); - if($backend['max_connections']) - fwrite ($fd, "\tmaxconn\t\t\t" . $backend['max_connections'] . "\n"); - - if($backend['client_timeout']) - fwrite ($fd, "\tclitimeout\t\t" . $backend['client_timeout'] . "\n"); - - if($backend['balance']) - fwrite ($fd, "\tbalance\t\t\t" . $backend['balance'] . "\n"); + if($bind['max_connections']) + fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); - if($backend['connection_timeout']) - fwrite ($fd, "\tcontimeout\t\t" . $backend['connection_timeout'] . "\n"); + if($bind['client_timeout']) + fwrite ($fd, "\tclitimeout\t\t" . $bind['client_timeout'] . "\n"); - if($backend['server_timeout']) - fwrite ($fd, "\tsrvtimeout\t\t" . $backend['server_timeout'] . "\n"); + + // Combine the rest of the listener configs + $default_once = 0; + $i = 0; + foreach ($bind['config'] as $bconfig) { + $a_acl=&$bconfig['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); + + $poolname = $bconfig['pool'] . "_" . strtolower($bconfig['type']); - if($backend['retries']) - fwrite ($fd, "\tretries\t\t\t" . $backend['retries'] . "\n"); + // Create different pools if the svrport is set + if ($bconfig['svrport'] > 0) + $poolname .= "_" . $bconfig['svrport']; - if($backend['stats_enabled']=='yes') { - fwrite ($fd, "\tstats\t\t\tenable\n"); - if($backend['stats_uri']) - fwrite ($fd, "\tstats\t\t\turi ".$backend['stats_uri']."\n"); - if($backend['stats_realm']) - fwrite ($fd, "\tstats\t\t\trealm " . $backend['stats_realm'] . "\n"); - else - fwrite ($fd, "\tstats\t\t\trealm .\n"); - fwrite ($fd, "\tstats\t\t\tauth " . $backend['stats_username'].":". $backend['stats_password']."\n"); - } + // Write this out once, and must be before any backend config text + if ($default_once == 0) { + fwrite ($fd, "\tdefault_backend\t\t" . $poolname . "\n"); + $default_once++; + } - $a_acl=&$backend['ha_acls']['item']; - if(!is_array($a_acl)) - $a_acl=array(); - - foreach ($a_acl as $entry) { - $acl = haproxy_find_acl($entry['expression']); - if (!$acl) - continue; + if (!isset($a_pendingpl[$poolname])) { + $a_pendingpl[$poolname] = array(); + $a_pendingpl[$poolname]['name'] = $poolname; + $a_pendingpl[$poolname]['frontend'] = $bconfig; + } - // Filter out acls for different modes - if ($acl['mode'] != '' && $acl['mode'] != strtolower($backend['type'])) - continue; + foreach ($a_acl as $entry) { + $acl = haproxy_find_acl($entry['expression']); + if (!$acl) + continue; - if ($acl['syntax'] != '') - $expr = $acl['syntax'] . " " . $entry['value']; - else - $expr = $entry['expression'] . " " . $entry['value']; + // Filter out acls for different modes + if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type'])) + continue; - fwrite ($fd, "\tacl\t\t\t".$entry['name']."\t".$expr."\n"); - } + if ($acl['syntax'] != '') + $expr = $acl['syntax'] . " " . $entry['value']; + else + $expr = $entry['expression'] . " " . $entry['value']; - if (is_array($a_pools)) { - foreach ($a_pools as $pool) { - if ($backend['pool'] == $pool['name'] && is_array($pool['ha_servers']['item'])) { - if($pool['status'] != 'active') - continue; - if($pool['cookie_name'] && strtolower($backend['type']) == "http") - fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); - - $uri = $pool['monitor_uri']; - if ($pool['monitor_uri']) - $uri = $pool['monitor_uri']; - else - $uri = "/"; - fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); - - if($pool['cookie'] && strtolower($backend['type']) == "http") - $cookie = " cookie {$pool['cookie']} "; - else - $cookie = ""; - if($pool['advanced']) { - $advanced = base64_decode($pool['advanced']); - $advanced_txt = " " . $advanced; - } else { - $advanced_txt = ""; - } - if($pool['checkinter']) - $checkinter = "check inter {$pool['checkinter']}"; - else - $checkinter = "check inter 1000"; - - $a_servers = &$pool['ha_servers']['item']; - foreach($a_servers as $be) { - if(!$be['port']) { - // the listener can specify a default port - $be['port'] = $backend['svrport']; - } - if(!$be['port']) { - // last resort, use the frontend port - $ports = split(",", "{$backend['port']},"); - $be['port'] = $ports[0]; - } - if (!$be['name']) - $be['name'] = $be['address']; - if($be['backup']) { - $isbackup = "backup"; - } else { - $isbackup = ""; - } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); - } - - } + $aclname = $i . "_" . $entry['name']; + fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); + fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + $i++; } + } fwrite ($fd, "\n"); } - // Sync HAProxy configuration (if enabled) - if(isset($config['installedpackages']['haproxy']['enablesync'])) { - if($config['installedpackages']['haproxy']['synchost1']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost2']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost3']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], - $config['installedpackages']['haproxy']['syncpassword']); + } + if (is_array($a_pendingpl) && is_array($a_pools)) { + foreach ($a_pendingpl as $pending) { + foreach ($a_pools as $pool) { + if ($pending['frontend']['pool'] == $pool['name']) { + write_backend($fd, $pending['name'], $pool, $pending['frontend']); + } } } } + fwrite ($fd, "\n"); + + // Sync HAProxy configuration (if enabled) + if(isset($config['installedpackages']['haproxy']['enablesync'])) { + if($config['installedpackages']['haproxy']['synchost1']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost2']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost3']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], + $config['installedpackages']['haproxy']['syncpassword']); + } + } // create config file fclose($fd); + if (isset($a_global['carpdev'])) + haproxy_install_cron(true); + else + haproxy_install_cron(false); + $freebsd_version = substr(trim(`uname -r`), 0, 1); if(!file_exists("/usr/bin/limits")) { exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); exec("chmod a+rx /usr/bin/limits"); } +} + +function haproxy_is_running() { + $running = (shell_exec("/bin/pgrep -x haproxy") != ''); + return $running; +} + +function haproxy_check_run($reload) { + global $config, $g; + + $a_global = &$config['installedpackages']['haproxy']; exec("/usr/bin/limits -n 300014"); - // reload haproxy if(isset($a_global['enable'])) { - if(is_process_running('haproxy')) { + if (isset($a_global['carpdev'])) { + $status = get_carp_interface_status($a_global['carpdev']); + if ($status != "MASTER") { + if (haproxy_is_running()) { + log_error("Stopping haproxy on CARP backup."); + exec("/bin/pkill -F /var/run/haproxy.pid haproxy"); + } + return (0); + } else if (haproxy_is_running() && $reload == 0) { + return (0); + } + log_error("Starting haproxy on CARP master."); + /* fallthrough */ + } else if ($reload == 0) + return (0); + + if (haproxy_is_running()) { exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -st `cat /var/run/haproxy.pid`"); } else { exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D"); } return (0); } else { + if ($reload && haproxy_is_running()) { + exec("/bin/pkill -F /var/run/haproxy.pid haproxy"); + } return (1); } + } function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { diff --git a/config/haproxy-dev/haproxy_global.php b/config/haproxy-dev/haproxy_global.php index f7864a4d..7f4ce483 100755 --- a/config/haproxy-dev/haproxy_global.php +++ b/config/haproxy-dev/haproxy_global.php @@ -56,6 +56,9 @@ if ($_POST) { $reqdfieldsn = explode(",", "Maximum connections"); } + if ($_POST['carpdev'] == "disabled") + unset($_POST['carpdev']); + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if ($_POST['maxconn'] && (!is_numeric($_POST['maxconn']))) @@ -78,6 +81,7 @@ if ($_POST) { $config['installedpackages']['haproxy']['remotesyslog'] = $_POST['remotesyslog'] ? $_POST['remotesyslog'] : false; $config['installedpackages']['haproxy']['logfacility'] = $_POST['logfacility'] ? $_POST['logfacility'] : false; $config['installedpackages']['haproxy']['loglevel'] = $_POST['loglevel'] ? $_POST['loglevel'] : false; + $config['installedpackages']['haproxy']['carpdev'] = $_POST['carpdev'] ? $_POST['carpdev'] : false; $config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false; $config['installedpackages']['haproxy']['advanced'] = base64_encode($_POST['advanced']) ? $_POST['advanced'] : false; $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; @@ -98,6 +102,7 @@ $pconfig['synchost3'] = $config['installedpackages']['haproxy']['synchost3']; $pconfig['remotesyslog'] = $config['installedpackages']['haproxy']['remotesyslog']; $pconfig['logfacility'] = $config['installedpackages']['haproxy']['logfacility']; $pconfig['loglevel'] = $config['installedpackages']['haproxy']['loglevel']; +$pconfig['carpdev'] = $config['installedpackages']['haproxy']['carpdev']; $pconfig['advanced'] = base64_decode($config['installedpackages']['haproxy']['advanced']); $pconfig['nbproc'] = $config['installedpackages']['haproxy']['nbproc']; @@ -271,6 +276,34 @@ function enable_change(enable_change) { </td> </tr> <tr> + <td valign="top" class="vncell"> + Carp monitor + </td> + <td class="vtable"> + <select name="carpdev" class="formfld"> + <option value="disabled" <?php if (!isset($pconfig['carpdev'])) echo "selected"; ?>> + disabled + </option> + <?php + if(is_array($config['virtualip']['vip'])) { + foreach($config['virtualip']['vip'] as $carp): + if ($carp['mode'] != "carp") continue; + $ipaddress = $carp['subnet']; + $carp_int = find_carp_interface($ipaddress); + ?> + <option value="<?=$carp_int;?>" <?php if ($carp_int == $pconfig['carpdev']) echo "selected"; ?>> + <?=$carp_int;?> (<?=$ipaddress;?>) + </option> + <?php + endforeach; + } + ?> + </select> + <br/> + Monitor carp interface and only run haproxy on the firewall which is MASTER. + </td> + </tr> + <tr> <td> </td> diff --git a/config/haproxy-dev/haproxy_pool_edit.php b/config/haproxy-dev/haproxy_pool_edit.php index 6087e9d7..d25f0675 100755 --- a/config/haproxy-dev/haproxy_pool_edit.php +++ b/config/haproxy-dev/haproxy_pool_edit.php @@ -52,7 +52,6 @@ if (isset($id) && $a_pools[$id]) { $pconfig['checkinter'] = $a_pools[$id]['checkinter']; $pconfig['monitor_uri'] = $a_pools[$id]['monitor_uri']; $pconfig['cookie'] = $a_pools[$id]['cookie']; - $pconfig['status'] = $a_pools[$id]['status']; $pconfig['advanced'] = base64_decode($a_pools[$id]['advanced']); $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item']; } @@ -145,7 +144,6 @@ if ($_POST) { $pool['ha_servers']['item']=$a_servers; update_if_changed("name", $pool['name'], $_POST['name']); - update_if_changed("status", $pool['status'], $_POST['status']); update_if_changed("cookie", $pool['cookie'], $_POST['cookie']); update_if_changed("advanced", $pool['advanced'], base64_encode($_POST['advanced'])); update_if_changed("checkinter", $pool['checkinter'], $_POST['checkinter']); @@ -231,15 +229,6 @@ function clearcombo(){ </td> </tr> <tr align="left"> - <td width="22%" valign="top" class="vncellreq">Status</td> - <td width="78%" class="vtable" colspan="2"> - <select name="status"> - <option value="active" <?php if($pconfig['status']=='active') echo "SELECTED";?>>active</option> - <option value="inactive" <?php if($pconfig['status']=='inactive') echo "SELECTED";?>>inactive</option> - </select> - </td> - </tr> - <tr align="left"> <td width="22%" valign="top" class="vncell">Cookie</td> <td width="78%" class="vtable" colspan="2"> <input name="cookie" type="text" <?if(isset($pconfig['cookie'])) echo "value=\"{$pconfig['cookie']}\"";?>size="64"><br/> diff --git a/config/haproxy-dev/haproxy_pools.php b/config/haproxy-dev/haproxy_pools.php index 78a1fdff..c5adc70b 100755 --- a/config/haproxy-dev/haproxy_pools.php +++ b/config/haproxy-dev/haproxy_pools.php @@ -103,38 +103,41 @@ include("head.inc"); <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td width="30%" class="listhdrr">Name</td> - <td width="20%" class="listhdrr">Status</td> - <td width="30%" class="listhdrr">Listener</td> + <td width="10%" class="listhdrr">Servers</td> + <td width="40%" class="listhdrr">Listener</td> <td width="10%" class="list"></td> </tr> <?php $i = 0; foreach ($a_pools as $pool): + + $fe_list = ""; + $sep = ""; + foreach ($a_backends as $backend) { + if($backend['pool'] == $pool['name']) { + $fe_list .= $sep . $backend['name']; + $sep = ", "; + } + } $textss = $textse = ""; - if ($pool['status'] != 'active') { + if ($fe_list == "") { $textss = "<span class=\"gray\">"; $textse = "</span>"; } + if (is_array($pool['ha_servers']['item'])) + $count = count($pool['ha_servers']['item']); + else + $count = 0; ?> <tr> <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> <?=$textss . $pool['name'] . $textse;?> </td> <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> - <?=$textss . $pool['status'] . $textse;?> + <?=$textss . $count . $textse;?> </td> <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> -<?php - echo $textss; - $sep = ""; - foreach ($a_backends as $backend) { - if($backend['pool'] == $pool['name']) { - echo $sep . $backend['name']; - $sep = ", "; - } - } - echo $textse; -?> + <?=$textss . $fe_list . $textse;?> </td> <td class="list" nowrap> <table border="0" cellspacing="0" cellpadding="1"> diff --git a/config/haproxy-stable/haproxy.inc b/config/haproxy-stable/haproxy.inc new file mode 100644 index 00000000..5cc61e4b --- /dev/null +++ b/config/haproxy-stable/haproxy.inc @@ -0,0 +1,581 @@ +<?php +/* + haproxy.inc + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("notices.inc"); + +$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; + +$a_acltypes = array(); +$a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); +$a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); +$a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', + 'mode' =>'http', 'syntax' => 'hdr(host) -i'); +$a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); +$a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); +$a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', + 'mode' => 'http', 'syntax' => 'path_beg -i'); +$a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', + 'mode' => 'http', 'syntax' => 'path_end -i'); +$a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', + 'mode' => 'http', 'syntax' => 'path -i'); +$a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', + 'mode' => 'http', 'syntax' => 'path_reg -i'); +$a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', + 'mode' => 'http', 'syntax' => 'path_dir -i'); +$a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', + 'mode' => '', 'syntax' => 'src'); + +function haproxy_custom_php_deinstall_command() { + exec("rm /usr/local/sbin/haproxy"); + exec("rm /usr/local/pkg/haproxy.inc"); + exec("rm /usr/local/www/haproxy*"); +} + +function haproxy_custom_php_install_command() { + global $g, $config; + conf_mount_rw(); + + $haproxy = <<<EOD +#!/bin/sh + +# PROVIDE: haproxy +# REQUIRE: LOGIN +# KEYWORD: FreeBSD + +. /etc/rc.subr + +name="haproxy" +rcvar=`set_rcvar` +command="/usr/local/bin/haproxy" +haproxy_enable=\${haproxy-"YES"} + +start_cmd="haproxy_start" +stop_postcmd="haproxy_stop" + +load_rc_config \$name + +haproxy_start () { + echo "Starting haproxy." + /usr/bin/env \ + PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ + /usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDOFF + <?php + require_once("globals.inc"); + require_once("functions.inc"); + require_once("haproxy.inc"); + haproxy_configure(); + ?> +ENDOFF +} + +haproxy_stop () { + echo "Stopping haproxy." + killall haproxy +} + +run_rc_command "\$1" + +EOD; + + $fd = fopen("/usr/local/etc/rc.d/haproxy.sh", "w"); + fwrite($fd, $haproxy); + fclose($fd); + exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh"); + + conf_mount_ro(); + + exec("/usr/local/etc/rc.d/haproxy.sh start"); +} + +function haproxy_find_acl($name) { + global $a_acltypes; + + /* XXX why is this broken from xmlsync? */ + if (!$a_acltypes) { + $a_acltypes = array(); + $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); + $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); + $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', + 'mode' =>'http', 'syntax' => 'hdr(host) -i'); + $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); + $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); + $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', + 'mode' => 'http', 'syntax' => 'path_beg -i'); + $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', + 'mode' => 'http', 'syntax' => 'path_end -i'); + $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', + 'mode' => 'http', 'syntax' => 'path -i'); + $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', + 'mode' => 'http', 'syntax' => 'path_reg -i'); + $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', + 'mode' => 'http', 'syntax' => 'path_dir -i'); + $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', + 'mode' => '', 'syntax' => 'src'); + } + + if($a_acltypes) { + foreach ($a_acltypes as $acl) { + if ($acl['name'] == $name) + return $acl; + } + } +} + +function write_backend($fd, $name, $pool, $frontend) { + if($pool['status'] != 'active' || !is_array($pool['ha_servers']['item'])) + continue; + + fwrite ($fd, "backend " . $name . "\n"); + if($pool['cookie_name'] && strtolower($frontend['type']) == "http") + fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); + + // https is an alias for tcp for clarity purpouses + if(strtolower($frontend['type']) == "https") { + $backend_type = "tcp"; + $httpchk = "ssl-hello-chk"; + } else { + $backend_type = $frontend['type']; + $httpchk = "httpchk"; + } + + fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + + if($frontend['balance']) + fwrite ($fd, "\tbalance\t\t\t" . $frontend['balance'] . "\n"); + + if($frontend['connection_timeout']) + fwrite ($fd, "\tcontimeout\t\t" . $frontend['connection_timeout'] . "\n"); + + if($frontend['server_timeout']) + fwrite ($fd, "\tsrvtimeout\t\t" . $frontend['server_timeout'] . "\n"); + + if($frontend['retries']) + fwrite ($fd, "\tretries\t\t\t" . $frontend['retries'] . "\n"); + + if($frontend['stats_enabled']=='yes') { + fwrite ($fd, "\tstats\t\t\tenable\n"); + if($frontend['stats_uri']) + fwrite ($fd, "\tstats\t\t\turi ".$frontend['stats_uri']."\n"); + if($frontend['stats_realm']) + fwrite ($fd, "\tstats\t\t\trealm " . $frontend['stats_realm'] . "\n"); + else + fwrite ($fd, "\tstats\t\t\trealm .\n"); + fwrite ($fd, "\tstats\t\t\tauth " . $frontend['stats_username'].":". $frontend['stats_password']."\n"); + } + + $uri = $pool['monitor_uri']; + if ($pool['monitor_uri']) + $uri = $pool['monitor_uri']; + else + $uri = "/"; + fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); + + if($pool['cookie'] && strtolower($frontend['type']) == "http") + $cookie = " cookie {$pool['cookie']} "; + else + $cookie = ""; + if($pool['advanced']) { + $advanced = base64_decode($pool['advanced']); + $advanced_txt = " " . $advanced; + } else { + $advanced_txt = ""; + } + if($pool['checkinter']) + $checkinter = "check inter {$pool['checkinter']}"; + else if (strtolower($frontend['type']) != "tcp") + $checkinter = "check inter 1000"; + else + $checkinter = ""; + + $a_servers = &$pool['ha_servers']['item']; + foreach($a_servers as $be) { + if(!$be['port']) { + // the listener can specify a default port + $be['port'] = $frontend['svrport']; + } + if(!$be['port']) { + // last resort, use the frontend port + $ports = split(",", "{$frontend['port']},"); + $be['port'] = $ports[0]; + } + if (!$be['name']) + $be['name'] = $be['address']; + if($be['backup']) { + $isbackup = "backup"; + } else { + $isbackup = ""; + } + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); + } + fwrite ($fd, "\n"); +} + +function haproxy_configure() { + global $config, $g; + + $a_global = &$config['installedpackages']['haproxy']; + $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + + $fd = fopen("{$g['varetc_path']}/haproxy.cfg", "w"); + + if(is_array($a_global)) { + fwrite ($fd, "global\n"); + if($a_global['advanced']) + fwrite ($fd, "\t" . base64_decode($a_global['advanced']) . "\n"); + fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); + if($a_global['remotesyslog']) + fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n"); + fwrite ($fd, "\tuid\t\t\t80\n"); + fwrite ($fd, "\tgid\t\t\t80\n"); + // Set numprocs if defined or use system default (#cores) + if($a_global['nbproc']) + $numprocs = $a_global['nbproc']; + else + $numprocs = trim(`/sbin/sysctl kern.smp.cpus | cut -d" " -f2`); + fwrite ($fd, "\tnbproc\t\t\t$numprocs\n"); + fwrite ($fd, "\tchroot\t\t\t/var/empty\n"); + fwrite ($fd, "\tdaemon\n"); + fwrite ($fd, "\n"); + } + + // Try and get a unique array for address:port as frontends can duplicate + $a_bind = array(); + if(is_array($a_backends)) { + foreach ($a_backends as $backend) { + if($backend['status'] != 'active') + continue; + if(!$backend['pool']) + continue; + + $bname = $backend['extaddr'] . ":" . $backend['port']; + if (!is_array($a_bind[$bname])) { + $a_bind[$bname] = array(); + $a_bind[$bname]['config'] = array(); + // Settings which are constant for a merged frontend + $a_bind[$bname]['name'] = $backend['name']; + $a_bind[$bname]['defaultpool'] = $backend['pool'] . "_" . strtolower($backend['type']); + $a_bind[$bname]['extaddr'] = $backend['extaddr']; + $a_bind[$bname]['port'] = $backend['port']; + } + $b = &$a_bind[$bname]; + + // Overwrite ? + $b['type'] = $backend['type']; + $b['forwardfor'] = $backend['forwardfor']; + $b['httpclose'] = $backend['httpclose']; + $b['max_connections'] = $backend['max_connections']; + $b['client_timeout'] = $backend['client_timeout']; + $b['advanced'] = $backend['advanced']; + + // pointer to each backend + $b['config'][] = $backend; + } + } + + $a_pendingpl = array(); + + // Construct and write out configuration file + if(is_array($a_bind)) { + foreach ($a_bind as $bind) { + if (count($bind['config']) > 1) + $frontendinfo = "frontend {$bind['name']}-merged\n"; + else + $frontendinfo = "frontend {$bind['name']}\n"; + + // Prepare ports for processing by splitting + $portss = "{$bind['port']},"; + $ports = split(",", $portss); + + // Initialize variable + $listenip = ""; + + // Process and add bind directives for ports + foreach($ports as $port) { + if($port) { + if($bind['extaddr'] == "any") + $listenip .= "\tbind\t\t\t0.0.0.0:{$port}\n"; + elseif($bind['extaddr']) + $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port}\n"; + else + $listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port}\n"; + } + } + + fwrite ($fd, "{$frontendinfo}"); + fwrite ($fd, "{$listenip}"); + + // Advanced pass thru + if($bind['advanced']) { + $advanced = base64_decode($bind['advanced']); + fwrite($fd, "\t" . $advanced . "\n"); + } + + // https is an alias for tcp for clarity purpouses + if(strtolower($bind['type']) == "https") { + $backend_type = "tcp"; + $httpchk = "ssl-hello-chk"; + } else { + $backend_type = $bind['type']; + $httpchk = "httpchk"; + } + + fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + fwrite ($fd, "\tlog\t\t\tglobal\n"); + fwrite ($fd, "\toption\t\t\tdontlognull\n"); + + if($bind['httpclose']) + fwrite ($fd, "\toption\t\t\thttpclose\n"); + + if($bind['forwardfor']) + fwrite ($fd, "\toption\t\t\tforwardfor\n"); + + if($bind['max_connections']) + fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); + + if($bind['client_timeout']) + fwrite ($fd, "\tclitimeout\t\t" . $bind['client_timeout'] . "\n"); + + fwrite ($fd, "\tdefault_backend\t\t" . $bind['defaultpool'] . "\n"); + + // Combine the rest of the listener configs + $i = 0; + foreach ($bind['config'] as $bconfig) { + $a_acl=&$bconfig['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); + + $poolname = $bconfig['pool'] . "_" . strtolower($bconfig['type']); + if (!isset($a_pendingpl[$poolname])) { + $a_pendingpl[$poolname] = array(); + $a_pendingpl[$poolname]['name'] = $poolname; + $a_pendingpl[$poolname]['frontend'] = $bconfig; + } + + foreach ($a_acl as $entry) { + $acl = haproxy_find_acl($entry['expression']); + if (!$acl) + continue; + + // Filter out acls for different modes + if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type'])) + continue; + + if ($acl['syntax'] != '') + $expr = $acl['syntax'] . " " . $entry['value']; + else + $expr = $entry['expression'] . " " . $entry['value']; + + $aclname = $i . "_" . $entry['name']; + fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); + fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + $i++; + } + + } + fwrite ($fd, "\n"); + } + } + if (is_array($a_pendingpl) && is_array($a_pools)) { + foreach ($a_pendingpl as $pending) { + foreach ($a_pools as $pool) { + if ($pending['frontend']['pool'] == $pool['name']) { + write_backend($fd, $pending['name'], $pool, $pending['frontend']); + } + } + } + } + fwrite ($fd, "\n"); + + // Sync HAProxy configuration (if enabled) + if(isset($config['installedpackages']['haproxy']['enablesync'])) { + if($config['installedpackages']['haproxy']['synchost1']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost2']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost3']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], + $config['installedpackages']['haproxy']['syncpassword']); + } + } + + // create config file + fclose($fd); + + $freebsd_version = substr(trim(`uname -r`), 0, 1); + if(!file_exists("/usr/bin/limits")) { + exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); + exec("chmod a+rx /usr/bin/limits"); + } + + exec("/usr/bin/limits -n 300014"); + + // reload haproxy + if(isset($a_global['enable'])) { + if(is_process_running('haproxy')) { + exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -st `cat /var/run/haproxy.pid`"); + } else { + exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D"); + } + return (0); + } else { + return (1); + } +} + +function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { + global $config, $g; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + // Do not allow syncing to self. + $donotsync = false; + $lanip = find_interface_ip($config['interfaces']['lan']['if']); + if($lanip == $sync_to_ip) + $donotsync = true; + $wanip = find_interface_ip($config['interfaces']['wan']['if']); + if($wanip == $sync_to_ip) + $donotsync = true; + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + $optip = find_interface_ip($config['interfaces']['opt' . $j]['if']); + if($optip == $sync_to_ip) + $donotsync = true; + } + if($donotsync) { + log_error("Disallowing sync loop for HAProxy sync."); + return; + } + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['haproxy'] = $config['installedpackages']['haproxy']; + + // Prevent sync loops + unset($xml['synchost1']); + unset($xml['synchost2']); + unset($xml['synchost3']); + unset($xml['syncpassword']); + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning HAProxy XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); + } else { + log_error("HAProxy XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell haproxy to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/haproxy.inc');\n"; + $execcmd .= "haproxy_configure();\n"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("HAProxy XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Reload", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); + } else { + log_error("HAProxy XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } +} + +?> diff --git a/config/haproxy-stable/haproxy.xml b/config/haproxy-stable/haproxy.xml new file mode 100644 index 00000000..3a0be0ec --- /dev/null +++ b/config/haproxy-stable/haproxy.xml @@ -0,0 +1,110 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + haproxy.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2009 Scott Ullrich + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>haproxy</name> + <version>1.0</version> + <title>HAProxy</title> + <aftersaveredirect>/pkg_ediwt.php?xml=haproxy_pools.php</aftersaveredirect> + <include_file>/usr/local/pkg/haproxy.inc</include_file> + <menu> + <name>HAProxy</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <url>/haproxy_listeners.php</url> + </menu> + <service> + <name>HAProxy</name> + <rcfile>haproxy.sh</rcfile> + <executable>haproxy</executable> + <description>The Reliable, High Performance TCP/HTTP Load Balancer</description> + </service> + <configpath>installedpackages->haproxy->config</configpath> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-stable/haproxy.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-stable/haproxy_listeners.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-stable/haproxy_listeners_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-stable/haproxy_global.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-stable/haproxy_pools.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-stable/haproxy_pool_edit.php</item> + </additional_files_needed> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_resync_config_command> + </custom_php_resync_config_command> + <custom_php_install_command> + $freebsdv=trim(`uname -r | cut -d'.' -f1`); + conf_mount_rw(); + `fetch -q -o /usr/local/sbin/ http://www.pfsense.org/packages/config/haproxy-dev/binaries{$freebsdv}/haproxy`; + exec("chmod a+rx /usr/local/sbin/haproxy"); + haproxy_custom_php_install_command(); + </custom_php_install_command> + <custom_php_deinstall_command> + haproxy_custom_php_deinstall_command(); + </custom_php_deinstall_command> + <custom_php_command_before_form> + </custom_php_command_before_form> +</packagegui> diff --git a/config/haproxy-stable/haproxy_global.php b/config/haproxy-stable/haproxy_global.php new file mode 100755 index 00000000..f7864a4d --- /dev/null +++ b/config/haproxy-stable/haproxy_global.php @@ -0,0 +1,378 @@ +<?php +/* $Id: load_balancer_pool.php,v 1.5.2.6 2007/03/02 23:48:32 smos Exp $ */ +/* + haproxy_global.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("globals.inc"); +require("guiconfig.inc"); +require_once("haproxy.inc"); + +$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; + +if (!is_array($config['installedpackages']['haproxy'])) + $config['installedpackages']['haproxy'] = array(); + + +if ($_POST) { + unset($input_errors); + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + config_lock(); + $retval = haproxy_configure(); + config_unlock(); + $savemsg = get_std_save_message($retval); + unlink_if_exists($d_haproxyconfdirty_path); + } else { + if ($_POST['enable']) { + $reqdfields = explode(" ", "maxconn"); + $reqdfieldsn = explode(",", "Maximum connections"); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if ($_POST['maxconn'] && (!is_numeric($_POST['maxconn']))) + $input_errors[] = "The maximum number of connections should be numeric."; + + if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1'])) + $input_errors[] = "Synchost1 needs to be an IPAddress."; + if($_POST['synchost2'] && !is_ipaddr($_POST['synchost2'])) + $input_errors[] = "Synchost2 needs to be an IPAddress."; + if($_POST['synchost3'] && !is_ipaddr($_POST['synchost3'])) + $input_errors[] = "Synchost3 needs to be an IPAddress."; + + if (!$input_errors) { + $config['installedpackages']['haproxy']['enable'] = $_POST['enable'] ? true : false; + $config['installedpackages']['haproxy']['maxconn'] = $_POST['maxconn'] ? $_POST['maxconn'] : false; + $config['installedpackages']['haproxy']['enablesync'] = $_POST['enablesync'] ? true : false; + $config['installedpackages']['haproxy']['synchost1'] = $_POST['synchost1'] ? $_POST['synchost1'] : false; + $config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost2'] ? $_POST['synchost2'] : false; + $config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost3'] ? $_POST['synchost3'] : false; + $config['installedpackages']['haproxy']['remotesyslog'] = $_POST['remotesyslog'] ? $_POST['remotesyslog'] : false; + $config['installedpackages']['haproxy']['logfacility'] = $_POST['logfacility'] ? $_POST['logfacility'] : false; + $config['installedpackages']['haproxy']['loglevel'] = $_POST['loglevel'] ? $_POST['loglevel'] : false; + $config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false; + $config['installedpackages']['haproxy']['advanced'] = base64_encode($_POST['advanced']) ? $_POST['advanced'] : false; + $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; + touch($d_haproxyconfdirty_path); + write_config(); + } + } + +} + +$pconfig['enable'] = isset($config['installedpackages']['haproxy']['enable']); +$pconfig['maxconn'] = $config['installedpackages']['haproxy']['maxconn']; +$pconfig['enablesync'] = isset($config['installedpackages']['haproxy']['enablesync']); +$pconfig['syncpassword'] = $config['installedpackages']['haproxy']['syncpassword']; +$pconfig['synchost1'] = $config['installedpackages']['haproxy']['synchost1']; +$pconfig['synchost2'] = $config['installedpackages']['haproxy']['synchost2']; +$pconfig['synchost3'] = $config['installedpackages']['haproxy']['synchost3']; +$pconfig['remotesyslog'] = $config['installedpackages']['haproxy']['remotesyslog']; +$pconfig['logfacility'] = $config['installedpackages']['haproxy']['logfacility']; +$pconfig['loglevel'] = $config['installedpackages']['haproxy']['loglevel']; +$pconfig['advanced'] = base64_decode($config['installedpackages']['haproxy']['advanced']); +$pconfig['nbproc'] = $config['installedpackages']['haproxy']['nbproc']; + +// defaults +if (!$pconfig['logfacility']) + $pconfig['logfacility'] = 'local0'; +if (!$pconfig['loglevel']) + $pconfig['loglevel'] = 'info'; + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Services: HAProxy: Settings"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<script type="text/javascript" src="javascript/scriptaculous/prototype.js"></script> +<script type="text/javascript" src="javascript/scriptaculous/scriptaculous.js"></script> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- +function enable_change(enable_change) { + var endis; + endis = !(document.iform.enable.checked || enable_change); + document.iform.maxconn.disabled = endis; +} +//--> +</script> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> +<form action="haproxy_global.php" method="post" name="iform"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> +<?php print_info_box_np("The load balancer configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php endif; ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", true, "haproxy_global.php"); + $tab_array[] = array("Listener", false, "haproxy_listeners.php"); + $tab_array[] = array("Server Pool", false, "haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">General settings</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <input name="enable" type="checkbox" value="yes" <?php if ($pconfig['enable']) echo "checked"; ?> onClick="enable_change(false)"> + <strong>Enable HAProxy</strong></td> + </tr> + <tr> + <td valign="top" class="vncell"> + Maximum connections + </td> + <td class="vtable"> + <table><tr><td> + <table cellpadding="0" cellspacing="0"> + <tr> + <td> + <input name="maxconn" type="text" class="formfld" id="maxconn" size="5" <?if ($pconfig['enable']!='yes') echo "enabled=\"false\"";?> value="<?=htmlspecialchars($pconfig['maxconn']);?>"> per Backend. + </td> + </tr> + </table> + Sets the maximum per-process number of concurrent connections to X.<br/> + <strong>NOTE:</strong> setting this value too high will result in HAProxy not being able to allocate enough memory.<br/> + <?php + $hascpu = trim(`top | grep haproxy | awk '{ print $6 }'`); + if($hascpu) + echo "<p>Current memory usage {$hascpu}.</p>"; + ?> + </td><td> + <table style="border: 1px solid #000;"> + <tr> + <td><font size=-1>Connections</td> + <td><font size=-1>Memory usage</td> + </tr> + <tr> + <td colspan="2"> + <hr noshade style="border: 1px solid #000;"> + </td> + </tr> + <tr> + <td align="right"><font size=-1>999</td> + <td><font size=-1>1888K</td> + </tr> + <tr> + <td align="right"><font size=-1>99999</td> + <td><font size=-1>8032K</td> + </tr> + <tr> + <td align="right"><font size=-1>999999</td> + <td><font size=-1>50016K</td> + </tr> + <tr> + <td align="right"><font size=-1>9999999</td> + <td><font size=-1>467M</td> + </tr> + </table> + </td></tr></table> + </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Number of processes to start + </td> + <td class="vtable"> + <input name="nbproc" type="text" class="formfld" id="nbproc" size="18" value="<?=htmlspecialchars($pconfig['nbproc']);?>"> + <br/> + Defaults to number of cores/processors installed if left blank (<?php echo trim(`/sbin/sysctl kern.smp.cpus | cut -d" " -f2`); ?> detected). + </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Remote syslog host + </td> + <td class="vtable"> + <input name="remotesyslog" type="text" class="formfld" id="remotesyslog" size="18" value="<?=htmlspecialchars($pconfig['remotesyslog']);?>"> + </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Syslog facility + </td> + <td class="vtable"> + <select name="logfacility" class="formfld"> + <?php + $facilities = array("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", + "news", "uucp", "cron", "auth2", "ftp", "ntp", "audit", "alert", "cron2", + "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"); + foreach ($facilities as $f): + ?> + <option value="<?=$f;?>" <?php if ($f == $pconfig['logfacility']) echo "selected"; ?>> + <?=$f;?> + </option> + <?php + endforeach; + ?> + </select> + </td> + </tr> + <tr> + <td valign="top" class="vncell"> + Syslog level + </td> + <td class="vtable"> + <select name="loglevel" class="formfld"> + <?php + $levels = array("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"); + foreach ($levels as $l): + ?> + <option value="<?=$l;?>" <?php if ($l == $pconfig['loglevel']) echo "selected"; ?>> + <?=$l;?> + </option> + <?php + endforeach; + ?> + </select> + </td> + </tr> + <tr> + <td> + + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Global Advanced pass thru</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <br/> + NOTE: paste text into this box that you would like to pass thru in the global settings area. + </td> + </tr> + <tr> + <td> + + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="listtopic">Configuration synchronization</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <input name="enablesync" type="checkbox" value="yes" <?php if ($pconfig['enablesync']) echo "checked"; ?>> + <strong>Sync HAProxy configuration to backup CARP members via XMLRPC.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Synchronization password</td> + <td width="78%" class="vtable"> + <input name="syncpassword" type="password" value="<?=$pconfig['syncpassword'];?>"> + <br/> + <strong>Enter the password that will be used during configuration synchronization. This is generally the remote webConfigurator password.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sync host #1</td> + <td width="78%" class="vtable"> + <input name="synchost1" value="<?=$pconfig['synchost1'];?>"> + <br/> + <strong>Synchronize settings to this hosts IP address.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sync host #2</td> + <td width="78%" class="vtable"> + <input name="synchost2" value="<?=$pconfig['synchost2'];?>"> + <br/> + <strong>Synchronize settings to this hosts IP address.</strong> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sync host #3</td> + <td width="78%" class="vtable"> + <input name="synchost3" value="<?=$pconfig['synchost3'];?>"> + <br/> + <strong>Synchronize settings to this hosts IP address.</strong> + </td> + </tr> + <tr> + <td> + + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)"> + </td> + </td> + </tr> + </table> + </div> +</table> + +<?php if(file_exists("/var/etc/haproxy.cfg")): ?> + <p/> + <div id="configuration" style="display:none; border-style:dashed; padding: 8px;"> + <b><i>/var/etc/haproxy.cfg file contents:</b></i> + <?php + if(file_exists("/var/etc/haproxy.cfg")) { + echo "<pre>" . trim(file_get_contents("/var/etc/haproxy.cfg")) . "</pre>"; + } + ?> + </div> + <div id="showconfiguration"> + <a onClick="new Effect.Fade('showconfiguration'); new Effect.Appear('configuration'); setTimeout('scroll_after_fade();', 250); return false;" href="#">Show</a> automatically generated configuration. + </div> +<?php endif; ?> + +</form> +<script language="JavaScript"> + function scroll_after_fade() { + scrollTo(0,99999999999); + } +<!-- +enable_change(false); +//--> +</script> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/haproxy-stable/haproxy_listeners.php b/config/haproxy-stable/haproxy_listeners.php new file mode 100755 index 00000000..ef67108b --- /dev/null +++ b/config/haproxy-stable/haproxy_listeners.php @@ -0,0 +1,172 @@ +<?php +/* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ +/* + haproxy_baclkends.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("guiconfig.inc"); + +$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; + +require_once("haproxy.inc"); + +if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { + $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); +} +$a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; + +if ($_POST) { + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + config_lock(); + $retval = haproxy_configure(); + config_unlock(); + $savemsg = get_std_save_message($retval); + unlink_if_exists($d_haproxyconfdirty_path); + } +} + +if ($_GET['act'] == "del") { + if (isset($a_backend[$_GET['id']])) { + if (!$input_errors) { + unset($a_backend[$_GET['id']]); + write_config(); + touch($d_haproxyconfdirty_path); + } + header("Location: haproxy_listeners.php"); + exit; + } +} + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Services: HAProxy: Listener"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<form action="haproxy_listeners.php" method="post"> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> +<?php print_info_box_np("The virtual server configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php endif; ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", false, "haproxy_global.php"); + $tab_array[] = array("Listener", true, "haproxy_listeners.php"); + $tab_array[] = array("Server Pool", false, "haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="20%" class="listhdrr">Name</td> + <td width="30%" class="listhdrr">Description</td> + <td width="20%" class="listhdrr">Address</td> + <td width="10%" class="listhdrr">Type</td> + <td width="10%" class="listhdrr">Server pool</td> + <td width="5%" class="list"></td> + </tr> +<?php + $i = 0; + foreach ($a_backend as $backend): + $textss = $textse = ""; + if ($backend['status'] != 'active') { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + } +?> + <tr> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$i;?>';"> + <?=$textss . $backend['name'] . $textse;?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$i;?>';"> + <?=$textss . $backend['desc'] . $textse;?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$i;?>';"> +<?php + echo $textss; + if($backend['extaddr'] == "any") + echo "0.0.0.0"; + elseif($backend['extaddr']) + echo $backend['extaddr']; + else + echo get_current_wan_address('wan'); + echo ":" . $backend['port']; + echo $textse; +?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$i;?>';"> + <?=$textss . $backend['type'] . $textse;?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$i;?>';"> + <?=$textss . $backend['pool'] . $textse;?> + </td> + <td class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_listeners_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_listeners.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_listeners_edit.php?dup=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="5"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_listeners_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + </table> + </div> + </table> + </form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/haproxy-stable/haproxy_listeners_edit.php b/config/haproxy-stable/haproxy_listeners_edit.php new file mode 100755 index 00000000..21258c9d --- /dev/null +++ b/config/haproxy-stable/haproxy_listeners_edit.php @@ -0,0 +1,771 @@ +<?php +/* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ +/* + haproxy_listeners_edit.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("haproxy.inc"); + +function haproxy_acl_select($mode) { + global $a_acltypes; + + $seltext = ''; + foreach ($a_acltypes as $expr) { + if ($expr['mode'] == '' || $expr['mode'] == $mode) + $seltext .= "<option value='" . $expr['name'] . "'>" . $expr['descr'] .":</option>"; + } + return $seltext; +} + +$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; + +if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { + $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); +} + +$a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; +$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + + +if (isset($_POST['id'])) + $id = $_POST['id']; +else + $id = $_GET['id']; + +if (isset($_GET['dup'])) + $id = $_GET['dup']; + +if (isset($id) && $a_backend[$id]) { + $pconfig['name'] = $a_backend[$id]['name']; + $pconfig['desc'] = $a_backend[$id]['desc']; + $pconfig['status'] = $a_backend[$id]['status']; + $pconfig['connection_timeout'] = $a_backend[$id]['connection_timeout']; + $pconfig['server_timeout'] = $a_backend[$id]['server_timeout']; + $pconfig['retries'] = $a_backend[$id]['retries']; + + $pconfig['type'] = $a_backend[$id]['type']; + $pconfig['balance'] = $a_backend[$id]['balance']; + + $pconfig['forwardfor'] = $a_backend[$id]['forwardfor']; + $pconfig['httpclose'] = $a_backend[$id]['httpclose']; + + $pconfig['stats_enabled'] = $a_backend[$id]['stats_enabled']; + $pconfig['stats_username'] = $a_backend[$id]['stats_username']; + $pconfig['stats_password'] = $a_backend[$id]['stats_password']; + $pconfig['stats_uri'] = $a_backend[$id]['stats_uri']; + $pconfig['stats_realm'] = $a_backend[$id]['stats_realm']; + + $pconfig['type'] = $a_backend[$id]['type']; + $pconfig['extaddr'] = $a_backend[$id]['extaddr']; + $pconfig['pool'] = $a_backend[$id]['pool']; + $pconfig['max_connections'] = $a_backend[$id]['max_connections']; + $pconfig['client_timeout'] = $a_backend[$id]['client_timeout']; + $pconfig['port'] = $a_backend[$id]['port']; + $pconfig['svrport'] = $a_backend[$id]['svrport']; + $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item']; + $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']); + +} + +if (isset($_GET['dup'])) + unset($id); + +$changedesc = "Services: HAProxy: Listener"; +$changecount = 0; + +if ($_POST) { + $changecount++; + + unset($input_errors); + $pconfig = $_POST; + + if ($_POST['stats_enabled']) { + $reqdfields = explode(" ", "name connection_timeout server_timeout stats_username stats_password stats_uri stats_realm"); + $reqdfieldsn = explode(",", "Name,Connection timeout,Server timeout,Stats Username,Stats Password,Stats Uri,Stats Realm"); + } else { + $reqdfields = explode(" ", "name connection_timeout server_timeout"); + $reqdfieldsn = explode(",", "Name,Connection timeout,Server timeout"); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + $reqdfields = explode(" ", "name type port max_connections client_timeout"); + $reqdfieldsn = explode(",", "Name,Type,Port,Max connections,Client timeout"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['name'])) + $input_errors[] = "The field 'Name' contains invalid characters."; + + if (!is_numeric($_POST['connection_timeout'])) + $input_errors[] = "The field 'Connection timeout' value is not a number."; + + if (!is_numeric($_POST['server_timeout'])) + $input_errors[] = "The field 'Server timeout' value is not a number."; + + if (!$_POST['retries'] && is_numeric($_POST['retries'])) + $input_errors[] = "The field 'Retries' value is not a number."; + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_username'])) + $input_errors[] = "The field 'Stats Username' contains invalid characters."; + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_password'])) + $input_errors[] = "The field 'Stats Password' contains invalid characters."; + + if (!is_numeric($_POST['max_connections'])) + $input_errors[] = "The field 'Max connections' value is not a number."; + + $ports = split(",", $_POST['port'] . ","); + foreach($ports as $port) + if ($port && !is_numeric($port)) + $input_errors[] = "The field 'Port' value is not a number."; + + if (!is_numeric($_POST['client_timeout'])) + $input_errors[] = "The field 'Client timeout' value is not a number."; + + /* Ensure that our pool names are unique */ + for ($i=0; isset($config['installedpackages']['haproxy']['ha_backends']['item'][$i]); $i++) + if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_backends']['item'][$i]['name']) && ($i != $id)) + $input_errors[] = "This listener name has already been used. Listener names must be unique."; + + $a_acl=array(); + $acl_names=array(); + for($x=0; $x<99; $x++) { + $acl_name=$_POST['acl_name'.$x]; + $acl_expression=$_POST['acl_expression'.$x]; + $acl_value=$_POST['acl_value'.$x]; + + if ($acl_name) { + // check for duplicates + if (in_array($acl_name, $acl_names)) { + $input_errors[] = "The name '$acl_name' is duplicate."; + } + + $acl_names[]=$acl_name; + + $acl=array(); + $acl['name']=$acl_name; + $acl['expression']=$acl_expression; + $acl['value']=$acl_value; + $a_acl[]=$acl; + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $acl_name)) + $input_errors[] = "The field 'Name' contains invalid characters."; + + if (!preg_match("/.{2,}/", $acl_value)) + $input_errors[] = "The field 'Value' is required."; + + if (!preg_match("/.{2,}/", $acl_name)) + $input_errors[] = "The field 'Name' is required."; + + } + } + + $pconfig['a_acl']=$a_acl; + + if (!$input_errors) { + $backend = array(); + if(isset($id) && $a_backend[$id]) + $backend = $a_backend[$id]; + + if($backend['name'] != "") + $changedesc .= " modified '{$backend['name']}' pool:"; + + + update_if_changed("name", $backend['name'], $_POST['name']); + update_if_changed("description", $backend['desc'], $_POST['desc']); + update_if_changed("status", $backend['status'], $_POST['status']); + update_if_changed("connection_timeout", $backend['connection_timeout'], $_POST['connection_timeout']); + update_if_changed("server_timeout", $backend['server_timeout'], $_POST['server_timeout']); + update_if_changed("retries", $backend['retries'], $_POST['retries']); + update_if_changed("type", $backend['type'], $_POST['type']); + update_if_changed("balance", $backend['balance'], $_POST['balance']); + update_if_changed("cookie_name", $backend['cookie_name'], $_POST['cookie_name']); + update_if_changed("forwardfor", $backend['forwardfor'], $_POST['forwardfor']); + update_if_changed("httpclose", $backend['httpclose'], $_POST['httpclose']); + update_if_changed("stats_enabled", $backend['stats_enabled'], $_POST['stats_enabled']); + update_if_changed("stats_username", $backend['stats_username'], $_POST['stats_username']); + update_if_changed("stats_password", $backend['stats_password'], $_POST['stats_password']); + update_if_changed("stats_uri", $backend['stats_uri'], $_POST['stats_uri']); + update_if_changed("stats_realm", $backend['stats_realm'], $_POST['stats_realm']); + update_if_changed("type", $backend['type'], $_POST['type']); + update_if_changed("port", $backend['port'], $_POST['port']); + update_if_changed("svrport", $backend['svrport'], $_POST['svrport']); + update_if_changed("extaddr", $backend['extaddr'], $_POST['extaddr']); + update_if_changed("pool", $backend['pool'], $_POST['pool']); + update_if_changed("max_connections", $backend['max_connections'], $_POST['max_connections']); + update_if_changed("client_timeout", $backend['client_timeout'], $_POST['client_timeout']); + update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced'])); + + $backend['ha_acls']['item'] = $a_acl; + + if (isset($id) && $a_backend[$id]) { + $a_backend[$id] = $backend; + } else { + $a_backend[] = $backend; + } + + if ($changecount > 0) { + touch($d_haproxyconfdirty_path); + write_config($changedesc); + } + + header("Location: haproxy_listeners.php"); + exit; + } +} + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "HAProxy: Listener: Edit"; +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php if($one_two): ?> +<script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> +<script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> +<?php endif; ?> +<script type="text/javascript"> + // Global Variables + var rowname = new Array(99); + var rowtype = new Array(99); + var newrow = new Array(99); + var rowsize = new Array(99); + + for (i = 0; i < 99; i++) { + rowname[i] = ''; + rowtype[i] = ''; + newrow[i] = ''; + rowsize[i] = '25'; + } + + var field_counter_js = 0; + var loaded = 0; + var is_streaming_progress_bar = 0; + var temp_streaming_text = ""; + + var addRowTo = (function() { + return (function (tableId) { + var d, tbody, tr, td, bgc, i, ii, j, type, seltext; + var btable, btbody, btr, btd; + + d = document; + type = d.getElementById("type").value; + if (type == 'health') + seltext = "<?php echo haproxy_acl_select('health');?>"; + else if (type == 'tcp') + seltext = "<?php echo haproxy_acl_select('tcp');?>"; + else if (type == 'https') + seltext = "<?php echo haproxy_acl_select('https');?>"; + else + seltext = "<?php echo haproxy_acl_select('http');?>"; + if (seltext == '') { + alert("No ACL types available in current listener mode"); + return; + } + + tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0); + tr = d.createElement("tr"); + totalrows++; + tr.setAttribute("id","aclrow" + totalrows); + for (i = 0; i < field_counter_js; i++) { + td = d.createElement("td"); + if(rowtype[i] == 'textbox') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + + "'></input> "; + } else if(rowtype[i] == 'select') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><select name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + + "'>" + seltext + "</select> "; + } else { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input type='checkbox' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "'></input> "; + } + tr.appendChild(td); + } + td = d.createElement("td"); + td.rowSpan = "1"; + td.setAttribute("class","list"); + + // Recreate the button table. + btable = document.createElement("table"); + btable.setAttribute("border", "0"); + btable.setAttribute("cellspacing", "0"); + btable.setAttribute("cellpadding", "1"); + btbody = document.createElement("tbody"); + btr = document.createElement("tr"); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;">'; + btr.appendChild(btd); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", 'acltable'); return false;\">"; + btr.appendChild(btd); + btbody.appendChild(btr); + btable.appendChild(btbody); + + td.appendChild(btable); + tr.appendChild(td); + tbody.appendChild(tr); + }); + })(); + + function dupRow(rowId, tableId) { + var dupEl; + var newEl; + + addRowTo(tableId); + for (i = 0; i < field_counter_js; i++) { + dupEl = document.getElementById(rowname[i] + rowId); + newEl = document.getElementById(rowname[i] + totalrows); + if (dupEl && newEl) + newEl.value = dupEl.value; + } + } + + function removeRow(el) { + var cel; + // Break out of one table first + while (el && el.nodeName.toLowerCase() != "table") + el = el.parentNode; + while (el && el.nodeName.toLowerCase() != "tr") + el = el.parentNode; + + if (el && el.parentNode) { + cel = el.getElementsByTagName("td").item(0); + el.parentNode.removeChild(el); + } + } + + function find_unique_field_name(field_name) { + // loop through field_name and strip off -NUMBER + var last_found_dash = 0; + for (var i = 0; i < field_name.length; i++) { + // is this a dash, if so, update + // last_found_dash + if (field_name.substr(i,1) == "-" ) + last_found_dash = i; + } + if (last_found_dash < 1) + return field_name; + return(field_name.substr(0,last_found_dash)); + } + + rowname[0] = "acl_name"; + rowtype[0] = "textbox"; + rowsize[0] = "20"; + + rowname[1] = "acl_expression"; + rowtype[1] = "select"; + rowsize[1] = "10"; + + rowname[2] = "acl_value"; + rowtype[2] = "textbox"; + rowsize[2] = "35"; + + function toggle_stats() { + var stats_enabled=document.getElementById('stats_enabled'); + var stats_realm_row=document.getElementById('stats_realm_row'); + var stats_username_row=document.getElementById('stats_username_row'); + var stats_password_row=document.getElementById('stats_password_row'); + var stats_uri_row=document.getElementById('stats_uri_row'); + + if (stats_enabled.checked) { + stats_realm_row.style.display=''; + stats_username_row.style.display=''; + stats_password_row.style.display=''; + stats_uri_row.style.display=''; + } else { + stats_realm_row.style.display='none'; + stats_username_row.style.display='none'; + stats_password_row.style.display='none'; + stats_uri_row.style.display='none'; + } + } + function type_change() { + var type, d, i, j, el, row; + var count = <?=count($a_acltypes);?>; + var acl = [ <?php foreach ($a_acltypes as $expr) echo "'".$expr['name']."'," ?> ]; + var mode = [ <?php foreach ($a_acltypes as $expr) echo "'".$expr['mode']."'," ?> ]; + + d = document; + type = d.getElementById("type").value; + for (i = 0; i < 99; i++) { + el = d.getElementById("acl_expression" + i); + row = d.getElementById("aclrow" + i); + if (!el) + continue; + for (j = 0; j < count; j++) { + if (acl[j] == el.value) { + if (mode[j] != '' && mode[j] != type) { + Effect.Fade(row,{ duration: 1.0 }); + } else { + Effect.Appear(row,{ duration: 1.0 }); + } + } + } + } + } +</script> +<?php include("fbegin.inc"); ?> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<form action="haproxy_listeners_edit.php" method="post" name="iform" id="iform"> +<?php endif; ?> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Edit haproxy listener</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Name</td> + <td width="78%" class="vtable" colspan="2"> + <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="25" maxlength="25"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Description</td> + <td width="78%" class="vtable" colspan="2"> + <input name="desc" type="text" <?if(isset($pconfig['desc'])) echo "value=\"{$pconfig['desc']}\"";?> size="64"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Status</td> + <td width="78%" class="vtable" colspan="2"> + <select name="status" id="status"> + <option value="active"<?php if($pconfig['status'] == "active") echo " SELECTED"; ?>>Active</option> + <option value="disabled"<?php if($pconfig['status'] == "disabled") echo " SELECTED"; ?>>Disabled</option> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">External address</td> + <td width="78%" class="vtable"> + <select name="extaddr" class="formfld"> + <option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option> + <?php + if (is_array($config['virtualip']['vip'])): + foreach ($config['virtualip']['vip'] as $sn): + ?> + <option value="<?=$sn['subnet'];?>" <?php if ($sn['subnet'] == $pconfig['extaddr']) echo "selected"; ?>> + <?=htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");?> + </option> + <?php + endforeach; + endif; + ?> + <option value="any" <?php if($pconfig['extaddr'] == "any") echo "selected"; ?>>any</option> + </select> + <br /> + <span class="vexpl"> + If you want this rule to apply to another IP address than the IP address of the interface chosen above, + select it here (you need to define <a href="firewall_virtual_ip.php">Virtual IP</a> addresses on the first). + Also note that if you are trying to redirect connections on the LAN select the "any" option. + </span> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">External port</td> + <td width="78%" class="vtable" colspan="2"> + <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="10" maxlength="10"> + <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443</div> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Server pool</td> + <td width="78%" class="vtable"> + <select name="pool" class="formfld"> + <?php + if (is_array($a_pools)) { + foreach ($a_pools as $p): + ?> + <option value="<?=$p['name'];?>" <?php if ($p['name'] == $pconfig['pool']) echo "selected"; ?>> + <?=htmlspecialchars("{$p['name']}");?> + </option> + <?php + endforeach; + } else { + ?> + <option value="-">-</option> + <?php + } + ?> + </select> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Server Port</td> + <td width="78%" class="vtable" colspan="2"> + <input name="svrport" type="text" <?if(isset($pconfig['svrport'])) echo "value=\"{$pconfig['svrport']}\"";?> size="10" maxlength="10"> + <div>The default server port.</div> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Type</td> + <td width="78%" class="vtable" colspan="2"> + <select name="type" id="type" onchange="type_change();"> + <option value="http"<?php if($pconfig['type'] == "http") echo " SELECTED"; ?>>HTTP</option> + <option value="https"<?php if($pconfig['type'] == "https") echo " SELECTED"; ?>>HTTPS</option> + <option value="tcp"<?php if($pconfig['type'] == "tcp") echo " SELECTED"; ?>>TCP</option> + <option value="health"<?php if($pconfig['type'] == "health") echo " SELECTED"; ?>>Health</option> + </select> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Access Control lists</td> + <td width="78%" class="vtable" colspan="2" valign="top"> + <table class="" width="100%" cellpadding="0" cellspacing="0" id='acltable'> + <tr> + <td width="35%" class="">Name</td> + <td width="40%" class="">Expression</td> + <td width="20%" class="">Value</td> + <td width="5%" class=""></td> + </tr> + <?php + $a_acl=$pconfig['a_acl']; + + if (!is_array($a_acl)) { + $a_acl=array(); + } + + $counter=0; + foreach ($a_acl as $acl) { + $t = haproxy_find_acl($acl['expression']); + $display = ''; + if (!$t || ($t['mode'] != '' && $t['mode'] != strtolower($pconfig['type']))) + $display = 'style="display: none;"'; + ?> + <tr id="aclrow<?=$counter;?>" <?=$display;?>> + <td><input name="acl_name<?=$counter;?>" id="acl_name<?=$counter;?>" type="text" value="<?=$acl['name']; ?>" size="20"/></td> + <td> + <select name="acl_expression<?=$counter;?>" id="acl_expression<?=$counter;?>"> + <?php + foreach ($a_acltypes as $expr) { ?> + <option value="<?=$expr['name'];?>"<?php if($acl['expression'] == $expr['name']) echo " SELECTED"; ?>><?=$expr['descr'];?>:</option> + <?php } ?> + </select> + </td> + <td><input name="acl_value<?=$counter;?>" id="acl_value<?=$counter;?>" type="text" value="<?=$acl['value']; ?>" size="35"/></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"><tr> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;"> + </td> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'acltable'); return false;"> + </td></tr></table> + </td> + </tr> + <?php + $counter++; + } + ?> + </table> + <a onclick="javascript:addRowTo('acltable'); return false;" href="#"> + <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" alt="" title="add another entry" /> + </a><br/> + For more information about ACL's please see <a href='http://haproxy.1wt.eu/download/1.3/doc/configuration.txt' target='_new'>HAProxy Documentation</a> Section 7 - Using ACL's + </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Advanced settings</td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Connection timeout</td> + <td width="78%" class="vtable" colspan="2"> + <input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="64"> + <div>the time (in milliseconds) we give up if the connection does not complete within (30000).</div> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Server timeout</td> + <td width="78%" class="vtable" colspan="2"> + <input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="64"> + <div>the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (30000).</div> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Retries</td> + <td width="78%" class="vtable" colspan="2"> + <input name="retries" type="text" <?if(isset($pconfig['retries'])) echo "value=\"{$pconfig['retries']}\"";?> size="64"> + <div>After a connection failure to a server, it is possible to retry, potentially +on another server. This is useful if health-checks are too rare and you don't +want the clients to see the failures. The number of attempts to reconnect is +set by the 'retries' parameter (2).</div> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Balance</td> + <td width="78%" class="vtable" colspan="2"> + <table width="100%"> + <tr> + <td width="20%" valign="top"> + <input type="radio" name="balance" id="balance" value="roundrobin"<?php if($pconfig['balance'] == "roundrobin") echo " CHECKED"; ?>>Round robin + </td> + <td> + Each server is used in turns, according to their weights. + This is the smoothest and fairest algorithm when the server's + processing time remains equally distributed. This algorithm + is dynamic, which means that server weights may be adjusted + on the fly for slow starts for instance. + </td> + </tr> + <tr><td valign="top"><input type="radio" name="balance" id="balance" value="source"<?php if($pconfig['balance'] == +"source") echo " CHECKED"; ?>>Source</td><td> + The source IP address is hashed and divided by the total + weight of the running servers to designate which server will + receive the request. This ensures that the same client IP + address will always reach the same server as long as no + server goes down or up. If the hash result changes due to the + number of running servers changing, many clients will be + directed to a different server. This algorithm is generally + used in TCP mode where no cookie may be inserted. It may also + be used on the Internet to provide a best-effort stickyness + to clients which refuse session cookies. This algorithm is + static, which means that changing a server's weight on the + fly will have no effect. + </td> + </tr> + </table> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Stats Enabled</td> + <td width="78%" class="vtable" colspan="2"> + <input id="stats_enabled" name="stats_enabled" type="checkbox" value="yes" <?php if ($pconfig['stats_enabled']=='yes') echo "checked"; ?> onclick='toggle_stats();'><br/> + EXAMPLE: haproxystats + </td> + </tr> + <tr align="left" id='stats_realm_row' name='stats_realm_row' <?if ($pconfig['stats_enabled']!='yes') echo "style=\"display: none;\"";?>> + <td width="22%" valign="top" class="vncellreq">Stats Realm</td> + <td width="78%" class="vtable" colspan="2"> + <input id="stats_realm" name="stats_realm" type="text" <?if(isset($pconfig['stats_realm'])) echo "value=\"{$pconfig['stats_realm']}\"";?> size="64"> + </td> + </tr> + <tr align="left" id='stats_uri_row' name='stats_uri_row' <?if ($pconfig['stats_enabled']!='yes') echo "style=\"display: none;\"";?>> + <td width="22%" valign="top" class="vncellreq">Stats Uri</td> + <td width="78%" class="vtable" colspan="2"> + <input id="stats_uri" name="stats_uri" type="text" <?if(isset($pconfig['stats_uri'])) echo "value=\"{$pconfig['stats_uri']}\"";?> size="64"><br/> + EXAMPLE: /haproxy?stats + </td> + </tr> + <tr align="left" id='stats_username_row' name='stats_username_row' <?if ($pconfig['stats_enabled']!='yes') echo "style=\"display: none;\"";?>> + <td width="22%" valign="top" class="vncellreq">Stats Username</td> + <td width="78%" class="vtable" colspan="2"> + <input id="stats_username" name="stats_username" type="text" <?if(isset($pconfig['stats_username'])) echo "value=\"{$pconfig['stats_username']}\"";?> size="64"> + </td> + </tr> + + <tr align="left" id='stats_password_row' name='stats_password_row' <?if ($pconfig['stats_enabled']!='yes') echo "style=\"display: none;\"";?>> + <td width="22%" valign="top" class="vncellreq">Stats Password</td> + <td width="78%" class="vtable" colspan="2"> + <input id="stats_password" name="stats_password" type="password" <?if(isset($pconfig['stats_password'])) echo "value=\"{$pconfig['stats_password']}\"";?> size="64"> + <br/> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Max connections</td> + <td width="78%" class="vtable" colspan="2"> + <input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Client timeout</td> + <td width="78%" class="vtable" colspan="2"> + <input name="client_timeout" type="text" <?if(isset($pconfig['client_timeout'])) echo "value=\"{$pconfig['client_timeout']}\"";?> size="10" maxlength="10"> + <div>the time (in milliseconds) we accept to wait for data from the client, or for the client to accept data (30000).</div> + </td> + </tr> +<?php +?> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Use 'forwardfor' option</td> + <td width="78%" class="vtable" colspan="2"> + <input id="forwardfor" name="forwardfor" type="checkbox" value="yes" <?php if ($pconfig['forwardfor']=='yes') echo "checked"; ?>> + <br/> + The 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which + contains the client's IP address. This is useful to let the final web server + know what the client address was (eg for statistics on domains) + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Use 'httpclose' option</td> + <td width="78%" class="vtable" colspan="2"> + <input id="httpclose" name="httpclose" type="checkbox" value="yes" <?php if ($pconfig['httpclose']=='yes') echo "checked"; ?>> + <br/> + The 'httpclose' option removes any 'Connection' header both ways, and + adds a 'Connection: close' header in each direction. This makes it easier to + disable HTTP keep-alive than the previous 4-rules block. + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Advanced pass thru</td> + <td width="78%" class="vtable" colspan="2"> + <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <br/> + NOTE: paste text into this box that you would like to pass thru. + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <?php if (isset($id) && $a_backend[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?> + </td> + </tr> + <tr> + <br/> <br/> + <td colspan='3'> + <span class="vexpl"><b>NOTE:</b> You must add a firewall rule permitting access to this frontend!</span> + </td> + </tr> + </table> + </form> +<br> +<script type="text/javascript"> + field_counter_js = 3; + rows = 1; + totalrows = <?php echo $counter; ?>; + loaded = <?php echo $counter; ?>; +</script> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/haproxy-stable/haproxy_pool_edit.php b/config/haproxy-stable/haproxy_pool_edit.php new file mode 100755 index 00000000..6087e9d7 --- /dev/null +++ b/config/haproxy-stable/haproxy_pool_edit.php @@ -0,0 +1,505 @@ +<?php +/* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ +/* + haproxy_pool_edit.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; + +if (!is_array($config['installedpackages']['haproxy']['ha_pools']['item'])) { + $config['installedpackages']['haproxy']['ha_pools']['item'] = array(); +} + +$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + +if (isset($_POST['id'])) + $id = $_POST['id']; +else + $id = $_GET['id']; + +if (isset($_GET['dup'])) + $id = $_GET['dup']; + +if (isset($id) && $a_pools[$id]) { + $pconfig['name'] = $a_pools[$id]['name']; + $pconfig['checkinter'] = $a_pools[$id]['checkinter']; + $pconfig['monitor_uri'] = $a_pools[$id]['monitor_uri']; + $pconfig['cookie'] = $a_pools[$id]['cookie']; + $pconfig['status'] = $a_pools[$id]['status']; + $pconfig['advanced'] = base64_decode($a_pools[$id]['advanced']); + $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item']; +} + +if (isset($_GET['dup'])) + unset($id); + +$changedesc = "Services: HAProxy: pools: "; +$changecount = 0; + +if ($_POST) { + $changecount++; + + unset($input_errors); + $pconfig = $_POST; + + $reqdfields = explode(" ", "name"); + $reqdfieldsn = explode(",", "Name"); + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['name'])) + $input_errors[] = "The field 'Name' contains invalid characters."; + + /* Ensure that our pool names are unique */ + for ($i=0; isset($config['installedpackages']['haproxy']['ha_pools']['item'][$i]); $i++) + if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_pools']['item'][$i]['name']) && ($i != $id)) + $input_errors[] = "This pool name has already been used. Pool names must be unique."; + + $a_servers=array(); + for($x=0; $x<99; $x++) { + $server_name=$_POST['server_name'.$x]; + $server_address=$_POST['server_address'.$x]; + $server_port=$_POST['server_port'.$x]; + $server_weight=$_POST['server_weight'.$x]; + $server_backup=$_POST['server_backup'.$x]; + + if ($server_address) { + + $server=array(); + $server['name']=$server_name; + $server['address']=$server_address; + $server['port']=$server_port; + $server['weight']=$server_weight; + $server['backup']=$server_backup; + $a_servers[]=$server; + + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name)) + $input_errors[] = "The field 'Name' contains invalid characters."; + if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_address)) + $input_errors[] = "The field 'Address' contains invalid characters."; + + if (!preg_match("/.{2,}/", $server_name)) + $input_errors[] = "The field 'Name' is required."; + + if (!preg_match("/.{2,}/", $server_address)) + $input_errors[] = "The field 'Address' is required."; + + if (!preg_match("/.{2,}/", $server_weight)) + $input_errors[] = "The field 'Weight' is required."; + + if (!is_numeric($server_weight)) + $input_errors[] = "The field 'Weight' value is not a number."; + if ($server_port && !is_numeric($server_port)) + $input_errors[] = "The field 'Port' value is not a number."; + } + } + + if (!$input_errors) { + $pool = array(); + if(isset($id) && $a_pools[$id]) + $pool = $a_pools[$id]; + + if ($pool['name'] != $_POST['name']) { + // name changed: + if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { + $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); + } + $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; + + for ( $i = 0; $i < count($a_backend); $i++) { + if ($a_backend[$i]['pool'] == $pool['name']) + $a_backend[$i]['pool'] = $_POST['name']; + } + } + + if($pool['name'] != "") + $changedesc .= " modified '{$pool['name']}' pool:"; + + $pool['ha_servers']['item']=$a_servers; + + update_if_changed("name", $pool['name'], $_POST['name']); + update_if_changed("status", $pool['status'], $_POST['status']); + update_if_changed("cookie", $pool['cookie'], $_POST['cookie']); + update_if_changed("advanced", $pool['advanced'], base64_encode($_POST['advanced'])); + update_if_changed("checkinter", $pool['checkinter'], $_POST['checkinter']); + update_if_changed("monitor_uri", $pool['monitor_uri'], $_POST['monitor_uri']); + + if (isset($id) && $a_pools[$id]) { + $a_pools[$id] = $pool; + } else { + $a_pools[] = $pool; + } + + if ($changecount > 0) { + touch($d_haproxyconfdirty_path); + write_config($changedesc); + /* + echo "<PRE>"; + print_r($config); + echo "</PRE>"; + */ + } + + header("Location: haproxy_pools.php"); + exit; + } + $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item']; +} + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "HAProxy: pool: Edit"; +include("head.inc"); + +row_helper(); + +?> + +<input type='hidden' name='address_type' value='textbox' /> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<script type="text/javascript" language="javascript" src="pool.js"></script> + +<script language="javascript"> +function clearcombo(){ + for (var i=document.iform.serversSelect.options.length-1; i>=0; i--){ + document.iform.serversSelect.options[i] = null; + } + document.iform.serversSelect.selectedIndex = -1; +} +</script> +<script type="text/javascript"> + rowname[0] = "server_name"; + rowtype[0] = "textbox"; + rowsize[0] = "30"; + rowname[1] = "server_address"; + rowtype[1] = "textbox"; + rowsize[1] = "30"; + rowname[2] = "server_port"; + rowtype[2] = "textbox"; + rowsize[2] = "5"; + rowname[3] = "server_weight"; + rowtype[3] = "textbox"; + rowsize[3] = "5"; + rowname[4] = "server_backup"; + rowtype[4] = "checkbox"; + rowsize[4] = "5"; +</script> +<?php include("fbegin.inc"); ?> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> + <form action="haproxy_pool_edit.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="2" valign="top" class="listtopic">Edit HAProxy pool</td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Name</td> + <td width="78%" class="vtable" colspan="2"> + <input name="name" type="text" <?if(isset($pconfig['name'])) echo "value=\"{$pconfig['name']}\"";?> size="16" maxlength="16"> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncellreq">Status</td> + <td width="78%" class="vtable" colspan="2"> + <select name="status"> + <option value="active" <?php if($pconfig['status']=='active') echo "SELECTED";?>>active</option> + <option value="inactive" <?php if($pconfig['status']=='inactive') echo "SELECTED";?>>inactive</option> + </select> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Cookie</td> + <td width="78%" class="vtable" colspan="2"> + <input name="cookie" type="text" <?if(isset($pconfig['cookie'])) echo "value=\"{$pconfig['cookie']}\"";?>size="64"><br/> + This value will be checked in incoming requests, and the first + operational pool possessing the same value will be selected. In return, in + cookie insertion or rewrite modes, this value will be assigned to the cookie + sent to the client. There is nothing wrong in having several servers sharing + the same cookie value, and it is in fact somewhat common between normal and + backup servers. See also the "cookie" keyword in backend section. + + </td> + </tr> + <tr align="left"> + <td class="vncellreq" colspan="3">Server list</td> + </tr> + <tr> + <td width="78%" class="vtable" colspan="2" valign="top"> + <table class="" width="100%" cellpadding="0" cellspacing="0" id='servertable'> + <tr> + <td width="30%" class="">Name</td> + <td width="30%" class="">Address</td> + <td width="18%" class="">Port</td> + <td width="18%" class="">Weight</td> + <td width="5%" class="">Backup</td> + <td width="4%" class=""></td> + </tr> + <?php + $a_servers=$pconfig['a_servers']; + + if (!is_array($a_servers)) { + $a_servers=array(); + } + + $counter=0; + foreach ($a_servers as $server) { + ?> + <tr id="tr_view_<?=$counter;?>" name="tr_view_<?=$counter;?>"> + <td class="vtable"><?=$server['name']; ?></td> + <td class="vtable"><?=$server['address']; ?></td> + <td class="vtable"><?=$server['port']; ?></td> + <td class="vtable"><?=$server['weight']; ?></td> + <td class="vtable"><?=$server['backup']; ?></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"><tr> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit entry" width="17" height="17" border="0" onclick="editRow(<?=$counter;?>); return false;"> + </td> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'servertable'); return false;"> + </td></tr></table> + </td> + </tr> + <tr id="tr_edit_<?=$counter;?>" name="tr_edit_<?=$counter;?>" style="display: none;"> + <td class="vtable"> + <input name="server_name<?=$counter;?>" id="server_name<?=$counter;?>" type="text" value="<?=$server['name']; ?>" size="30"/></td> + <td class="vtable"> + <input name="server_address<?=$counter;?>" id="server_address<?=$counter;?>" type="text" value="<?=$server['address']; ?>" size="30"/></td> + <td class="vtable"> + <input name="server_port<?=$counter;?>" id="server_port<?=$counter;?>" type="text" value="<?=$server['port']; ?>" size="5"/></td> + <td class="vtable"> + <input name="server_weight<?=$counter;?>" id="server_weight<?=$counter;?>" type="text" value="<?=$server['weight']; ?>" size="5"/></td> + <td class="vtable"> + <input name="server_backup<?=$counter;?>" id="server_backup<?=$counter;?>" type="checkbox" value="yes" <?php if ($server['backup']=='yes') echo "checked"; ?>/></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"><tr> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;"> + </td> + <td valign="middle"> + <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="duplicate entry" width="17" height="17" border="0" onclick="dupRow(<?=$counter;?>, 'servertable'); return false;"> + </td></tr></table> + </td> + </tr> + <?php + $counter++; + } + ?> + </table> + <a onclick="javascript:addRowTo('servertable'); return false;" href="#"> + <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" alt="" title="add another entry" /> + </a> + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Check freq</td> + <td width="78%" class="vtable" colspan="2"> + <input name="checkinter" type="text" <?if(isset($pconfig['checkinter'])) echo "value=\"{$pconfig['checkinter']}\"";?>size="20"> milliseconds + <br/>Defaults to 1000 if left blank. + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Health check URI</td> + <td width="78%" class="vtable" colspan="2"> + <input name="monitor_uri" type="text" <?if(isset($pconfig['monitor_uri'])) echo "value=\"{$pconfig['monitor_uri']}\"";?>size="64"> + <br/>Defaults to / if left blank. + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top" class="vncell">Advanced pass thru</td> + <td width="78%" class="vtable" colspan="2"> + <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <br/> + NOTE: paste text into this box that you would like to pass thru. + </td> + </tr> + <tr align="left"> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> + <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <?php if (isset($id) && $a_pools[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?> + </td> + </tr> + </table> + </form> +<br> +<?php include("fend.inc"); ?> +<script type="text/javascript"> + field_counter_js = 5; + rows = 1; + totalrows = <?php echo $counter; ?>; + loaded = <?php echo $counter; ?>; +</script> +</body> +</html> + +<?php + +function row_helper() { + echo <<<EOF +<script type="text/javascript"> +// Global Variables +var rowname = new Array(99); +var rowtype = new Array(99); +var newrow = new Array(99); +var rowsize = new Array(99); + +for (i = 0; i < 99; i++) { + rowname[i] = ''; + rowtype[i] = ''; + newrow[i] = ''; + rowsize[i] = '25'; +} + +var field_counter_js = 0; +var loaded = 0; +var is_streaming_progress_bar = 0; +var temp_streaming_text = ""; + +var addRowTo = (function() { + return (function (tableId) { + var d, tbody, tr, td, bgc, i, ii, j; + var btable, btbody, btr, btd; + + d = document; + tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0); + tr = d.createElement("tr"); + totalrows++; + for (i = 0; i < field_counter_js; i++) { + td = d.createElement("td"); + if(rowtype[i] == 'textbox') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "'></input> "; + } else if(rowtype[i] == 'select') { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><select size='" + rowsize[i] + "' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "'>$options</select> "; + } else { + td.innerHTML="<INPUT type='hidden' value='" + totalrows +"' name='" + rowname[i] + "_row-" + totalrows + + "'></input><input type='checkbox' name='" + rowname[i] + totalrows + + "' id='" + rowname[i] + totalrows + "' value='yes'></input> "; + } + td.setAttribute("class","vtable"); + tr.appendChild(td); + } + td = d.createElement("td"); + td.rowSpan = "1"; + td.setAttribute("class","list"); + + // Recreate the button table. + btable = document.createElement("table"); + btable.setAttribute("border", "0"); + btable.setAttribute("cellspacing", "0"); + btable.setAttribute("cellpadding", "1"); + btbody = document.createElement("tbody"); + btr = document.createElement("tr"); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;">'; + btr.appendChild(btd); + btd = document.createElement("td"); + btd.setAttribute("valign", "middle"); + btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", 'servertable'); return false;\">"; + btr.appendChild(btd); + btbody.appendChild(btr); + btable.appendChild(btbody); + + td.appendChild(btable); + tr.appendChild(td); + tbody.appendChild(tr); + }); +})(); + +function dupRow(rowId, tableId) { + var dupEl; + var newEl; + + addRowTo(tableId); + for (i = 0; i < field_counter_js; i++) { + dupEl = document.getElementById(rowname[i] + rowId); + newEl = document.getElementById(rowname[i] + totalrows); + if (dupEl && newEl) + if(rowtype[i] == 'checkbox') + newEl.checked = dupEl.checked; + else + newEl.value = dupEl.value; + } +} + +function removeRow(el) { + var cel; + // Break out of one table first + while (el && el.nodeName.toLowerCase() != "table") + el = el.parentNode; + while (el && el.nodeName.toLowerCase() != "tr") + el = el.parentNode; + + if (el && el.parentNode) { + cel = el.getElementsByTagName("td").item(0); + el.parentNode.removeChild(el); + } +} +function editRow(num) { + var trview = document.getElementById('tr_view_' + num); + var tredit = document.getElementById('tr_edit_' + num); + + trview.style.display='none'; + tredit.style.display=''; +} + +function find_unique_field_name(field_name) { + // loop through field_name and strip off -NUMBER + var last_found_dash = 0; + for (var i = 0; i < field_name.length; i++) { + // is this a dash, if so, update + // last_found_dash + if (field_name.substr(i,1) == "-" ) + last_found_dash = i; + } + if (last_found_dash < 1) + return field_name; + return(field_name.substr(0,last_found_dash)); +} +</script> + +EOF; + +} + +?> diff --git a/config/haproxy-stable/haproxy_pools.php b/config/haproxy-stable/haproxy_pools.php new file mode 100755 index 00000000..78a1fdff --- /dev/null +++ b/config/haproxy-stable/haproxy_pools.php @@ -0,0 +1,166 @@ +<?php +/* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ +/* + haproxy_pools.php + part of pfSense (http://www.pfsense.com/) + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("guiconfig.inc"); +require_once("haproxy.inc"); + +$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; + +if (!is_array($config['installedpackages']['haproxy']['ha_pools']['item'])) { + $config['installedpackages']['haproxy']['ha_pools']['item'] = array(); +} +if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { + $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); +} + +$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; +$a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + +if ($_POST) { + $pconfig = $_POST; + + if ($_POST['apply']) { + $retval = 0; + config_lock(); + $retval = haproxy_configure(); + config_unlock(); + $savemsg = get_std_save_message($retval); + unlink_if_exists($d_haproxyconfdirty_path); + } +} + +if ($_GET['act'] == "del") { + if (isset($a_pools[$_GET['id']])) { + unset($a_pools[$_GET['id']]); + write_config(); + touch($d_haproxyconfdirty_path); + } + header("Location: haproxy_pools.php"); + exit; +} + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Services: HAProxy: Server pools"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<?php if($one_two): ?> +<p class="pgtitle"><?=$pgtitle?></p> +<?php endif; ?> +<form action="haproxy_pools.php" method="post"> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php if (file_exists($d_haproxyconfdirty_path)): ?><p> +<?php print_info_box_np("The virtual pool configuration has been changed.<br>You must apply the changes in order for them to take effect.");?><br> +<?php endif; ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> + <?php + /* active tabs */ + $tab_array = array(); + $tab_array[] = array("Settings", false, "haproxy_global.php"); + $tab_array[] = array("Listener", false, "haproxy_listeners.php"); + $tab_array[] = array("Server Pool", true, "haproxy_pools.php"); + display_top_tabs($tab_array); + ?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="30%" class="listhdrr">Name</td> + <td width="20%" class="listhdrr">Status</td> + <td width="30%" class="listhdrr">Listener</td> + <td width="10%" class="list"></td> + </tr> +<?php + $i = 0; + foreach ($a_pools as $pool): + $textss = $textse = ""; + if ($pool['status'] != 'active') { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + } +?> + <tr> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> + <?=$textss . $pool['name'] . $textse;?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> + <?=$textss . $pool['status'] . $textse;?> + </td> + <td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';"> +<?php + echo $textss; + $sep = ""; + foreach ($a_backends as $backend) { + if($backend['pool'] == $pool['name']) { + echo $sep . $backend['name']; + $sep = ", "; + } + } + echo $textse; +?> + </td> + <td class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_pool_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_pools.php?act=del&id=<?=$i;?>" onclick="return confirm('Do you really want to delete this entry?')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="haproxy_pool_edit.php?dup=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="3"></td> + <td class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td valign="middle"><a href="haproxy_pool_edit.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + </table> + </div> + </table> + </form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/haproxy/haproxy.inc b/config/haproxy/haproxy.inc index 536ef1f7..a94c84fd 100644 --- a/config/haproxy/haproxy.inc +++ b/config/haproxy/haproxy.inc @@ -109,7 +109,7 @@ function haproxy_configure() { if(is_array($a_global)) { fwrite ($fd, "global\n"); if($a_global['advanced']) - fwrite ($fd, "\t" . base64deode($a_global['advanced']) . "\n"); + fwrite ($fd, "\t" . base64_decode($a_global['advanced']) . "\n"); fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); if($a_global['remotesyslog']) fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\tlocal0\n"); @@ -417,4 +417,4 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { } } -?>
\ No newline at end of file +?> diff --git a/config/iprangealiases/iprangealiases.inc b/config/iprangealiases/iprangealiases.inc new file mode 100644 index 00000000..036bc195 --- /dev/null +++ b/config/iprangealiases/iprangealiases.inc @@ -0,0 +1,18 @@ +<?php + +function iprangealiases_install() { + global $g, $config; + + // Test to make sure the patch is not already applied. + $out = `patch -fslC --reverse -p1 -b .before_iprangealiases -d / -i /usr/local/pkg/iprangealiases.patch |& grep -ci reject`; + if ($out == 0) { + // If the patch has not already been applied, test to see if it will apply cleanly. + $out = `patch -fsNlC -p1 -b .before_iprangealiases -d / -i /usr/local/pkg/iprangealiases.patch |& grep -ci reject`; + if ($out == 0) { + // The patch should apply cleanly, let 'er rip. + mwexec("patch -fsNl -p1 -b .before_iprangealiases -d / -i /usr/local/pkg/iprangealiases.patch "); + } + } +} + +?>
\ No newline at end of file diff --git a/config/iprangealiases/iprangealiases.patch b/config/iprangealiases/iprangealiases.patch new file mode 100644 index 00000000..5a80e111 --- /dev/null +++ b/config/iprangealiases/iprangealiases.patch @@ -0,0 +1,265 @@ +--- /etc/inc/util.inc.orig 2010-03-09 13:01:37.000000000 -0500 ++++ /etc/inc/util.inc 2010-03-09 13:01:40.000000000 -0500 +@@ -78,6 +78,127 @@ + return long2ip(gen_subnet_mask_long($bits)); + } + ++/* Convert IP address to unsigned long int. */ ++function ip2ulong($ip) { ++ return sprintf("%u", ip2long($ip)); ++} ++ ++/* Find out how many IPs are contained within a given IP range ++ * e.g. 192.168.0.0 to 192.168.0.255 returns 256 ++ */ ++function ip_range_size($startip, $endip) { ++ if (is_ipaddr($startip) && is_ipaddr($endip)) { ++ // Operate as unsigned long because otherwise it wouldn't work ++ // when crossing over from 127.255.255.255 / 128.0.0.0 barrier ++ return abs(ip2ulong($startip) - ip2ulong($endip)) + 1; ++ } ++ return -1; ++} ++ ++/* Find the smallest possible subnet mask which can contain a given number of IPs ++ * e.g. 512 IPs can fit in a /23, but 513 IPs need a /22 ++ */ ++function find_smallest_cidr($number) { ++ $smallest = 1; ++ for ($b=32; $b > 0; $b--) { ++ $smallest = ($number <= pow(2,$b)) ? $b : $smallest; ++ } ++ return (32-$smallest); ++} ++ ++/* Return the previous IP address before the given address */ ++function ip_before($ip) { ++ return long2ip(ip2long($ip)-1); ++} ++ ++/* Return the next IP address after the given address */ ++function ip_after($ip) { ++ return long2ip(ip2long($ip)+1); ++} ++ ++/* Return true if the first IP is 'before' the second */ ++function ip_less_than($ip1, $ip2) { ++ // Compare as unsigned long because otherwise it wouldn't work when ++ // crossing over from 127.255.255.255 / 128.0.0.0 barrier ++ return ip2ulong($ip1) < ip2ulong($ip2); ++} ++ ++/* Return true if the first IP is 'after' the second */ ++function ip_greater_than($ip1, $ip2) { ++ // Compare as unsigned long because otherwise it wouldn't work ++ // when crossing over from 127.255.255.255 / 128.0.0.0 barrier ++ return ip2ulong($ip1) > ip2ulong($ip2); ++} ++ ++/* Convert a range of IPs to an array of subnets which can contain the range. */ ++function ip_range_to_subnet_array($startip, $endip) { ++ if (!is_ipaddr($startip) || !is_ipaddr($endip)) { ++ return array(); ++ } ++ ++ // Container for subnets within this range. ++ $rangesubnets = array(); ++ ++ // Figure out what the smallest subnet is that holds the number of IPs in the given range. ++ $cidr = find_smallest_cidr(ip_range_size($startip, $endip)); ++ ++ // Loop here to reduce subnet size and retest as needed. We need to make sure ++ // that the target subnet is wholly contained between $startip and $endip. ++ for ($cidr; $cidr <= 32; $cidr++) { ++ // Find the network and broadcast addresses for the subnet being tested. ++ $targetsub_min = gen_subnet($startip, $cidr); ++ $targetsub_max = gen_subnet_max($startip, $cidr); ++ ++ // Check best case where the range is exactly one subnet. ++ if (($targetsub_min == $startip) && ($targetsub_max == $endip)) { ++ // Hooray, the range is exactly this subnet! ++ return array("{$startip}/{$cidr}"); ++ } ++ ++ // These remaining scenarios will find a subnet that uses the largest ++ // chunk possible of the range being tested, and leave the rest to be ++ // tested recursively after the loop. ++ ++ // Check if the subnet begins with $startip and ends before $endip ++ if (($targetsub_min == $startip) && ip_less_than($targetsub_max, $endip)) { ++ break; ++ } ++ ++ // Check if the subnet ends at $endip and starts after $startip ++ if (ip_greater_than($targetsub_min, $startip) && ($targetsub_max == $endip)) { ++ break; ++ } ++ ++ // Check if the subnet is between $startip and $endip ++ if (ip_greater_than($targetsub_min, $startip) && ip_less_than($targetsub_max, $endip)) { ++ break; ++ } ++ } ++ ++ // Some logic that will recursivly search from $startip to the first IP before the start of the subnet we just found. ++ // NOTE: This may never be hit, the way the above algo turned out, but is left for completeness. ++ if ($startip != $targetsub_min) { ++ $rangesubnets = array_merge($rangesubnets, ip_range_to_subnet_array($startip, ip_before($targetsub_min))); ++ } ++ ++ // Add in the subnet we found before, to preserve ordering ++ $rangesubnets[] = "{$targetsub_min}/{$cidr}"; ++ ++ // And some more logic that will search after the subnet we found to fill in to the end of the range. ++ if ($endip != $targetsub_max) { ++ $rangesubnets = array_merge($rangesubnets, ip_range_to_subnet_array(ip_after($targetsub_max), $endip)); ++ } ++ return $rangesubnets; ++} ++ ++function is_iprange($range) { ++ if (substr_count($range, '-') != 1) { ++ return false; ++ } ++ list($ip1, $ip2) = explode ('-', $range); ++ return (is_ipaddr($ip1) && is_ipaddr($ip2)); ++} ++ + function is_numericint($arg) { + return (preg_match("/[^0-9]/", $arg) ? false : true); + } +--- /usr/local/www/firewall_aliases_edit.php.orig 2010-03-09 13:08:12.000000000 -0500 ++++ /usr/local/www/firewall_aliases_edit.php 2010-03-10 18:54:36.000000000 -0500 +@@ -96,11 +96,6 @@ + $reqdfields = explode(" ", "name address"); + $reqdfieldsn = explode(",", "Name,Address"); + +- if ($_POST['type'] == "network") { +- $reqdfields[] = "address_subnet"; +- $reqdfieldsn[] = "Subnet bit count"; +- } +- + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if(strtolower($_POST['name']) == "lan") +@@ -122,10 +117,13 @@ + $input_errors[] = "A valid address must be specified."; + } + if ($_POST['type'] == "network") { +- if (!is_ipaddr($_POST['address'])) { ++ if (!is_numeric($_POST['address_subnet']) && !is_iprange($_POST['address'])) { ++ $input_errors[] = "Subnet bit count must be specified"; ++ } ++ if (!is_ipaddr($_POST['address']) && !is_iprange($_POST['address'])) { + $input_errors[] = "A valid address must be specified."; + } +- if (!is_numeric($_POST['address_subnet'])) { ++ if (!is_numeric($_POST['address_subnet']) && !is_iprange($_POST['address'])) { + $input_errors[] = "A valid subnet bit count must be specified."; + } + } +@@ -160,21 +158,28 @@ + + $alias = array(); + $alias['name'] = $_POST['name']; +- if ($_POST['type'] == "network") +- $alias['address'] = $_POST['address'] . "/" . $_POST['address_subnet']; + +- else ++ $count = 1; ++ if ($_POST['type'] == "network") { ++ if (is_iprange($_POST['address'])) { ++ list($startip, $endip) = explode('-', $_POST["address"]); ++ $rangesubnets = ip_range_to_subnet_array($startip, $endip); ++ $count = count($rangesubnets); ++ $alias['address'] .= implode($rangesubnets, ' '); ++ } else { ++ $alias['address'] = $_POST['address'] . "/" . $_POST['address_subnet']; ++ } ++ } else { + $alias['address'] = $_POST['address']; ++ } + + $address = $alias['address']; + $final_address_detail = mb_convert_encoding($_POST['detail'],"HTML-ENTITIES","auto"); +- if($final_address_detail <> "") { +- $final_address_details .= $final_address_detail; ++ if($final_address_detail <> "") { ++ $final_address_details .= str_repeat($final_address_detail . "||", $count); + } else { +- $final_address_details .= "Entry added" . " "; +- $final_address_details .= date('r'); +- } +- $final_address_details .= "||"; ++ $final_address_details .= str_repeat("Entry added " . date('r') . "||", $count); ++ } + $isfirst = 0; + + if($_POST['type'] == "url") { +@@ -234,28 +239,38 @@ + } else { + /* item is a normal alias type */ + for($x=0; $x<299; $x++) { ++ $count = 1; + $comd = "\$subnet = \$_POST['address" . $x . "'];"; + eval($comd); + $comd = "\$subnet_address = \$_POST['address_subnet" . $x . "'];"; + eval($comd); + if($subnet <> "") { +- $address .= " "; +- $address .= $subnet; +- if($subnet_address <> "") $address .= "/" . $subnet_address; ++ if ($_POST['type'] == "network" && is_iprange($subnet)) { ++ list($startip, $endip) = explode('-', $subnet); ++ $rangesubnets = ip_range_to_subnet_array($startip, $endip); ++ $count = count($rangesubnets); ++ if ($address <> "") { ++ $address .= " "; ++ } ++ $address .= implode($rangesubnets, ' '); ++ } else { ++ $address .= " " . $subnet; ++ if ($subnet_address <> "") { ++ $address .= "/" . $subnet_address; ++ } ++ } + + /* Compress in details to a single key, data separated by pipes. + Pulling details here lets us only pull in details for valid + address entries, saving us from having to track which ones to + process later. */ +- $comd = "\$final_address_detail = mb_convert_encoding(\$_POST['detail" . $x . "'],'HTML-ENTITIES','auto');"; +- eval($comd); +- if($final_address_detail <> "") { +- $final_address_details .= $final_address_detail; +- } else { +- $final_address_details .= "Entry added" . " "; +- $final_address_details .= date('r'); +- } +- $final_address_details .= "||"; ++ $comd = "\$final_address_detail = mb_convert_encoding(\$_POST['detail" . $x . "'],'HTML-ENTITIES','auto');"; ++ eval($comd); ++ if($final_address_detail <> "") { ++ $final_address_details .= str_repeat($final_address_detail . "||", $count); ++ } else { ++ $final_address_details .= str_repeat("Entry added " . date('r') . "||", $count); ++ } + } + } + } +@@ -358,7 +373,7 @@ + $url_str = gettext("URL"); + $update_freq_str = gettext("Update Freq."); + +-$networks_help = gettext("Networks can be expressed like 10.0.0.0 format. Select the CIDR (network mask) that pertains to each entry."); ++$networks_help = gettext("Networks can be expressed like 10.0.0.0 format. Select the CIDR (network mask) that pertains to each entry. You may also enter an IP Range such as 192.168.1.1-192.168.1.254."); + $hosts_help = gettext("Enter as many hosts as you would like. Hosts should be expressed in their ip address format."); + $ports_help = gettext("Enter as many ports as you wish. Port ranges can be expressed by seperating with a colon."); + $url_help = gettext("Enter as many urls as you wish. Also set the time that you would like the url refreshed in days. After saving {$g['product_name']} will download the URL and import the items into the alias."); +@@ -595,4 +610,4 @@ + } + fclose($fd); + } +-?> +\ No newline at end of file ++?> diff --git a/config/iprangealiases/iprangealiases.xml b/config/iprangealiases/iprangealiases.xml new file mode 100644 index 00000000..0464ec6a --- /dev/null +++ b/config/iprangealiases/iprangealiases.xml @@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + iprangealiases.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Patch to add IP Range Support to Network Aliases</description> + <requirements>pfSense 1.2.3</requirements> + <faq>None</faq> + <name>IP Range Aliases</name> + <version>0.2</version> + <title>IP Range Aliases</title> + <include_file>/usr/local/pkg/iprangealiases.inc</include_file> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/iprangealiases/iprangealiases.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/iprangealiases/iprangealiases.patch</item> + </additional_files_needed> + <custom_php_install_command> + iprangealiases_install(); + </custom_php_install_command> +</packagegui> diff --git a/config/nrpe2/nrpe2.inc b/config/nrpe2/nrpe2.inc index 261f2e3b..8898bc9c 100644 --- a/config/nrpe2/nrpe2.inc +++ b/config/nrpe2/nrpe2.inc @@ -32,7 +32,7 @@ function nrpe2_custom_php_install_command() $ip = $config['interfaces']['lan']['ipaddr']; - $config['installedpackages']['nrpe2']['config'][0]['enabled'] = TRUE; + $config['installedpackages']['nrpe2']['config'][0]['enabled'] = "on"; $config['installedpackages']['nrpe2']['config'][0]['server_address'] = $ip; $config['installedpackages']['nrpe2']['config'][0]['server_port'] = 5666; $config['installedpackages']['nrpe2']['config'][0]['allowed_hosts'] = "127.0.0.1"; @@ -188,4 +188,4 @@ function nrpe2_custom_php_service() } } -?>
\ No newline at end of file +?> diff --git a/config/nrpe2/nrpe2.xml b/config/nrpe2/nrpe2.xml index 723bbba9..55f96319 100644 --- a/config/nrpe2/nrpe2.xml +++ b/config/nrpe2/nrpe2.xml @@ -14,7 +14,7 @@ <url>/pkg_edit.php?xml=nrpe2.xml&id=0</url> </menu> <service> - <name>NRPEv2</name> + <name>nrpe2</name> <rcfile>nrpe2</rcfile> <executable>nrpe2</executable> <description>Nagios NRPE Daemon</description> @@ -159,6 +159,8 @@ nrpe2_custom_php_write_config(); </custom_php_deinstall_command> <custom_php_resync_config_command> + nrpe2_custom_php_write_config(); + nrpe2_custom_php_service(); </custom_php_resync_config_command> <custom_php_command_before_form> unset($_POST['temp']); diff --git a/config/open-vm-tools_2/open-vm-tools.inc b/config/open-vm-tools_2/open-vm-tools.inc new file mode 100644 index 00000000..f1dc17fb --- /dev/null +++ b/config/open-vm-tools_2/open-vm-tools.inc @@ -0,0 +1,156 @@ +<?php + +function open_vm_tools_deinstall() { + exec("rm /usr/local/etc/rc.d/vmware*"); +} + +function open_vm_tools_install() { + + $vmware_guestd = <<<EOF +#!/bin/sh +# +# This file was automatically generated +# by the pfSense package manager. +# +# Do not edit this file. Edit +# /usr/local/pkg/open-vm-tools.inc instead. +# +# PROVIDE: vmware-guestd +# REQUIRE: DAEMON +# BEFORE: LOGIN + +. /etc/rc.subr + +# Global +checkvm_cmd="/usr/local/bin/vmware-checkvm > /dev/null" + +# VMware guest daemon +name="vmware_guestd" +rcvar=`set_rcvar` +start_precmd="\${checkvm_cmd}" +unset start_cmd +stop_precmd="\${checkvm_cmd}" +unset stop_cmd +command="/usr/local/bin/vmtoolsd" +command_args="-c /usr/local/share/vmware-tools/tools.conf -p /usr/local/lib/open-vm-tools/plugins/vmsvc" +pidfile="/var/run/\${name}.pid" + +load_rc_config \$name +vmware_guestd_enable="YES" +vmware_guestd_flags="--background \${pidfile}" +run_rc_command "\$1" + +EOF; + + $vmware_kmod = <<<EOF +#!/bin/sh +# +# This file was automatically generated +# by the pfSense package manager. +# +# Do not edit this file. Edit +# /usr/local/pkg/open-vm-tools.inc instead. +# +# PROVIDE: vmware-kmod +# REQUIRE: FILESYSTEMS +# BEFORE: netif + +. /etc/rc.subr + +# Global +checkvm_cmd="/usr/local/bin/vmware-checkvm > /dev/null" + +# Functions +vmware_guest_vmmemctl_start() +{ + echo 'Loading vmmemctl kernel module.' + kldload /usr/local/lib/vmware-tools/modules/drivers/vmmemctl.ko >/dev/null 2>&1 +} +vmware_guest_vmxnet_start() +{ + echo 'Loading vmxnet kernel module.' + kldload /usr/local/lib/vmware-tools/modules/drivers/vmxnet.ko >/dev/null 2>&1 +} +vmware_guest_vmblock_start() +{ + echo 'Loading vmblock kernel module.' + kldload /usr/local/lib/vmware-tools/modules/drivers/vmblock.ko >/dev/null 2>&1 +} +vmware_guest_vmhgfs_start() +{ + echo 'Loading vmhgfs kernel module.' + kldload /usr/local/lib/vmware-tools/modules/drivers/vmhgfs.ko >/dev/null 2>&1 +} + +# VMware kernel module: vmmemctl +name="vmware_guest_vmmemctl" +rcvar=`set_rcvar` +start_precmd="\${checkvm_cmd}" +start_cmd="vmware_guest_vmmemctl_start" +stop_precmd="\${checkvm_cmd}" +stop_cmd=":" + +load_rc_config \$name +vmware_guest_vmmemctl_enable="YES" +run_rc_command "\$1" + +# VMware kernel module: vmxnet +name="vmware_guest_vmxnet" +rcvar=`set_rcvar` +start_precmd="\${checkvm_cmd}" +start_cmd="vmware_guest_vmxnet_start" +stop_precmd="\${checkvm_cmd}" +stop_cmd=":" + +load_rc_config \$name +vmware_guest_vmxnet_enable="YES" +run_rc_command "\$1" + +# VMware kernel module: vmblock +name="vmware_guest_vmblock" +rcvar=`set_rcvar` +start_precmd="\${checkvm_cmd}" +start_cmd="vmware_guest_vmblock_start" +stop_precmd="\${checkvm_cmd}" +stop_cmd=":" + +load_rc_config \$name +vmware_guest_vmblock_enable="YES" +run_rc_command "\$1" + +# VMware kernel module: vmhgfs +name="vmware_guest_vmhgfs" +rcvar=`set_rcvar` +start_precmd="\${checkvm_cmd}" +start_cmd="vmware_guest_vmhgfs_start" +stop_precmd="\${checkvm_cmd}" +stop_cmd=":" + +load_rc_config \$name +vmware_guest_vmhgfs_enable="YES" +run_rc_command "\$1" + +EOF; + + // Write out conf files. + $fd = fopen("/usr/local/etc/rc.d/vmware-guestd.sh", "w"); + if(!$fd) + die("Could not open /usr/local/etc/rc.d/vmware-guestd.sh for writing"); + fwrite($fd, $vmware_guestd); + fclose($fd); + $fd = fopen("/usr/local/etc/rc.d/vmware-kmod.sh", "w"); + if(!$fd) + die("Could not open /usr/local/etc/rc.d/vmware-kmod.sh for writing"); + fwrite($fd, $vmware_kmod); + fclose($fd); + + // Remove non used files + unlink_if_exists("/usr/local/etc/rc.d/vmware-kmod"); + unlink_if_exists("/usr/local/etc/rc.d/vmware-guestd"); + + // Make sure files are executable. + exec("chmod a+rx /usr/local/etc/rc.d/*.sh"); + +} + +?>
\ No newline at end of file diff --git a/config/open-vm-tools_2/open-vm-tools.xml b/config/open-vm-tools_2/open-vm-tools.xml new file mode 100644 index 00000000..c2a74f16 --- /dev/null +++ b/config/open-vm-tools_2/open-vm-tools.xml @@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ + /* ========================================================================== */ + /* + open-vm-tools.xml + part of pfSense (http://www.pfSense.org) + Copyright (C) 2008 BSD Perimeter LLC + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2008 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ + /* ========================================================================== */ + /* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <name>open-vm-tools</name> + <version>217847</version> + <title>Open VM Tools</title> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0644</chmod> + <item>http://www.pfsense.com/packages/config/open-vm-tools_2/open-vm-tools.inc</item> + </additional_files_needed> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_install_command> + conf_mount_rw(); + open_vm_tools_install(); + exec("/usr/local/etc/rc.d/vmware-guestd.sh start"); + exec("/usr/local/etc/rc.d/vmware-kmod.sh start"); + conf_mount_ro(); + </custom_php_install_command> + <custom_php_deinstall_command> + conf_mount_rw(); + exec("/usr/local/etc/rc.d/vmware-guestd.sh stop"); + exec("/usr/local/etc/rc.d/vmware-kmod.sh stop"); + open_vm_tools_deinstall(); + conf_mount_ro(); + </custom_php_deinstall_command> + <include_file>/usr/local/pkg/open-vm-tools.inc</include_file> +</packagegui>
\ No newline at end of file diff --git a/config/openbgpd/openbgpd_status.php b/config/openbgpd/openbgpd_status.php index cb83c6bf..2dce434d 100644 --- a/config/openbgpd/openbgpd_status.php +++ b/config/openbgpd/openbgpd_status.php @@ -94,7 +94,7 @@ function listCmds() { echo "<p>This status page includes the following information:\n"; echo "<ul width=\"700\">\n"; for ($i = 0; isset($commands[$i]); $i++ ) { - echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong>\n"; + echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong></li>\n"; } echo "</ul>\n"; } diff --git a/config/openospfd/openospfd.inc b/config/openospfd/openospfd.inc index 6d50cce9..0a5ef351 100644 --- a/config/openospfd/openospfd.inc +++ b/config/openospfd/openospfd.inc @@ -1,6 +1,6 @@ <?php /* - ospfd.inc + openospfd.inc Copyright (C) 2010 Ermal Luçi part of pfSense All rights reserved. @@ -27,6 +27,24 @@ POSSIBILITY OF SUCH DAMAGE. */ +function ospfd_display_friendlyiface () { + global $evaledvar, $config, $g; + + if (intval($g['latest_config']) >= 6) + return; + + if ($evaledvar) { + foreach ($evaledvar as $idx => $field) { + if ($field['interface']) { + if (empty($config['interfaces'][$field['interface']]['descr'])) + $evaledvar[$idx]['interface'] = strtoupper($evaledvar[$idx]['interface']); + else + $evaledvar[$idx]['interface'] = $config['interfaces'][$field['interface']]['descr']; + } + } + } +} + function ospfd_install_conf() { global $config, $g, $input_errors; @@ -41,7 +59,7 @@ function ospfd_install_conf() { if($config['installedpackages']['ospfd']['config']) $ospfd_conf = &$config['installedpackages']['ospfd']['config'][0]; else { - log_error("OSPFd: No config data found."); + log_error("OpenOSPFd: No config data found."); return; } @@ -54,13 +72,21 @@ function ospfd_install_conf() { if ($ospfd_conf['updatefib']) $conffile .= "fib-update no\n"; + if (is_array($ospfd_conf['row'])) { + foreach ($ospfd_conf['row'] as $redistr) { + if (isset($redistr['redistribute'])) + $conffile .= "no "; + $conffile .= "redistribute {$redistr['routevalue']}\n"; + } + } + if ($ospfd_conf['redistributeconnectedsubnets']) $conffile .= "redistribute connected\n"; if ($ospfd_conf['redistributedefaultroute']) $conffile .= "redistribute default\n"; - if ($ospfd_conf['resdistributestatic']) + if ($ospfd_conf['redistributestatic']) $conffile .= "redistribute static\n"; if ($ospfd_conf['spfholdtime']) @@ -75,9 +101,17 @@ function ospfd_install_conf() { $conffile .= "area {$ospfd_conf['area']} {\n"; if ($config['installedpackages']['ospfdinterfaces']['config']) { - foreach ($config['installedpackages']['ospfdinterfaces']['config'] as $conf) { - $conffile .= "\tinterface " . $config['interfaces'][$conf['interface']]['if']; + foreach ($config['installedpackages']['ospfdinterfaces']['config'] as $conf) { + if (intval($g['latest_config']) >= 6) { + $ospfdif = get_real_interface($conf['interface']); + if ($ospfdif) + $conffile .= "\tinterface {$ospfdif}"; + else + continue; + } else + $conffile .= "\tinterface " . $config['interfaces'][$conf['interface']]['if']; $options_present = false; + $ifconfigs = ""; if (!empty($conf['metric'])) { $options_present = true; $ifconfigs .= "\t\tmetric {$conf['metric']}\n"; @@ -91,23 +125,27 @@ function ospfd_install_conf() { $ifconfigs .= "\t\tauth-type crypt\n"; $ifconfigs .= "\t\tauth-md 1 \"" . substr($conf['password'], 0, 15) . "\"\n"; $ifconfigs .= "\t\tauth-md-keyid 1\n"; - } else if (!empty($conf['passward'])) { + } else if (!empty($conf['password'])) { $options_present = true; $ifconfigs .= "\t\tauth-type simple\n"; $ifconfigs .= "\t\tauth-key \"" . substr($conf['password'], 0, 7) . "\"\n"; } if (!empty($conf['routerpriorityelections'])) { - $options_present = true; - $ifconfigs .= "\t\trouter-priority {$conf['routerpriorityelections']}\n"; - } + $options_present = true; + $ifconfigs .= "\t\trouter-priority {$conf['routerpriorityelections']}\n"; + } if (!empty($conf['retransmitinterval'])) { $options_present = true; $ifconfigs .= "\t\tretransmit-interval {$conf['retransmitinterval']}\n"; } if (!empty($conf['deadtimer'])) { - $options_present = true; - $ifconfigs .= "\t\trouter-dead-time {$conf['deadtimer']}\n"; - } + $options_present = true; + $ifconfigs .= "\t\trouter-dead-time {$conf['deadtimer']}\n"; + } + if (!empty($conf['passive'])) { + $options_present = true; + $ifconfigs .= "\t\tpassive\n"; + } if (!empty($ifconfigs)) { $conffile .= " {\n {$ifconfigs} \n"; if ($options_present == true) @@ -138,23 +176,31 @@ function ospfd_install_conf() { exec("chmod u+rw /usr/local/etc/ospfd.conf"); // ospfd process running? if so reload, elsewise start. - if(is_ospfd_running() == true) { - exec("/usr/local/sbin/ospfctl reload"); - } else { - exec("/usr/local/sbin/ospfd"); + $oarray = array(); + $rval = 0; + exec("/usr/local/sbin/ospfctl reload", $oarray, $rval); + if ($rval != 0) { + /* + * ospfd isnt actually running as nothing accepted a connection + * on the /var/run/ospfd.sock unix socket by ospfctl, this is + * just to ensure a clean state. Killing a live ospfd would be bad. + */ + exec("/bin/pkill -x ospfd"); + // start ospfd + exec("/usr/local/sbin/ospfd -f /usr/local/etc/ospfd.conf"); } conf_mount_ro(); } function ospfd_validate_interface() { - global $config, $g, $input_errors; + global $config, $g, $id, $input_errors; if ($config['installedpackages']['ospfdinterfaces']['config']) { foreach ($config['installedpackages']['ospfdinterfaces']['config'] as $index => $conf) { if ($index == 0) continue; - if ($conf['interface'] == $_POST['interface']) + if ($id != $index && $conf['interface'] == $_POST['interface']) $input_errors[] = "Interface {$_POST['interface']} is already configured."; } } @@ -174,32 +220,23 @@ function ospfd_validate_input() { if ($_POST['spfdelay'] <> "" && ($_POST['spfdelay'] < 1 || $_POST['spfdelay'] > 10)) $input_errors[] = "SPF delay needs to be between 1 and 10."; if (!$config['installedpackages']['ospfdinterfaces']['config']) - $input_errors[] = "Please select an interface to use for OSPFd."; + $input_errors[] = "Please select an interface to use for OpenOSPFd."; } // get the raw ospfd confi file for manual inspection/editing function ospfd_get_raw_config() { - return file_get_contents("/usr/local/etc/ospfd.conf"); + return file_get_contents("/usr/local/etc/ospfd.conf"); } // serialize the raw ospfd confi file to config.xml function ospfd_put_raw_config($conffile) { - global $config; - if ($conffile == "") - unset($config['installedpackages']['ospfd']['rawconfig']); - else { - $config['installedpackages']['ospfd']['rawconfig'] = array(); - $config['installedpackages']['ospfd']['rawconfig']['item'] = explode("\n",$_POST['ospfd_raw']); - //$config['installedpackages']['ospfd']['rawconfig'] = $conffile; - } -} - -function is_ospfd_running() { - $status = `ps awux | grep ospfd | grep "parent" | grep -v grep | wc -l | awk '{ print \$1 }'`; - if(intval($status) > 0) - return true; - else - return false; + global $config; + if ($conffile == "") + unset($config['installedpackages']['ospfd']['rawconfig']); + else { + $config['installedpackages']['ospfd']['rawconfig'] = array(); + $config['installedpackages']['ospfd']['rawconfig']['item'] = explode("\n",$_POST['ospfd_raw']); + $config['installedpackages']['ospfd']['rawconfig'] = $conffile; + } } - ?> diff --git a/config/openospfd/openospfd.xml b/config/openospfd/openospfd.xml index fea7e67f..ebf30909 100644 --- a/config/openospfd/openospfd.xml +++ b/config/openospfd/openospfd.xml @@ -1,16 +1,26 @@ <packagegui> - <name>OSPFd</name> + <name>ospfd</name> <version>0.1</version> - <title>Services: OSPFd</title> + <title>Services: OpenOSPFd</title> <include_file>/usr/local/pkg/openospfd.inc</include_file> <aftersaveredirect>pkg_edit.php?xml=openospfd.xml&id=0</aftersaveredirect> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/openospfd/openospfd.inc</item> - </additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/openospfd/openospfd.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/openospfd/openospfd_interfaces.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/openospfd/status_ospfd.php</item> + </additional_files_needed> <menu> - <name>OSPFd</name> + <name>OpenOSPFd</name> <tooltiptext>Modify ospfd settings.</tooltiptext> <section>Services</section> <configfile>openospfd.xml</configfile> @@ -26,9 +36,13 @@ <text>Interface Settings</text> <url>pkg.php?xml=openospfd_interfaces.xml</url> </tab> + <tab> + <text>Status</text> + <url>/status_ospfd.php</url> + </tab> </tabs> <service> - <name>ospfd</name> + <name>OpenOSPFd</name> <rcfile>ospfd.sh</rcfile> <executable>ospfd</executable> </service> @@ -36,63 +50,91 @@ <field> <fielddescr>Router ID</fielddescr> <fieldname>routerid</fieldname> - <description>Specify the Router ID.</description> + <description> + <![CDATA[ + Specify the Router ID. RID is the highest logical (loopback) IP address configured on a router. For more information on router identifiers see <a target='_new' href='http://en.wikipedia.org/wiki/Open_Shortest_Path_First'>wikipedia</a>. + ]]> + </description> <type>input</type> </field> <field> <fielddescr>Area</fielddescr> <fieldname>area</fieldname> - <description>OSPF area for this instance of OSPFd.</description> + <description> + <![CDATA[ + OpenOSPFd area for this instance of OSPF. For more information on Areas see <a target='_new' href='http://en.wikipedia.org/wiki/Open_Shortest_Path_First#Area_types'>wikipedia</a>. + ]]> + </description> <type>input</type> <required/> </field> - <field> - <fielddescr>Update FIB (Routing table)</fielddescr> - <fieldname>updatefib</fieldname> - <description>Enables the updating of the host routing table</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Redistribute connected subnets</fielddescr> - <fieldname>redistributeconnectedsubnets</fieldname> - <description>Enables the redistribution of connected networks (Default no)</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Redistribute default route</fielddescr> - <fieldname>redistributedefaultroute</fieldname> - <description>Enables the redistribution of a default route to this device (Default no)</description> - <type>checkbox</type> - </field> <field> - <fielddescr>Redistribute static</fielddescr> - <fieldname>resdistributestatic</fieldname> - <description>Enables the redistribution of static routes</description> - <type>checkbox</type> - </field> + <fielddescr>Disable FIB updates (Routing table)</fielddescr> + <fieldname>updatefib</fieldname> + <description>Disables the updating of the host routing table(turns into stub router).</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Redistribute connected subnets</fielddescr> + <fieldname>redistributeconnectedsubnets</fieldname> + <description>Enables the redistribution of connected networks (Default no)</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Redistribute default route</fielddescr> + <fieldname>redistributedefaultroute</fieldname> + <description>Enables the redistribution of a default route to this device (Default no)</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Redistribute static</fielddescr> + <fieldname>redistributestatic</fieldname> + <description>Enables the redistribution of static routes</description> + <type>checkbox</type> + </field> <field> <fielddescr>SPF Hold Time</fielddescr> <fieldname>spfholdtime</fieldname> <description>Set the SPF holdtime in seconds. The minimum time between two consecutive shortest path first calculations. The default value is 5 seconds; the valid range is 1-5 seconds.</description> <type>input</type> - </field> + </field> <field> <fielddescr>SPF Delay</fielddescr> <fieldname>spfdelay</fieldname> - <description>Set SPF delay in seconds. The delay between receiving an update to the link state database and starting the shortest path first calculation. The default value is 1; valid range is 1-10 sec-onds.</description> + <description>Set SPF delay in seconds. The delay between receiving an update to the link state database and starting the shortest path first calculation. The default value is 1; valid range is 1-10 seconds.</description> <type>input</type> - </field> + </field> <field> <fielddescr>RFC 1583 compatible</fielddescr> <fieldname>rfc1583</fieldname> <description>If set to yes, decisions regarding AS-external routes are evaluated according to RFC 1583. The default is no.</description> <type>checkbox</type> </field> + <field> + <fielddescr>These rules take precedence over any redistribute options specified above.</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Disable Redistribute</fielddescr> + <fieldname>redistribute</fieldname> + <description>Redistribute rules.</description> + <type>checkbox</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Route value</fielddescr> + <fieldname>routevalue</fieldname> + <type>input</type> + <size>25</size> + </rowhelperfield> + </rowhelper> + </field> </fields> <custom_php_resync_config_command> - ospfd_install_conf(); - </custom_php_resync_config_command> + ospfd_install_conf(); + </custom_php_resync_config_command> <custom_php_validation_command> ospfd_validate_input(); </custom_php_validation_command> -</packagegui> +</packagegui>
\ No newline at end of file diff --git a/config/openospfd/openospfd_interfaces.xml b/config/openospfd/openospfd_interfaces.xml index b8f2522e..445eefea 100644 --- a/config/openospfd/openospfd_interfaces.xml +++ b/config/openospfd/openospfd_interfaces.xml @@ -1,16 +1,17 @@ <packagegui> <name>OSPFd Interfaces</name> <version>0.1</version> - <title>Services: OSPFd</title> + <title>Services: OpenOSPFd</title> <include_file>/usr/local/pkg/openospfd.inc</include_file> - <aftersaveredirect>pkg_edit.php?xml=openospfd.xml&id=0</aftersaveredirect> + <aftersaveredirect>pkg.php?xml=openospfd_interfaces.xml</aftersaveredirect> + <custom_php_command_before_form>ospfd_display_friendlyiface();</custom_php_command_before_form> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/openospfd/openospfd.inc</item> - </additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/openospfd/openospfd.inc</item> + </additional_files_needed> <menu> - <name>OSPFd</name> + <name>OSPF</name> <tooltiptext>Modify ospfd settings.</tooltiptext> <section>Services</section> <configfile>openospfd.xml</configfile> @@ -26,83 +27,96 @@ <url>pkg.php?xml=openospfd_interfaces.xml</url> <active/> </tab> + <tab> + <text>Status</text> + <url>/status_ospfd.php</url> + </tab> </tabs> <adddeleteeditpagefields> <columnitem> - <fielddescr>Interface</fielddescr> - <fieldname>interface</fieldname> - </columnitem> + <fielddescr>Interface</fielddescr> + <fieldname>interface</fieldname> + <type>interface</type> + </columnitem> <columnitem> - <fielddescr>Description</fielddescr> - <fieldname>descr</fieldname> - </columnitem> + <fielddescr>Description</fielddescr> + <fieldname>descr</fieldname> + </columnitem> </adddeleteeditpagefields> <service> - <name>ospfd</name> + <name>OpenOSPFd</name> <rcfile>ospfd.sh</rcfile> <executable>ospfd</executable> </service> <fields> - <field> - <fielddescr>Interface</fielddescr> - <fieldname>interface</fieldname> - <description>Enter the desired participating interface here.</description> - <type>interfaces_selection</type> + <field> + <fielddescr>Interface</fielddescr> + <fieldname>interface</fieldname> + <description>Enter the desired participating interface here.</description> + <type>interfaces_selection</type> <required/> - </field> + </field> <field> <fielddescr>Metric</fielddescr> <fieldname>metric</fieldname> <description>Metric for this OSPF interface (leave blank for default).</description> <type>input</type> - </field> + </field> <field> - <fielddescr>Description</fielddescr> - <fieldname>descr</fieldname> + <fielddescr>Description</fielddescr> + <fieldname>descr</fieldname> <size>30</size> - <type>input</type> - </field> - <field> - <fielddescr>Enable MD5 password for this OSPFd interface (default no)</fielddescr> - <fieldname>md5password</fieldname> - <description>Enables the use of an MD5 password to on this instance</description> - <type>checkbox</type> - </field> + <type>input</type> + </field> + <field> + <fielddescr>Interface is Passive</fielddescr> + <fieldname>passive</fieldname> + <description>Prevent transmission and reception of OSPF packets on this interface. The specified interface will be announced as a stub network.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable MD5 password for this OpenOSPFd interface (default no)</fielddescr> + <fieldname>md5password</fieldname> + <description>Enables the use of an MD5 password to on this instance</description> + <type>checkbox</type> + </field> <field> <fielddescr>Password</fielddescr> <fieldname>password</fieldname> <description>Password for this OSPF interface.</description> <type>input</type> - </field> + </field> <field> <fielddescr>Router Priority</fielddescr> <fieldname>routerpriorityelections</fieldname> - <description>Router priority when participating in elections for DR (Default 1) Valid range is 0-255. 0 will cause the router to not participate in election.</description> + <description> + Router priority when participating in elections for DR (Default 1) Valid range is 0-255. 0 will cause the router to not participate in election. + </description> <type>input</type> - </field> + </field> <field> <fielddescr>Hello Interval</fielddescr> <fieldname>hellointervalinseconds</fieldname> <description>Hello Interval this OSPF interface in seconds (Default 10).</description> <type>input</type> - </field> + </field> <field> <fielddescr>Retransmit Interval</fielddescr> <fieldname>retransmitinterval</fieldname> <description>Retransmit Interval this OSPF interface in seconds (Default 5).</description> <type>input</type> - </field> + </field> <field> <fielddescr>Dead Timer</fielddescr> <fieldname>deadtimer</fieldname> <description>Dead Timer for this OSPF interface in seconds (Default 40).</description> <type>input</type> - </field> + </field> </fields> <custom_php_resync_config_command> - ospfd_install_conf(); - </custom_php_resync_config_command> + ospfd_install_conf(); + </custom_php_resync_config_command> <custom_php_validation_command> - ospfd_validate_interface(); - </custom_php_validation_command> + ospfd_validate_interface(); + </custom_php_validation_command> </packagegui> diff --git a/config/openospfd/status_ospfd.php b/config/openospfd/status_ospfd.php new file mode 100644 index 00000000..e7a5b4ec --- /dev/null +++ b/config/openospfd/status_ospfd.php @@ -0,0 +1,144 @@ +<?php +/* + status_ospfd.php + Copyright (C) 2010 Nick Buraglio; nick@buraglio.com + Copyright (C) 2010 Scott Ullrich <sullrich@pfsense.org> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); + +$pgtitle = "OpenOSPFd: Status"; +include("head.inc"); + +/* List all of the commands as an index. */ +function listCmds() { + global $commands; + echo "<br/>This status page includes the following information:\n"; + echo "<ul width=\"100%\">\n"; + for ($i = 0; isset($commands[$i]); $i++ ) { + echo "<li><strong><a href=\"#" . $commands[$i][0] . "\">" . $commands[$i][0] . "</a></strong></li>\n"; + } + echo "</ul>\n"; +} + +function execCmds() { + global $commands; + for ($i = 0; isset($commands[$i]); $i++ ) { + doCmdT($commands[$i][0], $commands[$i][1]); + } +} + +/* Define a command, with a title, to be executed later. */ +function defCmdT($title, $command) { + global $commands; + $title = htmlspecialchars($title,ENT_NOQUOTES); + $commands[] = array($title, $command); +} + +function doCmdT($title, $command) { + echo "<p>\n"; + echo "<a name=\"" . $title . "\">\n"; + echo "<table width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n"; + echo "<tr><td class=\"listtopic\">" . $title . "</td></tr>\n"; + echo "<tr><td class=\"listlr\"><pre>"; /* no newline after pre */ + + if ($command == "dumpconfigxml") { + $fd = @fopen("/conf/config.xml", "r"); + if ($fd) { + while (!feof($fd)) { + $line = fgets($fd); + /* remove sensitive contents */ + $line = preg_replace("/<password>.*?<\\/password>/", "<password>xxxxx</password>", $line); + $line = preg_replace("/<pre-shared-key>.*?<\\/pre-shared-key>/", "<pre-shared-key>xxxxx</pre-shared-key>", $line); + $line = preg_replace("/<rocommunity>.*?<\\/rocommunity>/", "<rocommunity>xxxxx</rocommunity>", $line); + $line = str_replace("\t", " ", $line); + echo htmlspecialchars($line,ENT_NOQUOTES); + } + } + fclose($fd); + } else { + $execOutput = ""; + $execStatus = ""; + exec ($command . " 2>&1", $execOutput, $execStatus); + for ($i = 0; isset($execOutput[$i]); $i++) { + if ($i > 0) { + echo "\n"; + } + echo htmlspecialchars($execOutput[$i],ENT_NOQUOTES); + } + } + echo "</pre></tr>\n"; + echo "</table>\n"; +} + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +?> + +<html> + <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + <?php include("fbegin.inc"); ?> + <?php if($one_two): ?> + <p class="pgtitle"><?=$pgtitle?></font></p> + <?php endif; ?> + <?php if ($savemsg) print_info_box($savemsg); ?> + <div id="mainlevel"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=openospfd.xml&id=0"); + $tab_array[] = array(gettext("Interface Settings"), false, "/pkg.php?xml=openospfd_interfaces.xml"); + $tab_array[] = array(gettext("Status"), true, "/status_ospfd.php"); + display_top_tabs($tab_array); + ?> + </table> + <tr> + <td class="tabcont" > + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td> +<?php + defCmdT("OpenOSPFd Summary","/usr/local/sbin/ospfctl show summary"); + defCmdT("OpenOSPFd Neighbors","/usr/local/sbin/ospfctl show neighbor"); + defCmdT("OpenOSPFd FIB","/usr/local/sbin/ospfctl show fib"); + defCmdT("OpenOSPFd RIB","/usr/local/sbin/ospfctl show rib"); + defCmdT("OpenOSPFd Interfaces","/usr/local/sbin/ospfctl show interfaces"); + defCmdT("OpenOSPFD Database","/usr/local/sbin/ospfctl show database"); +?> + <div id="cmdspace" style="width:100%"> + <?php listCmds(); ?> + <?php execCmds(); ?> + </div> + </td> + </tr> + </td> + </tr> + </table> + </div> + <?php include("fend.inc"); ?> + </body> +</html> diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index 15096e6c..ddc97025 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -35,6 +35,7 @@ require_once("globals.inc"); require_once("openvpn.inc"); function openvpn_client_export_install() { + conf_mount_rw(); $tarpath = "/tmp/openvpn-client-export.tgz"; $phpfile = "vpn_openvpn_export.php"; $ovpndir = "/usr/local/share/openvpn"; @@ -45,15 +46,18 @@ function openvpn_client_export_install() { exec("/usr/bin/tar zxf {$tarpath} -C {$ovpndir}"); unlink($tarpath); + conf_mount_ro(); } function openvpn_client_export_deinstall() { + conf_mount_rw(); $phpfile = "vpn_openvpn_export.php"; $ovpndir = "/usr/local/share/openvpn"; $workdir = "{$ovpndir}/client-export"; unlink_if_exists("/usr/local/www/{$phpfile}"); exec("/bin/rm -r {$workdir}"); + conf_mount_ro(); } function openvpn_client_export_prefix($srvid) { @@ -86,8 +90,8 @@ function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $cap unlink($capath); } -function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys = false, $proxy) { - global $config, $input_errors; +function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys = false, $proxy, $zipconf = false, $outpass = "") { + global $config, $input_errors, $g; // lookup server settings $settings = $config['openvpn']['openvpn-server'][$srvid]; @@ -109,10 +113,12 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke } // lookup user info - $user =& $config['system']['user'][$usrid]; - if (!$user) { - $input_errors[] = "Could not find user settings."; - return false; + if ($usrid) { + $user =& $config['system']['user'][$usrid]; + if (!$user) { + $input_errors[] = "Could not find user settings."; + return false; + } } // determine basic variables @@ -177,12 +183,11 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke } else { $conf .= "pkcs12 {$prefix}.p12\n"; } - } + } else if ($settings['mode'] == "server_user") + $conf .= "ca {$prefix}-ca.crt\n"; - if($nokeys == false) { - if ($settings['tls']) - $conf .= "tls-auth {$prefix}-tls.key\n"; - } + if ($settings['tls']) + $conf .= "tls-auth {$prefix}-tls.key 1\n"; // add optional settings if ($settings['compression']) @@ -190,37 +195,86 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke if ($settings['passtos']) $conf .= "passtos\n"; - return $conf; + if ($zipconf == true) { + // create template directory + $tempdir = "{$g['tmp_path']}/{$prefix}"; + mkdir($tempdir, 0700, true); + + file_put_contents("{$tempdir}/{$prefix}-ovpn.conf", $conf); + + file_put_contents("{$tempdir}/{$prefix}-ca.crt", base64_decode($server_ca['crt'])); + if ($settings['tls']) { + $tlsfile = "{$tempdir}/{$prefix}-tls.key"; + file_put_contents($tlsfile, base64_decode($settings['tls'])); + } + + // write key files + if ($settings['mode'] != "server_user") { + $crtfile = "{$tempdir}/{$prefix}-cert.crt"; + file_put_contents($crtfile, base64_decode($cert['crt'])); + $keyfile = "{$tempdir}/{$prefix}.key"; + file_put_contents($keyfile, base64_decode($cert['prv'])); + + // convert to pkcs12 format + $p12file = "{$tempdir}/{$prefix}.p12"; + if ($usetoken) + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile); + else + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); + + exec("cd {$tempdir}/.. && /usr/local/bin/zip -r {$g['tmp_path']}/{$prefix}-config.zip {$prefix}"); + + // Remove temporary directory + exec("rm -rf {$tempdir}"); + return "{$prefix}-config.zip"; + } + } else + return $conf; } function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $usetoken, $outpass, $proxy) { - global $config, $g; + global $config, $g, $input_errors; $ovpndir = "/usr/local/share/openvpn"; $workdir = "{$ovpndir}/client-export"; // lookup server settings $settings = $config['openvpn']['openvpn-server'][$srvid]; - if (empty($settings)) + if (empty($settings)) { + $input_errors[] = "Could not find a valid server config for id: {$srvid}"; return false; - if ($settings['disable']) + } + if ($settings['disable']) { + $input_errors[] = "This server is disabled."; return false; + } + + $nokeys = false; // lookup server certificate info $server_cert =& lookup_cert($settings['certref']); $server_ca =& lookup_ca($server_cert['caref']); - if (!$server_cert || !$server_ca) + if (!$server_cert || !$server_ca) { + $input_errors[] = "Could not find a valid certificate."; return false; + } // lookup user info - $user =& $config['system']['user'][$usrid]; - if (!$user) - return false; + if ($usrid) { + $user =& $config['system']['user'][$usrid]; + if (!$user) { + $input_errors[] = "Could not find the details about userid: {$usrid}"; + return false; + } + } // lookup user certificate info - $cert =& $user['cert'][$crtid]; - if (!$cert) - return false; + if ($settings['mode'] != "server_user") { + $cert =& $user['cert'][$crtid]; + if (!$cert) + return false; + } else + $nokeys = true; // create template directory $tempdir = $g['tmp_path'] . "/openvpn-export-".uniqid(); @@ -243,30 +297,34 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $uset $pwdfle .= "{$proxy['password']}\n"; file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, false, $proxy); - if (!$conf) + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy); + if (!$conf) { + $input_errors[] = "Could not create a config to export."; return false; + } file_put_contents($cfgfile, $conf); - // write key files $cafile = "{$tempdir}/config/{$prefix}-ca.crt"; file_put_contents($cafile, base64_decode($server_ca['crt'])); - $crtfile = "{$tempdir}/config/{$prefix}-{$user['name']}.crt"; - file_put_contents($crtfile, base64_decode($cert['crt'])); - $keyfile = "{$tempdir}/config/{$prefix}-{$user['name']}.key"; - file_put_contents($keyfile, base64_decode($cert['prv'])); if ($settings['tls']) { $tlsfile = "{$tempdir}/config/{$prefix}-tls.key"; file_put_contents($tlsfile, base64_decode($settings['tls'])); } - // convert to pkcs12 format - $p12file = "{$tempdir}/config/{$prefix}.p12"; - if ($usetoken) - openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile); - else - openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); + // write key files + if ($settings['mode'] != "server_user") { + $crtfile = "{$tempdir}/config/{$prefix}-{$user['name']}.crt"; + file_put_contents($crtfile, base64_decode($cert['crt'])); + $keyfile = "{$tempdir}/config/{$prefix}-{$user['name']}.key"; + file_put_contents($keyfile, base64_decode($cert['prv'])); + // convert to pkcs12 format + $p12file = "{$tempdir}/{$prefix}.p12"; + if ($usetoken) + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile); + else + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); + } // 7zip the configuration data chdir($tempdir); @@ -278,6 +336,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $uset $files .= "procchain-import"; else $files .= "procchain-standard"; + exec("/usr/local/libexec/p7zip/7z -y a archive.7z {$files}"); // create the final installer @@ -316,14 +375,18 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead return false; // lookup user info - $user =& $config['system']['user'][$usrid]; - if (!$user) - return false; + if ($usrid) { + $user =& $config['system']['user'][$usrid]; + if (!$user) + return false; + } // lookup user certificate info - $cert =& $user['cert'][$crtid]; - if (!$cert) - return false; + if ($settings['mode'] != "server_user") { + $cert =& $user['cert'][$crtid]; + if (!$cert) + return false; + } // create template directory mkdir($tempdir, 0700, true); @@ -357,12 +420,15 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead EOF; $configfile = "{$tempdir}/config.conf"; - $conf .= <<<EOF + $conf .= "ca ca.crt\n"; + $conf .= "tls-auth ta.key 1\n"; + if ($settings['mode'] != "server_user") { + $conf .= <<<EOF cert cert.crt -tls-auth ta.key -ca ca.crt key key.key EOF; + } + file_put_contents($configfile, $visc_settings . "\n" . $conf); // ca.crt cert.crt config.conf key.key ta.key @@ -371,13 +437,16 @@ EOF; $cafile = "{$tempdir}/ca.crt"; file_put_contents($cafile, base64_decode($server_ca['crt'])); - // write user .crt - $crtfile = "{$tempdir}/cert.crt"; - file_put_contents($crtfile, base64_decode($cert['crt'])); + if ($settings['mode'] != "server_user") { - // write user .key - $keyfile = "{$tempdir}/key.key"; - file_put_contents($keyfile, base64_decode($cert['prv'])); + // write user .crt + $crtfile = "{$tempdir}/cert.crt"; + file_put_contents($crtfile, base64_decode($cert['crt'])); + + // write user .key + $keyfile = "{$tempdir}/key.key"; + file_put_contents($keyfile, base64_decode($cert['prv'])); + } // TLS support? if ($settings['tls']) { diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index 2af4da59..861dda89 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -67,8 +67,6 @@ foreach($a_server as $sindex => & $server) { $ras_user[] = $ras_userent; } } - if (!count($ras_user)) - continue; $ras_serverent = array(); $prot = $server['protocol']; $port = $server['local_port']; @@ -79,6 +77,7 @@ foreach($a_server as $sindex => & $server) { $ras_serverent['index'] = $sindex; $ras_serverent['name'] = $name; $ras_serverent['users'] = $ras_user; + $ras_serverent['mode'] = $server['mode']; $ras_server[] = $ras_serverent; } @@ -91,14 +90,24 @@ if (isset($_POST['act'])) $act = $_POST['act']; $error = false; -if($act == "conf") { +if($act == "conf" || $act == "confall") { $srvid = $_GET['srvid']; $usrid = $_GET['usrid']; $crtid = $_GET['crtid']; - if (($srvid === false) || ($usrid === false) || ($crtid === false)) { + if ($srvid === false) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") && + (($usrid === false) || ($crtid === false))) { pfSenseHeader("vpn_openvpn_export.php"); exit; } + + if ($config['openvpn']['openvpn-server'][$srvid]['mode'] == "server_user") + $nokeys = true; + else + $nokeys = false; + if (empty($_GET['useaddr'])) { $error = true; $input_errors[] = "You need to specify an IP or hostname."; @@ -106,6 +115,9 @@ if($act == "conf") { $useaddr = $_GET['useaddr']; $usetoken = $_GET['usetoken']; + $password = ""; + if ($_GET['password']) + $password = $_GET['password']; $proxy = ""; if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) { @@ -136,20 +148,31 @@ if($act == "conf") { } $exp_name = openvpn_client_export_prefix($srvid); - $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, false, $proxy); + if ($act == "confall") + $zipconf = true; + $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy, $zipconf, $password); if (!$exp_data) { $input_errors[] = "Failed to export config files!"; $error = true; } if (!$error) { - $exp_name = urlencode($exp_name."-config.ovpn"); - $exp_size = strlen($exp_data); + if ($act == "confall") { + $exp_name = urlencode($exp_data); + $exp_size = filesize("{$g['tmp_path']}/{$exp_data}"); + } else { + $exp_name = urlencode($exp_name."-config.ovpn"); + $exp_size = strlen($exp_data); + } header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); - echo $exp_data; + if ($act == "confall") + readfile("{$g['tmp_path']}/{$exp_data}"); + else + echo $exp_data; + @unlink($exp_data); exit; } } @@ -158,10 +181,14 @@ if($act == "visc") { $srvid = $_GET['srvid']; $usrid = $_GET['usrid']; $crtid = $_GET['crtid']; - if (($srvid === false) || ($usrid === false) || ($crtid === false)) { - pfSenseHeader("vpn_openvpn_export.php"); - exit; - } + if ($srvid === false) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") && + (($usrid === false) || ($crtid === false))) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } if (empty($_GET['useaddr'])) { $error = true; $input_errors[] = "You need to specify an IP or hostname."; @@ -171,7 +198,7 @@ if($act == "visc") { $usetoken = $_GET['usetoken']; $password = ""; if ($_GET['password']) - $password = $_GET['password']; ; + $password = $_GET['password']; $proxy = ""; if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) { @@ -224,10 +251,14 @@ if($act == "inst") { $srvid = $_GET['srvid']; $usrid = $_GET['usrid']; $crtid = $_GET['crtid']; - if (($srvid === false) || ($usrid === false) || ($crtid === false)) { - pfSenseHeader("vpn_openvpn_export.php"); - exit; - } + if ($srvid === false) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") && + (($usrid === false) || ($crtid === false))) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } if (empty($_GET['useaddr'])) { $error = true; $input_errors[] = "You need to specify an IP or hostname."; @@ -301,12 +332,13 @@ var servers = new Array(); servers[<?=$sindex;?>] = new Array(); servers[<?=$sindex;?>][0] = '<?=$server['index'];?>'; servers[<?=$sindex;?>][1] = new Array(); +servers[<?=$sindex;?>][2] = '<?=$server['mode'];?>';; <?php foreach ($server['users'] as $uindex => & $user): ?> servers[<?=$sindex;?>][1][<?=$uindex;?>] = new Array(); servers[<?=$sindex;?>][1][<?=$uindex;?>][0] = '<?=$user['uindex'];?>'; servers[<?=$sindex;?>][1][<?=$uindex;?>][1] = '<?=$user['cindex'];?>'; servers[<?=$sindex;?>][1][<?=$uindex;?>][2] = '<?=$user['name'];?>'; -servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = '<?=$user['certname'];?>'; +servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = '<?=str_replace("'", "\\'", $user['certname']);?>'; <? endforeach; ?> <? endforeach; ?> @@ -384,8 +416,10 @@ function download_begin(act, i) { var dlurl; dlurl = "/vpn_openvpn_export.php?act=" + act; dlurl += "&srvid=" + servers[index][0]; - dlurl += "&usrid=" + users[i][0]; - dlurl += "&crtid=" + users[i][1]; + if (users[i]) { + dlurl += "&usrid=" + users[i][0]; + dlurl += "&crtid=" + users[i][1]; + } dlurl += "&useaddr=" + useaddr; dlurl += "&usetoken=" + usetoken; if (usepass) @@ -421,12 +455,32 @@ function server_changed() { cell1.className = "listr"; cell1.innerHTML = users[i][3]; cell2.className = "listr"; - cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; + cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ")'>Configuration archive</a>"; cell2.innerHTML += " / "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>Windows Installer</a>"; cell2.innerHTML += " / "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>"; } + if (servers[index][2] == 'server_user') { + var row = table.insertRow(table.rows.length); + var cell0 = row.insertCell(0); + var cell1 = row.insertCell(1); + var cell2 = row.insertCell(2); + cell0.className = "listlr"; + cell0.innerHTML = "External authentication users"; + cell1.className = "listr"; + cell1.innerHTML = "none"; + cell2.className = "listr"; + cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ")'>Configuration archive</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>Windows Installer</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>"; + } } function useaddr_changed(obj) { @@ -449,7 +503,7 @@ function usepass_changed() { function useproxy_changed(obj) { if ((obj.id == "useproxy" && obj.checked) || - $(obj.id).value != 'none') { + $(obj.id + 'pass').value != 'none') { $(obj.id + '_opts').show(); } else { $(obj.id + '_opts').hide(); @@ -505,7 +559,7 @@ function useproxy_changed(obj) { <div style="display:none;" name="HostName" id="HostName"> <input name="useaddr_hostname" id="useaddr_hostname" /> <span class="vexpl"> - Enter the hostname or ip address desired to be used for the config. + Enter the hostname or IP address the client will use to connect to this server. </span> </div> </td> @@ -584,7 +638,7 @@ function useproxy_changed(obj) { <tr> <td align="right" width='25%'> <span class="vexpl"> - Ip Addr : + IP Address : </span> </td> <td> diff --git a/config/siproxd.inc b/config/siproxd.inc index 50ca53d8..9fed8e10 100644 --- a/config/siproxd.inc +++ b/config/siproxd.inc @@ -32,7 +32,6 @@ if(!function_exists("filter_configure")) function sync_package_sipproxd_users() { conf_mount_rw(); - config_lock(); global $config; $fout = fopen("/usr/local/etc/siproxd_passwd.cfg","w"); fwrite($fout, "# This file was automatically generated by the pfSense\n# package management system.\n\n"); @@ -43,7 +42,6 @@ function sync_package_sipproxd_users() { } fclose($fout); conf_mount_ro(); - config_unlock(); system("/usr/bin/killall -HUP siproxd"); } @@ -81,8 +79,8 @@ function siproxd_generate_rules($type) { foreach ($ifaces as $iface) { if($iface <> "") { $rules .= "# allow SIP signaling and RTP traffic\n"; - $rules .= "pass in quick on {$iface} proto udp from any to any port = {$port}\n"; - $rules .= "pass in quick on {$iface} proto udp from any to any port {$rtplower}:{$rtpupper}\n"; + $rules .= "pass in on {$iface} proto udp from any to any port = {$port}\n"; + $rules .= "pass in on {$iface} proto udp from any to any port {$rtplower}:{$rtpupper}\n"; } } break; @@ -95,109 +93,107 @@ function siproxd_generate_rules($type) { } function sync_package_siproxd() { - global $config; + global $config; - conf_mount_rw(); - - unlink_if_exists("/usr/local/etc/rc.d/siproxd"); - - $conf = &$config['installedpackages']['siproxd']['config'][0]; - $fout = fopen("/usr/local/etc/siproxd.conf","w"); + conf_mount_rw(); + unlink_if_exists("/usr/local/etc/rc.d/siproxd"); + $conf = &$config['installedpackages']['siproxd']['config'][0]; + $fout = fopen("/usr/local/etc/siproxd.conf","w"); - fwrite($fout, "# This file was automatically generated by the pfSense\n"); - fwrite($fout, "# package management system.\n\n"); + fwrite($fout, "# This file was automatically generated by the pfSense\n"); + fwrite($fout, "# package management system.\n\n"); - /* proxy is turned off in package settings */ - if($_POST['rtpenable'] == "0") { - fclose($fout); - return; - } + /* proxy is turned off in package settings */ + if($_POST['rtpenable'] == "0") { + fclose($fout); + return; + } - if($_POST['if_inbound'] != "") { - fwrite($fout, "if_inbound = " . convert_friendly_interface_to_real_interface_name($_POST['if_inbound']) . "\n"); - } + if($_POST['if_inbound'] != "") { + fwrite($fout, "if_inbound = " . convert_friendly_interface_to_real_interface_name($_POST['if_inbound']) . "\n"); + } - if($_POST['if_outbound'] != "") { - if($config['interfaces'][$_POST['if_outbound']]['ipaddr'] == "pppoe") { - fwrite($fout, "if_outbound = ng0\n"); + if($_POST['if_outbound'] != "") { + if($config['interfaces'][$_POST['if_outbound']]['ipaddr'] == "pppoe") { + fwrite($fout, "if_outbound = ng0\n"); } else { - fwrite($fout, "if_outbound = " . convert_friendly_interface_to_real_interface_name($_POST['if_outbound']) . "\n"); - } - } + fwrite($fout, "if_outbound = " . convert_friendly_interface_to_real_interface_name($_POST['if_outbound']) . "\n"); + } + } - if($_POST['port'] != "") { - fwrite($fout, "sip_listen_port = " . $_POST['port'] . "\n"); - } else { - fwrite($fout, "sip_listen_port = 5060\n"); - } - - fwrite($fout, "daemonize = 1\n"); - fwrite($fout, "silence_log = 0\n"); - fwrite($fout, "log_calls = 1\n"); - fwrite($fout, "user = nobody\n"); - fwrite($fout, "chrootjail = /usr/local/siproxd/\n"); - fwrite($fout, "registration_file = siproxd_registrations\n"); - fwrite($fout, "pid_file = siproxd.pid\n"); - - if($_POST['rtpenable'] != "") { - fwrite($fout, "rtp_proxy_enable = " . $_POST['rtpenable'] . "\n"); - } else { - fwrite($fout, "rtp_proxy_enable = 1\n"); - } - - if($_POST['rtplower'] != "") { - if($_POST['rtpupper'] != "") { - fwrite($fout, "rtp_port_low = " . $_POST['rtplower'] . "\n"); - fwrite($fout, "rtp_port_high = " . $_POST['rtpupper'] . "\n"); - } - } - - if($_POST['rtptimeout'] != "") { - fwrite($fout, "rtp_timeout = " . $_POST['rtptimeout'] . "\n"); - } else { - fwrite($fout, "rtp_timeout = 300\n"); - } - - if($_POST['defaulttimeout'] != "") { - fwrite($fout, "default_expires = " . $_POST['defaulttimeout'] . "\n"); - } else { - fwrite($fout, "default_expires = 600\n"); - } - - if($_POST['authentication']) { - fwrite($fout, "proxy_auth_realm = Authentication_Realm\n"); - fwrite($fout, "proxy_auth_pwfile = /usr/local/etc/siproxd_passwd.cfg\n"); - } - - fwrite($fout, "debug_level = 0x00000000\n"); - if($_POST['outboundproxyhost'] != "") { - if($_POST['outboundproxyport'] != "") { - fwrite($fout, "outbound_proxy_host = " . $_POST['outboundproxyhost'] . "\n"); - fwrite($fout, "outbound_proxy_port = " . $_POST['outboundproxyport'] . "\n"); - } - } + if($_POST['port'] != "") { + fwrite($fout, "sip_listen_port = " . $_POST['port'] . "\n"); + } else { + fwrite($fout, "sip_listen_port = 5060\n"); + } - if($_POST['expeditedforwarding'] != "") - fwrite($fout, "rtp_dscp = 46\n"); + fwrite($fout, "daemonize = 1\n"); + fwrite($fout, "silence_log = 0\n"); + fwrite($fout, "log_calls = 1\n"); + fwrite($fout, "user = nobody\n"); + fwrite($fout, "chrootjail = /usr/local/siproxd/\n"); + fwrite($fout, "registration_file = siproxd_registrations\n"); + fwrite($fout, "pid_file = siproxd.pid\n"); + + if($_POST['rtpenable'] != "") { + fwrite($fout, "rtp_proxy_enable = " . $_POST['rtpenable'] . "\n"); + } else { + fwrite($fout, "rtp_proxy_enable = 1\n"); + } + + if($_POST['rtplower'] != "") { + if($_POST['rtpupper'] != "") { + fwrite($fout, "rtp_port_low = " . $_POST['rtplower'] . "\n"); + fwrite($fout, "rtp_port_high = " . $_POST['rtpupper'] . "\n"); + } + } + + if($_POST['rtptimeout'] != "") { + fwrite($fout, "rtp_timeout = " . $_POST['rtptimeout'] . "\n"); + } else { + fwrite($fout, "rtp_timeout = 300\n"); + } + + if($_POST['defaulttimeout'] != "") { + fwrite($fout, "default_expires = " . $_POST['defaulttimeout'] . "\n"); + } else { + fwrite($fout, "default_expires = 600\n"); + } + + if($_POST['authentication']) { + fwrite($fout, "proxy_auth_realm = Authentication_Realm\n"); + fwrite($fout, "proxy_auth_pwfile = /usr/local/etc/siproxd_passwd.cfg\n"); + } + + fwrite($fout, "debug_level = 0x00000000\n"); + if($_POST['outboundproxyhost'] != "") { + if($_POST['outboundproxyport'] != "") { + fwrite($fout, "outbound_proxy_host = " . $_POST['outboundproxyhost'] . "\n"); + fwrite($fout, "outbound_proxy_port = " . $_POST['outboundproxyport'] . "\n"); + } + } + + if($_POST['expeditedforwarding'] != "") + fwrite($fout, "rtp_dscp = 46\n"); - fclose($fout); + fclose($fout); - write_rcfile(array( - "file" => "siproxd.sh", - "start" => "/usr/local/sbin/siproxd -c /usr/local/etc/siproxd.conf &", - "stop" => "/usr/bin/killall siproxd" - ) - ); + write_rcfile(array( + "file" => "siproxd.sh", + "start" => "/usr/local/sbin/siproxd -c /usr/local/etc/siproxd.conf &", + "stop" => "/usr/bin/killall siproxd" + ) + ); - exec("killall siproxd"); + exec("killall siproxd"); - sleep(1); - - start_service("siproxd"); + sleep(1); - filter_configure(); + start_service("siproxd"); - conf_mount_ro(); - } + filter_configure(); + + conf_mount_ro(); +} ?> diff --git a/config/snort-dev/NOTES.txt b/config/snort-dev/NOTES.txt deleted file mode 100644 index b6c49926..00000000 --- a/config/snort-dev/NOTES.txt +++ /dev/null @@ -1,59 +0,0 @@ - - -November 18 2009 - -Snort_inline due date is by Dec 1st. (Why ? Scott said so.) - -Gui is almost done. just odds and ends left. - -If you work on this package just comment on every-thing you change or add. - -==================== -Goals -==================== - -Release the New snort GUI as a package for 1.2.3 so that we can work out bugs. - -Move the Snort GUI to base of Pfsense. The divert options should be added to firewall_nat.php or firewall_rules.php. - -Ask Ermal to add divert out to Pfsense again though, he has kept divert in. - -================================= -Any Devs that would like to help please work on snort_rules_edit.php and snort_rules.php. They work but need cleaning up. -================================= - -To get snort_rules_edit.php and snort_rules.php working - - * Update the rules. - * Add at least on rule to snort_interfaces.php. - -snort_rules_edit.php -Make sure all snort sig options that are in the GUI are written to file. - -snort_rules.php -Change the way the rules get disabled, by removing the x icon image and replacing it with check boxes. -This should improve the users experience. Moreover, check boxes could be added to blocked.php tab to improve performance. -Users always complain that the way were deleting options is slow. - -=========================================== -Misc. -=========================================== - -All further development will be in Freebsd 8. - -ALL further snort and barnyard builds will be mmx sse. - -All further snort builds will have snort_inline code. - -All further builds will have "did I start on a pfsense system" code, if not, exit. - -Adding extra options to the new snort gui for snort_inline should be easy. - -Snort_inline binaries with custom c++ code ready to go. - -Snort_inline works with only one Wan and Lan. Add a Opt onterface and the TCP flow goes into a loop. -This should be easy to fix by the firewall guru by modifying the divert rule I am using. - - - -Done.
\ No newline at end of file diff --git a/config/snort-dev/help_and_info.html b/config/snort-dev/help_and_info.html deleted file mode 100644 index d3875940..00000000 --- a/config/snort-dev/help_and_info.html +++ /dev/null @@ -1,89 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title>Help & Info</title>
-<base target="main">
-<link href="/snort/css/style.css" rel="stylesheet" type="text/css" />
-</head>
-
-<body class="textstyle">
-<p> About</p>
-<p2> Pfsense <strong>Snort Package</strong> adds network protection from both internal and external threats <br>
- without the expense of proprietary software. The <strong>Snort Package</strong> includes alert monitoring, <br>
- blocked hosts monitoring, whitelists, rule editing/selecting, and auto rule downloads from multiple sources.<br><br>
-
-<strong> * Why should I care about my Network Security</strong><br>
-
-<blockquote> Corporate network attacks have a 50% success rate. </blockquote>
-<blockquote> More than 25% of Home PC's are infected with some spyware.</blockquote><br>
-
-<strong> Snort 2.8.4.1_5 pkg v. 1.8 alpha was code by:</strong><br><br>
-Roberto Zelaya (robiscool)<br><br>
-<strong> Special thanks to:</strong><br><br>
-Scott Ullrich (sullrich) for providing the basic snort code.
-</p2>
-
-<p> Help</p>
-<p2><strong> * Where to ask your questions for the Snort Package</strong><br><br>
-<blockquote> <a href="http://forum.pfsense.org">Pfsense forums</a> </blockquote>
-<blockquote> <a href="http://www.pfsense.org/index.php?option=com_content&task=view&id=66&Itemid=71">Mailing Lists</a> </blockquote>
-<blockquote> <a href="http://forum.pfsense.org/index.php/topic,16847.0.html">Pfsense Snort FAQ</a> </blockquote></p2>
-
-<p> Credits</p>
-<p2>
-
-Pfsense Team for the Core GUI and networking.<br>
-<br>
-
-pfSense is brought to you by a dedicated group of developers who are security and network professionals by trade. The following people are active developers of the pfSense project. Username is listed in parenthesis (generally also the person's forum username, IRC nickname, etc.).<br><br>
-
-Founders<br>
-In alphabetical order<br><br>
-
-Chris Buechler (cmb)<br>
-Scott Ullrich (sullrich)<br><br>
-
-Active Developers<br>
-Listed in order of seniority along with date of first contribution.<br><br>
-
-Bill Marquette (billm) - February 2005<br>
-Holger Bauer (hoba) - May 2005<br>
-Erik Kristensen (ekristen) - August 2005<br>
-Seth Mos (smos) - November 2005<br>
-Scott Dale (sdale) - December 2006<br>
-Martin Fuchs (mfuchs) - June 2007<br>
-Ermal Luçi (ermal) - January 2008<br>
-Matthew Grooms (mgrooms) - July 2008<br>
-Mark Crane (mcrane) - October 2008<br>
-Jim Pingle (jim-p) - February 2009<br>
-Rob Zelaya (robiscool) - March 2009<br>
-Renato Botelho (rbgarga) - May 2009<br><br>
-
-FreeBSD Developer Assistance<br>
-We would like to thank the following FreeBSD developers for their assistance.<br><br>
-
-Max Laier (mlaier)<br>
-Christian S.J. Peron (csjp)<br>
-Andrew Thompson (thompsa)<br>
-Bjoern A. Zeeb (bz)<br><br>
-
-among many others who help us directly, and everyone who contributes to FreeBSD.<br><br>
-
-Inactive Developers<br>
-The following individuals are no longer active contributors, having moved on because of other commitments, or employers forbidding contributions. We thank them for their past contributions.<br><br>
-
-Daniel Berlin (dberlin)<br>
-Daniel Haischt (dsh)<br>
-Espen Johansen (lsf)<br>
-Scott Kamp (dingo)<br>
-Bachman Kharazmi (bkw)<br>
-Fernando Tarlá Cardoso Lemos (fernando)<br>
-Kyle Mott (kyle)<br>
-Colin Smith (colin)<br></p2>
-
-<p> Thank Yous</p>
-
-
-</body>
-</html>
diff --git a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 deleted file mode 100644 index 0aede4a0..00000000 --- a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 +++ /dev/null @@ -1 +0,0 @@ -102
\ No newline at end of file diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml deleted file mode 100644 index 6aa5c924..00000000 --- a/config/snort-dev/snort.xml +++ /dev/null @@ -1,199 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfsense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>Snort</name> - <version>2.8.5.2</version> - <title>Services: Snort 2.8.5.2 pkg v. 1.9</title> - <include_file>/usr/local/pkg/snort/snort.inc</include_file> - <menu> - <name>Snort</name> - <tooltiptext>Setup snort specific settings</tooltiptext> - <section>Services</section> - <url>/snort/snort_interfaces.php</url> - </menu> - <service> - <name>snort</name> - <rcfile></rcfile> - <executable>snort</executable> - <description>Snort is the most widely deployed IDS/IPS technology worldwide.</description> - </service> - <tabs> - </tabs> - <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/bin/barnyard2</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/snort_rename.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_gui.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/pf/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_dynamic_ip_reload.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_whitelist.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_alerts.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_barnyard.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_blocked.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_define_servers.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_download_rules.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_check_for_rule_updates.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_help_info.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/help_and_info.html</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces_edit.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces_global.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_rules.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_rules_edit.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_rulesets.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_preprocessors.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/etc/rc.d/</prefix> - <chmod>755</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort.sh</item> - </additional_files_needed> - <fields> - </fields> - <custom_add_php_command> - </custom_add_php_command> - <custom_php_resync_config_command> - sync_snort_package(); - </custom_php_resync_config_command> - <custom_php_install_command> - snort_postinstall(); - </custom_php_install_command> - <custom_php_deinstall_command> - snort_deinstall(); - </custom_php_deinstall_command> -</packagegui> diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php deleted file mode 100644 index dae9983c..00000000 --- a/config/snort-dev/snort_alerts.php +++ /dev/null @@ -1,625 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_alerts.php - part of pfSense - - Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. - Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Modified for the Pfsense snort package v. 1.8+ - Copyright (C) 2009 Robert Zelaya Sr. Developer - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("globals.inc"); -require("guiconfig.inc"); - -$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; -$snort_logfile = '/var/log/snort/alert'; - -$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; -$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; - -if ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0') -{ - $anentries = '250'; -}else{ - $anentries = $pconfig['alertnumber']; -} - -if ($_POST['save']) -{ - - //unset($input_errors); - //$pconfig = $_POST; - - /* input validation */ - if ($_POST['save']) - { - - // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { - // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; - // } - - } - - /* no errors */ - if (!$input_errors) - { - - $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? on : off; - $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; - - conf_mount_rw(); - write_config(); - //conf_mount_ro(); - sleep(2); - - header("Location: /snort/snort_alerts.php"); - - } - -} - - -if ($_POST['delete']) -{ - - exec("killall syslogd"); - conf_mount_rw(); - if(file_exists("/var/log/snort/alert")) - { - exec('/bin/rm /var/log/snort/*'); - exec('/usr/bin/touch /var/log/snort/alert'); - } - conf_mount_ro(); - system_syslogd_start(); - //exec("/usr/bin/killall -HUP snort"); - -} - -if ($_POST['download']) -{ - - ob_start(); //importanr or other post will fail - $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_logs_{$save_date}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort"); - - if(file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) - { - $file = "/tmp/snort_logs_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz"); - od_end_clean(); //importanr or other post will fail - }else{ - echo 'Error no saved file.'; - } - -} - - -/* WARNING: took me forever to figure reg expression, dont lose */ -// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; - -function get_snort_alert_date($fileline) -{ - /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ - if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) - { - $alert_date = "$matches1[0]"; - } - -return $alert_date; - -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - { - $alert_disc = "$matches[2]"; - } - -return $alert_disc; - -} - -function get_snort_alert_class($fileline) -{ - /* class */ - if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) - { - $alert_class = "$matches2[0]"; - } - -return $alert_class; - -} - -function get_snort_alert_priority($fileline) -{ - /* Priority */ - if (preg_match('/Priority:\s\d/', $fileline, $matches3)) - { - $alert_priority = "$matches3[0]"; - } - -return $alert_priority; - -} - -function get_snort_alert_proto($fileline) -{ - /* Priority */ - if (preg_match('/\{.+\}/', $fileline, $matches3)) - { - $alert_proto = "$matches3[0]"; - } - -return $alert_proto; - -} - -function get_snort_alert_proto_full($fileline) -{ - /* Protocal full */ - if (preg_match('/.+\sTTL/', $fileline, $matches2)) - { - $alert_proto_full = "$matches2[0]"; - } - -return $alert_proto_full; - -} - -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - { - $alert_ip_src = $matches4[1][0]; - } - -return $alert_ip_src; - -} - -function get_snort_alert_src_p($fileline) -{ - /* source port */ - if (preg_match('/:\d+\s-/', $fileline, $matches5)) - { - $alert_src_p = "$matches5[0]"; - } - -return $alert_src_p; - -} - -function get_snort_alert_flow($fileline) -{ - /* source port */ - if (preg_match('/(->|<-)/', $fileline, $matches5)) - { - $alert_flow = "$matches5[0]"; - } - -return $alert_flow; - -} - -function get_snort_alert_ip_dst($fileline) -{ - /* DST IP */ - $re1dp='.*?'; # Non-greedy match on filler - $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress - $re3dp='.*?'; # Non-greedy match on filler - $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) - { - $alert_ip_dst = $matches6[1][0]; - } - -return $alert_ip_dst; - -} - -function get_snort_alert_dst_p($fileline) -{ - /* dst port */ - if (preg_match('/:\d+$/', $fileline, $matches7)) - { - $alert_dst_p = "$matches7[0]"; - } - -return $alert_dst_p; - -} - -function get_snort_alert_dst_p_full($fileline) -{ - /* dst port full */ - if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) - { - $alert_dst_p = "$matches7[0]"; - } - -return $alert_dst_p; - -} - -function get_snort_alert_sid($fileline) -{ - /* SID */ - if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) - { - $alert_sid = "$matches8[0]"; - } - -return $alert_sid; - -} - -// - -$pgtitle = "Services: Snort: Snort Alerts"; -include("head.inc"); - -?> - -<link rel="stylesheet" href="/snort/css/style.css" type="text/css" media="all"> -<script type="text/javascript" src="/snort/javascript/mootools.js"></script> -<script type="text/javascript" src="/snort/javascript/sortableTable.js"></script> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php - -include("fbegin.inc"); - -/* refresh every 60 secs */ -if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') -{ - echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n"; -} -?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", true, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0"> - <tr> - <td width="22%" colspan="0" class="listtopic"> - Last <?=$anentries;?> Alert Entries. - </td> - <td width="78%" class="listtopic"> - Latest Alert Entries Are Listed First. - </td> - </tr> - <tr> - <td width="22%" class="vncell">Save or Remove Logs</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_alerts.php" method="post"> - <input name="download" type="submit" class="formbtn" value="Download"> - All log files will be saved. - <input name="delete" type="submit" class="formbtn" value="Clear"> - <span class="red"><strong>Warning:</strong></span> all log files will be deleted. - </form> - </td> - </tr> - <tr> - <td width="22%" class="vncell">Auto Refresh and Log View</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_alerts.php" method="post"> - <input name="save" type="submit" class="formbtn" value="Save"> - Refresh - <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> - <strong>Default</strong> is <strong>ON</strong>. - <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> - Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>. - </form> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <td width="100%"> - <br> - <div class="tableFilter"> - <form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">Filter: - <select id="column"> - <option value="1">PRIORITY</option> - <option value="2">PROTO</option> - <option value="3">DESCRIPTION</option> - <option value="4">CLASS</option> - <option value="5">SRC</option> - <option value="6">SRC PORT</option> - <option value="7">FLOW</option> - <option value="8">DST</option> - <option value="9">DST PORT</option> - <option value="10">SID</option> - <option value="11">Date</option> - </select> - <input type="text" id="keyword" /> - <input type="submit" value="Submit" /> - <input type="reset" value="Clear" /> - </form> - </div> -<table class="allRow" id="myTable" width="100%" border="2" cellpadding="1" cellspacing="1"> - <thead> - <th axis="number">#</th> - <th axis="string">PRI</th> - <th axis="string">PROTO</th> - <th axis="string">DESCRIPTION</th> - <th axis="string">CLASS</th> - <th axis="string">SRC</th> - <th axis="string">SPORT</th> - <th axis="string">FLOW</th> - <th axis="string">DST</th> - <th axis="string">DPORT</th> - <th axis="string">SID</th> - <th axis="date">Date</th> - </thead> - <tbody> -<?php - - /* make sure alert file exists */ - if(!file_exists('/var/log/snort/alert')) - { - conf_mount_rw(); - exec('/usr/bin/touch /var/log/snort/alert'); - conf_mount_ro(); - } - - $logent = $anentries; - - /* detect the alert file type */ - if ($snortalertlogt == 'full') - { - $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); - }else{ - $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert')))); - } - - - -if (is_array($alerts_array)) -{ - - $counter = 0; - foreach($alerts_array as $fileline) - { - - if($logent <= $counter) - continue; - - $counter++; - - /* Date */ - $alert_date_str = get_snort_alert_date($fileline); - - if($alert_date_str != '') - { - $alert_date = $alert_date_str; - }else{ - $alert_date = 'empty'; - } - - /* Discription */ - $alert_disc_str = get_snort_alert_disc($fileline); - - if($alert_disc_str != '') - { - $alert_disc = $alert_disc_str; - }else{ - $alert_disc = 'empty'; - } - - /* Classification */ - $alert_class_str = get_snort_alert_class($fileline); - - if($alert_class_str != '') - { - - $alert_class_match = array('[Classification:',']'); - $alert_class = str_replace($alert_class_match, '', "$alert_class_str"); - }else{ - $alert_class = 'Prep'; - } - - /* Priority */ - $alert_priority_str = get_snort_alert_priority($fileline); - - if($alert_priority_str != '') - { - $alert_priority_match = array('Priority: ',']'); - $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str"); - }else{ - $alert_priority = 'empty'; - } - - /* Protocol */ - /* Detect alert file type */ - if ($snortalertlogt == 'full') - { - $alert_proto_str = get_snort_alert_proto_full($fileline); - }else{ - $alert_proto_str = get_snort_alert_proto($fileline); - } - - if($alert_proto_str != '') - { - $alert_proto_match = array(" TTL",'{','}'); - $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str"); - }else{ - $alert_proto = 'empty'; - } - - /* IP SRC */ - $alert_ip_src_str = get_snort_alert_ip_src($fileline); - - if($alert_ip_src_str != '') - { - $alert_ip_src = $alert_ip_src_str; - }else{ - $alert_ip_src = 'empty'; - } - - /* IP SRC Port */ - $alert_src_p_str = get_snort_alert_src_p($fileline); - - if($alert_src_p_str != '') - { - $alert_src_p_match = array(' -',':'); - $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str"); - }else{ - $alert_src_p = 'empty'; - } - - /* Flow */ - $alert_flow_str = get_snort_alert_flow($fileline); - - if($alert_flow_str != '') - { - $alert_flow = $alert_flow_str; - }else{ - $alert_flow = 'empty'; - } - - /* IP Destination */ - $alert_ip_dst_str = get_snort_alert_ip_dst($fileline); - - if($alert_ip_dst_str != '') - { - $alert_ip_dst = $alert_ip_dst_str; - }else{ - $alert_ip_dst = 'empty'; - } - - /* IP DST Port */ - if ($snortalertlogt == 'full') - { - $alert_dst_p_str = get_snort_alert_dst_p_full($fileline); - }else{ - $alert_dst_p_str = get_snort_alert_dst_p($fileline); - } - - if($alert_dst_p_str != '') - { - $alert_dst_p_match = array(':',"\n"," TTL"); - $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str"); - $alert_dst_p_match2 = array('/[A-Z]/'); - $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2"); - }else{ - $alert_dst_p = 'empty'; - } - - /* SID */ - $alert_sid_str = get_snort_alert_sid($fileline); - - if($alert_sid_str != '') - { - $alert_sid_match = array('[',']'); - $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str"); - }else{ - $alert_sid_str = 'empty'; - } - - /* NOTE: using one echo improves performance by 2x */ - if ($alert_disc != 'empty') - { - echo "<tr id=\"{$counter}\"> - <td class=\"centerAlign\">{$counter}</td> - <td class=\"centerAlign\">{$alert_priority}</td> - <td class=\"centerAlign\">{$alert_proto}</td> - <td>{$alert_disc}</td> - <td class=\"centerAlign\">{$alert_class}</td> - <td>{$alert_ip_src}</td> - <td class=\"centerAlign\">{$alert_src_p}</td> - <td class=\"centerAlign\">{$alert_flow}</td> - <td>{$alert_ip_dst}</td> - <td class=\"centerAlign\">{$alert_dst_p}</td> - <td class=\"centerAlign\">{$alert_sid}</td> - <td>{$alert_date}</td> - </tr>\n"; - } - -// <script type="text/javascript"> -// var myTable = {}; -// window.addEvent('domready', function(){ -// myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}}); -// }); -// </script> - - } -} - -?> - </tbody> - </table> - </td> -</table> - -<?php include("fend.inc"); ?> - - <script type="text/javascript"> - var myTable = {}; - window.addEvent('domready', function(){ - myTable = new sortableTable('myTable', {overCls: 'over'}); - }); - </script> - -</body> -</html> diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php deleted file mode 100644 index dcd2faaa..00000000 --- a/config/snort-dev/snort_blocked.php +++ /dev/null @@ -1,440 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_blocked.php - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Modified for the Pfsense snort package v. 1.8+ - Copyright (C) 2009 Robert Zelaya Sr. Developer - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("guiconfig.inc"); - -$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; -$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; - -if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') -{ - $bnentries = '500'; -}else{ - $bnentries = $pconfig['blertnumber']; -} - -if($_POST['todelete'] or $_GET['todelete']) { - if($_POST['todelete']) - $ip = $_POST['todelete']; - if($_GET['todelete']) - $ip = $_GET['todelete']; - exec("/sbin/pfctl -t snort2c -T delete {$ip}"); -} - -if ($_POST['remove']) { - -exec("/sbin/pfctl -t snort2c -T flush"); -sleep(1); -header("Location: /snort/snort_blocked.php"); - -} - -/* TODO: build a file with block ip and disc */ -if ($_POST['download']) -{ - - ob_start(); //important or other posts will fail - $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_blocked_{$save_date}.tar.gz"; - exec('/bin/mkdir /tmp/snort_blocked'); - exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); - - $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); - - if ($blocked_ips_array_save[0] != '') - { - - /* build the list */ - $counter = 0; - foreach($blocked_ips_array_save as $fileline3) - { - - $counter++; - - exec("/bin/echo $fileline3 >> /tmp/snort_blocked/snort_block.pf"); - - } - } - - exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - - if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) - { - $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); - exec("/bin/rm /tmp/snort_block.pf"); - exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); - od_end_clean(); //importanr or other post will fail - }else{ - echo 'Error no saved file.'; - } - -} - -if ($_POST['save']) -{ - - /* input validation */ - if ($_POST['save']) - { - - - } - - /* no errors */ - if (!$input_errors) - { - - $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off; - $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; - - conf_mount_rw(); - write_config(); - //conf_mount_ro(); - sleep(2); - - header("Location: /snort/snort_blocked.php"); - - } - -} - -/* build filter funcs */ -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - { - $alert_ip_src = $matches4[1][0]; - } - -return $alert_ip_src; - -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - { - $alert_disc = "$matches[2]"; - } - -return $alert_disc; - -} - -/* build sec filters */ -function get_snort_block_ip($fileline) -{ - /* ip */ - if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) - { - $alert_block_ip = "$matches[0]"; - } - -return $alert_block_ip; - -} - -function get_snort_block_disc($fileline) -{ - /* disc */ - if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) - { - $alert_block_disc = "$matches[0]"; - } - -return $alert_block_disc; - -} - -/* tell the user what settings they have */ -$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; - if ($blockedtab_msg_chk == "1h_b") { - $blocked_msg = "hour"; - } - if ($blockedtab_msg_chk == "3h_b") { - $blocked_msg = "3 hours"; - } - if ($blockedtab_msg_chk == "6h_b") { - $blocked_msg = "6 hours"; - } - if ($blockedtab_msg_chk == "12h_b") { - $blocked_msg = "12 hours"; - } - if ($blockedtab_msg_chk == "1d_b") { - $blocked_msg = "day"; - } - if ($blockedtab_msg_chk == "4d_b") { - $blocked_msg = "4 days"; - } - if ($blockedtab_msg_chk == "7d_b") { - $blocked_msg = "7 days"; - } - if ($blockedtab_msg_chk == "28d_b") { - $blocked_msg = "28 days"; - } - -if ($blockedtab_msg_chk != "never_b") -{ -$blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>."; -}else{ -$blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts."; -} - -$pgtitle = "Services: Snort Blocked Hosts"; -include("head.inc"); - -?> - -<body link="#000000" vlink="#000000" alink="#000000"> -<?php - -include("fbegin.inc"); - -/* refresh every 60 secs */ -if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') -{ - echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; -} -?> - -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", true, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="22%" colspan="0" class="listtopic"> - Last <?=$bnentries;?> Blocked. - </td> - <td width="78%" class="listtopic"> - This page lists hosts that have been blocked by Snort. <?=$blocked_msg_txt;?> - </td> - </tr> - <tr> - <td width="22%" class="vncell">Save or Remove Hosts</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_blocked.php" method="post"> - <input name="download" type="submit" class="formbtn" value="Download"> - All blocked hosts will be saved. - <input name="remove" type="submit" class="formbtn" value="Clear"> - <span class="red"><strong>Warning:</strong></span> all hosts will be removed. - </form> - </td> - </tr> - <tr> - <td width="22%" class="vncell">Auto Refresh and Log View</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_blocked.php" method="post"> - <input name="save" type="submit" class="formbtn" value="Save"> - Refresh - <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> - <strong>Default</strong> is <strong>ON</strong>. - <input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> - Enter the number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>. - </form> - </td> - </tr> - </table> - - </div> - </td> - </tr> - - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">Remove</td> - <td class="listhdrr">#</td> - <td class="listhdrr">IP</td> - <td class="listhdrr">Alert Description</td> - </tr> -<?php - -/* set the arrays */ -exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); -$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); -$blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); - -$logent = $bnentries; - -if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') -{ - - /* build the list and compare blocks to alerts */ - $counter = 0; - foreach($alerts_array as $fileline) - { - - $counter++; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); - - if (in_array("$alert_ip_src", $blocked_ips_array)) - { - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; - } - } - - foreach($blocked_ips_array as $alert_block_ip) - { - - if (!in_array($alert_block_ip, $alert_ip_src_array)) - { - $input[] = "[$alert_block_ip] " . "[N\A]\n"; - } - } - - /* reduce double occurrences */ - $result = array_unique($input); - - /* buil final list, preg_match, buld html */ - $counter2 = 0; - - foreach($result as $fileline2) - { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_ip_str = get_snort_block_ip($fileline2); - - if($alert_block_ip_str != '') - { - $alert_block_ip_match = array('[',']'); - $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); - }else{ - $alert_block_ip = 'empty'; - } - - $alert_block_disc_str = get_snort_block_disc($fileline2); - - if($alert_block_disc_str != '') - { - $alert_block_disc_match = array('] [',']'); - $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); - }else{ - $alert_block_disc = 'empty'; - } - - /* use one echo to do the magic*/ - echo "<tr> - <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> - <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - <td> {$counter2}</td> - <td> {$alert_block_ip}</td> - <td> {$alert_block_disc}</td> - </tr>\n"; - - } - -}else{ - - /* if alerts file is empty and blocked table is not empty */ - $counter2 = 0; - - foreach($blocked_ips_array as $alert_block_ip) - { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_disc = 'N/A'; - - /* use one echo to do the magic*/ - echo "<tr> - <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> - <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - <td> {$counter2}</td> - <td> {$alert_block_ip}</td> - <td> {$alert_block_disc}</td> - </tr>\n"; - } -} - -if ($blocked_ips_array[0] == '') -{ - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; -}else{ - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; -} - -?> - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -<?php include("fend.inc"); ?> -</body> -</html> diff --git a/config/snort-dev/snort_download_rules.php b/config/snort-dev/snort_download_rules.php deleted file mode 100644 index a8e3ca49..00000000 --- a/config/snort-dev/snort_download_rules.php +++ /dev/null @@ -1,1173 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_rulesets.php - Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -/* Setup enviroment */ - -require("guiconfig.inc"); -require_once("functions.inc"); -require_once("service-utils.inc"); -require("/usr/local/pkg/snort/snort.inc"); - -$tmpfname = "/tmp/snort_rules_up"; -$snortdir = "/usr/local/etc/snort"; -$snortdir_wan = "/usr/local/etc/snort"; -$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; -$snort_filename = "snortrules-snapshot-2.8.tar.gz"; -$emergingthreats_filename_md5 = "version.txt"; -$emergingthreats_filename = "emerging.rules.tar.gz"; -$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; -$pfsense_rules_filename = "pfsense_rules.tar.gz"; - -$id_d = $_GET['id_d']; -if (isset($_POST['id_d'])) - $id_d = $_POST['id_d']; - -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; - -/* define checks */ -$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; -$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; -$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; - - - if ($snortdownload == "off" && $emergingthreats != "on") - { - $snort_emrging_info = "stop"; - } - - if ($oinkid == "" && $snortdownload != "off") - { - $snort_oinkid_info = "stop"; - } - - - /* check if main rule directory is empty */ - $if_mrule_dir = "/usr/local/etc/snort/rules"; - $mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; - -/* If no id show the user a button */ -if ($id_d == "" || $snort_emrging_info == "stop" || $snort_oinkid_info == "stop") { - -$pgtitle = "Services: Snort: Update Rules"; - -include("head.inc"); -include("fbegin.inc"); - -/* make sure user has javascript on */ -echo "<style type=\"text/css\"> -.alert { - position:absolute; - top:10px; - left:0px; - width:94%; -background:#FCE9C0; -background-position: 15px; -border-top:2px solid #DBAC48; -border-bottom:2px solid #DBAC48; -padding: 15px 10px 85% 50px; -} -</style> -<noscript><div class=\"alert\" ALIGN=CENTER><img src=\"/themes/nervecenter/images/icons/icon_alert.gif\"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript>\n"; -echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">\n"; - -echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n -<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n -<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n"; - - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); - -if ($snort_emrging_info == "stop" && $snort_oinkid_info == "stop") { -$disable_enable_button = 'onclick="this.disabled=true"'; -}else{ -$disable_enable_button = "onClick=\"parent.location='/snort/snort_download_rules.php?id_d=up'\""; -} -echo "</td>\n - </tr>\n - <tr>\n - <td>\n - <div id=\"mainarea\">\n - <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n -<input name=\"Submit\" type=\"submit\" class=\"formbtn\" $disable_enable_button value=\"Update Rules\" $disable_button> <br><br> \n"; - -if ($mfolder_chk == "empty") -{ -echo "<span class=\"red\"><strong>WARNING:</strong></span> The main rules <strong>directory</strong> is <strong>empty</strong>. /usr/local/etc/snort/rules <br><br>\n"; -} - -if ($snort_emrging_info == "stop") { -echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and select ether snort.org or enmergingthreats.net rules to download. <br><br> \n"; -} - -if ($snort_oinkid_info == "stop") { -echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and enter a <strong>oinkmaster</strong> code. <br><br> \n"; -} - - -echo " </td>\n - </tr>\n - </table>\n - </div>\n - </td>\n - </tr>\n -</table>\n -\n -</form>\n -\n -<p>\n\n"; - -if ($id_d == "") -echo "Click on the <strong>\"Update Rules\"</strong> button to start the updates. <br><br> \n"; - -if ($config['installedpackages']['snortglobal']['last_md5_download'] != "") -echo "The last time the updates were started <strong>$last_md5_download</strong>. <br><br> \n"; - -if ($config['installedpackages']['snortglobal']['last_rules_install'] != "") -echo "The last time the updates were installed <strong>$last_rules_install</strong>. <br><br> \n"; - -include("fend.inc"); - -echo "</body>"; -echo "</html>"; - -exit(0); - -} - -$pgtitle = "Services: Snort: Update Rules"; - -include("/usr/local/www/head.inc"); - -?> -<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> -<script type="text/javascript" src="/snort/javascript/jquery-1.3.2.js"></script> -<script type="text/javascript" src="/snort/javascript/jquery.blockUI.js?v2.28"></script> - -<script type="text/javascript"> -<!-- - -function displaymessage() -{ - - $.blockUI.defaults.message = "Please be patient...."; - - $.blockUI({ - - css: { - border: 'none', - padding: '15px', - backgroundColor: '#000', - '-webkit-border-radius': '10px', - '-moz-border-radius': '10px', - opacity: .5, - color: '#fff', - } - }); - -} - -function displaymessagestop() -{ - -setTimeout($.unblockUI, 2000); - -} - -// --> -</script> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("/usr/local/www/fbegin.inc"); ?> - - - -<form action="snort_download_rules.php" method="post"> -<div id="inputerrors"></div> - -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); -?> - -<script type="text/javascript"> -<!-- - displaymessage(); -// --> -</script> - - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td align="center" valign="top"> - <!-- progress bar --> - <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> - <tr> - <td> - <img border='0' src='../themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> - </td> - </tr> - </table> - <br /> - <!-- status box --> - <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> - <?=gettext("Initializing...");?> - </textarea> - <!-- command output box --> - <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> - </textarea> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> -<?php include("fend.inc");?> - -<?php - -conf_mount_rw(); - -/* Begin main code */ -/* Set user agent to Mozilla */ -ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); -ini_set("memory_limit","125M"); - -/* mark the time update started */ -$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); - -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - -$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; - -if ($premium_subscriber_chk == "premium") { - $premium_subscriber = "_s"; -}else{ - $premium_subscriber = ""; -} - -$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; -if ($premium_url_chk == "premium") { - $premium_url = "sub-rules"; -}else{ - $premium_url = "reg-rules"; -} - -/* hide progress bar */ -hide_progress_bar_status(); - -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - update_status(gettext("Removing old tmp files...")); - exec("/bin/rm -r {$tmpfname}"); - apc_clear_cache(); -} - -/* Make shure snortdir exits */ -exec("/bin/mkdir -p {$snortdir}"); -exec("/bin/mkdir -p {$snortdir}/rules"); -exec("/bin/mkdir -p {$snortdir}/signatures"); -exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); - -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - -/* If tmp dir does not exist create it */ -if (file_exists($tmpfname)) { - update_status(gettext("The directory tmp exists...")); -} else { - mkdir("{$tmpfname}", 700); -} - -/* unhide progress bar and lets end this party */ -unhide_progress_bar_status(); - -/* download md5 sig from snort.org */ -if ($snortdownload == "basic" || $snortdownload == "premium") -{ - if (file_exists("{$tmpfname}/{$snort_filename_md5}") && - filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { - update_status(gettext("snort.org md5 temp file exists...")); - } else { - update_status(gettext("Downloading snort.org md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); - $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done downloading snort.org md5")); - } -} - -/* download md5 sig from emergingthreats.net */ -if ($emergingthreats == "on") -{ - update_status(gettext("Downloading emergingthreats md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $f = fopen("{$tmpfname}/version.txt", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done downloading emergingthreats md5")); -} - -/* download md5 sig from pfsense.org */ -if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - update_status(gettext("pfsense md5 temp file exists...")); -} else { - update_status(gettext("Downloading pfsense md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); - $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done downloading pfsense md5.")); -} - -/* If md5 file is empty wait 15min exit */ -if ($snortdownload != "off") -{ - if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")) - { - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n\n</body>\n</html>\n"; - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } -} - -/* If emergingthreats md5 file is empty wait 15min exit not needed */ - -/* If pfsense md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ - update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); - update_output_window(gettext("Rules are released to support Pfsense packages.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n\n</body>\n</html>\n"; - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); -} - -/* Check if were up to date snort.org */ -if ($snortdownload != "off") -{ - if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")) - { - $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); - $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - write_config(); // Will cause switch back to read-only on nanobsd - conf_mount_rw(); - if ($md5_check_new == $md5_check_old) - { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - echo "\n\n</body>\n</html>\n"; - $snort_md5_check_ok = on; - } - } -} - -/* Check if were up to date emergingthreats.net */ -if ($emergingthreats == "on") -{ - if (file_exists("{$snortdir}/version.txt")) - { - $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); - $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); - $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); - if ($emerg_md5_check_new == $emerg_md5_check_old) - { - hide_progress_bar_status(); - $emerg_md5_check_ok = on; - } - } -} - -/* Check if were up to date pfsense.org */ - if (file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) - { - $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); - if ($pfsense_md5_check_new == $pfsense_md5_check_old) - { - hide_progress_bar_status(); - $pfsense_md5_check_ok = on; - } - } - -/* Check if were up to date is so, exit */ -/* WARNING This code needs constant checks */ -if ($snortdownload != "off" && $emergingthreats != "off") -{ - if ($snort_md5_check_ok == "on" && $emerg_md5_check_ok == "on") - { - update_status(gettext("All your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - echo ' - <script type="text/javascript"> - <!-- - displaymessagestop(); - // --> - </script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -if ($snortdownload == "on" && $emergingthreats == "off") -{ - if ($snort_md5_check_ok == "on") - { - update_status(gettext("Your snort.org rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - echo ' - <script type="text/javascript"> - <!-- - displaymessagestop(); - // --> - </script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -if ($snortdownload == "off" && $emergingthreats == "on") -{ - if ($emerg_md5_check_ok == "on") - { - update_status(gettext("Your Emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - echo ' - <script type="text/javascript"> - <!-- - displaymessagestop(); - // --> - </script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -/* You are Not Up to date, always stop snort when updating rules for low end machines */; -update_status(gettext("You are NOT up to date...")); -update_output_window(gettext("Stopping Snort service...")); -$chk_if_snort_up = exec("pgrep -x snort"); -if ($chk_if_snort_up != "") { - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); - sleep(2); -} - -/* download snortrules file */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); - } else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Snort rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - update_output_window(gettext("Snort rules file downloaded failed...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != on) - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext("Emergingthreats tar file exists...")); - }else{ - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading Emergingthreats rules file.")); - } - } -} - -/* download pfsense rules file */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - } -} - -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -/* Untar snort rules file individually to help people with low system specs */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mkdir -p {$snortdir}/rules_bk/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/rules_bk rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/" . - " so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/" . - " so_rules/bad-traffic.rules/" . - " so_rules/chat.rules/" . - " so_rules/dos.rules/" . - " so_rules/exploit.rules/" . - " so_rules/imap.rules/" . - " so_rules/misc.rules/" . - " so_rules/multimedia.rules/" . - " so_rules/netbios.rules/" . - " so_rules/nntp.rules/" . - " so_rules/p2p.rules/" . - " so_rules/smtp.rules/" . - " so_rules/sql.rules/" . - " so_rules/web-client.rules/" . - " so_rules/web-misc.rules/"); - /* add prefix to all snort.org files */ - /* remove this part and make it all php with the simplst code posible */ - chdir ("/usr/local/etc/snort/rules_bk/rules"); - sleep(2); - exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); - update_status(gettext("Done extracting Rules.")); - }else{ - update_status(gettext("The Download rules file missing...")); - update_output_window(gettext("Error rules extracting failed...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != on) - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Extracting Pfsense rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; -if ($premium_url_chk == on) { - update_status(gettext("Extracting Signatures...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - } - } -} - -/* Copy so_rules dir to snort lib dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - update_status(gettext("Copying so_rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/snort_web.misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - update_status(gettext("Done copying so_rules.")); - }else{ - update_status(gettext("Directory so_rules does not exist...")); - update_output_window(gettext("Error copying so_rules...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy renamed snort.org rules to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) - { - if (file_exists("{$snortdir}/rules_bk/rules/Makefile.am")) - { - update_status(gettext("Copying renamed snort.org rules to snort directory...")); - exec("/bin/cp {$snortdir}/rules_bk/rules/* {$snortdir}/rules/"); - }else{ - update_status(gettext("The renamed snort.org rules do not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy configs to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) - { - if (file_exists("{$snortdir}/etc/Makefile.am")) { - update_status(gettext("Copying configs to snort directory...")); - exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); - exec("/bin/rm -r {$snortdir}/etc"); - }else{ - update_status(gettext("The snort config does not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } -} - - -/* Copy md5 sig to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$tmpfname}/$snort_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); - }else{ - update_status(gettext("The md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != on) - { - if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) - { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); - }else{ - update_status(gettext("The emergingthreats md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - update_status(gettext("Copying Pfsense md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); -} else { - update_status(gettext("The Pfsense md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -/* Copy signatures dir to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) - { - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == on) - { - if (file_exists("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - update_status(gettext("Done copying signatures.")); - }else{ - update_status(gettext("Directory signatures exist...")); - update_output_window(gettext("Error copying signature...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } - } -} - -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); -} - -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} - -/* make shure default rules are in the right format */ -exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - -/* create a msg-map for snort */ -update_status(gettext("Updating Alert Messages...")); -update_output_window(gettext("Please Wait...")); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); - - -////////////////// - -/* open oinkmaster_conf for writing" function */ -function oinkmaster_conf() -{ - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's oinkmaster.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort/snort_$id$if_real/oinkmaster_$id$if_real.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's oinkmaster.conf file */ - fclose($oinkmasterlist); - - } -} - -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -function oinkmaster_run() -{ - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); - - if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) - { - - if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') - { - update_status(gettext("Your first set of rules are being copied...")); - update_output_window(gettext("May take a while...")); - exec("/bin/echo \"test {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); - }else{ - update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); - - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_$id$if_real/oinkmaster_$id$if_real.conf -o /usr/local/etc/snort/snort_$id$if_real/rules > /usr/local/etc/snort/oinkmaster_$id$if_real.log"); - } - } -} - -/* Start the proccess for every interface rule */ -/* TODO: try to make the code smother */ - -if (!empty($config['installedpackages']['snortglobal']['rule'])) -{ - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) { - - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - - /* make oinkmaster.conf for each interface rule */ - oinkmaster_conf(); - - /* run oinkmaster for each interface rule */ - oinkmaster_run(); - - } -} - -////////////// - -/* mark the time update finnished */ -$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) -{ - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /tmp/snort_rules_up"); - sleep(2); - exec("/bin/rm -r {$snortdir}/rules_bk/rules/"); - apc_clear_cache(); -} - -/* php code to flush out cache some people are reportting missing files this might help */ -sleep(2); -apc_clear_cache(); -exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - -/* make all dirs snorts */ -exec("/usr/sbin/chown -R snort:snort /var/log/snort"); -exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); -exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); -exec("/bin/chmod -R 755 /var/log/snort"); -exec("/bin/chmod -R 755 /usr/local/etc/snort"); -exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - -/* if snort is running hardrestart, if snort is not running do nothing */ -if (file_exists("/tmp/snort_download_halt.pid")) { - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - exec("/bin/rm /tmp/snort_download_halt.pid"); -} else { - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("You may start snort now...")); -} - -echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - -/* hide progress bar and lets end this party */ -hide_progress_bar_status(); -conf_mount_ro(); -?> - -<?php - -function read_body_firmware($ch, $string) { - global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; - $length = strlen($string); - $downloaded += intval($length); - $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); - $downloadProgress = 100 - $downloadProgress; - $a = $file_size; - $b = $downloaded; - $c = $downloadProgress; - $text = " Snort download in progress\\n"; - $text .= "----------------------------------------------------\\n"; - $text .= " Downloaded : {$b}\\n"; - $text .= "----------------------------------------------------\\n"; - $counter++; - if($counter > 150) { - update_output_window($text); - update_progress_bar($downloadProgress); - flush(); - $counter = 0; - } - conf_mount_rw(); - fwrite($fout, $string); - conf_mount_ro(); - return $length; -} - -?> - -</body> -</html> diff --git a/config/snort-dev/snort_help_info.php b/config/snort-dev/snort_help_info.php deleted file mode 100644 index 754a82e3..00000000 --- a/config/snort-dev/snort_help_info.php +++ /dev/null @@ -1,71 +0,0 @@ -<?php
-/* $Id$ */
-/*
- halt.php
- part of pfSense
- Copyright (C) 2004 Scott Ullrich
- All rights reserved.
-
- part of m0n0wall as reboot.php (http://m0n0.ch/wall)
- Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require("guiconfig.inc");
-
-
-header("snort_help_info.php");
-
-$pgtitle = "Snort: Services: Help and Info";
-include('head.inc');
-?>
-
-<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td>
-<?php
- $tab_array = array();
- $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php");
- $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php");
- $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php");
- $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php");
- $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php");
- $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort_whitelist.xml");
- $tab_array[] = array("Help & Info", true, "/snort/snort_help_info.php");
- display_top_tabs($tab_array);
-?>
- </td>
-</tr>
- <td>
- <iFrame src='/snort/help_and_info.html' frameborder=0 width=780px height=600px name='name' marginheight=0 marginwidth=0 scrolling=on></iFrame>
- </td>
-
-</table>
-
-<?php include("fend.inc"); ?>
-</body>
-</html>
diff --git a/config/snort-dev/snort_interfaces.php b/config/snort-dev/snort_interfaces.php deleted file mode 100644 index c508222b..00000000 --- a/config/snort-dev/snort_interfaces.php +++ /dev/null @@ -1,414 +0,0 @@ -<?php -/* $Id$ */ -/* - - originally part of m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. - Copyright (C) 2008-2009 Robert Zelaya. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("guiconfig.inc"); -require("/usr/local/pkg/snort/snort_gui.inc"); -include_once("/usr/local/pkg/snort/snort.inc"); - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); - -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -/* if a custom message has been passed along, lets process it */ -if ($_GET['savemsg']) - $savemsg = $_GET['savemsg']; - -if ($_POST) { - - $pconfig = $_POST; - - if ($_POST['apply']) { - - write_config(); - - $retval = 0; - - if(stristr($retval, "error") <> true) - $savemsg = get_std_save_message($retval); - else - $savemsg = $retval; - - unlink_if_exists("/tmp/config.cache"); - $retval |= filter_configure(); - - if ($retval == 0) { - if (file_exists($d_natconfdirty_path)) - unlink($d_natconfdirty_path); - if (file_exists($d_filterconfdirty_path)) - unlink($d_filterconfdirty_path); - } - - } -} - -if (isset($_POST['del_x'])) { - /* delete selected rules */ - if (is_array($_POST['rule']) && count($_POST['rule'])) { - foreach ($_POST['rule'] as $rulei) { - - - /* dont flood the syslog code */ - exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop $rulei"); - - /* stop syslog flood code */ - $if_real_wan_rulei = $a_nat[$rulei]['interface']; - $if_real_wan_rulei2 = convert_friendly_interface_to_real_interface_name2($if_real_wan_rulei); - exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_$rulei$if_real.log"); - exec("/usr/bin/killall syslogd"); - exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); - exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); - sleep(2); - exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); - $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after {$rulei}{$if_real} STOP {$after_mem}'"); - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule removed for {$rulei}{$if_real}...'"); - - unset($a_nat[$rulei]); - - } - - - - conf_mount_rw(); - exec("/bin/rm -r /usr/local/etc/snort/snort_$rulei$if_real"); - exec("/bin/rm /var/log/snort/snort.u2_$rulei$if_real*"); - conf_mount_ro(); - - write_config(); - // touch($d_natconfdirty_path); - header("Location: /snort/snort_interfaces.php"); - exit; - } - -} else { - - /* yuck - IE won't send value attributes for image buttons, while Mozilla does - so we use .x/.y to find move button clicks instead... */ - unset($movebtn); - foreach ($_POST as $pn => $pd) { - if (preg_match("/move_(\d+)_x/", $pn, $matches)) { - $movebtn = $matches[1]; - break; - } - } - /* move selected rules before this rule */ - if (isset($movebtn) && is_array($_POST['rule']) && count($_POST['rule'])) { - $a_nat_new = array(); - - /* copy all rules < $movebtn and not selected */ - for ($i = 0; $i < $movebtn; $i++) { - if (!in_array($i, $_POST['rule'])) - $a_nat_new[] = $a_nat[$i]; - } - - /* copy all selected rules */ - for ($i = 0; $i < count($a_nat); $i++) { - if ($i == $movebtn) - continue; - if (in_array($i, $_POST['rule'])) - $a_nat_new[] = $a_nat[$i]; - } - - /* copy $movebtn rule */ - if ($movebtn < count($a_nat)) - $a_nat_new[] = $a_nat[$movebtn]; - - /* copy all rules > $movebtn and not selected */ - for ($i = $movebtn+1; $i < count($a_nat); $i++) { - if (!in_array($i, $_POST['rule'])) - $a_nat_new[] = $a_nat[$i]; - } - $a_nat = $a_nat_new; - write_config(); - touch($d_natconfdirty_path); - header("Location: snort_interfaces.php"); - - exit; - } -} - - -/* start/stop snort */ -if ($_GET['act'] == "toggle" && $_GET['id'] != "") -{ - - $if_real2 = convert_friendly_interface_to_real_interface_name($a_nat[$id]['interface']); - $name = "{$id}{$if_real2}"; - $snort_pid = exec("pgrep -F /var/run/snort_{$if_real2}{$name}.pid snort"); - - if ($snort_pid != "") { - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop $name"); - }else{ - sync_snort_package_all(); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start $name"); - } - header("Location: snort_interfaces.php"); -} - -$pgtitle = "Services: Snort 2.8.5.2 pkg v. 1.9"; -include("head.inc"); - -?> -<body link="#000000" vlink="#000000" alink="#000000"> -<?php include("fbegin.inc"); ?> -<style type="text/css"> -.alert { - position:absolute; - top:10px; - left:0px; - width:94%; -background:#FCE9C0; -background-position: 15px; -border-top:2px solid #DBAC48; -border-bottom:2px solid #DBAC48; -padding: 15px 10px 50% 50px; -} -.listbg2 { - border-right: 1px solid #999999; - border-bottom: 1px solid #999999; - font-size: 11px; - background-color: #090; - color: #000; - padding-right: 16px; - padding-left: 6px; - padding-top: 4px; - padding-bottom: 4px; -} -.listbg3 { - border-right: 1px solid #999999; - border-bottom: 1px solid #999999; - font-size: 11px; - background-color: #777777; - color: #000; - padding-right: 16px; - padding-left: 6px; - padding-top: 4px; - padding-bottom: 4px; -} -</style> -<noscript><div class="alert" ALIGN=CENTER><img src="../themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> - -<form action="snort_interfaces.php" method="post" name="iform"> -<script type="text/javascript" language="javascript" src="row_toggle.js"> -</script> -<?php if (file_exists($d_natconfdirty_path)): ?><p> -<?php - if($savemsg) - print_info_box_np2("{$savemsg}<br>The Snort configuration has been changed.<br>You must apply the changes in order for them to take effect."); - else - print_info_box_np2("The Snort configuration has been changed.<br>You must apply the changes in order for them to take effect."); -?> -<?php endif; ?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", true, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="4%" class="list"> </td> - <td width="1%" class="list"> </td> - <td width="10%" class="listhdrr">If</td> - <td width="10%" class="listhdrr">Snort</td> - <td width="10%" class="listhdrr">Performance</td> - <td width="10%" class="listhdrr">Block</td> - <td width="10%" class="listhdrr">Barnyard2</td> - <td width="50%" class="listhdr">Description</td> - <td width="3%" class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td width="17"></td> - <td><a href="snort_interfaces_edit.php"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - </tr> - <?php $nnats = $i = 0; foreach ($a_nat as $natent): ?> - <tr valign="top" id="fr<?=$nnats;?>"> - <?php - /* convert fake interfaces to real and check if iface is up */ - $if_real = convert_friendly_interface_to_real_interface_name($natent['interface']); - - $snort_pid = exec("pgrep -F /var/run/snort_{$if_real}{$nnats}{$if_real}.pid snort"); - if ($snort_pid) { - $class_color_up = "listbg2"; - $iconfn = "block"; - }else{ - $class_color_up = "listbg"; - $iconfn = "pass"; - } - - - ?> - <td class="listt"><a href="?act=toggle&id=<?=$i;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_<?=$iconfn;?>.gif" width="13" height="13" border="0" title="click to toggle start/stop snort"></a><input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0; width: 7px; height: 7px;"></td> - <td class="listt" align="center"></td> - <td class="<?=$class_color_up;?>" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <?php - if (!$natent['interface'] || ($natent['interface'] == "wan")) - echo "WAN"; - else if(strtolower($natent['interface']) == "lan") - echo "LAN"; - else if(strtolower($natent['interface']) == "pppoe") - echo "PPPoE"; - else if(strtolower($natent['interface']) == "pptp") - echo "PPTP"; - else - echo strtoupper($natent['interface']); - ?> - </td> - <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <?php - $check_snort_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['enable']; - if ($check_snort_info == "on") - { - $check_snort = enabled; - } else { - $check_snort = disabled; - } - ?> - <?=strtoupper($check_snort);?> - </td> - <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <?php - $check_performance_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['performance']; - if ($check_performance_info != "") { - $check_performance = $check_performance_info; - }else{ - $check_performance = "lowmem"; - } - ?> - <?=strtoupper($check_performance);?> - </td> - <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <?php - $check_blockoffenders_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['blockoffenders7']; - if ($check_blockoffenders_info == "on") - { - $check_blockoffenders = enabled; - } else { - $check_blockoffenders = disabled; - } - ?> - <?=strtoupper($check_blockoffenders);?> - </td> - <?php - - $byard_pid = exec("pgrep -F /var/run/barnyard2_{$nnats}{$if_real}.pid barnyard2"); - if ($byard_pid) { - $class_color_upb = "listbg2"; - }else{ - $class_color_upb = "listbg"; - } - - ?> - <td class="<?=$class_color_upb;?>" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <?php - $check_snortbarnyardlog_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['barnyard_enable']; - if ($check_snortbarnyardlog_info == "on") - { - $check_snortbarnyardlog = strtoupper(enabled); - }else{ - $check_snortbarnyardlog = strtoupper(disabled); - } - ?> - <?php echo "$check_snortbarnyardlog";?> - </td> - <td class="listbg3" onClick="fr_toggle(<?=$nnats;?>)" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> - <font color="#ffffff"> - <?=htmlspecialchars($natent['descr']);?> - </td> - <td valign="middle" class="list" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="edit rule"></a></td> - </tr> - </table> - </tr> - <?php $i++; $nnats++; endforeach; ?> - <tr> - <td class="list" colspan="8"></td> - <td class="list" valign="middle" nowrap> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><?php if ($nnats == 0): ?><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="delete selected rules" border="0"><?php else: ?><input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="delete selected mappings" onclick="return confirm('Do you really want to delete the selected Snort Rule?')"><?php endif; ?></td> - </tr> - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> - -<br> - <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <td width="100%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> - <br> - This is the <strong>Snort Menu</strong>, displaying an overview of all interface settings. - <br> - Please edit the <strong>Global Settings</strong> tab before adding an interface. - <br><br> - <strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="Add Icon"> icon to add an interface.                           <strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" width="13" height="13" border="0" title="Start Icon"> icon to <strong>start</strong> snort and barnyard. - <br> - <strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="Edit Icon"> icon to edit an interface and settings.      <strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="13" height="13" border="0" title="Stop Icon"> icon to <strong>stop</strong> snort and barnyard. - <br> - <strong> Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="Delete Icon"> icon to delete an interface and settings. -</td> - </table> - -<?php -if ($pkg['tabs'] <> "") { - echo "</td></tr></table>"; -} -?> - -</form> -<?php include("fend.inc"); ?> -</body> -</html> diff --git a/config/snort-dev/snort_rules_edit.php b/config/snort-dev/snort_rules_edit.php deleted file mode 100644 index 412024d8..00000000 --- a/config/snort-dev/snort_rules_edit.php +++ /dev/null @@ -1,243 +0,0 @@ -#!/usr/local/bin/php
-<?php
-/*
- system_edit.php
- Copyright (C) 2004, 2005 Scott Ullrich
- All rights reserved.
-
- Adapted for FreeNAS by Volker Theile (votdev@gmx.de)
- Copyright (C) 2006-2009 Volker Theile
-
- Adapted for Pfsense Snort package by Robert Zelaya
- Copyright (C) 2008-2009 Robert Zelaya
-
- Using dp.SyntaxHighlighter for syntax highlighting
- http://www.dreamprojections.com/SyntaxHighlighter
- Copyright (C) 2004-2006 Alex Gorbatchev. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-require("guiconfig.inc");
-require("config.inc");
-
-//////////////////
-
-if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
- $config['installedpackages']['snortglobal']['rule'] = array();
-}
-
-//nat_rules_sort();
-$a_nat = &$config['installedpackages']['snortglobal']['rule'];
-
-$id = $_GET['id'];
-if (isset($_POST['id']))
- $id = $_POST['id'];
-
-$ids = $_GET['ids'];
-if (isset($_POST['ids']))
- $ids = $_POST['ids'];
-
-
-if (isset($id) && $a_nat[$id]) {
-
- $pconfig['enable'] = $a_nat[$id]['enable'];
- $pconfig['interface'] = $a_nat[$id]['interface'];
- $pconfig['rulesets'] = $a_nat[$id]['rulesets'];
-}
-
-/* convert fake interfaces to real */
-$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']);
-
-
-$file = $_GET['openruleset'];
-
-//read snort file
-$filehandle = fopen($file, "r");
-
-//get rule id
-$lineid = $_GET['ids'];
-
-//read file into string, and get filesize
-$contents2 = fread($filehandle, filesize($file));
-
-//close handler
-fclose ($filehandle);
-
-//delimiter for each new rule is a new line
-$delimiter = "\n";
-
-//split the contents of the string file into an array using the delimiter
-$splitcontents = explode($delimiter, $contents2);
-
-//copy rule contents from array into string
-$tempstring = $splitcontents[$lineid];
-
-function write_rule_file($content_changed, $received_file)
-{
- //read snort file with writing enabled
- $filehandle = fopen($received_file, "w");
-
- //delimiter for each new rule is a new line
- $delimiter = "\n";
-
- //implode the array back into a string for writing purposes
- $fullfile = implode($delimiter, $content_changed);
-
- //write data to file
- fwrite($filehandle, $fullfile);
-
- //close file handle
- fclose($filehandle);
-
-}
-
-
-
-if($_POST['highlight'] <> "") {
- if($_POST['highlight'] == "yes" or
- $_POST['highlight'] == "enabled") {
- $highlight = "yes";
- } else {
- $highlight = "no";
- }
-} else {
- $highlight = "no";
-}
-
-if($_POST['rows'] <> "")
- $rows = $_POST['rows'];
-else
- $rows = 1;
-
-if($_POST['cols'] <> "")
- $cols = $_POST['cols'];
-else
- $cols = 66;
-
-if ($_POST)
-{
- if ($_POST['save']) {
-
- /* get the changes */
- $rule_content2 = $_POST['code'];
-
- //copy string into file array for writing
- $splitcontents[$lineid] = $rule_content2;
-
- //write the new .rules file
- write_rule_file($splitcontents, $file);
-
- header("Location: /snort/snort_rules_edit.php?id=$id&openruleset=$file&ids=$ids");
-
- }
-}
-
-$pgtitle = array(gettext("Advanced"), gettext("File Editor"));
-
-//
-?>
-
-<?php include("head.inc");?>
-
-<body link="#000000" vlink="#000000" alink="#000000">
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <tr>
- <td class="tabcont">
- <form action="snort_rules_edit.php?id=<?=$id; ?>&openruleset=<?=$file; ?>&ids=<?=$ids; ?>" method="post">
- <?php if ($savemsg) print_info_box($savemsg);?>
- <table width="100%" cellpadding='9' cellspacing='9' bgcolor='#eeeeee'>
- <tr>
- <td>
- <input name="save" type="submit" class="formbtn" id="save" value="save" /> <input type="button" class="formbtn" value="Cancel" onclick="history.back()">
- <hr noshade="noshade" />
- <?=gettext("Disable original rule"); ?>:
- <input id="highlighting_enabled" name="highlight2" type="radio" value="yes" <?php if($highlight == "yes") echo " checked=\"checked\""; ?> />
- <label for="highlighting_enabled"><?=gettext("Enabled"); ?></label>
- <input id="highlighting_disabled" name="highlight2" type="radio" value="no"<?php if($highlight == "no") echo " checked=\"checked\""; ?> />
- <label for="highlighting_disabled"><?=gettext("Disabled"); ?></label>
- </td>
- </tr>
- </table>
- <table width='100%'>
- <tr>
- <td valign="top" class="label">
- <div style="background: #eeeeee;" id="textareaitem">
- <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
- <textarea wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="<?php echo $rows; ?>" cols="<?php echo $cols; ?>" name="code"><?php echo $tempstring;?></textarea>
- </div>
- </td>
- </tr>
- </table>
- <table width='100%'>
- <tr>
- <td valign="top" class="label">
- <div style="background: #eeeeee;" id="textareaitem">
- <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
- <textarea disabled wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="33" cols="<?php echo $cols; ?>" name="code2"><?php echo $contents2;?></textarea>
- </div>
- </td>
- </tr>
- </table>
- <?php // include("formend.inc");?>
- </form>
- </td>
- </tr>
-</table>
-<script class="javascript" src="/snort/syntaxhighlighter/shCore.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushCSharp.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushPhp.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushJScript.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushJava.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushVb.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushSql.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushXml.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushDelphi.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushPython.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushRuby.js"></script>
-<script class="javascript" src="/snort/syntaxhighlighter/shBrushCss.js"></script>
-<script class="javascript">
-<!--
- // Set focus.
- document.forms[0].savetopath.focus();
-
- // Append css for syntax highlighter.
- var head = document.getElementsByTagName("head")[0];
- var linkObj = document.createElement("link");
- linkObj.setAttribute("type","text/css");
- linkObj.setAttribute("rel","stylesheet");
- linkObj.setAttribute("href","/snort/syntaxhighlighter/SyntaxHighlighter.css");
- head.appendChild(linkObj);
-
- // Activate dp.SyntaxHighlighter?
- <?php
- if($_POST['highlight'] == "yes") {
- echo "dp.SyntaxHighlighter.HighlightAll('code', true, true);\n";
- // Disable 'Save' button.
- echo "document.forms[0].Save.disabled = 1;\n";
- }
-?>
-//-->
-</script>
-<?php //include("fend.inc");?>
-
-</body>
-</html>
diff --git a/config/snort-dev/bin/barnyard2 b/config/snort-old/bin/barnyard2 Binary files differindex b942e87f..b942e87f 100644 --- a/config/snort-dev/bin/barnyard2 +++ b/config/snort-old/bin/barnyard2 diff --git a/config/snort-dev/bin/oinkmaster_contrib/README.contrib b/config/snort-old/bin/oinkmaster_contrib/README.contrib index 6923fa26..6923fa26 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/README.contrib +++ b/config/snort-old/bin/oinkmaster_contrib/README.contrib diff --git a/config/snort-dev/bin/oinkmaster_contrib/addmsg.pl b/config/snort-old/bin/oinkmaster_contrib/addmsg.pl index e5866d6f..e5866d6f 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/addmsg.pl +++ b/config/snort-old/bin/oinkmaster_contrib/addmsg.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/addsid.pl b/config/snort-old/bin/oinkmaster_contrib/addsid.pl index 64255d22..64255d22 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/addsid.pl +++ b/config/snort-old/bin/oinkmaster_contrib/addsid.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl b/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl index 26a9040c..26a9040c 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl +++ b/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/makesidex.pl b/config/snort-old/bin/oinkmaster_contrib/makesidex.pl index 80354735..80354735 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/makesidex.pl +++ b/config/snort-old/bin/oinkmaster_contrib/makesidex.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl b/config/snort-old/bin/oinkmaster_contrib/oinkgui.pl index 4e96f7db..4e96f7db 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl +++ b/config/snort-old/bin/oinkmaster_contrib/oinkgui.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl b/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl index f9c4d215..f9c4d215 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl +++ b/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl diff --git a/config/snort-dev/bin/snort2c b/config/snort-old/bin/snort2c Binary files differindex fdc91ac8..fdc91ac8 100644..100755 --- a/config/snort-dev/bin/snort2c +++ b/config/snort-old/bin/snort2c diff --git a/config/snort-dev/pfsense_rules/local.rules b/config/snort-old/pfsense_rules/local.rules index 83a05f1b..83a05f1b 100644 --- a/config/snort-dev/pfsense_rules/local.rules +++ b/config/snort-old/pfsense_rules/local.rules diff --git a/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 new file mode 100644 index 00000000..83d5bdae --- /dev/null +++ b/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 @@ -0,0 +1 @@ +10002
\ No newline at end of file diff --git a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules index 12f2fdf2..12f2fdf2 100644 --- a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules +++ b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules diff --git a/config/snort-dev/snort.inc b/config/snort-old/snort.inc index 76a1e855..74a863ad 100644..100755 --- a/config/snort-dev/snort.inc +++ b/config/snort-old/snort.inc @@ -3,7 +3,6 @@ /* snort.inc Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya part of pfSense All rights reserved. @@ -31,591 +30,214 @@ require_once("pfsense-utils.inc"); -// Needed on 2.0 because of filter_get_vpns_list() -require_once("filter.inc"); - -/* Get id and realinterfaces */ - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -$interface_fake = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; -$if_real = convert_friendly_interface_to_real_interface_name($interface_fake); - -/* get the real iface name of wan */ -function convert_friendly_interface_to_real_interface_name2($interface) -{ - global $config; - - $lc_interface = strtolower($interface); - if($lc_interface == "lan") return $config['interfaces']['lan']['if']; - if($lc_interface == "wan") return $config['interfaces']['wan']['if']; - $ifdescrs = array(); - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) - $ifdescrs['opt' . $j] = "opt" . $j; - foreach ($ifdescrs as $ifdescr => $ifname) - { - if(strtolower($ifname) == $lc_interface) - return $config['interfaces'][$ifname]['if']; - if(strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface) - return $config['interfaces'][$ifname]['if']; - } - - return $interface; -} - -$if_real_wan = convert_friendly_interface_to_real_interface_name2($interface_fake); +// Needed on 2.0 because of get_vpns_list() +require_once("filter.inc"); /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); ini_set('max_input_time', '9999'); /* define oinkid */ -if($config['installedpackages']['snortglobal']) - $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; - -function snort_postinstall() -{ - global $config; - conf_mount_rw(); - - if(!file_exists("/var/log/snort/")) - mwexec("mkdir -p /var/log/snort/"); - - if(!file_exists("/var/log/snort/alert")) - touch("/var/log/snort/alert"); - - /* snort -> advanced features */ - $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; - $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; - $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; - - - /* create a few directories and ensure the sample files are in place */ - exec("/bin/mkdir -p /usr/local/etc/snort"); - exec("/bin/mkdir -p /var/log/snort"); - exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - - if(file_exists("/usr/local/etc/snort/snort.conf-sample")) - { - exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); - exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); - exec("/bin/rm /usr/local/etc/snort/generators-sample"); - exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); - exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/sid"); - exec("/bin/rm /usr/local/etc/rc.d/snort"); - exec("/bin/rm /usr/local/etc/rc.d/bardyard2"); - } - - if(!file_exists("/usr/local/etc/snort/custom_rules")) - { - exec("/bin/mkdir -p /usr/local/etc/snort/custom_rules/"); - } - - exec("/usr/sbin/pw groupadd snort"); - exec('/usr/sbin/pw useradd snort -c "SNORT USER" -d /nonexistent -g snort -s /sbin/nologin'); - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - - /* remove example files */ - if(file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0")) - { - exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); - } - - if(file_exists("/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so")) - { - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); - } +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - /* move files around, make it look clean */ - exec('/bin/mkdir -p /usr/local/www/snort/css'); - exec('/bin/mkdir -p /usr/local/www/snort/images'); - exec('/bin/mkdir -p /usr/local/www/snort/javascript'); - - chdir ("/usr/local/www/snort/css/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/css/style.css'); - chdir ("/usr/local/www/snort/images/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/alert.jpg'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down2.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-asc.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-desc.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up2.gif'); - chdir ("/usr/local/www/snort/javascript/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/jquery.blockUI.js'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/jquery-1.3.2.js'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/mootools.js'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/sortableTable.js'); - - /* back to default */ - chdir ("/root/"); - - conf_mount_ro(); - -} - function sync_package_snort_reinstall() { global $config; - conf_mount_rw(); - - if(!$config['installedpackages']['snortglobal']) + if(!$config['installedpackages']['snort']) return; /* create snort configuration file */ create_snort_conf(); /* start snort service */ - // start_service("snort"); // do not start, may be needed latter. - - conf_mount_ro(); -} - -/* func for updating cron */ -function snort_rm_blocked_install_cron($should_install) -{ - global $config, $g; - - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) - { - if (strstr($item['command'], "snort2c")) - { - $is_installed = true; - break; - } - $x++; - } - - $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") - { - $snort_rm_blocked_min = "*/5"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "3600"; - } - if ($snort_rm_blocked_info_ck == "3h_b") - { - $snort_rm_blocked_min = "*/15"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "10800"; - } - if ($snort_rm_blocked_info_ck == "6h_b") - { - $snort_rm_blocked_min = "*/30"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "21600"; - } - if ($snort_rm_blocked_info_ck == "12h_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/1"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "43200"; - } - if ($snort_rm_blocked_info_ck == "1d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/2"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "86400"; - } - if ($snort_rm_blocked_info_ck == "4d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/8"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "345600"; - } - if ($snort_rm_blocked_info_ck == "7d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/14"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "604800"; - } - if ($snort_rm_blocked_info_ck == "28d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "0"; - $snort_rm_blocked_mday = "*/2"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "2419200"; - } - switch($should_install) - { - case true: - if(!$is_installed) - { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) - { - if($x > 0) - { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } -} - -/* func to install snort update */ -function snort_rules_up_install_cron($should_install) { - global $config, $g; - - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; - if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/1"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/4"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/7"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/28"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /usr/local/etc/snort/snort_update.log"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } + start_service("snort"); } - -/* make sure this func on writes to files and does not start snort */ -function sync_snort_package() +function sync_package_snort() { global $config, $g; conf_mount_rw(); + mwexec("mkdir -p /var/log/snort/"); + if(!file_exists("/var/log/snort/alert")) + touch("/var/log/snort/alert"); - /* all new files are for the user snort nologin */ - if(!file_exists("/var/log/snort")) - { - exec("/bin/mkdir -p /var/log/snort"); - } - - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - conf_mount_ro(); -} - - -/* make sure this func on writes to files and does not start snort */ -function sync_snort_package_all() -{ - global $config, $g, $id, $if_real, $interface_fake; - conf_mount_rw(); - -/* RedDevil suggested code */ -/* TODO: more testing needs to be done */ -exec("/sbin/sysctl net.bpf.bufsize=8388608"); -exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); -exec("/sbin/sysctl net.bpf.maxinsns=512"); -exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - - /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { - if ($id == "") - { - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { - - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - - /* create snort configuration file */ - create_snort_conf(); - - /* if rules exist cp rules to each iface */ - create_rules_iface(); + /* snort -> advanced features */ + $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - create_barnyard2_conf(); + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; + /* create a few directories and ensure the sample files are in place */ + exec("/bin/mkdir -p /usr/local/etc/snort"); + exec("/bin/mkdir -p /var/log/snort"); + exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); + exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); + exec("/bin/rm /usr/local/etc/snort/generators-sample"); + exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); + exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/sid"); + exec("/bin/rm -f /usr/local/etc/rc.d/snort"); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; } - - }else{ - - /* create snort configuration file */ - create_snort_conf(); - - - /* if rules exist cp rules to each iface */ - create_rules_iface(); - - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == on) - { - create_barnyard2_conf(); + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; } } - - /* all new files are for the user snort nologin */ - if(!file_exists("/var/log/snort")) + //print_r($snortInterfaces); + + /* create log directory */ + $start = "/bin/mkdir -p /var/log/snort\n"; + + /* snort advanced features - bpf tuning */ + if($bpfbufsize) + $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; + if($bpfmaxbufsize) + $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; + if($bpfmaxinsns) + $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; + + /* go ahead and issue bpf changes */ + if($bpfbufsize) + mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); + if($bpfmaxbufsize) + mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); + if($bpfmaxinsns) + mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); + + /* always stop barnyard2 before starting snort -gtm */ + $start .= "/usr/bin/killall barnyard2\n"; + + /* start a snort process for each interface -gtm */ + /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ + /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ + /* TODO; get snort to start under nologin shell */ + foreach($snortInterfaces as $snortIf) { - exec("/bin/mkdir -p /var/log/snort"); - } - - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - /* Generate the snort instance list */ - $rc_snort = ""; - $i = 0; - $rules = &$config['installedpackages']['snortglobal']['rule']; - foreach($rules as $snort) { - $name = "${i}${if_real}"; - $if_real = convert_friendly_interface_to_real_interface_name($snort['interface']); - $rc_snort .= "snort_list=\"\${snort_list} ${name}\"\n"; - $rc_snort .= "snort_${name}_conf=\"/usr/local/etc/snort/snort_${name}/snort.conf\"\n"; - $rc_snort .= "snort_${name}_name=\"${name}\"\n"; - $rc_snort .= "snort_${name}_id=\"${i}\"\n"; - $rc_snort .= "snort_${name}_interface=\"${if_real}\"\n"; - - $snortenable_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; - if ($snortenable_info_chk == 'on') - $rc_snort .= "snort_${name}_enable=\"YES\"\n"; - else - $rc_snort .= "snort_${name}_enable=\"NO\"\n"; - - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - $rc_snort .= "snort_${name}_barnyard=\"YES\"\n"; - $i++; - } - $rcconf = fopen("/var/etc/rc.snort", "w"); - if(!$rcconf) { - log_error("Could not open /var/etc/rc.snort for writing."); - exit; - } - fwrite($rcconf, $rc_snort); - fclose($rcconf); - - - conf_mount_ro(); - -} - -/* Start of main config files */ -/* Start of main config files */ - - - -/* if rules exist copy to new interfaces */ -function create_rules_iface() -{ + $start .= "sleep 4\n"; + $start .= "/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + $start .= "\nsleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; + } + $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &\n\texit 1\n\tfi\n\n"; + $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; + $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; + $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; + $del_old_pids = "\nrm -f /var/run/snort_*\n"; + $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + if ($snort_performance == "ac-bnfa") + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; + else + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; + $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; + $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; + $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; + + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "snort.sh", + "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", + "stop" => "/usr/bin/killall snort; killall barnyard2" + ) + ); - global $config, $g, $id, $if_real; - conf_mount_rw(); + /* create snort configuration file */ + create_snort_conf(); - $if_rule_dir = "/usr/local/etc/snort/snort_$id$if_real/rules"; - $folder_chk = (count(glob("$if_rule_dir/*")) === 0) ? 'empty' : 'full'; +/* create barnyard2 configuration file */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); - if ($folder_chk == "empty") - { - exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_$id$if_real"); - if (file_exists("/usr/local/etc/snort/custom_rules/local_$id$if_real.rules")) - { - exec("/bin/cp /usr/local/etc/snort/custom_rules/local_$id$if_real.rules /usr/local/etc/snort/snort_$id$if_real/rules/local_$id$if_real.rules"); - } + /* snort will not start on install untill setting are set */ +if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { + /* start snort service */ + conf_mount_ro(); + start_service("snort"); } } /* open barnyard2.conf for writing */ function create_barnyard2_conf() { - global $bconfig, $bg, $id, $if_real; + global $bconfig, $bg; /* write out barnyard2_conf */ - - if(!file_exists("/usr/local/etc/snort/snort_$id$if_real/barnyard2.conf")) - { - exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf"); - } - + conf_mount_rw(); $barnyard2_conf_text = generate_barnyard2_conf(); - $bconf = fopen("/usr/local/etc/snort/snort_$id$if_real/barnyard2.conf", "w"); + $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); if(!$bconf) { - log_error("Could not open /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf for writing."); + log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); exit; } fwrite($bconf, $barnyard2_conf_text); fclose($bconf); + conf_mount_ro(); } - /* open barnyard2.conf for writing" */ function generate_barnyard2_conf() { - global $config, $g, $id, $if_real; + global $config, $g; conf_mount_rw(); /* define snortbarnyardlog */ /* TODO add support for the other 5 output plugins */ -$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; -$snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); - -$snortbarnyardlog_interface_info_chk = $if_real; +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; +$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; +$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; $barnyard2_conf_text = <<<EOD # barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php -# + # Copyright (C) 2006 Robert Zelaya # part of pfSense # All rights reserved. -# + +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: + # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. -# + # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. -# + # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -626,7 +248,6 @@ $barnyard2_conf_text = <<<EOD # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. -# # set the appropriate paths to the file(s) your Snort process is using config reference-map: /usr/local/etc/snort/reference.config @@ -635,7 +256,7 @@ config gen-msg-map: /usr/local/etc/snort/gen-msg.map config sid-msg-map: /usr/local/etc/snort/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk -config interface: $id$snortbarnyardlog_interface_info_chk +config interface: $snortbarnyardlog_interface_info_chk # Step 2: setup the input plugins input unified2 @@ -646,19 +267,19 @@ input unified2 $snortbarnyardlog_database_info_chk EOD; - + conf_mount_rw(); return $barnyard2_conf_text; } function create_snort_conf() { - global $config, $g, $id, $if_real; + global $config, $g; /* write out snort.conf */ $snort_conf_text = generate_snort_conf(); conf_mount_rw(); - $conf = fopen("/usr/local/etc/snort/snort_$id$if_real/snort.conf", "w"); + $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); if(!$conf) { - log_error("Could not open /usr/local/etc/snort/$id$if_real/snort.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); exit; } fwrite($conf, $snort_conf_text); @@ -666,74 +287,57 @@ function create_snort_conf() { conf_mount_ro(); } -function snort_deinstall() -{ +function snort_deinstall() { - global $config, $g, $id, $if_real; + global $config, $g; conf_mount_rw(); - + + /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ exec("/sbin/sysctl net.bpf.bufsize=4096"); - exec("/usr/usr/bin/killall snort"); - sleep(2); - exec("/usr/usr/bin/killall -9 snort"); - sleep(2); - exec("/usr/usr/bin/killall barnyard2"); - sleep(2); - exec("/usr/usr/bin/killall -9 barnyard2"); - sleep(2); - exec("/usr/sbin/pw userdel snort"); - exec("/usr/sbin/pw groupdel snort"); + exec("/usr/bin/killall snort"); + sleep(5); + exec("/usr/bin/killall -9 snort"); + exec("rm -f /usr/local/etc/rc.d/snort*"); exec("rm -rf /usr/local/etc/snort*"); - exec("cd /var/db/pkg && pkg_delete `ls | grep barnyard2`"); exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); + exec("/usr/bin/killall -9 snort"); + exec("/usr/bin/killall snort"); /* Remove snort cron entries Ugly code needs smoothness*/ -function snort_rm_blocked_deinstall_cron($should_install) -{ + function snort_rm_blocked_deinstall_cron($should_install) { global $config, $g; - conf_mount_rw(); $is_installed = false; if(!$config['cron']['item']) - return; + return; $x=0; - foreach($config['cron']['item'] as $item) - { - if (strstr($item['command'], "snort2c")) - { - $is_installed = true; - break; - } - - $x++; - + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } } - if($is_installed == true) - { - if($x > 0) - { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - - configure_cron(); - - } - conf_mount_ro(); -} - - + function snort_rules_up_deinstall_cron($should_install) { global $config, $g; - conf_mount_rw(); - + $is_installed = false; if(!$config['cron']['item']) @@ -751,7 +355,6 @@ function snort_rm_blocked_deinstall_cron($should_install) if($x > 0) { unset($config['cron']['item'][$x]); write_config(); - conf_mount_rw(); } configure_cron(); } @@ -760,203 +363,186 @@ function snort_rm_blocked_deinstall_cron($should_install) snort_rm_blocked_deinstall_cron(""); snort_rules_up_deinstall_cron(""); - - /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ - /* Keep this as a last step */ - unset($config['installedpackages']['snortglobal']); - write_config(); - conf_mount_rw(); - - exec("rm -r /usr/local/www/snort"); - exec("rm -r /usr/local/pkg/snort"); - exec("rm -r /usr/local/lib/snort/"); - - conf_mount_ro(); +/* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ +/* Keep this as a last step */ + +unset($config['installedpackages']['snort']); +unset($config['installedpackages']['snortdefservers']); +unset($config['installedpackages']['snortwhitelist']); +unset($config['installedpackages']['snortthreshold']); +unset($config['installedpackages']['snortadvanced']); + + +write_config(); +conf_mount_ro(); } -function generate_snort_conf() -{ +function generate_snort_conf() { - global $config, $g, $if_real, $id; + global $config, $g; conf_mount_rw(); - /* obtain external interface */ /* XXX: make multi wan friendly */ - $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - -// $snort_config_pass_thru = $config['installedpackages']['snortglobal']['rule'][$id]['configpassthru']; + $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; - /* create basic files */ - if(!file_exists("/usr/local/etc/snort/snort/snort_$id$if_real")) - { - exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/"); - exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/rules"); - - if(!file_exists("/usr/local/etc/snort/snort_$id$if_real/gen-msg.map")) - { - exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_$id$if_real/classification.config"); - exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_$id$if_real/gen-msg.map"); - exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_$id$if_real/reference.config"); - exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_$id$if_real/sid-msg.map"); - exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_$id$if_real/unicode.map"); - exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_$id$if_real/threshold.conf"); - exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_$id$if_real/snort.conf"); - exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_$id$if_real/barnyard2.conf"); - exec("/bin/mkdir -p /usr/local/etc/snort/snort_$id$if_real/rules"); - } - } + $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; /* define snortalertlogtype */ -$snortalertlogtype = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; if ($snortalertlogtype == fast) $snortalertlogtype_type = "output alert_fast: alert"; else $snortalertlogtype_type = "output alert_full: alert"; /* define alertsystemlog */ -$alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['alertsystemlog']; +$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; if ($alertsystemlog_info_chk == on) $alertsystemlog_type = "output alert_syslog: log_alert"; /* define tcpdumplog */ -$tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog']; +$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; if ($tcpdumplog_info_chk == on) $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; +/* define snortbarnyardlog_chk */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; + /* define snortunifiedlog */ -$snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog']; +$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort.u2_$id$if_real, limit 128"; + $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; -/* define spoink (DISABLED)*/ -$spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7']; -if (0 && $spoink_info_chk == on) +/* define spoink */ +$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; +if ($spoink_info_chk == on) $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ -$def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_servers']; +$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; if ($def_dns_servers_info_chk == "") $def_dns_servers_type = "\$HOME_NET"; else $def_dns_servers_type = "$def_dns_servers_info_chk"; /* def DNS_PORTS */ -$def_dns_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_ports']; +$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; if ($def_dns_ports_info_chk == "") $def_dns_ports_type = "53"; else $def_dns_ports_type = "$def_dns_ports_info_chk"; /* def SMTP_SERVSERS */ -$def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_servers']; +$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; if ($def_smtp_servers_info_chk == "") $def_smtp_servers_type = "\$HOME_NET"; else $def_smtp_servers_type = "$def_smtp_servers_info_chk"; /* def SMTP_PORTS */ -$def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_ports']; +$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; if ($def_smtp_ports_info_chk == "") $def_smtp_ports_type = "25"; else $def_smtp_ports_type = "$def_smtp_ports_info_chk"; /* def MAIL_PORTS */ -$def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mail_ports']; +$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; if ($def_mail_ports_info_chk == "") $def_mail_ports_type = "25,143,465,691"; else $def_mail_ports_type = "$def_mail_ports_info_chk"; /* def HTTP_SERVSERS */ -$def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_servers']; +$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; if ($def_http_servers_info_chk == "") $def_http_servers_type = "\$HOME_NET"; else $def_http_servers_type = "$def_http_servers_info_chk"; /* def WWW_SERVSERS */ -$def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_www_servers']; +$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; if ($def_www_servers_info_chk == "") $def_www_servers_type = "\$HOME_NET"; else $def_www_servers_type = "$def_www_servers_info_chk"; /* def HTTP_PORTS */ -$def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_ports']; +$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; if ($def_http_ports_info_chk == "") $def_http_ports_type = "80"; else $def_http_ports_type = "$def_http_ports_info_chk"; /* def SQL_SERVSERS */ -$def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sql_servers']; +$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; if ($def_sql_servers_info_chk == "") $def_sql_servers_type = "\$HOME_NET"; else $def_sql_servers_type = "$def_sql_servers_info_chk"; /* def ORACLE_PORTS */ -$def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_oracle_ports']; +$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; if ($def_oracle_ports_info_chk == "") $def_oracle_ports_type = "1521"; else $def_oracle_ports_type = "$def_oracle_ports_info_chk"; /* def MSSQL_PORTS */ -$def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mssql_ports']; +$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; if ($def_mssql_ports_info_chk == "") $def_mssql_ports_type = "1433"; else $def_mssql_ports_type = "$def_mssql_ports_info_chk"; /* def TELNET_SERVSERS */ -$def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_servers']; +$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; if ($def_telnet_servers_info_chk == "") $def_telnet_servers_type = "\$HOME_NET"; else $def_telnet_servers_type = "$def_telnet_servers_info_chk"; /* def TELNET_PORTS */ -$def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_ports']; +$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; if ($def_telnet_ports_info_chk == "") $def_telnet_ports_type = "23"; else $def_telnet_ports_type = "$def_telnet_ports_info_chk"; /* def SNMP_SERVSERS */ -$def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_servers']; +$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; if ($def_snmp_servers_info_chk == "") $def_snmp_servers_type = "\$HOME_NET"; else $def_snmp_servers_type = "$def_snmp_servers_info_chk"; /* def SNMP_PORTS */ -$def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_ports']; +$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; if ($def_snmp_ports_info_chk == "") $def_snmp_ports_type = "161"; else $def_snmp_ports_type = "$def_snmp_ports_info_chk"; /* def FTP_SERVSERS */ -$def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_servers']; +$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; if ($def_ftp_servers_info_chk == "") $def_ftp_servers_type = "\$HOME_NET"; else $def_ftp_servers_type = "$def_ftp_servers_info_chk"; /* def FTP_PORTS */ -$def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_ports']; +$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; if ($def_ftp_ports_info_chk == "") $def_ftp_ports_type = "21"; else $def_ftp_ports_type = "$def_ftp_ports_info_chk"; /* def SSH_SERVSERS */ -$def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_servers']; +$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; if ($def_ssh_servers_info_chk == "") $def_ssh_servers_type = "\$HOME_NET"; else @@ -969,124 +555,360 @@ else $ssh_port = "22"; /* def SSH_PORTS */ -$def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_ports']; +$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; if ($def_ssh_ports_info_chk == "") $def_ssh_ports_type = "{$ssh_port}"; else $def_ssh_ports_type = "$def_ssh_ports_info_chk"; /* def POP_SERVSERS */ -$def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop_servers']; +$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; if ($def_pop_servers_info_chk == "") $def_pop_servers_type = "\$HOME_NET"; else $def_pop_servers_type = "$def_pop_servers_info_chk"; /* def POP2_PORTS */ -$def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop2_ports']; +$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; if ($def_pop2_ports_info_chk == "") $def_pop2_ports_type = "109"; else $def_pop2_ports_type = "$def_pop2_ports_info_chk"; /* def POP3_PORTS */ -$def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop3_ports']; +$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; if ($def_pop3_ports_info_chk == "") $def_pop3_ports_type = "110"; else $def_pop3_ports_type = "$def_pop3_ports_info_chk"; /* def IMAP_SERVSERS */ -$def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_servers']; +$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; if ($def_imap_servers_info_chk == "") $def_imap_servers_type = "\$HOME_NET"; else $def_imap_servers_type = "$def_imap_servers_info_chk"; /* def IMAP_PORTS */ -$def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_ports']; +$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; if ($def_imap_ports_info_chk == "") $def_imap_ports_type = "143"; else $def_imap_ports_type = "$def_imap_ports_info_chk"; /* def SIP_PROXY_IP */ -$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ip']; +$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; if ($def_sip_proxy_ip_info_chk == "") $def_sip_proxy_ip_type = "\$HOME_NET"; else $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; /* def SIP_PROXY_PORTS */ -$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ports']; +$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; if ($def_sip_proxy_ports_info_chk == "") $def_sip_proxy_ports_type = "5060:5090,16384:32768"; else $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; /* def AUTH_PORTS */ -$def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_auth_ports']; +$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; if ($def_auth_ports_info_chk == "") $def_auth_ports_type = "113"; else $def_auth_ports_type = "$def_auth_ports_info_chk"; /* def FINGER_PORTS */ -$def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_finger_ports']; +$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; if ($def_finger_ports_info_chk == "") $def_finger_ports_type = "79"; else $def_finger_ports_type = "$def_finger_ports_info_chk"; /* def IRC_PORTS */ -$def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_irc_ports']; +$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; if ($def_irc_ports_info_chk == "") $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; else $def_irc_ports_type = "$def_irc_ports_info_chk"; /* def NNTP_PORTS */ -$def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_nntp_ports']; +$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; if ($def_nntp_ports_info_chk == "") $def_nntp_ports_type = "119"; else $def_nntp_ports_type = "$def_nntp_ports_info_chk"; /* def RLOGIN_PORTS */ -$def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rlogin_ports']; +$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; if ($def_rlogin_ports_info_chk == "") $def_rlogin_ports_type = "513"; else $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; /* def RSH_PORTS */ -$def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rsh_ports']; +$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; if ($def_rsh_ports_info_chk == "") $def_rsh_ports_type = "514"; else $def_rsh_ports_type = "$def_rsh_ports_info_chk"; /* def SSL_PORTS */ -$def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports']; +$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; + $def_ssl_ports_type = "25,443,465,636,993,995"; else $def_ssl_ports_type = "$def_ssl_ports_info_chk"; + /* add auto update scripts to /etc/crontab */ +// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; +// $filenamea = "/etc/crontab"; +// remove_text_from_file($filenamea, $text_ww); +// add_text_to_file($filenamea, $text_ww); +// exec("killall -HUP cron"); */ + /* should we install a automatic update crontab entry? */ - $automaticrulesupdate = $config['installedpackages']['snortglobal']['automaticrulesupdate7']; + $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; /* if user is on pppoe, we really want to use ng0 interface */ if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") $snort_ext_int = "ng0"; /* set the snort performance model */ - if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) - $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance']; + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; else - $snort_performance = "lowmem"; + $snort_performance = "ac-bnfa"; + + /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "never_b") + $snort_rm_blocked_false = ""; + else + $snort_rm_blocked_false = "true"; + +if ($snort_rm_blocked_info_ck != "") { +function snort_rm_blocked_install_cron($should_install) { + global $config, $g; + conf_mount_rw(); + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + conf_mount_rw(); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } + } + snort_rm_blocked_install_cron(""); + snort_rm_blocked_install_cron($snort_rm_blocked_false); +} + + /* set the snort rules update time */ + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = ""; + else + $snort_rules_up_false = "true"; + +if ($snort_rules_up_info_ck != "") { +function snort_rules_up_install_cron($should_install) { + global $config, $g; + conf_mount_rw(); + if ($g['booting']==true) + return; + + $is_installed = false; - /* open snort's whitelist for writing */ + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + conf_mount_rw(); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } + } + snort_rules_up_install_cron(""); + snort_rules_up_install_cron($snort_rules_up_false); +} + /* Be sure we're really rw before writing */ + conf_mount_rw(); + /* open snort2c's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); if(!$whitelist) { log_error("Could not open /var/db/whitelist for writing."); @@ -1142,14 +964,13 @@ else $home_net .= "127.0.0.1 "; /* iterate all vips and add to whitelist */ - if($config['virtualip']) foreach($config['virtualip']['vip'] as $vip) if($vip['subnet']) $home_net .= $vip['subnet'] . " "; - if($config['installedpackages']['snortglobal']['whitelist']) - foreach($config['installedpackages']['snortglobal']['whitelist'] as $snort) + if($config['installedpackages']['snortwhitelist']) + foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) if($snort['ip']) $home_net .= $snort['ip'] . " "; @@ -1169,11 +990,11 @@ else fwrite($whitelist, trim($wl) . "\n"); /* should we whitelist vpns? */ - $whitelistvpns = $config['installedpackages']['snortglobal']['whitelistvpns']; + $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if($whitelistvpns) { - $vpns_list = filter_get_vpns_list(); + $vpns_list = get_vpns_list(); $whitelist_vpns = split(" ", $vpns_list); foreach($whitelist_vpns as $wl) if(trim($wl)) @@ -1182,9 +1003,34 @@ else /* close file */ fclose($whitelist); - + + /* Be sure we're really rw before writing */ + conf_mount_rw(); + /* open snort's threshold.conf for writing */ + $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); + if(!$threshlist) { + log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); + return; + } + + /* list all entries to new lines */ + if($config['installedpackages']['snortthreshold']) + foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) + if($snortthreshlist['threshrule']) + $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; + + + /* foreach through threshlist, writing out to file */ + $threshlist_split = split("\n", $snortthreshlist_r); + foreach($threshlist_split as $wl) + if(trim($wl)) + fwrite($threshlist, trim($wl) . "\n"); + + /* close snort's threshold.conf file */ + fclose($threshlist); + /* generate rule sections to load */ - $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][$id]['rulesets']; + $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; if($enabled_rulesets) { $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); @@ -1194,250 +1040,6 @@ else conf_mount_ro(); -///////////////////////////// - -/* preprocessor code */ - -/* def perform_stat */ -$snort_perform_stat = <<<EOD -########################## - # -# NEW # -# Performance Statistics # - # -########################## - -preprocessor perfmonitor: time 300 file /var/log/snort/snort_$id$if_real.stats pktcnt 10000 - -EOD; - -$def_perform_stat_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['perform_stat']; -if ($def_perform_stat_info_chk == "on") - $def_perform_stat_type = "$snort_perform_stat"; -else - $def_perform_stat_type = ""; - -/* def http_inspect */ -$snort_http_inspect = <<<EOD -################# - # -# HTTP Inspect # - # -################# - -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 - -preprocessor http_inspect_server: server default \ - ports { 80 8080 } \ - non_strict \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - flow_depth 0 \ - apache_whitespace no \ - directory no \ - iis_backslash no \ - u_encode yes \ - ascii no \ - chunk_length 500000 \ - bare_byte yes \ - double_decode yes \ - iis_unicode no \ - iis_delimiter no \ - multi_slash no - -EOD; - -$def_http_inspect_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect']; -if ($def_http_inspect_info_chk == "on") - $def_http_inspect_type = "$snort_http_inspect"; -else - $def_http_inspect_type = ""; - -/* def other_preprocs */ -$snort_other_preprocs = <<<EOD -################## - # -# Other preprocs # - # -################## - -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 -preprocessor bo - -EOD; - -$def_other_preprocs_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['other_preprocs']; -if ($def_other_preprocs_info_chk == "on") - $def_other_preprocs_type = "$snort_other_preprocs"; -else - $def_other_preprocs_type = ""; - -/* def ftp_preprocessor */ -$snort_ftp_preprocessor = <<<EOD -##################### - # -# ftp preprocessor # - # -##################### - -preprocessor ftp_telnet: global \ -inspection_type stateless - -preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 - -preprocessor ftp_telnet_protocol: \ - ftp server default \ - def_max_param_len 100 \ - ports { 21 } \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -EOD; - -$def_ftp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['ftp_preprocessor']; -if ($def_ftp_preprocessor_info_chk == "on") - $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; -else - $def_ftp_preprocessor_type = ""; - -/* def smtp_preprocessor */ -$snort_smtp_preprocessor = <<<EOD -##################### - # -# SMTP preprocessor # - # -##################### - -preprocessor SMTP: \ - ports { 25 465 691 } \ - inspection_type stateful \ - normalize cmds \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - -EOD; - -$def_smtp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['smtp_preprocessor']; -if ($def_smtp_preprocessor_info_chk == "on") - $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; -else - $def_smtp_preprocessor_type = ""; - -/* def sf_portscan */ -$snort_sf_portscan = <<<EOD -################ - # -# sf Portscan # - # -################ - -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } - -EOD; - -$def_sf_portscan_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['sf_portscan']; -if ($def_sf_portscan_info_chk == "on") - $def_sf_portscan_type = "$snort_sf_portscan"; -else - $def_sf_portscan_type = ""; - -/* def dce_rpc_2 */ -$snort_dce_rpc_2 = <<<EOD -############### - # -# NEW # -# DCE/RPC 2 # - # -############### - -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 - -EOD; - -$def_dce_rpc_2_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dce_rpc_2']; -if ($def_dce_rpc_2_info_chk == "on") - $def_dce_rpc_2_type = "$snort_dce_rpc_2"; -else - $def_dce_rpc_2_type = ""; - -/* def dns_preprocessor */ -$snort_dns_preprocessor = <<<EOD -#################### - # -# DNS preprocessor # - # -#################### - -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow - -EOD; - -$def_dns_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dns_preprocessor']; -if ($def_dns_preprocessor_info_chk == "on") - $def_dns_preprocessor_type = "$snort_dns_preprocessor"; -else - $def_dns_preprocessor_type = ""; - -/* def SSL_PORTS IGNORE */ -$def_ssl_ports_ignore_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports_ignore']; -if ($def_ssl_ports_ignore_info_chk == "") - $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; -else - $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk"; - -////////////////////////////////////////////////////////////////// /* build snort configuration file */ /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = <<<EOD @@ -1449,21 +1051,21 @@ else # for more information # snort.conf # Snort can be found at http://www.snort.org/ -# -# Copyright (C) 2009 Robert Zelaya + +# Copyright (C) 2006 Robert Zelaya # part of pfSense # All rights reserved. -# + # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: -# + # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. -# + # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. -# + # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -1552,7 +1154,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504] # ##################### -var RULE_PATH /usr/local/etc/snort/snort_$id$if_real/rules +var RULE_PATH /usr/local/etc/snort/rules # var PREPROC_RULE_PATH ./preproc_rules ################################ @@ -1577,7 +1179,8 @@ config disable_decode_drops # ################################### -config detection: search-method {$snort_performance} max_queue_events 5 +config detection: search-method {$snort_performance} +config detection: max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries @@ -1592,25 +1195,150 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules/ ################### preprocessor frag3_global: max_frags 8192 +preprocessor frag3_engine: policy windows +preprocessor frag3_engine: policy linux +preprocessor frag3_engine: policy first preprocessor frag3_engine: policy bsd detect_anomalies preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp yes +preprocessor stream5_tcp: bind_to any, policy windows +preprocessor stream5_tcp: bind_to any, policy linux +preprocessor stream5_tcp: bind_to any, policy vista +preprocessor stream5_tcp: bind_to any, policy macos preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes -preprocessor stream5_udp: -preprocessor stream5_icmp: +preprocessor stream5_udp +preprocessor stream5_icmp + +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000 + +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + no_alerts \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth 0 \ + apache_whitespace yes \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii yes \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode yes \ + iis_delimiter yes \ + multi_slash no + +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo -{$def_perform_stat_type} +##################### + # +# ftp preprocessor # + # +##################### -{$def_http_inspect_type} +preprocessor ftp_telnet: global \ +inspection_type stateless -{$def_other_preprocs_type} +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 -{$def_ftp_preprocessor_type} +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > -{$def_smtp_preprocessor_type} +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes -{$def_sf_portscan_type} +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } ############################ # @@ -1622,9 +1350,28 @@ preprocessor stream5_icmp: # ############################ -{$def_dce_rpc_2_type} +############### + # +# NEW # +# DCE/RPC 2 # + # +############### -{$def_dns_preprocessor_type} +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow ############################## # @@ -1633,7 +1380,7 @@ preprocessor stream5_icmp: # ############################## -preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted +preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted ##################### # @@ -1654,9 +1401,9 @@ $spoink_type # ################# -include /usr/local/etc/snort/snort_$id$if_real/reference.config -include /usr/local/etc/snort/snort_$id$if_real/classification.config -include /usr/local/etc/snort/snort_$id$if_real/threshold.conf +include /usr/local/etc/snort/reference.config +include /usr/local/etc/snort/classification.config +include /usr/local/etc/snort/threshold.conf # Snort user pass through configuration {$snort_config_pass_thru} @@ -1670,13 +1417,13 @@ include /usr/local/etc/snort/snort_$id$if_real/threshold.conf {$selected_rules_sections} EOD; - + conf_mount_ro(); return $snort_conf_text; } /* check downloaded text from snort.org to make sure that an error did not occur * for example, if you are not a premium subscriber you can only download rules - * so often, etc. TO BE: Removed unneeded. + * so often, etc. */ function check_for_common_errors($filename) { global $snort_filename, $snort_filename_md5, $console_mode; @@ -1731,12 +1478,14 @@ function verify_downloaded_file($filename) { } exit; } - update_all_status("Verified {$filename}."); + update_all_status("Verifyied {$filename}."); } /* extract rules */ function extract_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; + ini_set("memory_limit","64M"); + conf_mount_rw(); ob_flush(); if(!$console_mode) { $static_output = gettext("Extracting snort rules..."); @@ -1759,6 +1508,7 @@ function extract_snort_rules_md5($tmpfname) { log_error("Snort rules extracted."); echo "Snort rules extracted."; } + conf_mount_ro(); } /* verify MD5 against downloaded item */ @@ -1771,7 +1521,7 @@ function verify_snort_rules_md5($tmpfname) { } $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5 = `echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; + $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; if($md5 == $file_md5_ondisk) { if(!$console_mode) { @@ -1827,7 +1577,7 @@ function get_snort_alert($ip) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) $alert_title = $matches[2]; if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[$id]; + $alert_ip = $matches[0]; if($alert_ip == $ip) { if(!$snort_config[$ip]) $snort_config[$ip] = $alert_title; @@ -1840,7 +1590,7 @@ function get_snort_alert($ip) { function make_clickable($buffer) { global $config, $g; /* if clickable urls is disabled, simply return buffer back to caller */ - $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode']; + $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; if(!$clickablalerteurls) return $buffer; $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); diff --git a/config/snort-old/snort.xml b/config/snort-old/snort.xml new file mode 100644 index 00000000..3bc40fce --- /dev/null +++ b/config/snort-old/snort.xml @@ -0,0 +1,378 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfsense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>Snort</name> + <version>2.8.4.1_5</version> + <title>Services: Snort 2.8.4.1_5 pkg v. 1.8</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <menu> + <name>Snort</name> + <tooltiptext>Setup snort specific settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + </menu> + <service> + <name>snort</name> + <rcfile>snort.sh</rcfile> + <executable>snort</executable> + <description>Snort is the most widely deployed IDS/IPS technology worldwide..</description> + </service> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> + </tab> + <tab> + <text>Categories</text> + <url>/snort_rulesets.php</url> + </tab> + <tab> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + </tab> + <tab> + <text>Blocked</text> + <url>/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=snort_whitelist.xml</url> + </tab> + <tab> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + </tab> + </tabs> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/bin/barnyard2</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_download_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_rules_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_rulesets.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_whitelist.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_blocked.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_check_for_rule_updates.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_alerts.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/pf/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_dynamic_ip_reload.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_advanced.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_define_servers.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_threshold.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/pfsense_rules/local.rules</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Interface</fielddescr> + <fieldname>iface_array</fieldname> + <description>Select the interface(s) Snort will listen on.</description> + <type>interfaces_selection</type> + <size>3</size> + <value>lan</value> + <multiple>true</multiple> + </field> + <field> + <fielddescr>Memory Performance</fielddescr> + <fieldname>performance</fieldname> + <description>Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance.</description> + <type>select</type> + <options> + <option> + <name>ac-bnfa</name> + <value>ac-bnfa</value> + </option> + <option> + <name>lowmem</name> + <value>lowmem</value> + </option> + <option> + <name>ac-std</name> + <value>ac-std</value> + </option> + <option> + <name>ac</name> + <value>ac</value> + </option> + <option> + <name>ac-banded</name> + <value>ac-banded</value> + </option> + <option> + <name>ac-sparsebands</name> + <value>ac-sparsebands</value> + </option> + <option> + <name>acs</name> + <value>acs</value> + </option> + </options> + </field> + <field> + <fielddescr>Oinkmaster code</fielddescr> + <fieldname>oinkmastercode</fieldname> + <description>Obtain a snort.org Oinkmaster code and paste here.</description> + <type>input</type> + <size>60</size> + <value></value> + </field> + <field> + <fielddescr>Snort.org subscriber</fielddescr> + <fieldname>subscriber</fieldname> + <description>Check this box if you are a Snort.org subscriber (premium rules).</description> + <type>checkbox</type> + <size>60</size> + </field> + <field> + <fielddescr>Block offenders</fielddescr> + <fieldname>blockoffenders7</fieldname> + <description>Checking this option will automatically block hosts that generate a snort alert.</description> + <type>checkbox</type> + <size>60</size> + </field> + <field> + <fielddescr>Remove blocked hosts every</fielddescr> + <fieldname>rm_blocked</fieldname> + <description>Please select the amount of time hosts are blocked</description> + <type>select</type> + <options> + <option> + <name>never</name> + <value>never_b</value> + </option> + <option> + <name>1 hour</name> + <value>1h_b</value> + </option> + <option> + <name>3 hours</name> + <value>3h_b</value> + </option> + <option> + <name>6 hours</name> + <value>6h_b</value> + </option> + <option> + <name>12 hours</name> + <value>12h_b</value> + </option> + <option> + <name>1 day</name> + <value>1d_b</value> + </option> + <option> + <name>4 days</name> + <value>4d_b</value> + </option> + <option> + <name>7 days</name> + <value>7d_b</value> + </option> + <option> + <name>28 days</name> + <value>28d_b</value> + </option> + </options> + </field> + <field> + </field> + <field> + <fielddescr>Update rules automatically</fielddescr> + <fieldname>autorulesupdate7</fieldname> + <description>Please select the update times for rules.</description> + <type>select</type> + <options> + <option> + <name>never</name> + <value>never_up</value> + </option> + <option> + <name>6 hours</name> + <value>6h_up</value> + </option> + <option> + <name>12 hours</name> + <value>12h_up</value> + </option> + <option> + <name>1 day</name> + <value>1d_up</value> + </option> + <option> + <name>4 days</name> + <value>4d_up</value> + </option> + <option> + <name>7 days</name> + <value>7d_up</value> + </option> + <option> + <name>28 days</name> + <value>28d_up</value> + </option> + </options> + </field> + <field> + <fielddescr>Whitelist VPNs automatically</fielddescr> + <fieldname>whitelistvpns</fieldname> + <description>Checking this option will install whitelists for all VPNs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Convert Snort alerts urls to clickable links</fielddescr> + <fieldname>clickablalerteurls</fieldname> + <description>Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Associate events on Blocked tab</fielddescr> + <fieldname>associatealertip</fieldname> + <description>Checking this option will automatically associate the blocked reason from the snort alerts file.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Install emergingthreats rules.</fielddescr> + <fieldname>emergingthreats</fieldname> + <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description> + <type>checkbox</type> + </field> + </fields> + <custom_php_resync_config_command> + sync_package_snort(); + </custom_php_resync_config_command> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_install_command> + sync_package_snort_reinstall(); + </custom_php_install_command> + <custom_php_deinstall_command> + snort_deinstall(); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/snort/snort_advanced.xml b/config/snort-old/snort_advanced.xml index 1fdddda2..1fdddda2 100644 --- a/config/snort/snort_advanced.xml +++ b/config/snort-old/snort_advanced.xml diff --git a/config/snort-old/snort_alerts.php b/config/snort-old/snort_alerts.php new file mode 100644 index 00000000..e67b9b5f --- /dev/null +++ b/config/snort-old/snort_alerts.php @@ -0,0 +1,124 @@ +<?php +/* $Id$ */ +/* + snort_alerts.php + part of pfSense + + Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("globals.inc"); +require("guiconfig.inc"); +require("/usr/local/pkg/snort.inc"); + +$snort_logfile = "{$g['varlog_path']}/snort/alert"; + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("killall syslogd"); + conf_mount_rw(); + exec("rm {$snort_logfile}; touch {$snort_logfile}"); + conf_mount_ro(); + system_syslogd_start(); + exec("/usr/bin/killall -HUP snort"); + exec("/usr/bin/killall snort2c"); + if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') + exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); +} + +$pgtitle = "Services: Snort: Snort Alerts"; +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="2" class="listtopic"> + Last <?=$nentries;?> Snort Alert entries</td> + </tr> + <?php dump_log_file($snort_logfile, $nentries); ?> + <tr><td><br><form action="snort_alerts.php" method="post"> + <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr> + </table> + </div> + </form> + </td> + </tr> +</table> +<?php include("fend.inc"); ?> +<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>"> +</body> +</html> +<!-- <?php echo $snort_logfile; ?> --> + +<?php + +function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") { + global $g, $config; + $logarr = ""; + exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr); + foreach ($logarr as $logent) { + if(!logent) + continue; + $ww_logent = $logent; + $ww_logent = str_replace("[", " [ ", $ww_logent); + $ww_logent = str_replace("]", " ] ", $ww_logent); + echo "<tr valign=\"top\">\n"; + echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . " </td>\n"; + echo "</tr>\n"; + } +} + +?>
\ No newline at end of file diff --git a/config/snort-old/snort_blocked.php b/config/snort-old/snort_blocked.php new file mode 100644 index 00000000..ff158853 --- /dev/null +++ b/config/snort-old/snort_blocked.php @@ -0,0 +1,174 @@ +<?php +/* $Id$ */ +/* + snort_blocked.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require("/usr/local/pkg/snort.inc"); + +if($_POST['todelete'] or $_GET['todelete']) { + if($_POST['todelete']) + $ip = $_POST['todelete']; + if($_GET['todelete']) + $ip = $_GET['todelete']; + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); +} + +$pgtitle = "Snort: Snort Blocked"; +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php include("fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_rulesets.php" method="post" name="iform" id="iform"> +<script src="/row_toggle.js" type="text/javascript"></script> +<script src="/javascript/sorttable.js" type="text/javascript"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Remove</td> + <td class="listhdrr">IP</td> + <td class="listhdrr">Alert Description</td> + </tr> +<?php + + $associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip']; + $ips = `/sbin/pfctl -t snort2c -T show`; + $ips_array = split("\n", $ips); + $counter = 0; + foreach($ips_array as $ip) { + if(!$ip) + continue; + $ww_ip = str_replace(" ", "", $ip); + $counter++; + if($associatealertip) + $alert_description = get_snort_alert($ww_ip); + else + $alert_description = ""; + echo "\n<tr>"; + echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>"; + echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>"; + echo "\n<td> {$ww_ip}</td>"; + echo "\n<td> {$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>"; + echo "\n</tr>"; + } + echo "\n<tr><td colspan='3'> </td></tr>"; + if($counter < 1) + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>"; + else + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; + +?> + + </table> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +</form> + +<p> + +<?php + +$blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($blockedtab_msg_chk == "1h_b") { + $blocked_msg = "hour"; + } + if ($blockedtab_msg_chk == "3h_b") { + $blocked_msg = "3 hours"; + } + if ($blockedtab_msg_chk == "6h_b") { + $blocked_msg = "6 hours"; + } + if ($blockedtab_msg_chk == "12h_b") { + $blocked_msg = "12 hours"; + } + if ($blockedtab_msg_chk == "1d_b") { + $blocked_msg = "day"; + } + if ($blockedtab_msg_chk == "4d_b") { + $blocked_msg = "4 days"; + } + if ($blockedtab_msg_chk == "7d_b") { + $blocked_msg = "7 days"; + } + if ($blockedtab_msg_chk == "28d_b") { + $blocked_msg = "28 days"; + } + +echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every $blocked_msg."; + +?> + +<?php include("fend.inc"); ?> + +</body> +</html> + +<?php + +/* write out snort cache */ +write_snort_config_cache($snort_config); + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-old/snort_check_for_rule_updates.php index 3edaae3e..8d308245 100644 --- a/config/snort-dev/snort_check_for_rule_updates.php +++ b/config/snort-old/snort_check_for_rule_updates.php @@ -3,7 +3,6 @@ /* snort_rulesets.php Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -29,8 +28,8 @@ */ /* Setup enviroment */ -$tmpfname = "/tmp/snort_rules_up"; -$snortdir = "/usr/local/etc/snort"; +$tmpfname = "/root/snort_rules_up"; +$snortdir = "/usr/local/etc/snort_bkup"; $snortdir_wan = "/usr/local/etc/snort"; $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; $snort_filename = "snortrules-snapshot-2.8.tar.gz"; @@ -39,70 +38,53 @@ $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; $pfsense_rules_filename = "pfsense_rules.tar.gz"; +require("/usr/local/pkg/snort.inc"); require_once("config.inc"); -// require("/usr/local/pkg/snort/snort.inc"); -/* define checks */ -$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; -$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; -$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; - -if ($oinkid == "" && $snortdownload != "off") -{ - echo "You must obtain an oinkid from snort.org and set its value in the Snort settings tab.\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'You must obtain an oinkid from snort.org and set its value in the Snort settings tab.'"); - exit; -} - -if ($snortdownload != "on" && $emergingthreats != "on") -{ - echo 'Snort Global Settings: download snort.org rules = off and download emergingthreat rules = off.\n'; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'No rules have been selected to download.'"); - exit; -} +?> -conf_mount_rw(); -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; +<?php $up_date_time = date('l jS \of F Y h:i:s A'); -echo "\n"; -echo "#########################\n"; -echo "$up_date_time\n"; -echo "#########################\n"; -echo "\n\n"; - -exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Checking for needed updates...'"); +echo ""; +echo "#########################"; +echo "$up_date_time"; +echo "#########################"; +echo ""; /* Begin main code */ /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","125M"); -/* mark the time update started */ -$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); - /* send current buffer */ ob_flush(); -conf_mount_rw(); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +/* if missing oinkid exit */ +if(!$oinkid) { + echo "Please add you oink code\n"; + exit; +} /* premium_subscriber check */ //unset($config['installedpackages']['snort']['config'][0]['subscriber']); //write_config(); // Will cause switch back to read-only on nanobsd //conf_mount_rw(); // Uncomment this if the previous line is uncommented +$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; - -if ($premium_subscriber_chk == "premium") { +if ($premium_subscriber_chk === on) { $premium_subscriber = "_s"; }else{ $premium_subscriber = ""; } -$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; -if ($premium_url_chk == "premium") { +$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +if ($premium_url_chk === on) { $premium_url = "sub-rules"; }else{ $premium_url = "reg-rules"; @@ -110,23 +92,16 @@ if ($premium_url_chk == "premium") { /* send current buffer */ ob_flush(); -conf_mount_rw(); +conf_mount_rw(); /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { - echo "Removing old tmp files...\n"; exec("/bin/rm -r {$tmpfname}"); apc_clear_cache(); } -/* Make shure snortdir exits */ -exec("/bin/mkdir -p {$snortdir}"); -exec("/bin/mkdir -p {$snortdir}/rules"); -exec("/bin/mkdir -p {$snortdir}/signatures"); - /* send current buffer */ ob_flush(); -conf_mount_rw(); /* If tmp dir does not exist create it */ if (file_exists($tmpfname)) { @@ -150,7 +125,7 @@ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { } /* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; if ($emergingthreats_url_chk == on) { echo "Downloading md5 file...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -176,11 +151,14 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { echo "Done. downloading md5\n"; } +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; + /* If md5 file is empty wait 15min exit */ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ echo "Please wait... You may only check for New Rules every 15 minutes...\n"; echo "Rules are released every month from snort.org. You may download the Rules at any time.\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Rules every 15 minutes...'"); exit(0); } @@ -190,7 +168,6 @@ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n"; echo "Rules are released to support Pfsense packages.\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Pfsense Rules every 15 minutes...'"); exit(0); } @@ -201,18 +178,18 @@ $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($md5_check_new == $md5_check_old) { echo "Your rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $snort_md5_check_ok = on; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your snort rules are up to date...'"); } } /* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; if ($emergingthreats_url_chk == on) { if (file_exists("{$snortdir}/version.txt")){ $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); @@ -220,13 +197,13 @@ $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($emerg_md5_check_new == $emerg_md5_check_old) { echo "Your emergingthreats rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $emerg_md5_check_chk_ok = on; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); } } } @@ -239,65 +216,39 @@ $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_m $pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; if ($pfsense_md5_check_new == $pfsense_md5_check_old) { $pfsense_md5_check_ok = on; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); } } /* Make Clean Snort Directory emergingthreats not checked */ if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Cleaning the snort Directory...")); - update_output_window(gettext("removing...")); - exec("/bin/rm {$snortdir}/rules/emerging*"); + echo "Cleaning the snort Directory...\n"; + echo "removing...\n"; + exec("/bin/rm {$snortdir}/rules/emerging*\n"); exec("/bin/rm {$snortdir}/version.txt"); - exec("/bin/rm {$snortdir_wan}/rules/emerging*"); - exec("/bin/rm {$snortdir_wan}/version.txt"); echo "Done making cleaning emrg direcory.\n"; } /* Check if were up to date exits */ if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - echo "Your emergingthreats rules are up to date...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); + echo "Your rules are up to date...\n"; + echo "You may start Snort now...\n"; exit(0); } if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Your pfsense rules are up to date...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); + echo "Your rules are up to date...\n"; + echo "You may start Snort now...\n"; exit(0); } /* You are Not Up to date, always stop snort when updating rules for low end machines */; echo "You are NOT up to date...\n"; -echo "Stopping All Snort Package services...\n"; -exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULES ARE OUT OF DATE, UPDATING...'"); -exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Stopping All Snort Package Services...'"); +echo "Stopping Snort service...\n"; $chk_if_snort_up = exec("pgrep -x snort"); if ($chk_if_snort_up != "") { - - - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - - /* dont flood the syslog code */ - exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); - sleep(3); - - exec("/usr/bin/killall snort"); - exec("/bin/rm /var/run/snort*"); - sleep(2); - exec("/usr/bin/killall barnyard2"); - exec("/bin/rm /var/run/barnyard2*"); - - /* stop syslog flood code */ - exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_rules_update.log"); - exec("/usr/bin/killall syslogd"); - exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); - exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); - sleep(2); - exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); - $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after snort STOP {$after_mem}'"); - + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + stop_service("snort"); + sleep(2); } /* download snortrules file */ @@ -305,6 +256,7 @@ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Snortrule tar file exists...\n"; } else { + echo "There is a new set of Snort rules posted. Downloading...\n"; echo "May take 4 to 10 min...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -359,56 +311,28 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { } } -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - /* Untar snort rules file individually to help people with low system specs */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Extracting rules...\n"; echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/" . - " etc/" . - " so_rules/precompiled/FreeBSD-7.0/i386/2.8.4" . - " so_rules/bad-traffic.rules/" . - " so_rules/chat.rules/" . - " so_rules/dos.rules/" . - " so_rules/exploit.rules/" . - " so_rules/imap.rules/" . - " so_rules/misc.rules/" . - " so_rules/multimedia.rules/" . - " so_rules/netbios.rules/" . - " so_rules/nntp.rules/" . - " so_rules/p2p.rules/" . - " so_rules/smtp.rules/" . - " so_rules/sql.rules/" . - " so_rules/web-client.rules/" . - " so_rules/web-misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); echo "Done extracting Rules.\n"; } else { echo "The Download rules file missing...\n"; @@ -440,7 +364,7 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { /* Untar snort signatures */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; if ($premium_url_chk == on) { echo "Extracting Signatures...\n"; echo "May take a while...\n"; @@ -453,8 +377,8 @@ if ($premium_url_chk == on) { /* Make Clean Snort Directory */ //if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { //if (file_exists("{$snortdir}/rules")) { -// update_status(gettext("Cleaning the snort Directory...")); -// update_output_window(gettext("removing...")); +// echo "Cleaning the snort Directory...\n"; +// echo "removing...\n"; // exec("/bin/mkdir -p {$snortdir}"); // exec("/bin/mkdir -p {$snortdir}/rules"); // exec("/bin/mkdir -p {$snortdir}/signatures"); @@ -462,17 +386,16 @@ if ($premium_url_chk == on) { // exec("/bin/rm {$snortdir}/rules/*"); // exec("/bin/rm {$snortdir_wan}/*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); - // exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); //} else { -// update_status(gettext("Making Snort Directory...")); -// update_output_window(gettext("should be fast...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/*"); +// echo "Making Snort Directory...\n"; +// echo "should be fast...\n"; +// exec("/bin/mkdir {$snortdir}"); +// exec("/bin/mkdir {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/\*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); // exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// update_status(gettext("Done making snort direcory.")); +// echo "Done making snort direcory.\n"; // } //} @@ -481,6 +404,7 @@ if ($snort_md5_check_ok != on) { if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { echo "Copying so_rules...\n"; echo "May take a while...\n"; + sleep(2); exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); @@ -495,26 +419,73 @@ if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); exec("/bin/rm -r {$snortdir}/so_rules"); echo "Done copying so_rules.\n"; } else { echo "Directory so_rules does not exist...\n"; - echo "Error copying so_rules...\n"; + echo "Error copping so_rules...\n"; exit(0); } } +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort_bkup/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's threshold.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's threshold.conf file */ + fclose($oinkmasterlist); + +} + /* Copy configs to snort dir */ if ($snort_md5_check_ok != on) { if (file_exists("{$snortdir}/etc/Makefile.am")) { echo "Copying configs to snort directory...\n"; exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); exec("/bin/rm -r {$snortdir}/etc"); - } else { - echo "The snort config does not exist...\n"; - echo "Error copying config...\n"; + echo "The snort configs does not exist...\n"; + echo "Error copping config...\n"; exit(0); } } @@ -526,7 +497,7 @@ if (file_exists("{$tmpfname}/$snort_filename_md5")) { exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); } else { echo "The md5 file does not exist...\n"; - echo "Error copying config...\n"; + echo "Error copping config...\n"; exit(0); } } @@ -539,7 +510,7 @@ if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); } else { echo "The emergingthreats md5 file does not exist...\n"; - echo "Error copying config...\n"; + echo "Error copping config...\n"; exit(0); } } @@ -552,14 +523,14 @@ if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); } else { echo "The Pfsense md5 file does not exist...\n"; - echo "Error copying config...\n"; + echo "Error copping config...\n"; exit(0); } } - + /* Copy signatures dir to snort dir */ if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; if ($premium_url_chk == on) { if (file_exists("{$snortdir}/doc/signatures")) { echo "Copying signatures...\n"; @@ -569,22 +540,22 @@ if (file_exists("{$snortdir}/doc/signatures")) { echo "Done copying signatures.\n"; } else { echo "Directory signatures exist...\n"; - echo "Error copying signature...\n"; + echo "Error copping signature...\n"; exit(0); } } } -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { +/* double make shure clean up emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); } if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { @@ -592,176 +563,72 @@ if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); } -/* make shure default rules are in the right format */ -exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - -/* create a msg-map for snort */ echo "Updating Alert Messages...\n"; echo "Please Wait...\n"; -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); - - -////////////////// - -/* Start the proccess for every interface rule */ -/* TODO: try to make the code smother */ - -if (!empty($config['installedpackages']['snortglobal']['rule'])) { - -$rule_array = $config['installedpackages']['snortglobal']['rule']; -$id = -1; -foreach ($rule_array as $value) { - -$id += 1; - -$result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; -$if_real = convert_friendly_interface_to_real_interface_name($result_lan); - - /* make oinkmaster.conf for each interface rule */ - oinkmaster_conf(); - - /* run oinkmaster for each interface rule */ - oinkmaster_run(); - - } -} - -/* open oinkmaster_conf for writing" function */ -function oinkmaster_conf() { - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's oinkmaster.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort/oinkmaster_$if_real.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's oinkmaster.conf file */ - fclose($oinkmasterlist); - - } -} +sleep(2); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); /* Run oinkmaster to snort_wan and cp configs */ /* If oinkmaster is not needed cp rules normally */ /* TODO add per interface settings here */ -function oinkmaster_run() { - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; - if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) || empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { - echo "Your first set of rules are being copied...\n"; - echo "May take a while...\n"; - exec("/bin/echo \"test {$snortdir} {$snortdir_wan} $id$if_real\" >> /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); + if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { +echo "Your first set of rules are being copied...\n"; +echo "May take a while...\n"; + + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); } else { echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; echo "May take a while...\n"; - exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster_$id$if_real.conf -o /usr/local/etc/snort/snort_$id$if_real/rules > /usr/local/etc/snort/oinkmaster_$id$if_real.log"); - - } + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); + exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + } } -////////////// - -/* mark the time update finnished */ -$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); - /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { echo "Cleaning up...\n"; - exec("/bin/rm -r /tmp/snort_rules_up"); -// apc_clear_cache(); + exec("/bin/rm -r /root/snort_rules_up"); } /* php code to flush out cache some people are reportting missing files this might help */ -sleep(2); +sleep(5); apc_clear_cache(); exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - /* make snort the owner */ - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - /* if snort is running hardrestart, if snort is not running do nothing */ if (file_exists("/tmp/snort_download_halt.pid")) { - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); + start_service("snort"); echo "The Rules update finished...\n"; echo "Snort has restarted with your new set of rules...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); exec("/bin/rm /tmp/snort_download_halt.pid"); } else { echo "The Rules update finished...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); + echo "You may start snort now...\n"; } - conf_mount_ro(); ?> diff --git a/config/snort/snort_define_servers.xml b/config/snort-old/snort_define_servers.xml index 7df880d0..7df880d0 100644 --- a/config/snort/snort_define_servers.xml +++ b/config/snort-old/snort_define_servers.xml diff --git a/config/snort-old/snort_download_rules.php b/config/snort-old/snort_download_rules.php new file mode 100644 index 00000000..9826ba2a --- /dev/null +++ b/config/snort-old/snort_download_rules.php @@ -0,0 +1,790 @@ +<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich and Robert Zelaya + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* Setup enviroment */ +$tmpfname = "/root/snort_rules_up"; +$snortdir = "/usr/local/etc/snort_bkup"; +$snortdir_wan = "/usr/local/etc/snort"; +$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2.8.tar.gz"; +$emergingthreats_filename_md5 = "version.txt"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; +$pfsense_rules_filename = "pfsense_rules.tar.gz"; + +require_once("guiconfig.inc"); +require_once("functions.inc"); +require_once("service-utils.inc"); +require("/usr/local/pkg/snort.inc"); + +$pgtitle = "Services: Snort: Update Rules"; + +include("/usr/local/www/head.inc"); + +?> + +<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("/usr/local/www/fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_download_rules.php" method="post"> +<div id="inputerrors"></div> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), true, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td align="center" valign="top"> + <!-- progress bar --> + <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> + <tr> + <td> + <img border='0' src='./themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> + </td> + </tr> + </table> + <br /> + <!-- status box --> + <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> + <?=gettext("Initializing...");?> + </textarea> + <!-- command output box --> + <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> + </textarea> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> +</form> + +<?php include("fend.inc");?> + +<?php + + +/* Begin main code */ +/* Set user agent to Mozilla */ +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +ini_set("memory_limit","125M"); + +/* send current buffer */ +ob_flush(); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +/* if missing oinkid exit */ +if(!$oinkid) { + $static_output = gettext("You must obtain an oinkid from snort.org and set its value in the Snort settings tab."); + update_all_status($static_output); + hide_progress_bar_status(); + exit; +} + +/* premium_subscriber check */ +//unset($config['installedpackages']['snort']['config'][0]['subscriber']); +//write_config(); // Will cause switch back to read-only on nanobsd +//conf_mount_rw(); // Uncomment this if the previous line is uncommented + +$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; + +if ($premium_subscriber_chk === on) { + $premium_subscriber = "_s"; +}else{ + $premium_subscriber = ""; +} + +$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +if ($premium_url_chk === on) { + $premium_url = "sub-rules"; +}else{ + $premium_url = "reg-rules"; +} + +/* hide progress bar */ +hide_progress_bar_status(); + +/* send current buffer */ +ob_flush(); + +conf_mount_rw(); + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + update_status(gettext("Removing old tmp files...")); + exec("/bin/rm -r {$tmpfname}"); + apc_clear_cache(); +} + +/* Make shure snortdir exits */ +exec("/bin/mkdir -p {$snortdir}"); +exec("/bin/mkdir -p {$snortdir}/rules"); +exec("/bin/mkdir -p {$snortdir}/signatures"); + +/* send current buffer */ +ob_flush(); + +/* If tmp dir does not exist create it */ +if (file_exists($tmpfname)) { + update_status(gettext("The directory tmp exists...")); +} else { + mkdir("{$tmpfname}", 700); +} + +/* unhide progress bar and lets end this party */ +unhide_progress_bar_status(); + +/* download md5 sig from snort.org */ +if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + update_status(gettext("md5 temp file exists...")); +} else { + update_status(gettext("Downloading md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* download md5 sig from emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { + update_status(gettext("Downloading md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + update_status(gettext("md5 temp file exists...")); +} else { + update_status(gettext("Downloading pfsense md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; + +/* If md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + echo "\n\n</body>\n</html>\n"; + exit(0); +} + +/* If emergingthreats md5 file is empty wait 15min exit not needed */ + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + echo "\n\n</body>\n</html>\n"; + exit(0); +} + +/* Check if were up to date snort.org */ +if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ +$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); // Will cause switch back to read-only on nanobsd +conf_mount_rw(); +if ($md5_check_new == $md5_check_old) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + /* Timestamps to html */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; +// echo "P is this code {$premium_subscriber}"; + echo "\n\n</body>\n</html>\n"; + $snort_md5_check_ok = on; + } +} + +/* Check if were up to date emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (file_exists("{$snortdir}/version.txt")){ +$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); +$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); +$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); // Will cause switch back to read-only on nanobsd +conf_mount_rw(); +if ($emerg_md5_check_new == $emerg_md5_check_old) { + update_status(gettext("Your emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + $emerg_md5_check_chk_ok = on; + } + } +} + +/* Check if were up to date pfsense.org */ +if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ +$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + $pfsense_md5_check_ok = on; + } +} + +/* Make Clean Snort Directory emergingthreats not checked */ +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/rules/emerging*"); + exec("/bin/rm {$snortdir}/version.txt"); + exec("/bin/rm {$snortdir_wan}/rules/emerging*"); + exec("/bin/rm {$snortdir_wan}/version.txt"); + update_status(gettext("Done making cleaning emrg direcory.")); +} + +/* Check if were up to date exits */ +if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +/* You are Not Up to date, always stop snort when updating rules for low end machines */; +update_status(gettext("You are NOT up to date...")); +update_output_window(gettext("Stopping Snort service...")); +$chk_if_snort_up = exec("pgrep -x snort"); +if ($chk_if_snort_up != "") { + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + stop_service("snort"); + sleep(2); +} + +/* download snortrules file */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Emergingthreats tar file exists...")); +} else { + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading Emergingthreats rules file.")); + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); + update_status(gettext("Done extracting Rules.")); +} else { + update_status(gettext("The Download rules file missing...")); + update_output_window(gettext("Error rules extracting failed...")); + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Make Clean Snort Directory */ +//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +//if (file_exists("{$snortdir}/rules")) { +// update_status(gettext("Cleaning the snort Directory...")); +// update_output_window(gettext("removing...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/mkdir -p {$snortdir}/signatures"); +// exec("/bin/rm {$snortdir}/*"); +// exec("/bin/rm {$snortdir}/rules/*"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); + +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +//} else { +// update_status(gettext("Making Snort Directory...")); +// update_output_window(gettext("should be fast...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); +// update_status(gettext("Done making snort direcory.")); +// } +//} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + update_status(gettext("Copying so_rules...")); + update_output_window(gettext("May take a while...")); + exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + update_status(gettext("Done copying so_rules.")); +} else { + update_status(gettext("Directory so_rules does not exist...")); + update_output_window(gettext("Error copying so_rules...")); + exit(0); + } +} + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort_bkup/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's threshold.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's threshold.conf file */ + fclose($oinkmasterlist); + +} + +/* Copy configs to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/etc/Makefile.am")) { + update_status(gettext("Copying configs to snort directory...")); + exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + +} else { + update_status(gettext("The snort config does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } +} + +/* Copy md5 sig to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); +} else { + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); +} else { + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); +} else { + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } +} + +/* Copy signatures dir to snort dir */ +if ($snort_md5_check_ok != on) { +$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { +if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); +} else { + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + exit(0); + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); + +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + + if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { + update_status(gettext("Your first set of rules are being copied...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + +} else { + update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + + /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); + exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + + + } +} + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /root/snort_rules_up"); +// apc_clear_cache(); +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(2); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + +/* if snort is running hardrestart, if snort is not running do nothing */ +if (file_exists("/tmp/snort_download_halt.pid")) { + start_service("snort"); + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} else { + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("You may start snort now...")); +} + +/* hide progress bar and lets end this party */ +hide_progress_bar_status(); +conf_mount_ro(); +?> + +<?php + +function read_body_firmware($ch, $string) { + global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; + $length = strlen($string); + $downloaded += intval($length); + $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); + $downloadProgress = 100 - $downloadProgress; + $a = $file_size; + $b = $downloaded; + $c = $downloadProgress; + $text = " Snort download in progress\\n"; + $text .= "----------------------------------------------------\\n"; + $text .= " Downloaded : {$b}\\n"; + $text .= "----------------------------------------------------\\n"; + $counter++; + if($counter > 150) { + update_output_window($text); + update_progress_bar($downloadProgress); + flush(); + $counter = 0; + } + conf_mount_rw(); + fwrite($fout, $string); + conf_mount_ro(); + return $length; +} + +?> + +</body> +</html> diff --git a/config/snort-dev/snort_dynamic_ip_reload.php b/config/snort-old/snort_dynamic_ip_reload.php index dceb84b4..0fad085b 100644 --- a/config/snort-dev/snort_dynamic_ip_reload.php +++ b/config/snort-old/snort_dynamic_ip_reload.php @@ -3,7 +3,7 @@ /* $Id$ */ /* snort_dynamic_ip_reload.php - Copyright (C) 2009 Robert Zeleya + Copyright (C) 2006 Scott Ullrich and Robert Zeleya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -31,27 +31,19 @@ /* NOTE: this file gets included from the pfSense filter.inc plugin process */ /* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ -require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort.inc"); +require_once("service-utils.inc"); +require_once("config.inc"); -/* get the varibles from the command line */ -/* Note: snort.sh sould only be using this */ -$id = $_SERVER["argv"][1]; -$if_real = $_SERVER["argv"][2]; -$test_iface = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - -if ($id == "" || $if_real == "" || $test_iface == "") { - exec("/usr/bin/logger -p daemon.info -i -t SnortDynIP \"ERORR starting snort_dynamic_ip_reload.php\""); - exit; - } - -if ($id != "" && $if_real != "") { - create_snort_conf(); - -/* create barnyard2 configuration file */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; -if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); +if($config['interfaces']['wan']['ipaddr'] == "pppoe" or + $config['interfaces']['wan']['ipaddr'] == "dhcp") { + create_snort_conf(); + exec("killall -HUP snort"); + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + exec("killall -HUP barnyard2"); } ?>
\ No newline at end of file diff --git a/config/snort-dev/snort_rules.php b/config/snort-old/snort_rules.php index ea0f8a0f..94c99f0e 100644 --- a/config/snort-dev/snort_rules.php +++ b/config/snort-old/snort_rules.php @@ -2,8 +2,7 @@ /* $Id$ */ /* edit_snortrule.php - Copyright (C) 2004, 2005 Scott Ullrich - Copyright (C) 2008, 2009 Robert Zelaya + Copyright (C) 2004, 2005 Scott Ullrich and Rober Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -29,35 +28,16 @@ */ require("guiconfig.inc"); require("config.inc"); -require("/usr/local/pkg/snort/snort_gui.inc"); -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} - -//nat_rules_sort(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $a_nat[$id]) { - - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; +if(!is_dir("/usr/local/etc/snort/rules")) { + conf_mount_rw(); + exec('mkdir /usr/local/etc/snort/rules/'); + conf_mount_ro(); } -/* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); - -// if(!is_dir("/usr/local/etc/snort/rules")) -// exec('mkdir /usr/local/etc/snort/rules/'); - /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$id}{$if_real}/rules/*.rules"); +$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); if ($isrulesfolderempty == "") { include("head.inc"); @@ -71,15 +51,18 @@ echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n <tr>\n <td>\n"; - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); echo "</td>\n </tr>\n @@ -122,6 +105,8 @@ function get_middle($source, $beginning, $ending, $init_pos) { function write_rule_file($content_changed, $received_file) { + conf_mount_rw(); + //read snort file with writing enabled $filehandle = fopen($received_file, "w"); @@ -137,6 +122,7 @@ function write_rule_file($content_changed, $received_file) //close file handle fclose($filehandle); + conf_mount_rw(); } function load_rule_file($incoming_file) @@ -151,9 +137,8 @@ function load_rule_file($incoming_file) //close handler fclose ($filehandle); - //string for populating category select - $currentruleset = basename($rulefile); + $currentruleset = substr($file, 27); //delimiter for each new rule is a new line $delimiter = "\n"; @@ -165,13 +150,10 @@ function load_rule_file($incoming_file) } -$ruledir = "/usr/local/etc/snort/snort_{$id}{$if_real}/rules/"; +$ruledir = "/usr/local/etc/snort/rules/"; $dh = opendir($ruledir); -if ($_GET['openruleset'] != '' && $_GET['ids'] != '') -{ - header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); -} +$message_reload = "The Snort rule configuration has been changed.<br>You must apply the changes in order for them to take effect."; while (false !== ($filename = readdir($dh))) { @@ -187,22 +169,19 @@ sort($files); if ($_GET['openruleset']) { - $rulefile = $_GET['openruleset']; + $file = $_GET['openruleset']; } else { - $rulefile = $ruledir.$files[0]; + $file = $ruledir.$files[0]; } //Load the rule file -$splitcontents = load_rule_file($rulefile); +$splitcontents = load_rule_file($file); if ($_POST) { - - conf_mount_rw(); - if (!$_POST['apply']) { //retrieve POST data $post_lineid = $_POST['lineid']; @@ -279,20 +258,26 @@ if ($_POST) $splitcontents[$post_lineid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $rulefile); + write_rule_file($splitcontents, $file); //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); + $splitcontents = load_rule_file($file); $stopMsg = true; } + + if ($_POST['apply']) { +// stop_service("snort"); +// sleep(2); +// start_service("snort"); + $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; + $stopMsg = false; + } + } else if ($_GET['act'] == "toggle") { - - conf_mount_rw(); - - $toggleid = $_GET['ids']; + $toggleid = $_GET['id']; //copy rule contents from array into string $tempstring = $splitcontents[$toggleid]; @@ -326,10 +311,10 @@ else if ($_GET['act'] == "toggle") $splitcontents[$toggleid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $rulefile); + write_rule_file($splitcontents, $file); //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); + $splitcontents = load_rule_file($file); $stopMsg = true; @@ -341,22 +326,20 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_off = str_replace("sid:", "", $sid_off_cut); // rule_sid_on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; + $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; // if off sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; + $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; // rule sid off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; + $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; // if off sid is the same as off sid remove it $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; + $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; // add sid off registers to new off sid - $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; + $config['installedpackages']['snort']['rule_sid_off'] = "||disablesid $sid_off" . $config['installedpackages']['snort']['rule_sid_off']; write_config(); - conf_mount_rw(); - } else { @@ -366,40 +349,26 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_on = str_replace("sid:", "", $sid_on_cut); // rule_sid_off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; + $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; // if off sid is the same as on sid remove it $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; + $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; // rule sid on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; + $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; // if on sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; + $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; // add sid on registers to new on sid - $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; + $config['installedpackages']['snort']['rule_sid_on'] = "||enablesid $sid_on" . $config['installedpackages']['snort']['rule_sid_on']; write_config(); - conf_mount_rw(); } } -if ($_GET['saved'] == 'yes') -{ - $message = "The Snort rule configuration has been changed.<br>You must restart this snort interface in order for the changes to take effect."; - -// stop_service("snort"); -// sleep(2); -// start_service("snort"); -// $savemsg = ""; -// $stopMsg = false; -} - -$currentruleset = basename($rulefile); -$ifname = strtoupper($pconfig['interface']); -$pgtitle = "Snort: Interface $ifname Rule File $currentruleset"; +$pgtitle = "Snort: Rules"; require("guiconfig.inc"); include("head.inc"); ?> @@ -407,9 +376,12 @@ include("head.inc"); <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <?php -echo "<form action=\"snort_rules.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; ?> -<?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?> +<form action="snort_rules.php" method="post" name="iform" id="iform"> +<?php if ($savemsg){print_info_box($savemsg);} else if ($stopMsg){print_info_box_np($message_reload);}?> +<br> </form> <script type="text/javascript" language="javascript" src="row_toggle.js"> <script src="/javascript/sorttable.js" type="text/javascript"> @@ -431,34 +403,22 @@ function go() } // --> </script> -<script type="text/javascript"> -<!-- -function popup(url) -{ - params = 'width='+screen.width; - params += ', height='+screen.height; - params += ', top=0, left=0' - params += ', fullscreen=yes'; - - newwin=window.open(url,'windowname4', params); - if (window.focus) {newwin.focus()} - return false; -} -// --> -</script <table width="99%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); display_top_tabs($tab_array); ?> </td> @@ -487,8 +447,7 @@ function popup(url) echo "<br>Category: "; //string for populating category select - $currentruleset = basename($rulefile); - + $currentruleset = substr($file, 27); ?> <form name="forms"> <select name="selectbox" class="formfld" onChange="go()"> @@ -500,7 +459,7 @@ function popup(url) if ($files[$i] === $currentruleset) $selectedruleset = "selected"; ?> - <option value="?id=<?=$id;?>&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" + <option value="?&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" <?php $i++; @@ -553,13 +512,7 @@ function popup(url) $textss = $textse = ""; $iconb = "icon_block.gif"; } - - if ($disabled_pos !== false){ - $ischecked = ""; - }else{ - $ischecked = "checked"; - } - + $rule_content = explode(' ', $tempstring); $protocol = $rule_content[$counter2];//protocol location @@ -572,91 +525,87 @@ function popup(url) $counter2++; $destination_port = $rule_content[$counter2];//destination port location - if (strstr($tempstring, 'msg: "')) - $message = get_middle($tempstring, 'msg: "', '";', 0); - if (strstr($tempstring, 'msg:"')) - $message = get_middle($tempstring, 'msg:"', '";', 0); + $message = get_middle($tempstring, 'msg:"', '";', 0); - echo "<tr> - <td class=\"listt\"> - $textss\n"; + echo "<tr>"; + echo "<td class=\"listt\">"; + echo $textss; ?> - <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="10" height="10" border="0" title="click to toggle enabled/disabled status"></a> - <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> + <a href="?&openruleset=<?=$file;?>&act=toggle&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a> <?php - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $sid - $textse - </td> - <td class=\"listlr\"> - $textss - $protocol"; - ?> - <?php + echo $textse; + echo "</td>"; + + + echo "<td class=\"listlr\">"; + echo $textss; + echo $sid; + echo $textse; + echo "</td>"; + + echo "<td class=\"listlr\">"; + echo $textss; + echo $protocol; $printcounter++; - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $source - $textse - </td> - <td class=\"listlr\"> - $textss - $source_port - $textse - </td> - <td class=\"listlr\"> - $textss - $destination - $textse - </td> - <td class=\"listlr\"> - $textss - $destination_port - $textse - </td>"; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $source; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $source_port; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $destination; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $destination_port; + echo $textse; + echo "</td>"; ?> <td class="listbg"><font color="white"> <?php - echo "$textss - $message - $textse - </td>"; + echo $textss; + echo $message; + echo $textse; + echo "</td>"; ?> <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td><a href="javascript: void(0)"onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> - <!-- Codes by Quackit.com --> + <td><a href="snort_rules_edit.php?openruleset=<?=$file;?>&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> </tr> </table> </td> <?php } } - echo " There are $printcounter rules in this category. <br><br>"; + echo " "; + echo "There are "; + echo $printcounter; + echo " rules in this category. <br><br>"; ?> </table> </td> </tr> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> + <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> <td>Rule Enabled</td> </tr> <tr> - <td><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> + <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> <td nowrap>Rule Disabled</td> - </tr> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> + + </tr> - </table> <tr> <td colspan="10"> <p> @@ -666,11 +615,12 @@ function popup(url) </tr> </table> </table> + </td> </tr> - </table> + <?php include("fend.inc"); ?> </div></body> -</html> +</html>
\ No newline at end of file diff --git a/config/snort-old/snort_rules_edit.php b/config/snort-old/snort_rules_edit.php new file mode 100644 index 00000000..cbabce73 --- /dev/null +++ b/config/snort-old/snort_rules_edit.php @@ -0,0 +1,207 @@ +<?php +/* $Id$ */ +/* + snort_rules_edit.php + Copyright (C) 2004, 2005 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + + +$file = $_GET['openruleset']; + +//read snort file +$filehandle = fopen($file, "r"); + +//get rule id +$lineid = $_GET['id']; + +//read file into string, and get filesize +$contents = fread($filehandle, filesize($file)); + +//close handler +fclose ($filehandle); + +//delimiter for each new rule is a new line +$delimiter = "\n"; + +//split the contents of the string file into an array using the delimiter +$splitcontents = explode($delimiter, $contents); + +//copy rule contents from array into string +$tempstring = $splitcontents[$lineid]; + +//explode rule contents into an array, (delimiter is space) +$rule_content = explode(' ', $tempstring); + +//search string +$findme = "# alert"; //find string for disabled alerts + +//find if alert is disabled +$disabled = strstr($tempstring, $findme); + +//get sid +$sid = get_middle($tempstring, 'sid:', ';', 0); + + +//if find alert is false, then rule is disabled +if ($disabled !== false) +{ + //move counter up 1, so we do not retrieve the # in the rule_content array + $counter2 = 2; +} +else +{ + $counter2 = 1; +} + + +$protocol = $rule_content[$counter2];//protocol location +$counter2++; +$source = $rule_content[$counter2];//source location +$counter2++; +$source_port = $rule_content[$counter2];//source port location +$counter2++; +$direction = $rule_content[$counter2]; +$counter2++; +$destination = $rule_content[$counter2];//destination location +$counter2++; +$destination_port = $rule_content[$counter2];//destination port location +$message = get_middle($tempstring, 'msg:"', '";', 0); + +$content = get_middle($tempstring, 'content:"', '";', 0); +$classtype = get_middle($tempstring, 'classtype:', ';', 0); +$revision = get_middle($tempstring, 'rev:', ';',0); + +$pgtitle = "Snort: Edit Rule"; +require("guiconfig.inc"); +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php?openruleset=/usr/local/etc/snort/rules/attack-responses.rules"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <form action="snort_rules.php?openruleset=<?=$file;?>&id=<?=$lineid;?>" target="" method="post" name="editform" id="editform"> + <table id="edittable" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdr" width="10%">Enabled: </td> + <td class="listlr" width="30%"><input name="enabled" type="checkbox" id="enabled" value="yes" <?php if ($disabled === false) echo "checked";?>></td> + </tr> + <tr> + <td class="listhdr" width="10%">SID: </td> + <td class="listlr" width="30%"><?php echo $sid; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Protocol: </td> + <td class="listlr" width="30%"><?php echo $protocol; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Source: </td> + <td class="listlr" width="30%"><input name="src" type="text" id="src" size="20" value="<?php echo $source;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Source Port: </td> + <td class="listlr" width="30%"><input name="srcport" type="text" id="srcport" size="20" value="<?php echo $source_port;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Direction:</td> + <td class="listlr" width="30%"><?php echo $direction;?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Destination:</td> + <td class="listlr" width="30%"><input name="dest" type="text" id="dest" size="20" value="<?php echo $destination;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Destination Port: </td> + <td class="listlr" width="30%"><input name="destport" type="text" id="destport" size="20" value="<?php echo $destination_port;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Message: </td> + <td class="listlr" width="30%"><?php echo $message; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Content: </td> + <td class="listlr" width="30%"><?php echo $content; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Classtype: </td> + <td class="listlr" width="30%"><?php echo $classtype; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Revision: </td> + <td class="listlr" width="30%"><?php echo $revision; ?></td> + </tr> + <tr><td> </td></tr> + <tr> + <td><input name="lineid" type="hidden" value="<?=$lineid;?>"></td> + <td><input class="formbtn" value="Save" type="submit" name="editsave" id="editsave">   <input type="button" class="formbtn" value="Cancel" onclick="history.back()"></td> + </tr> + </table> + </form> + </td> + </tr> + </table> + </td> +</tr> +</table> + +<?php include("fend.inc"); ?> +</div></body> +</html>
\ No newline at end of file diff --git a/config/snort-dev/snort_rulesets.php b/config/snort-old/snort_rulesets.php index 5133183e..d839ae7a 100644 --- a/config/snort-dev/snort_rulesets.php +++ b/config/snort-old/snort_rulesets.php @@ -3,7 +3,6 @@ /* snort_rulesets.php Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -29,37 +28,18 @@ */ require("guiconfig.inc"); -require_once("filter.inc"); require_once("service-utils.inc"); +require("/usr/local/pkg/snort.inc"); -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); +if(!is_dir("/usr/local/etc/snort/rules")) { + conf_mount_rw(); + exec('mkdir /usr/local/etc/snort/rules/'); + conf_mount_ro(); } -//nat_rules_sort(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - - -if (isset($id) && $a_nat[$id]) { - - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; -} - -/* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); - -//if(!is_dir("/usr/local/etc/snort/rules")) -// exec('mkdir /usr/local/etc/snort/rules/'); - /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$id}{$if_real}/rules/*.rules"); +$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); if ($isrulesfolderempty == "") { include("head.inc"); @@ -73,15 +53,18 @@ echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n <tr>\n <td>\n"; - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); echo "</td>\n </tr>\n @@ -91,7 +74,7 @@ echo "</td>\n <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td>\n -# The rules directory is empty. /usr/local/etc/snort/snort_{$id}{$if_real}/rules \n +# The rules directory is empty.\n </td>\n </tr>\n </table>\n @@ -104,7 +87,7 @@ echo "</td>\n \n <p>\n\n"; -echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; +echo "Please click on the Update Rules tab to install your selected rule sets."; include("fend.inc"); echo "</body>"; @@ -117,42 +100,39 @@ exit(0); if($_POST) { $enabled_items = ""; $isfirst = true; - if (is_array($_POST['toenable'])) { foreach($_POST['toenable'] as $toenable) { if(!$isfirst) $enabled_items .= "||"; $enabled_items .= "{$toenable}"; $isfirst = false; } - }else{ - $enabled_items = $_POST['toenable']; - } - $a_nat[$id]['rulesets'] = $enabled_items; + $config['installedpackages']['snort']['rulesets'] = $enabled_items; write_config(); -// stop_service("snort"); -// create_snort_conf(); -// sleep(2); -// start_service("snort"); + stop_service("snort"); + create_snort_conf(); + sleep(2); + start_service("snort"); $savemsg = "The snort ruleset selections have been saved."; } -$enabled_rulesets = $a_nat[$id]['rulesets']; +$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; if($enabled_rulesets) $enabled_rulesets_array = split("\|\|", $enabled_rulesets); -$pgtitle = "Snort: Interface $id$if_real Categories"; +$pgtitle = "Snort: Categories"; include("head.inc"); ?> <body link="#000000" vlink="#000000" alink="#000000"> <?php include("fbegin.inc"); ?> -<?php - -echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; ?> +<form action="snort_rulesets.php" method="post" name="iform" id="iform"> <script src="/row_toggle.js" type="text/javascript"></script> <script src="/javascript/sorttable.js" type="text/javascript"></script> <?php if ($savemsg) print_info_box($savemsg); ?> @@ -160,15 +140,18 @@ echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\ <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); ?> </td> </tr> @@ -185,7 +168,7 @@ echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\ <!-- <td class="listhdrr">Description</td> --> </tr> <?php - $dir = "/usr/local/etc/snort/snort_{$id}{$if_real}/rules/"; + $dir = "/usr/local/etc/snort/rules/"; $dh = opendir($dir); while (false !== ($filename = readdir($dh))) { $files[] = $filename; @@ -207,7 +190,7 @@ echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\ echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />"; echo "</td>"; echo "<td>"; - echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/snort_{$id}{$if_real}/rules/" . urlencode($file) . "'>{$file}</a>"; + echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/rules/" . urlencode($file) . "'>{$file}</a>"; echo "</td>"; //echo "<td>"; //echo "description"; @@ -244,4 +227,4 @@ echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\ } -?> +?>
\ No newline at end of file diff --git a/config/snort/snort_threshold.xml b/config/snort-old/snort_threshold.xml index f9075d3d..f9075d3d 100644 --- a/config/snort/snort_threshold.xml +++ b/config/snort-old/snort_threshold.xml diff --git a/config/snort-dev/snort_whitelist.xml b/config/snort-old/snort_whitelist.xml index 7e144f47..42769e4e 100644 --- a/config/snort-dev/snort_whitelist.xml +++ b/config/snort-old/snort_whitelist.xml @@ -45,40 +45,52 @@ <description>Describe your package here</description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> - <name>snortglobal</name> + <name>snort-whitelist</name> <version>0.1.0</version> <title>Snort: Whitelist</title> - <include_file>/usr/local/pkg/snort/snort.inc</include_file> + <include_file>/usr/local/pkg/snort.inc</include_file> <!-- Menu is where this packages menu will appear --> <tabs> <tab> - <text>Snort Interfaces</text> - <url>/snort/snort_interfaces.php</url> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> </tab> <tab> - <text>Global Settings</text> - <url>/snort/snort_interfaces_global.php</url> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> </tab> <tab> - <text>Rule Updates</text> - <url>/snort/snort_download_rules.php</url> + <text>Categories</text> + <url>/snort_rulesets.php</url> </tab> <tab> - <text>Alerts</text> - <url>/snort/snort_alerts.php</url> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> </tab> <tab> <text>Blocked</text> - <url>/snort/snort_blocked.php</url> + <url>/snort_blocked.php</url> </tab> <tab> <text>Whitelist</text> - <url>/pkg.php?xml=/snort_whitelist.xml</url> + <url>/pkg.php?xml=snort_whitelist.xml</url> <active/> </tab> <tab> - <text>Help Info</text> - <url>/snort/snort_help_info.php</url> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> </tab> </tabs> <adddeleteeditpagefields> @@ -114,4 +126,4 @@ <custom_php_resync_config_command> create_snort_conf(); </custom_php_resync_config_command> -</packagegui> +</packagegui>
\ No newline at end of file diff --git a/config/snort/snort_xmlrpc_sync.php b/config/snort-old/snort_xmlrpc_sync.php index db8b3f3e..db8b3f3e 100644 --- a/config/snort/snort_xmlrpc_sync.php +++ b/config/snort-old/snort_xmlrpc_sync.php diff --git a/config/snort/NOTES.txt b/config/snort/NOTES.txt new file mode 100644 index 00000000..0bfae161 --- /dev/null +++ b/config/snort/NOTES.txt @@ -0,0 +1,15 @@ + + +March 26 2019 +Snort-dev 2.8.5.3 pk v. 18 final + +Final day. + +Odds and ends left. + +Pierre POMES code needs to be added. + +Threshold tab needs to be added. + + +Done. diff --git a/config/snort/bin/7.2.x86/barnyard2 b/config/snort/bin/7.2.x86/barnyard2 Binary files differnew file mode 100644 index 00000000..9266051c --- /dev/null +++ b/config/snort/bin/7.2.x86/barnyard2 diff --git a/config/snort/bin/8.0.x86/barnyard2 b/config/snort/bin/8.0.x86/barnyard2 Binary files differnew file mode 100755 index 00000000..43476338 --- /dev/null +++ b/config/snort/bin/8.0.x86/barnyard2 diff --git a/config/snort/bin/8.0.x86/md5_files b/config/snort/bin/8.0.x86/md5_files new file mode 100644 index 00000000..3b283d80 --- /dev/null +++ b/config/snort/bin/8.0.x86/md5_files @@ -0,0 +1,9 @@ +#For Freebsd 8.0 + + +MD5 (pcre-8.00.tbz) = 8a1ac82500efccefc6418856e27b6cc1 +MD5 (snort-2.8.5.3.tbz) = 826c15872c6d19bcbe2408fb34d165b9 +MD5 (perl-5.10.1.tbz) = f71020a8bd0f197c9bf70eb6d03b92af +MD5 (mysql-client-5.1.45.tbz) = 9cb5878ae922c3d4d0e31efe5712a90a +MD5 (barnyard2) = 4dbff13291a2b8c5018b7ab62f574bc8 + diff --git a/config/snort/bin/8.0.x86/md5_files~ b/config/snort/bin/8.0.x86/md5_files~ new file mode 100644 index 00000000..3b283d80 --- /dev/null +++ b/config/snort/bin/8.0.x86/md5_files~ @@ -0,0 +1,9 @@ +#For Freebsd 8.0 + + +MD5 (pcre-8.00.tbz) = 8a1ac82500efccefc6418856e27b6cc1 +MD5 (snort-2.8.5.3.tbz) = 826c15872c6d19bcbe2408fb34d165b9 +MD5 (perl-5.10.1.tbz) = f71020a8bd0f197c9bf70eb6d03b92af +MD5 (mysql-client-5.1.45.tbz) = 9cb5878ae922c3d4d0e31efe5712a90a +MD5 (barnyard2) = 4dbff13291a2b8c5018b7ab62f574bc8 + diff --git a/config/snort-dev/bin/oinkmaster_contrib/snort_rename.pl b/config/snort/bin/oinkmaster_contrib/snort_rename.pl index e5f0d39e..e5f0d39e 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/snort_rename.pl +++ b/config/snort/bin/oinkmaster_contrib/snort_rename.pl diff --git a/config/snort/bin/snort2c b/config/snort/bin/snort2c Binary files differindex fdc91ac8..fdc91ac8 100755..100644 --- a/config/snort/bin/snort2c +++ b/config/snort/bin/snort2c diff --git a/config/snort-dev/css/style.css b/config/snort/css/style.css index 44568873..44568873 100644 --- a/config/snort-dev/css/style.css +++ b/config/snort/css/style.css diff --git a/config/snort/css/style2.css b/config/snort/css/style2.css new file mode 100644 index 00000000..d7a1616c --- /dev/null +++ b/config/snort/css/style2.css @@ -0,0 +1,111 @@ +/* ----------------------------------- +general +----------------------------------- */ + +body +{ + margin: 0px; + padding: 0px; + font: 100%/1.4 helvetica, arial, sans-serif; + color: #444; + background: #fff; +} + +h1, h2, h3, h4, h5, h6 +{ + margin: 0 0 1em; + line-height: 1.1; +} + +h2, h3 { color: #003d5d; } +h2 { font-size: 218.75%; } + + +p +{ +margin-top: 35pt; +margin-right: 0pt; +margin-bottom: -25px; +margin-left: 0pt; +text-indent: 25px; +} + +img { border: none; } +a:link { color: #035389; } +a:visited { color: #09619C; } + +/* ----------------------------------- +Play Hide the tab +----------------------------------- */ + +div.items p:not(:target) {display: none} +div.items p:target {display: block} + + +/* ----------------------------------- +layout +----------------------------------- */ + +#container +{ + margin: 0 0px; + background: #fff; +} + +#header +{ + background: #fff; +} + +#header h1 { margin: 0; } + +#navigation +{ + float: left; + width: 100%; + background: #333; +} + +#navigation ul +{ + margin: 0; + padding: 0; +} + +#navigation ul li +{ + list-style-type: none; + display: inline; +} + +#navigation li a +{ + display: block; + float: left; + padding: 5px 10px; + color: #fff; + text-decoration: none; + border-right: 1px solid #fff; +} + +#navigation li a:hover +{ + background-color: #3366cc; + background-image: none; + background-repeat: repeat; + background-attachment: scroll; + background-position: 0% 0%; +} + +#content +{ + clear: left; + padding: 20px; +} + +#content h2 +{ + color: #000; + font-size: 160%; + margin: 0 0 .5em; +}
\ No newline at end of file diff --git a/config/snort/help_and_info.php b/config/snort/help_and_info.php new file mode 100644 index 00000000..0f4a0c9f --- /dev/null +++ b/config/snort/help_and_info.php @@ -0,0 +1,196 @@ +<?php + + require_once("guiconfig.inc"); + +echo ' +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> +<title>Help & Info</title> +<base target="main"> +<script src="./javascript/tabs.js" type="text/javascript"></script> +<link href="./css/style2.css" rel="stylesheet" type="text/css" /> +</head> + +<body> + +<style type="text/css"> +</style> + +<div id="container"> + <div id="header"> + <IMG SRC="./images/logo.jpg" width="780px" height="76" ALT="Snort Package"> + </div> + <div class="navigation" id="navigation"> + <ul> + <li><a href="#item1" target="_self">Home</a></li> + <li><a href="#item2" target="_self">About Me</a></li> + <li><a href="#item3" target="_self">Services</a></li> + <li><a href="#item4" target="_self">Change Log</a></li> + <li><a href="#item7" target="_self">Faq</a></li> + <li><a href="#item6" target="_self">Heros</a></li> + <li><a href="#item5" target="_self">Developers</a></li> + </ul> + </div> + <br> +<div class="content" id="item1"> + <p> + <font size="5"><strong>Snort Package</strong></font> is a GUI based front-end for Sourcefire\'s Snort ® IDS/IPS software. The Snort Package goal is to be + the best open-source GUI to manage multiple snort sensors and multiple rule snapshots. The project other goal is to be a highly competitive GUI for + network monitoring for both private and enterprise use. Lastly, this project software development should bring programmers and users together to create + software. + </p> + <p> + <font size="5"><strong>What is Snort ?</strong></font> Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and + can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port + scans, CGI attacks, SMB probes, and much more. + </p> + <p> + <font size="5"><strong>Requirements :</strong></font><br> + Minimum requirement 256 mb ram, 500 MHz CPU.<br> + Recommended 500 mb ram, 1 Ghz CPU.<br> + The more rules you run the more memory you need.<br> + The more interfaces you select the more memory you need.<br><br> + Development is done on a Alix 2D3 system (500 MHz AMD Geode LX800 CPU 256MB DDR DRAM). + </p> +</div> +<div class="content" id="item2"> + <p> +About Me<br><br> +Coming soon............ + +</p> +</div> +<div class="content" id="item3"> + <p> +Services<br><br> +Coming soon............ +</p> +</div> +<div class="content" id="item4"> +<p> +Change Log<br><br> +Coming soon............ +</p> +</div> +<div class="content" id="item5"> +<p> +<font size="5"><strong>PfSense</strong></font> is brought to you by a dedicated group of developers who are security and network professionals by trade. The following people are active developers of the pfSense project. +Username is listed in parenthesis (generally also the person\'s forum username, IRC nickname, etc.).<br><br> + +<font size="5"><strong>Main Snort-dev Package Developer</strong></font><br> +Robert Zelaya<br><br> + +<font size="5"><strong>Founders</strong></font><br> +In alphabetical order<br><br> + +Chris Buechler (cmb)<br> +Scott Ullrich (sullrich)<br><br> + +<font size="5"><strong>Active Developers</strong></font><br> +Listed in order of seniority along with date of first contribution.<br><br> + +Bill Marquette (billm) - February 2005<br> +Holger Bauer (hoba) - May 2005<br> +Erik Kristensen (ekristen) - August 2005<br> +Seth Mos (smos) - November 2005<br> +Scott Dale (sdale) - December 2006<br> +Martin Fuchs (mfuchs) - June 2007<br> +Ermal Luçi (ermal) - January 2008<br> +Matthew Grooms (mgrooms) - July 2008<br> +Mark Crane (mcrane) - October 2008<br> +Jim Pingle (jim-p) - February 2009<br> +Rob Zelaya (robiscool) - March 2009<br> +Renato Botelho (rbgarga) - May 2009<br><br> + +<font size="5"><strong>FreeBSD Developer Assistance</strong></font><br> +We would like to thank the following FreeBSD developers for their assistance.<br><br> + +Max Laier (mlaier)<br> +Christian S.J. Peron (csjp)<br> +Andrew Thompson (thompsa)<br> +Bjoern A. Zeeb (bz)<br><br> + +among many others who help us directly, and everyone who contributes to FreeBSD.<br><br> + +<font size="5"><strong>Inactive Developers</strong></font><br> +The following individuals are no longer active contributors, having moved on because of other commitments, or employers forbidding contributions. We thank them for their past contributions.<br><br> + +Daniel Berlin (dberlin)<br> +Daniel Haischt (dsh)<br> +Espen Johansen (lsf)<br> +Scott Kamp (dingo)<br> +Bachman Kharazmi (bkw)<br> +Fernando Tarlá Cardoso Lemos (fernando)<br> +Kyle Mott (kyle)<br> +Colin Smith (colin)<br> +</p> +</div> +<div class="content" id="item6"> +<p> +Heros<br><br> +Coming soon............ +</p> +</div> +<div class="content" id="item7"> +<p> +=========================<br> + +Q: Do you have a quick install tutorial and tabs explanation.<br> + +A: Yes.<br> + + http://doc.pfsense.org/index.php/Setup_Snort_Package<br> + +=========================<br> + +Q: What interfaces can snort listen on ?<br> + +A: Right now all WAN interfaces and LAN interfaces. But if you select a LAN interface you may need to adjust the snort rules to use the LAN interface.<br> + +==========================<br> + +Q: What logs does the snort package keep. ?<br> + +A: Most of the snort logs are keept in the /var/log/snort.<br> + Snorts syslogs\' are saved to the /var/log/snort/snort_sys_0ng0.<br> + +==========================<br> + +Q: What is the best Performance setting ? or Snort is using 90% cpu and all my memory.<br> + +A: Depends how much memory you have and how many rules you want to run.; lowmem for systems with less than 256 mb memory, ac-bnfa for systems<br> + with over 256 mb of memory. The other options are; ac high memory, best performance, ac-std moderate memory, high performance,acs small<br> + memory, moderate performance,ac-banded small memory,moderate performance,ac-sparsebands small memory, high performance.<br> + + Short version: For most people ac-bnfa is the best setting.<br> + +=========================<br> + +Q: What is the Oinkmaster code ? How do I get the code ?<br> + +A: The Oinkmaster code is your personal password in order to download snort rules.<br> + You get a Oinkmaster code when you register with snort.org. It is free to register.<br> + Goto https://www.snort.org/signup to get your personal code.<br> + +=========================<br> + +Q: What is the Snort.org subscriber option? How do I become a Snort.org subscriber?<br> + +A: Snort.org subscribers get the the latest rule updates 30 days faster than registered users.<br> + Goto http://www.snort.org/vrt/buy-a-subscription/. + It is highly suggested that you get a paid subscription so that you can always have the latest rules.<br> + +=========================<br> + +Q: When did you start working on the snort package.<br> + +A: I started working on the snort package in May 2009.<br> +</p> +</div> +</div> +</body> +</html> +'; +?>
\ No newline at end of file diff --git a/config/snort-dev/images/alert.jpg b/config/snort/images/alert.jpg Binary files differindex 96c24e35..96c24e35 100644 --- a/config/snort-dev/images/alert.jpg +++ b/config/snort/images/alert.jpg diff --git a/config/snort-dev/images/down.gif b/config/snort/images/down.gif Binary files differindex 2b3c99fc..2b3c99fc 100644 --- a/config/snort-dev/images/down.gif +++ b/config/snort/images/down.gif diff --git a/config/snort-dev/images/down2.gif b/config/snort/images/down2.gif Binary files differindex 71bf92eb..71bf92eb 100644 --- a/config/snort-dev/images/down2.gif +++ b/config/snort/images/down2.gif diff --git a/config/snort/images/footer.jpg b/config/snort/images/footer.jpg Binary files differnew file mode 100644 index 00000000..4af05707 --- /dev/null +++ b/config/snort/images/footer.jpg diff --git a/config/snort/images/footer2.jpg b/config/snort/images/footer2.jpg Binary files differnew file mode 100644 index 00000000..3332e085 --- /dev/null +++ b/config/snort/images/footer2.jpg diff --git a/config/snort-dev/images/icon-table-sort-asc.png b/config/snort/images/icon-table-sort-asc.png Binary files differindex 330b3c1f..0c127919 100644 --- a/config/snort-dev/images/icon-table-sort-asc.png +++ b/config/snort/images/icon-table-sort-asc.png diff --git a/config/snort-dev/images/icon-table-sort-desc.png b/config/snort/images/icon-table-sort-desc.png Binary files differindex dc8a92bb..5c52f2d0 100644 --- a/config/snort-dev/images/icon-table-sort-desc.png +++ b/config/snort/images/icon-table-sort-desc.png diff --git a/config/snort-dev/images/icon-table-sort.png b/config/snort/images/icon-table-sort.png Binary files differindex 389169ab..3cae604b 100644 --- a/config/snort-dev/images/icon-table-sort.png +++ b/config/snort/images/icon-table-sort.png diff --git a/config/snort/images/icon_excli.png b/config/snort/images/icon_excli.png Binary files differnew file mode 100644 index 00000000..4b54fa31 --- /dev/null +++ b/config/snort/images/icon_excli.png diff --git a/config/snort/images/logo.jpg b/config/snort/images/logo.jpg Binary files differnew file mode 100644 index 00000000..fa01d818 --- /dev/null +++ b/config/snort/images/logo.jpg diff --git a/config/snort-dev/images/up.gif b/config/snort/images/up.gif Binary files differindex 89596771..89596771 100644 --- a/config/snort-dev/images/up.gif +++ b/config/snort/images/up.gif diff --git a/config/snort-dev/images/up2.gif b/config/snort/images/up2.gif Binary files differindex 21c5a254..21c5a254 100644 --- a/config/snort-dev/images/up2.gif +++ b/config/snort/images/up2.gif diff --git a/config/snort-dev/javascript/jquery-1.3.2.js b/config/snort/javascript/jquery-1.3.2.js index ac191058..59b71d25 100644 --- a/config/snort-dev/javascript/jquery-1.3.2.js +++ b/config/snort/javascript/jquery-1.3.2.js @@ -1,4376 +1,4376 @@ -/*!
- * jQuery JavaScript Library v1.3.2
- * http://jquery.com/
- *
- * Copyright (c) 2009 John Resig
- * Dual licensed under the MIT and GPL licenses.
- * http://docs.jquery.com/License
- *
- * Date: 2009-02-19 17:34:21 -0500 (Thu, 19 Feb 2009)
- * Revision: 6246
- */
-(function(){
-
-var
- // Will speed up references to window, and allows munging its name.
- window = this,
- // Will speed up references to undefined, and allows munging its name.
- undefined,
- // Map over jQuery in case of overwrite
- _jQuery = window.jQuery,
- // Map over the $ in case of overwrite
- _$ = window.$,
-
- jQuery = window.jQuery = window.$ = function( selector, context ) {
- // The jQuery object is actually just the init constructor 'enhanced'
- return new jQuery.fn.init( selector, context );
- },
-
- // A simple way to check for HTML strings or ID strings
- // (both of which we optimize for)
- quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/,
- // Is it a simple selector
- isSimple = /^.[^:#\[\.,]*$/;
-
-jQuery.fn = jQuery.prototype = {
- init: function( selector, context ) {
- // Make sure that a selection was provided
- selector = selector || document;
-
- // Handle $(DOMElement)
- if ( selector.nodeType ) {
- this[0] = selector;
- this.length = 1;
- this.context = selector;
- return this;
- }
- // Handle HTML strings
- if ( typeof selector === "string" ) {
- // Are we dealing with HTML string or an ID?
- var match = quickExpr.exec( selector );
-
- // Verify a match, and that no context was specified for #id
- if ( match && (match[1] || !context) ) {
-
- // HANDLE: $(html) -> $(array)
- if ( match[1] )
- selector = jQuery.clean( [ match[1] ], context );
-
- // HANDLE: $("#id")
- else {
- var elem = document.getElementById( match[3] );
-
- // Handle the case where IE and Opera return items
- // by name instead of ID
- if ( elem && elem.id != match[3] )
- return jQuery().find( selector );
-
- // Otherwise, we inject the element directly into the jQuery object
- var ret = jQuery( elem || [] );
- ret.context = document;
- ret.selector = selector;
- return ret;
- }
-
- // HANDLE: $(expr, [context])
- // (which is just equivalent to: $(content).find(expr)
- } else
- return jQuery( context ).find( selector );
-
- // HANDLE: $(function)
- // Shortcut for document ready
- } else if ( jQuery.isFunction( selector ) )
- return jQuery( document ).ready( selector );
-
- // Make sure that old selector state is passed along
- if ( selector.selector && selector.context ) {
- this.selector = selector.selector;
- this.context = selector.context;
- }
-
- return this.setArray(jQuery.isArray( selector ) ?
- selector :
- jQuery.makeArray(selector));
- },
-
- // Start with an empty selector
- selector: "",
-
- // The current version of jQuery being used
- jquery: "1.3.2",
-
- // The number of elements contained in the matched element set
- size: function() {
- return this.length;
- },
-
- // Get the Nth element in the matched element set OR
- // Get the whole matched element set as a clean array
- get: function( num ) {
- return num === undefined ?
-
- // Return a 'clean' array
- Array.prototype.slice.call( this ) :
-
- // Return just the object
- this[ num ];
- },
-
- // Take an array of elements and push it onto the stack
- // (returning the new matched element set)
- pushStack: function( elems, name, selector ) {
- // Build a new jQuery matched element set
- var ret = jQuery( elems );
-
- // Add the old object onto the stack (as a reference)
- ret.prevObject = this;
-
- ret.context = this.context;
-
- if ( name === "find" )
- ret.selector = this.selector + (this.selector ? " " : "") + selector;
- else if ( name )
- ret.selector = this.selector + "." + name + "(" + selector + ")";
-
- // Return the newly-formed element set
- return ret;
- },
-
- // Force the current matched set of elements to become
- // the specified array of elements (destroying the stack in the process)
- // You should use pushStack() in order to do this, but maintain the stack
- setArray: function( elems ) {
- // Resetting the length to 0, then using the native Array push
- // is a super-fast way to populate an object with array-like properties
- this.length = 0;
- Array.prototype.push.apply( this, elems );
-
- return this;
- },
-
- // Execute a callback for every element in the matched set.
- // (You can seed the arguments with an array of args, but this is
- // only used internally.)
- each: function( callback, args ) {
- return jQuery.each( this, callback, args );
- },
-
- // Determine the position of an element within
- // the matched set of elements
- index: function( elem ) {
- // Locate the position of the desired element
- return jQuery.inArray(
- // If it receives a jQuery object, the first element is used
- elem && elem.jquery ? elem[0] : elem
- , this );
- },
-
- attr: function( name, value, type ) {
- var options = name;
-
- // Look for the case where we're accessing a style value
- if ( typeof name === "string" )
- if ( value === undefined )
- return this[0] && jQuery[ type || "attr" ]( this[0], name );
-
- else {
- options = {};
- options[ name ] = value;
- }
-
- // Check to see if we're setting style values
- return this.each(function(i){
- // Set all the styles
- for ( name in options )
- jQuery.attr(
- type ?
- this.style :
- this,
- name, jQuery.prop( this, options[ name ], type, i, name )
- );
- });
- },
-
- css: function( key, value ) {
- // ignore negative width and height values
- if ( (key == 'width' || key == 'height') && parseFloat(value) < 0 )
- value = undefined;
- return this.attr( key, value, "curCSS" );
- },
-
- text: function( text ) {
- if ( typeof text !== "object" && text != null )
- return this.empty().append( (this[0] && this[0].ownerDocument || document).createTextNode( text ) );
-
- var ret = "";
-
- jQuery.each( text || this, function(){
- jQuery.each( this.childNodes, function(){
- if ( this.nodeType != 8 )
- ret += this.nodeType != 1 ?
- this.nodeValue :
- jQuery.fn.text( [ this ] );
- });
- });
-
- return ret;
- },
-
- wrapAll: function( html ) {
- if ( this[0] ) {
- // The elements to wrap the target around
- var wrap = jQuery( html, this[0].ownerDocument ).clone();
-
- if ( this[0].parentNode )
- wrap.insertBefore( this[0] );
-
- wrap.map(function(){
- var elem = this;
-
- while ( elem.firstChild )
- elem = elem.firstChild;
-
- return elem;
- }).append(this);
- }
-
- return this;
- },
-
- wrapInner: function( html ) {
- return this.each(function(){
- jQuery( this ).contents().wrapAll( html );
- });
- },
-
- wrap: function( html ) {
- return this.each(function(){
- jQuery( this ).wrapAll( html );
- });
- },
-
- append: function() {
- return this.domManip(arguments, true, function(elem){
- if (this.nodeType == 1)
- this.appendChild( elem );
- });
- },
-
- prepend: function() {
- return this.domManip(arguments, true, function(elem){
- if (this.nodeType == 1)
- this.insertBefore( elem, this.firstChild );
- });
- },
-
- before: function() {
- return this.domManip(arguments, false, function(elem){
- this.parentNode.insertBefore( elem, this );
- });
- },
-
- after: function() {
- return this.domManip(arguments, false, function(elem){
- this.parentNode.insertBefore( elem, this.nextSibling );
- });
- },
-
- end: function() {
- return this.prevObject || jQuery( [] );
- },
-
- // For internal use only.
- // Behaves like an Array's method, not like a jQuery method.
- push: [].push,
- sort: [].sort,
- splice: [].splice,
-
- find: function( selector ) {
- if ( this.length === 1 ) {
- var ret = this.pushStack( [], "find", selector );
- ret.length = 0;
- jQuery.find( selector, this[0], ret );
- return ret;
- } else {
- return this.pushStack( jQuery.unique(jQuery.map(this, function(elem){
- return jQuery.find( selector, elem );
- })), "find", selector );
- }
- },
-
- clone: function( events ) {
- // Do the clone
- var ret = this.map(function(){
- if ( !jQuery.support.noCloneEvent && !jQuery.isXMLDoc(this) ) {
- // IE copies events bound via attachEvent when
- // using cloneNode. Calling detachEvent on the
- // clone will also remove the events from the orignal
- // In order to get around this, we use innerHTML.
- // Unfortunately, this means some modifications to
- // attributes in IE that are actually only stored
- // as properties will not be copied (such as the
- // the name attribute on an input).
- var html = this.outerHTML;
- if ( !html ) {
- var div = this.ownerDocument.createElement("div");
- div.appendChild( this.cloneNode(true) );
- html = div.innerHTML;
- }
-
- return jQuery.clean([html.replace(/ jQuery\d+="(?:\d+|null)"/g, "").replace(/^\s*/, "")])[0];
- } else
- return this.cloneNode(true);
- });
-
- // Copy the events from the original to the clone
- if ( events === true ) {
- var orig = this.find("*").andSelf(), i = 0;
-
- ret.find("*").andSelf().each(function(){
- if ( this.nodeName !== orig[i].nodeName )
- return;
-
- var events = jQuery.data( orig[i], "events" );
-
- for ( var type in events ) {
- for ( var handler in events[ type ] ) {
- jQuery.event.add( this, type, events[ type ][ handler ], events[ type ][ handler ].data );
- }
- }
-
- i++;
- });
- }
-
- // Return the cloned set
- return ret;
- },
-
- filter: function( selector ) {
- return this.pushStack(
- jQuery.isFunction( selector ) &&
- jQuery.grep(this, function(elem, i){
- return selector.call( elem, i );
- }) ||
-
- jQuery.multiFilter( selector, jQuery.grep(this, function(elem){
- return elem.nodeType === 1;
- }) ), "filter", selector );
- },
-
- closest: function( selector ) {
- var pos = jQuery.expr.match.POS.test( selector ) ? jQuery(selector) : null,
- closer = 0;
-
- return this.map(function(){
- var cur = this;
- while ( cur && cur.ownerDocument ) {
- if ( pos ? pos.index(cur) > -1 : jQuery(cur).is(selector) ) {
- jQuery.data(cur, "closest", closer);
- return cur;
- }
- cur = cur.parentNode;
- closer++;
- }
- });
- },
-
- not: function( selector ) {
- if ( typeof selector === "string" )
- // test special case where just one selector is passed in
- if ( isSimple.test( selector ) )
- return this.pushStack( jQuery.multiFilter( selector, this, true ), "not", selector );
- else
- selector = jQuery.multiFilter( selector, this );
-
- var isArrayLike = selector.length && selector[selector.length - 1] !== undefined && !selector.nodeType;
- return this.filter(function() {
- return isArrayLike ? jQuery.inArray( this, selector ) < 0 : this != selector;
- });
- },
-
- add: function( selector ) {
- return this.pushStack( jQuery.unique( jQuery.merge(
- this.get(),
- typeof selector === "string" ?
- jQuery( selector ) :
- jQuery.makeArray( selector )
- )));
- },
-
- is: function( selector ) {
- return !!selector && jQuery.multiFilter( selector, this ).length > 0;
- },
-
- hasClass: function( selector ) {
- return !!selector && this.is( "." + selector );
- },
-
- val: function( value ) {
- if ( value === undefined ) {
- var elem = this[0];
-
- if ( elem ) {
- if( jQuery.nodeName( elem, 'option' ) )
- return (elem.attributes.value || {}).specified ? elem.value : elem.text;
-
- // We need to handle select boxes special
- if ( jQuery.nodeName( elem, "select" ) ) {
- var index = elem.selectedIndex,
- values = [],
- options = elem.options,
- one = elem.type == "select-one";
-
- // Nothing was selected
- if ( index < 0 )
- return null;
-
- // Loop through all the selected options
- for ( var i = one ? index : 0, max = one ? index + 1 : options.length; i < max; i++ ) {
- var option = options[ i ];
-
- if ( option.selected ) {
- // Get the specifc value for the option
- value = jQuery(option).val();
-
- // We don't need an array for one selects
- if ( one )
- return value;
-
- // Multi-Selects return an array
- values.push( value );
- }
- }
-
- return values;
- }
-
- // Everything else, we just grab the value
- return (elem.value || "").replace(/\r/g, "");
-
- }
-
- return undefined;
- }
-
- if ( typeof value === "number" )
- value += '';
-
- return this.each(function(){
- if ( this.nodeType != 1 )
- return;
-
- if ( jQuery.isArray(value) && /radio|checkbox/.test( this.type ) )
- this.checked = (jQuery.inArray(this.value, value) >= 0 ||
- jQuery.inArray(this.name, value) >= 0);
-
- else if ( jQuery.nodeName( this, "select" ) ) {
- var values = jQuery.makeArray(value);
-
- jQuery( "option", this ).each(function(){
- this.selected = (jQuery.inArray( this.value, values ) >= 0 ||
- jQuery.inArray( this.text, values ) >= 0);
- });
-
- if ( !values.length )
- this.selectedIndex = -1;
-
- } else
- this.value = value;
- });
- },
-
- html: function( value ) {
- return value === undefined ?
- (this[0] ?
- this[0].innerHTML.replace(/ jQuery\d+="(?:\d+|null)"/g, "") :
- null) :
- this.empty().append( value );
- },
-
- replaceWith: function( value ) {
- return this.after( value ).remove();
- },
-
- eq: function( i ) {
- return this.slice( i, +i + 1 );
- },
-
- slice: function() {
- return this.pushStack( Array.prototype.slice.apply( this, arguments ),
- "slice", Array.prototype.slice.call(arguments).join(",") );
- },
-
- map: function( callback ) {
- return this.pushStack( jQuery.map(this, function(elem, i){
- return callback.call( elem, i, elem );
- }));
- },
-
- andSelf: function() {
- return this.add( this.prevObject );
- },
-
- domManip: function( args, table, callback ) {
- if ( this[0] ) {
- var fragment = (this[0].ownerDocument || this[0]).createDocumentFragment(),
- scripts = jQuery.clean( args, (this[0].ownerDocument || this[0]), fragment ),
- first = fragment.firstChild;
-
- if ( first )
- for ( var i = 0, l = this.length; i < l; i++ )
- callback.call( root(this[i], first), this.length > 1 || i > 0 ?
- fragment.cloneNode(true) : fragment );
-
- if ( scripts )
- jQuery.each( scripts, evalScript );
- }
-
- return this;
-
- function root( elem, cur ) {
- return table && jQuery.nodeName(elem, "table") && jQuery.nodeName(cur, "tr") ?
- (elem.getElementsByTagName("tbody")[0] ||
- elem.appendChild(elem.ownerDocument.createElement("tbody"))) :
- elem;
- }
- }
-};
-
-// Give the init function the jQuery prototype for later instantiation
-jQuery.fn.init.prototype = jQuery.fn;
-
-function evalScript( i, elem ) {
- if ( elem.src )
- jQuery.ajax({
- url: elem.src,
- async: false,
- dataType: "script"
- });
-
- else
- jQuery.globalEval( elem.text || elem.textContent || elem.innerHTML || "" );
-
- if ( elem.parentNode )
- elem.parentNode.removeChild( elem );
-}
-
-function now(){
- return +new Date;
-}
-
-jQuery.extend = jQuery.fn.extend = function() {
- // copy reference to target object
- var target = arguments[0] || {}, i = 1, length = arguments.length, deep = false, options;
-
- // Handle a deep copy situation
- if ( typeof target === "boolean" ) {
- deep = target;
- target = arguments[1] || {};
- // skip the boolean and the target
- i = 2;
- }
-
- // Handle case when target is a string or something (possible in deep copy)
- if ( typeof target !== "object" && !jQuery.isFunction(target) )
- target = {};
-
- // extend jQuery itself if only one argument is passed
- if ( length == i ) {
- target = this;
- --i;
- }
-
- for ( ; i < length; i++ )
- // Only deal with non-null/undefined values
- if ( (options = arguments[ i ]) != null )
- // Extend the base object
- for ( var name in options ) {
- var src = target[ name ], copy = options[ name ];
-
- // Prevent never-ending loop
- if ( target === copy )
- continue;
-
- // Recurse if we're merging object values
- if ( deep && copy && typeof copy === "object" && !copy.nodeType )
- target[ name ] = jQuery.extend( deep,
- // Never move original objects, clone them
- src || ( copy.length != null ? [ ] : { } )
- , copy );
-
- // Don't bring in undefined values
- else if ( copy !== undefined )
- target[ name ] = copy;
-
- }
-
- // Return the modified object
- return target;
-};
-
-// exclude the following css properties to add px
-var exclude = /z-?index|font-?weight|opacity|zoom|line-?height/i,
- // cache defaultView
- defaultView = document.defaultView || {},
- toString = Object.prototype.toString;
-
-jQuery.extend({
- noConflict: function( deep ) {
- window.$ = _$;
-
- if ( deep )
- window.jQuery = _jQuery;
-
- return jQuery;
- },
-
- // See test/unit/core.js for details concerning isFunction.
- // Since version 1.3, DOM methods and functions like alert
- // aren't supported. They return false on IE (#2968).
- isFunction: function( obj ) {
- return toString.call(obj) === "[object Function]";
- },
-
- isArray: function( obj ) {
- return toString.call(obj) === "[object Array]";
- },
-
- // check if an element is in a (or is an) XML document
- isXMLDoc: function( elem ) {
- return elem.nodeType === 9 && elem.documentElement.nodeName !== "HTML" ||
- !!elem.ownerDocument && jQuery.isXMLDoc( elem.ownerDocument );
- },
-
- // Evalulates a script in a global context
- globalEval: function( data ) {
- if ( data && /\S/.test(data) ) {
- // Inspired by code by Andrea Giammarchi
- // http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html
- var head = document.getElementsByTagName("head")[0] || document.documentElement,
- script = document.createElement("script");
-
- script.type = "text/javascript";
- if ( jQuery.support.scriptEval )
- script.appendChild( document.createTextNode( data ) );
- else
- script.text = data;
-
- // Use insertBefore instead of appendChild to circumvent an IE6 bug.
- // This arises when a base node is used (#2709).
- head.insertBefore( script, head.firstChild );
- head.removeChild( script );
- }
- },
-
- nodeName: function( elem, name ) {
- return elem.nodeName && elem.nodeName.toUpperCase() == name.toUpperCase();
- },
-
- // args is for internal usage only
- each: function( object, callback, args ) {
- var name, i = 0, length = object.length;
-
- if ( args ) {
- if ( length === undefined ) {
- for ( name in object )
- if ( callback.apply( object[ name ], args ) === false )
- break;
- } else
- for ( ; i < length; )
- if ( callback.apply( object[ i++ ], args ) === false )
- break;
-
- // A special, fast, case for the most common use of each
- } else {
- if ( length === undefined ) {
- for ( name in object )
- if ( callback.call( object[ name ], name, object[ name ] ) === false )
- break;
- } else
- for ( var value = object[0];
- i < length && callback.call( value, i, value ) !== false; value = object[++i] ){}
- }
-
- return object;
- },
-
- prop: function( elem, value, type, i, name ) {
- // Handle executable functions
- if ( jQuery.isFunction( value ) )
- value = value.call( elem, i );
-
- // Handle passing in a number to a CSS property
- return typeof value === "number" && type == "curCSS" && !exclude.test( name ) ?
- value + "px" :
- value;
- },
-
- className: {
- // internal only, use addClass("class")
- add: function( elem, classNames ) {
- jQuery.each((classNames || "").split(/\s+/), function(i, className){
- if ( elem.nodeType == 1 && !jQuery.className.has( elem.className, className ) )
- elem.className += (elem.className ? " " : "") + className;
- });
- },
-
- // internal only, use removeClass("class")
- remove: function( elem, classNames ) {
- if (elem.nodeType == 1)
- elem.className = classNames !== undefined ?
- jQuery.grep(elem.className.split(/\s+/), function(className){
- return !jQuery.className.has( classNames, className );
- }).join(" ") :
- "";
- },
-
- // internal only, use hasClass("class")
- has: function( elem, className ) {
- return elem && jQuery.inArray( className, (elem.className || elem).toString().split(/\s+/) ) > -1;
- }
- },
-
- // A method for quickly swapping in/out CSS properties to get correct calculations
- swap: function( elem, options, callback ) {
- var old = {};
- // Remember the old values, and insert the new ones
- for ( var name in options ) {
- old[ name ] = elem.style[ name ];
- elem.style[ name ] = options[ name ];
- }
-
- callback.call( elem );
-
- // Revert the old values
- for ( var name in options )
- elem.style[ name ] = old[ name ];
- },
-
- css: function( elem, name, force, extra ) {
- if ( name == "width" || name == "height" ) {
- var val, props = { position: "absolute", visibility: "hidden", display:"block" }, which = name == "width" ? [ "Left", "Right" ] : [ "Top", "Bottom" ];
-
- function getWH() {
- val = name == "width" ? elem.offsetWidth : elem.offsetHeight;
-
- if ( extra === "border" )
- return;
-
- jQuery.each( which, function() {
- if ( !extra )
- val -= parseFloat(jQuery.curCSS( elem, "padding" + this, true)) || 0;
- if ( extra === "margin" )
- val += parseFloat(jQuery.curCSS( elem, "margin" + this, true)) || 0;
- else
- val -= parseFloat(jQuery.curCSS( elem, "border" + this + "Width", true)) || 0;
- });
- }
-
- if ( elem.offsetWidth !== 0 )
- getWH();
- else
- jQuery.swap( elem, props, getWH );
-
- return Math.max(0, Math.round(val));
- }
-
- return jQuery.curCSS( elem, name, force );
- },
-
- curCSS: function( elem, name, force ) {
- var ret, style = elem.style;
-
- // We need to handle opacity special in IE
- if ( name == "opacity" && !jQuery.support.opacity ) {
- ret = jQuery.attr( style, "opacity" );
-
- return ret == "" ?
- "1" :
- ret;
- }
-
- // Make sure we're using the right name for getting the float value
- if ( name.match( /float/i ) )
- name = styleFloat;
-
- if ( !force && style && style[ name ] )
- ret = style[ name ];
-
- else if ( defaultView.getComputedStyle ) {
-
- // Only "float" is needed here
- if ( name.match( /float/i ) )
- name = "float";
-
- name = name.replace( /([A-Z])/g, "-$1" ).toLowerCase();
-
- var computedStyle = defaultView.getComputedStyle( elem, null );
-
- if ( computedStyle )
- ret = computedStyle.getPropertyValue( name );
-
- // We should always get a number back from opacity
- if ( name == "opacity" && ret == "" )
- ret = "1";
-
- } else if ( elem.currentStyle ) {
- var camelCase = name.replace(/\-(\w)/g, function(all, letter){
- return letter.toUpperCase();
- });
-
- ret = elem.currentStyle[ name ] || elem.currentStyle[ camelCase ];
-
- // From the awesome hack by Dean Edwards
- // http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
-
- // If we're not dealing with a regular pixel number
- // but a number that has a weird ending, we need to convert it to pixels
- if ( !/^\d+(px)?$/i.test( ret ) && /^\d/.test( ret ) ) {
- // Remember the original values
- var left = style.left, rsLeft = elem.runtimeStyle.left;
-
- // Put in the new values to get a computed value out
- elem.runtimeStyle.left = elem.currentStyle.left;
- style.left = ret || 0;
- ret = style.pixelLeft + "px";
-
- // Revert the changed values
- style.left = left;
- elem.runtimeStyle.left = rsLeft;
- }
- }
-
- return ret;
- },
-
- clean: function( elems, context, fragment ) {
- context = context || document;
-
- // !context.createElement fails in IE with an error but returns typeof 'object'
- if ( typeof context.createElement === "undefined" )
- context = context.ownerDocument || context[0] && context[0].ownerDocument || document;
-
- // If a single string is passed in and it's a single tag
- // just do a createElement and skip the rest
- if ( !fragment && elems.length === 1 && typeof elems[0] === "string" ) {
- var match = /^<(\w+)\s*\/?>$/.exec(elems[0]);
- if ( match )
- return [ context.createElement( match[1] ) ];
- }
-
- var ret = [], scripts = [], div = context.createElement("div");
-
- jQuery.each(elems, function(i, elem){
- if ( typeof elem === "number" )
- elem += '';
-
- if ( !elem )
- return;
-
- // Convert html string into DOM nodes
- if ( typeof elem === "string" ) {
- // Fix "XHTML"-style tags in all browsers
- elem = elem.replace(/(<(\w+)[^>]*?)\/>/g, function(all, front, tag){
- return tag.match(/^(abbr|br|col|img|input|link|meta|param|hr|area|embed)$/i) ?
- all :
- front + "></" + tag + ">";
- });
-
- // Trim whitespace, otherwise indexOf won't work as expected
- var tags = elem.replace(/^\s+/, "").substring(0, 10).toLowerCase();
-
- var wrap =
- // option or optgroup
- !tags.indexOf("<opt") &&
- [ 1, "<select multiple='multiple'>", "</select>" ] ||
-
- !tags.indexOf("<leg") &&
- [ 1, "<fieldset>", "</fieldset>" ] ||
-
- tags.match(/^<(thead|tbody|tfoot|colg|cap)/) &&
- [ 1, "<table>", "</table>" ] ||
-
- !tags.indexOf("<tr") &&
- [ 2, "<table><tbody>", "</tbody></table>" ] ||
-
- // <thead> matched above
- (!tags.indexOf("<td") || !tags.indexOf("<th")) &&
- [ 3, "<table><tbody><tr>", "</tr></tbody></table>" ] ||
-
- !tags.indexOf("<col") &&
- [ 2, "<table><tbody></tbody><colgroup>", "</colgroup></table>" ] ||
-
- // IE can't serialize <link> and <script> tags normally
- !jQuery.support.htmlSerialize &&
- [ 1, "div<div>", "</div>" ] ||
-
- [ 0, "", "" ];
-
- // Go to html and back, then peel off extra wrappers
- div.innerHTML = wrap[1] + elem + wrap[2];
-
- // Move to the right depth
- while ( wrap[0]-- )
- div = div.lastChild;
-
- // Remove IE's autoinserted <tbody> from table fragments
- if ( !jQuery.support.tbody ) {
-
- // String was a <table>, *may* have spurious <tbody>
- var hasBody = /<tbody/i.test(elem),
- tbody = !tags.indexOf("<table") && !hasBody ?
- div.firstChild && div.firstChild.childNodes :
-
- // String was a bare <thead> or <tfoot>
- wrap[1] == "<table>" && !hasBody ?
- div.childNodes :
- [];
-
- for ( var j = tbody.length - 1; j >= 0 ; --j )
- if ( jQuery.nodeName( tbody[ j ], "tbody" ) && !tbody[ j ].childNodes.length )
- tbody[ j ].parentNode.removeChild( tbody[ j ] );
-
- }
-
- // IE completely kills leading whitespace when innerHTML is used
- if ( !jQuery.support.leadingWhitespace && /^\s/.test( elem ) )
- div.insertBefore( context.createTextNode( elem.match(/^\s*/)[0] ), div.firstChild );
-
- elem = jQuery.makeArray( div.childNodes );
- }
-
- if ( elem.nodeType )
- ret.push( elem );
- else
- ret = jQuery.merge( ret, elem );
-
- });
-
- if ( fragment ) {
- for ( var i = 0; ret[i]; i++ ) {
- if ( jQuery.nodeName( ret[i], "script" ) && (!ret[i].type || ret[i].type.toLowerCase() === "text/javascript") ) {
- scripts.push( ret[i].parentNode ? ret[i].parentNode.removeChild( ret[i] ) : ret[i] );
- } else {
- if ( ret[i].nodeType === 1 )
- ret.splice.apply( ret, [i + 1, 0].concat(jQuery.makeArray(ret[i].getElementsByTagName("script"))) );
- fragment.appendChild( ret[i] );
- }
- }
-
- return scripts;
- }
-
- return ret;
- },
-
- attr: function( elem, name, value ) {
- // don't set attributes on text and comment nodes
- if (!elem || elem.nodeType == 3 || elem.nodeType == 8)
- return undefined;
-
- var notxml = !jQuery.isXMLDoc( elem ),
- // Whether we are setting (or getting)
- set = value !== undefined;
-
- // Try to normalize/fix the name
- name = notxml && jQuery.props[ name ] || name;
-
- // Only do all the following if this is a node (faster for style)
- // IE elem.getAttribute passes even for style
- if ( elem.tagName ) {
-
- // These attributes require special treatment
- var special = /href|src|style/.test( name );
-
- // Safari mis-reports the default selected property of a hidden option
- // Accessing the parent's selectedIndex property fixes it
- if ( name == "selected" && elem.parentNode )
- elem.parentNode.selectedIndex;
-
- // If applicable, access the attribute via the DOM 0 way
- if ( name in elem && notxml && !special ) {
- if ( set ){
- // We can't allow the type property to be changed (since it causes problems in IE)
- if ( name == "type" && jQuery.nodeName( elem, "input" ) && elem.parentNode )
- throw "type property can't be changed";
-
- elem[ name ] = value;
- }
-
- // browsers index elements by id/name on forms, give priority to attributes.
- if( jQuery.nodeName( elem, "form" ) && elem.getAttributeNode(name) )
- return elem.getAttributeNode( name ).nodeValue;
-
- // elem.tabIndex doesn't always return the correct value when it hasn't been explicitly set
- // http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/
- if ( name == "tabIndex" ) {
- var attributeNode = elem.getAttributeNode( "tabIndex" );
- return attributeNode && attributeNode.specified
- ? attributeNode.value
- : elem.nodeName.match(/(button|input|object|select|textarea)/i)
- ? 0
- : elem.nodeName.match(/^(a|area)$/i) && elem.href
- ? 0
- : undefined;
- }
-
- return elem[ name ];
- }
-
- if ( !jQuery.support.style && notxml && name == "style" )
- return jQuery.attr( elem.style, "cssText", value );
-
- if ( set )
- // convert the value to a string (all browsers do this but IE) see #1070
- elem.setAttribute( name, "" + value );
-
- var attr = !jQuery.support.hrefNormalized && notxml && special
- // Some attributes require a special call on IE
- ? elem.getAttribute( name, 2 )
- : elem.getAttribute( name );
-
- // Non-existent attributes return null, we normalize to undefined
- return attr === null ? undefined : attr;
- }
-
- // elem is actually elem.style ... set the style
-
- // IE uses filters for opacity
- if ( !jQuery.support.opacity && name == "opacity" ) {
- if ( set ) {
- // IE has trouble with opacity if it does not have layout
- // Force it by setting the zoom level
- elem.zoom = 1;
-
- // Set the alpha filter to set the opacity
- elem.filter = (elem.filter || "").replace( /alpha\([^)]*\)/, "" ) +
- (parseInt( value ) + '' == "NaN" ? "" : "alpha(opacity=" + value * 100 + ")");
- }
-
- return elem.filter && elem.filter.indexOf("opacity=") >= 0 ?
- (parseFloat( elem.filter.match(/opacity=([^)]*)/)[1] ) / 100) + '':
- "";
- }
-
- name = name.replace(/-([a-z])/ig, function(all, letter){
- return letter.toUpperCase();
- });
-
- if ( set )
- elem[ name ] = value;
-
- return elem[ name ];
- },
-
- trim: function( text ) {
- return (text || "").replace( /^\s+|\s+$/g, "" );
- },
-
- makeArray: function( array ) {
- var ret = [];
-
- if( array != null ){
- var i = array.length;
- // The window, strings (and functions) also have 'length'
- if( i == null || typeof array === "string" || jQuery.isFunction(array) || array.setInterval )
- ret[0] = array;
- else
- while( i )
- ret[--i] = array[i];
- }
-
- return ret;
- },
-
- inArray: function( elem, array ) {
- for ( var i = 0, length = array.length; i < length; i++ )
- // Use === because on IE, window == document
- if ( array[ i ] === elem )
- return i;
-
- return -1;
- },
-
- merge: function( first, second ) {
- // We have to loop this way because IE & Opera overwrite the length
- // expando of getElementsByTagName
- var i = 0, elem, pos = first.length;
- // Also, we need to make sure that the correct elements are being returned
- // (IE returns comment nodes in a '*' query)
- if ( !jQuery.support.getAll ) {
- while ( (elem = second[ i++ ]) != null )
- if ( elem.nodeType != 8 )
- first[ pos++ ] = elem;
-
- } else
- while ( (elem = second[ i++ ]) != null )
- first[ pos++ ] = elem;
-
- return first;
- },
-
- unique: function( array ) {
- var ret = [], done = {};
-
- try {
-
- for ( var i = 0, length = array.length; i < length; i++ ) {
- var id = jQuery.data( array[ i ] );
-
- if ( !done[ id ] ) {
- done[ id ] = true;
- ret.push( array[ i ] );
- }
- }
-
- } catch( e ) {
- ret = array;
- }
-
- return ret;
- },
-
- grep: function( elems, callback, inv ) {
- var ret = [];
-
- // Go through the array, only saving the items
- // that pass the validator function
- for ( var i = 0, length = elems.length; i < length; i++ )
- if ( !inv != !callback( elems[ i ], i ) )
- ret.push( elems[ i ] );
-
- return ret;
- },
-
- map: function( elems, callback ) {
- var ret = [];
-
- // Go through the array, translating each of the items to their
- // new value (or values).
- for ( var i = 0, length = elems.length; i < length; i++ ) {
- var value = callback( elems[ i ], i );
-
- if ( value != null )
- ret[ ret.length ] = value;
- }
-
- return ret.concat.apply( [], ret );
- }
-});
-
-// Use of jQuery.browser is deprecated.
-// It's included for backwards compatibility and plugins,
-// although they should work to migrate away.
-
-var userAgent = navigator.userAgent.toLowerCase();
-
-// Figure out what browser is being used
-jQuery.browser = {
- version: (userAgent.match( /.+(?:rv|it|ra|ie)[\/: ]([\d.]+)/ ) || [0,'0'])[1],
- safari: /webkit/.test( userAgent ),
- opera: /opera/.test( userAgent ),
- msie: /msie/.test( userAgent ) && !/opera/.test( userAgent ),
- mozilla: /mozilla/.test( userAgent ) && !/(compatible|webkit)/.test( userAgent )
-};
-
-jQuery.each({
- parent: function(elem){return elem.parentNode;},
- parents: function(elem){return jQuery.dir(elem,"parentNode");},
- next: function(elem){return jQuery.nth(elem,2,"nextSibling");},
- prev: function(elem){return jQuery.nth(elem,2,"previousSibling");},
- nextAll: function(elem){return jQuery.dir(elem,"nextSibling");},
- prevAll: function(elem){return jQuery.dir(elem,"previousSibling");},
- siblings: function(elem){return jQuery.sibling(elem.parentNode.firstChild,elem);},
- children: function(elem){return jQuery.sibling(elem.firstChild);},
- contents: function(elem){return jQuery.nodeName(elem,"iframe")?elem.contentDocument||elem.contentWindow.document:jQuery.makeArray(elem.childNodes);}
-}, function(name, fn){
- jQuery.fn[ name ] = function( selector ) {
- var ret = jQuery.map( this, fn );
-
- if ( selector && typeof selector == "string" )
- ret = jQuery.multiFilter( selector, ret );
-
- return this.pushStack( jQuery.unique( ret ), name, selector );
- };
-});
-
-jQuery.each({
- appendTo: "append",
- prependTo: "prepend",
- insertBefore: "before",
- insertAfter: "after",
- replaceAll: "replaceWith"
-}, function(name, original){
- jQuery.fn[ name ] = function( selector ) {
- var ret = [], insert = jQuery( selector );
-
- for ( var i = 0, l = insert.length; i < l; i++ ) {
- var elems = (i > 0 ? this.clone(true) : this).get();
- jQuery.fn[ original ].apply( jQuery(insert[i]), elems );
- ret = ret.concat( elems );
- }
-
- return this.pushStack( ret, name, selector );
- };
-});
-
-jQuery.each({
- removeAttr: function( name ) {
- jQuery.attr( this, name, "" );
- if (this.nodeType == 1)
- this.removeAttribute( name );
- },
-
- addClass: function( classNames ) {
- jQuery.className.add( this, classNames );
- },
-
- removeClass: function( classNames ) {
- jQuery.className.remove( this, classNames );
- },
-
- toggleClass: function( classNames, state ) {
- if( typeof state !== "boolean" )
- state = !jQuery.className.has( this, classNames );
- jQuery.className[ state ? "add" : "remove" ]( this, classNames );
- },
-
- remove: function( selector ) {
- if ( !selector || jQuery.filter( selector, [ this ] ).length ) {
- // Prevent memory leaks
- jQuery( "*", this ).add([this]).each(function(){
- jQuery.event.remove(this);
- jQuery.removeData(this);
- });
- if (this.parentNode)
- this.parentNode.removeChild( this );
- }
- },
-
- empty: function() {
- // Remove element nodes and prevent memory leaks
- jQuery(this).children().remove();
-
- // Remove any remaining nodes
- while ( this.firstChild )
- this.removeChild( this.firstChild );
- }
-}, function(name, fn){
- jQuery.fn[ name ] = function(){
- return this.each( fn, arguments );
- };
-});
-
-// Helper function used by the dimensions and offset modules
-function num(elem, prop) {
- return elem[0] && parseInt( jQuery.curCSS(elem[0], prop, true), 10 ) || 0;
-}
-var expando = "jQuery" + now(), uuid = 0, windowData = {};
-
-jQuery.extend({
- cache: {},
-
- data: function( elem, name, data ) {
- elem = elem == window ?
- windowData :
- elem;
-
- var id = elem[ expando ];
-
- // Compute a unique ID for the element
- if ( !id )
- id = elem[ expando ] = ++uuid;
-
- // Only generate the data cache if we're
- // trying to access or manipulate it
- if ( name && !jQuery.cache[ id ] )
- jQuery.cache[ id ] = {};
-
- // Prevent overriding the named cache with undefined values
- if ( data !== undefined )
- jQuery.cache[ id ][ name ] = data;
-
- // Return the named cache data, or the ID for the element
- return name ?
- jQuery.cache[ id ][ name ] :
- id;
- },
-
- removeData: function( elem, name ) {
- elem = elem == window ?
- windowData :
- elem;
-
- var id = elem[ expando ];
-
- // If we want to remove a specific section of the element's data
- if ( name ) {
- if ( jQuery.cache[ id ] ) {
- // Remove the section of cache data
- delete jQuery.cache[ id ][ name ];
-
- // If we've removed all the data, remove the element's cache
- name = "";
-
- for ( name in jQuery.cache[ id ] )
- break;
-
- if ( !name )
- jQuery.removeData( elem );
- }
-
- // Otherwise, we want to remove all of the element's data
- } else {
- // Clean up the element expando
- try {
- delete elem[ expando ];
- } catch(e){
- // IE has trouble directly removing the expando
- // but it's ok with using removeAttribute
- if ( elem.removeAttribute )
- elem.removeAttribute( expando );
- }
-
- // Completely remove the data cache
- delete jQuery.cache[ id ];
- }
- },
- queue: function( elem, type, data ) {
- if ( elem ){
-
- type = (type || "fx") + "queue";
-
- var q = jQuery.data( elem, type );
-
- if ( !q || jQuery.isArray(data) )
- q = jQuery.data( elem, type, jQuery.makeArray(data) );
- else if( data )
- q.push( data );
-
- }
- return q;
- },
-
- dequeue: function( elem, type ){
- var queue = jQuery.queue( elem, type ),
- fn = queue.shift();
-
- if( !type || type === "fx" )
- fn = queue[0];
-
- if( fn !== undefined )
- fn.call(elem);
- }
-});
-
-jQuery.fn.extend({
- data: function( key, value ){
- var parts = key.split(".");
- parts[1] = parts[1] ? "." + parts[1] : "";
-
- if ( value === undefined ) {
- var data = this.triggerHandler("getData" + parts[1] + "!", [parts[0]]);
-
- if ( data === undefined && this.length )
- data = jQuery.data( this[0], key );
-
- return data === undefined && parts[1] ?
- this.data( parts[0] ) :
- data;
- } else
- return this.trigger("setData" + parts[1] + "!", [parts[0], value]).each(function(){
- jQuery.data( this, key, value );
- });
- },
-
- removeData: function( key ){
- return this.each(function(){
- jQuery.removeData( this, key );
- });
- },
- queue: function(type, data){
- if ( typeof type !== "string" ) {
- data = type;
- type = "fx";
- }
-
- if ( data === undefined )
- return jQuery.queue( this[0], type );
-
- return this.each(function(){
- var queue = jQuery.queue( this, type, data );
-
- if( type == "fx" && queue.length == 1 )
- queue[0].call(this);
- });
- },
- dequeue: function(type){
- return this.each(function(){
- jQuery.dequeue( this, type );
- });
- }
-});/*!
- * Sizzle CSS Selector Engine - v0.9.3
- * Copyright 2009, The Dojo Foundation
- * Released under the MIT, BSD, and GPL Licenses.
- * More information: http://sizzlejs.com/
- */
-(function(){
-
-var chunker = /((?:\((?:\([^()]+\)|[^()]+)+\)|\[(?:\[[^[\]]*\]|['"][^'"]*['"]|[^[\]'"]+)+\]|\\.|[^ >+~,(\[\\]+)+|[>+~])(\s*,\s*)?/g,
- done = 0,
- toString = Object.prototype.toString;
-
-var Sizzle = function(selector, context, results, seed) {
- results = results || [];
- context = context || document;
-
- if ( context.nodeType !== 1 && context.nodeType !== 9 )
- return [];
-
- if ( !selector || typeof selector !== "string" ) {
- return results;
- }
-
- var parts = [], m, set, checkSet, check, mode, extra, prune = true;
-
- // Reset the position of the chunker regexp (start from head)
- chunker.lastIndex = 0;
-
- while ( (m = chunker.exec(selector)) !== null ) {
- parts.push( m[1] );
-
- if ( m[2] ) {
- extra = RegExp.rightContext;
- break;
- }
- }
-
- if ( parts.length > 1 && origPOS.exec( selector ) ) {
- if ( parts.length === 2 && Expr.relative[ parts[0] ] ) {
- set = posProcess( parts[0] + parts[1], context );
- } else {
- set = Expr.relative[ parts[0] ] ?
- [ context ] :
- Sizzle( parts.shift(), context );
-
- while ( parts.length ) {
- selector = parts.shift();
-
- if ( Expr.relative[ selector ] )
- selector += parts.shift();
-
- set = posProcess( selector, set );
- }
- }
- } else {
- var ret = seed ?
- { expr: parts.pop(), set: makeArray(seed) } :
- Sizzle.find( parts.pop(), parts.length === 1 && context.parentNode ? context.parentNode : context, isXML(context) );
- set = Sizzle.filter( ret.expr, ret.set );
-
- if ( parts.length > 0 ) {
- checkSet = makeArray(set);
- } else {
- prune = false;
- }
-
- while ( parts.length ) {
- var cur = parts.pop(), pop = cur;
-
- if ( !Expr.relative[ cur ] ) {
- cur = "";
- } else {
- pop = parts.pop();
- }
-
- if ( pop == null ) {
- pop = context;
- }
-
- Expr.relative[ cur ]( checkSet, pop, isXML(context) );
- }
- }
-
- if ( !checkSet ) {
- checkSet = set;
- }
-
- if ( !checkSet ) {
- throw "Syntax error, unrecognized expression: " + (cur || selector);
- }
-
- if ( toString.call(checkSet) === "[object Array]" ) {
- if ( !prune ) {
- results.push.apply( results, checkSet );
- } else if ( context.nodeType === 1 ) {
- for ( var i = 0; checkSet[i] != null; i++ ) {
- if ( checkSet[i] && (checkSet[i] === true || checkSet[i].nodeType === 1 && contains(context, checkSet[i])) ) {
- results.push( set[i] );
- }
- }
- } else {
- for ( var i = 0; checkSet[i] != null; i++ ) {
- if ( checkSet[i] && checkSet[i].nodeType === 1 ) {
- results.push( set[i] );
- }
- }
- }
- } else {
- makeArray( checkSet, results );
- }
-
- if ( extra ) {
- Sizzle( extra, context, results, seed );
-
- if ( sortOrder ) {
- hasDuplicate = false;
- results.sort(sortOrder);
-
- if ( hasDuplicate ) {
- for ( var i = 1; i < results.length; i++ ) {
- if ( results[i] === results[i-1] ) {
- results.splice(i--, 1);
- }
- }
- }
- }
- }
-
- return results;
-};
-
-Sizzle.matches = function(expr, set){
- return Sizzle(expr, null, null, set);
-};
-
-Sizzle.find = function(expr, context, isXML){
- var set, match;
-
- if ( !expr ) {
- return [];
- }
-
- for ( var i = 0, l = Expr.order.length; i < l; i++ ) {
- var type = Expr.order[i], match;
-
- if ( (match = Expr.match[ type ].exec( expr )) ) {
- var left = RegExp.leftContext;
-
- if ( left.substr( left.length - 1 ) !== "\\" ) {
- match[1] = (match[1] || "").replace(/\\/g, "");
- set = Expr.find[ type ]( match, context, isXML );
- if ( set != null ) {
- expr = expr.replace( Expr.match[ type ], "" );
- break;
- }
- }
- }
- }
-
- if ( !set ) {
- set = context.getElementsByTagName("*");
- }
-
- return {set: set, expr: expr};
-};
-
-Sizzle.filter = function(expr, set, inplace, not){
- var old = expr, result = [], curLoop = set, match, anyFound,
- isXMLFilter = set && set[0] && isXML(set[0]);
-
- while ( expr && set.length ) {
- for ( var type in Expr.filter ) {
- if ( (match = Expr.match[ type ].exec( expr )) != null ) {
- var filter = Expr.filter[ type ], found, item;
- anyFound = false;
-
- if ( curLoop == result ) {
- result = [];
- }
-
- if ( Expr.preFilter[ type ] ) {
- match = Expr.preFilter[ type ]( match, curLoop, inplace, result, not, isXMLFilter );
-
- if ( !match ) {
- anyFound = found = true;
- } else if ( match === true ) {
- continue;
- }
- }
-
- if ( match ) {
- for ( var i = 0; (item = curLoop[i]) != null; i++ ) {
- if ( item ) {
- found = filter( item, match, i, curLoop );
- var pass = not ^ !!found;
-
- if ( inplace && found != null ) {
- if ( pass ) {
- anyFound = true;
- } else {
- curLoop[i] = false;
- }
- } else if ( pass ) {
- result.push( item );
- anyFound = true;
- }
- }
- }
- }
-
- if ( found !== undefined ) {
- if ( !inplace ) {
- curLoop = result;
- }
-
- expr = expr.replace( Expr.match[ type ], "" );
-
- if ( !anyFound ) {
- return [];
- }
-
- break;
- }
- }
- }
-
- // Improper expression
- if ( expr == old ) {
- if ( anyFound == null ) {
- throw "Syntax error, unrecognized expression: " + expr;
- } else {
- break;
- }
- }
-
- old = expr;
- }
-
- return curLoop;
-};
-
-var Expr = Sizzle.selectors = {
- order: [ "ID", "NAME", "TAG" ],
- match: {
- ID: /#((?:[\w\u00c0-\uFFFF_-]|\\.)+)/,
- CLASS: /\.((?:[\w\u00c0-\uFFFF_-]|\\.)+)/,
- NAME: /\[name=['"]*((?:[\w\u00c0-\uFFFF_-]|\\.)+)['"]*\]/,
- ATTR: /\[\s*((?:[\w\u00c0-\uFFFF_-]|\\.)+)\s*(?:(\S?=)\s*(['"]*)(.*?)\3|)\s*\]/,
- TAG: /^((?:[\w\u00c0-\uFFFF\*_-]|\\.)+)/,
- CHILD: /:(only|nth|last|first)-child(?:\((even|odd|[\dn+-]*)\))?/,
- POS: /:(nth|eq|gt|lt|first|last|even|odd)(?:\((\d*)\))?(?=[^-]|$)/,
- PSEUDO: /:((?:[\w\u00c0-\uFFFF_-]|\\.)+)(?:\((['"]*)((?:\([^\)]+\)|[^\2\(\)]*)+)\2\))?/
- },
- attrMap: {
- "class": "className",
- "for": "htmlFor"
- },
- attrHandle: {
- href: function(elem){
- return elem.getAttribute("href");
- }
- },
- relative: {
- "+": function(checkSet, part, isXML){
- var isPartStr = typeof part === "string",
- isTag = isPartStr && !/\W/.test(part),
- isPartStrNotTag = isPartStr && !isTag;
-
- if ( isTag && !isXML ) {
- part = part.toUpperCase();
- }
-
- for ( var i = 0, l = checkSet.length, elem; i < l; i++ ) {
- if ( (elem = checkSet[i]) ) {
- while ( (elem = elem.previousSibling) && elem.nodeType !== 1 ) {}
-
- checkSet[i] = isPartStrNotTag || elem && elem.nodeName === part ?
- elem || false :
- elem === part;
- }
- }
-
- if ( isPartStrNotTag ) {
- Sizzle.filter( part, checkSet, true );
- }
- },
- ">": function(checkSet, part, isXML){
- var isPartStr = typeof part === "string";
-
- if ( isPartStr && !/\W/.test(part) ) {
- part = isXML ? part : part.toUpperCase();
-
- for ( var i = 0, l = checkSet.length; i < l; i++ ) {
- var elem = checkSet[i];
- if ( elem ) {
- var parent = elem.parentNode;
- checkSet[i] = parent.nodeName === part ? parent : false;
- }
- }
- } else {
- for ( var i = 0, l = checkSet.length; i < l; i++ ) {
- var elem = checkSet[i];
- if ( elem ) {
- checkSet[i] = isPartStr ?
- elem.parentNode :
- elem.parentNode === part;
- }
- }
-
- if ( isPartStr ) {
- Sizzle.filter( part, checkSet, true );
- }
- }
- },
- "": function(checkSet, part, isXML){
- var doneName = done++, checkFn = dirCheck;
-
- if ( !part.match(/\W/) ) {
- var nodeCheck = part = isXML ? part : part.toUpperCase();
- checkFn = dirNodeCheck;
- }
-
- checkFn("parentNode", part, doneName, checkSet, nodeCheck, isXML);
- },
- "~": function(checkSet, part, isXML){
- var doneName = done++, checkFn = dirCheck;
-
- if ( typeof part === "string" && !part.match(/\W/) ) {
- var nodeCheck = part = isXML ? part : part.toUpperCase();
- checkFn = dirNodeCheck;
- }
-
- checkFn("previousSibling", part, doneName, checkSet, nodeCheck, isXML);
- }
- },
- find: {
- ID: function(match, context, isXML){
- if ( typeof context.getElementById !== "undefined" && !isXML ) {
- var m = context.getElementById(match[1]);
- return m ? [m] : [];
- }
- },
- NAME: function(match, context, isXML){
- if ( typeof context.getElementsByName !== "undefined" ) {
- var ret = [], results = context.getElementsByName(match[1]);
-
- for ( var i = 0, l = results.length; i < l; i++ ) {
- if ( results[i].getAttribute("name") === match[1] ) {
- ret.push( results[i] );
- }
- }
-
- return ret.length === 0 ? null : ret;
- }
- },
- TAG: function(match, context){
- return context.getElementsByTagName(match[1]);
- }
- },
- preFilter: {
- CLASS: function(match, curLoop, inplace, result, not, isXML){
- match = " " + match[1].replace(/\\/g, "") + " ";
-
- if ( isXML ) {
- return match;
- }
-
- for ( var i = 0, elem; (elem = curLoop[i]) != null; i++ ) {
- if ( elem ) {
- if ( not ^ (elem.className && (" " + elem.className + " ").indexOf(match) >= 0) ) {
- if ( !inplace )
- result.push( elem );
- } else if ( inplace ) {
- curLoop[i] = false;
- }
- }
- }
-
- return false;
- },
- ID: function(match){
- return match[1].replace(/\\/g, "");
- },
- TAG: function(match, curLoop){
- for ( var i = 0; curLoop[i] === false; i++ ){}
- return curLoop[i] && isXML(curLoop[i]) ? match[1] : match[1].toUpperCase();
- },
- CHILD: function(match){
- if ( match[1] == "nth" ) {
- // parse equations like 'even', 'odd', '5', '2n', '3n+2', '4n-1', '-n+6'
- var test = /(-?)(\d*)n((?:\+|-)?\d*)/.exec(
- match[2] == "even" && "2n" || match[2] == "odd" && "2n+1" ||
- !/\D/.test( match[2] ) && "0n+" + match[2] || match[2]);
-
- // calculate the numbers (first)n+(last) including if they are negative
- match[2] = (test[1] + (test[2] || 1)) - 0;
- match[3] = test[3] - 0;
- }
-
- // TODO: Move to normal caching system
- match[0] = done++;
-
- return match;
- },
- ATTR: function(match, curLoop, inplace, result, not, isXML){
- var name = match[1].replace(/\\/g, "");
-
- if ( !isXML && Expr.attrMap[name] ) {
- match[1] = Expr.attrMap[name];
- }
-
- if ( match[2] === "~=" ) {
- match[4] = " " + match[4] + " ";
- }
-
- return match;
- },
- PSEUDO: function(match, curLoop, inplace, result, not){
- if ( match[1] === "not" ) {
- // If we're dealing with a complex expression, or a simple one
- if ( match[3].match(chunker).length > 1 || /^\w/.test(match[3]) ) {
- match[3] = Sizzle(match[3], null, null, curLoop);
- } else {
- var ret = Sizzle.filter(match[3], curLoop, inplace, true ^ not);
- if ( !inplace ) {
- result.push.apply( result, ret );
- }
- return false;
- }
- } else if ( Expr.match.POS.test( match[0] ) || Expr.match.CHILD.test( match[0] ) ) {
- return true;
- }
-
- return match;
- },
- POS: function(match){
- match.unshift( true );
- return match;
- }
- },
- filters: {
- enabled: function(elem){
- return elem.disabled === false && elem.type !== "hidden";
- },
- disabled: function(elem){
- return elem.disabled === true;
- },
- checked: function(elem){
- return elem.checked === true;
- },
- selected: function(elem){
- // Accessing this property makes selected-by-default
- // options in Safari work properly
- elem.parentNode.selectedIndex;
- return elem.selected === true;
- },
- parent: function(elem){
- return !!elem.firstChild;
- },
- empty: function(elem){
- return !elem.firstChild;
- },
- has: function(elem, i, match){
- return !!Sizzle( match[3], elem ).length;
- },
- header: function(elem){
- return /h\d/i.test( elem.nodeName );
- },
- text: function(elem){
- return "text" === elem.type;
- },
- radio: function(elem){
- return "radio" === elem.type;
- },
- checkbox: function(elem){
- return "checkbox" === elem.type;
- },
- file: function(elem){
- return "file" === elem.type;
- },
- password: function(elem){
- return "password" === elem.type;
- },
- submit: function(elem){
- return "submit" === elem.type;
- },
- image: function(elem){
- return "image" === elem.type;
- },
- reset: function(elem){
- return "reset" === elem.type;
- },
- button: function(elem){
- return "button" === elem.type || elem.nodeName.toUpperCase() === "BUTTON";
- },
- input: function(elem){
- return /input|select|textarea|button/i.test(elem.nodeName);
- }
- },
- setFilters: {
- first: function(elem, i){
- return i === 0;
- },
- last: function(elem, i, match, array){
- return i === array.length - 1;
- },
- even: function(elem, i){
- return i % 2 === 0;
- },
- odd: function(elem, i){
- return i % 2 === 1;
- },
- lt: function(elem, i, match){
- return i < match[3] - 0;
- },
- gt: function(elem, i, match){
- return i > match[3] - 0;
- },
- nth: function(elem, i, match){
- return match[3] - 0 == i;
- },
- eq: function(elem, i, match){
- return match[3] - 0 == i;
- }
- },
- filter: {
- PSEUDO: function(elem, match, i, array){
- var name = match[1], filter = Expr.filters[ name ];
-
- if ( filter ) {
- return filter( elem, i, match, array );
- } else if ( name === "contains" ) {
- return (elem.textContent || elem.innerText || "").indexOf(match[3]) >= 0;
- } else if ( name === "not" ) {
- var not = match[3];
-
- for ( var i = 0, l = not.length; i < l; i++ ) {
- if ( not[i] === elem ) {
- return false;
- }
- }
-
- return true;
- }
- },
- CHILD: function(elem, match){
- var type = match[1], node = elem;
- switch (type) {
- case 'only':
- case 'first':
- while (node = node.previousSibling) {
- if ( node.nodeType === 1 ) return false;
- }
- if ( type == 'first') return true;
- node = elem;
- case 'last':
- while (node = node.nextSibling) {
- if ( node.nodeType === 1 ) return false;
- }
- return true;
- case 'nth':
- var first = match[2], last = match[3];
-
- if ( first == 1 && last == 0 ) {
- return true;
- }
-
- var doneName = match[0],
- parent = elem.parentNode;
-
- if ( parent && (parent.sizcache !== doneName || !elem.nodeIndex) ) {
- var count = 0;
- for ( node = parent.firstChild; node; node = node.nextSibling ) {
- if ( node.nodeType === 1 ) {
- node.nodeIndex = ++count;
- }
- }
- parent.sizcache = doneName;
- }
-
- var diff = elem.nodeIndex - last;
- if ( first == 0 ) {
- return diff == 0;
- } else {
- return ( diff % first == 0 && diff / first >= 0 );
- }
- }
- },
- ID: function(elem, match){
- return elem.nodeType === 1 && elem.getAttribute("id") === match;
- },
- TAG: function(elem, match){
- return (match === "*" && elem.nodeType === 1) || elem.nodeName === match;
- },
- CLASS: function(elem, match){
- return (" " + (elem.className || elem.getAttribute("class")) + " ")
- .indexOf( match ) > -1;
- },
- ATTR: function(elem, match){
- var name = match[1],
- result = Expr.attrHandle[ name ] ?
- Expr.attrHandle[ name ]( elem ) :
- elem[ name ] != null ?
- elem[ name ] :
- elem.getAttribute( name ),
- value = result + "",
- type = match[2],
- check = match[4];
-
- return result == null ?
- type === "!=" :
- type === "=" ?
- value === check :
- type === "*=" ?
- value.indexOf(check) >= 0 :
- type === "~=" ?
- (" " + value + " ").indexOf(check) >= 0 :
- !check ?
- value && result !== false :
- type === "!=" ?
- value != check :
- type === "^=" ?
- value.indexOf(check) === 0 :
- type === "$=" ?
- value.substr(value.length - check.length) === check :
- type === "|=" ?
- value === check || value.substr(0, check.length + 1) === check + "-" :
- false;
- },
- POS: function(elem, match, i, array){
- var name = match[2], filter = Expr.setFilters[ name ];
-
- if ( filter ) {
- return filter( elem, i, match, array );
- }
- }
- }
-};
-
-var origPOS = Expr.match.POS;
-
-for ( var type in Expr.match ) {
- Expr.match[ type ] = RegExp( Expr.match[ type ].source + /(?![^\[]*\])(?![^\(]*\))/.source );
-}
-
-var makeArray = function(array, results) {
- array = Array.prototype.slice.call( array );
-
- if ( results ) {
- results.push.apply( results, array );
- return results;
- }
-
- return array;
-};
-
-// Perform a simple check to determine if the browser is capable of
-// converting a NodeList to an array using builtin methods.
-try {
- Array.prototype.slice.call( document.documentElement.childNodes );
-
-// Provide a fallback method if it does not work
-} catch(e){
- makeArray = function(array, results) {
- var ret = results || [];
-
- if ( toString.call(array) === "[object Array]" ) {
- Array.prototype.push.apply( ret, array );
- } else {
- if ( typeof array.length === "number" ) {
- for ( var i = 0, l = array.length; i < l; i++ ) {
- ret.push( array[i] );
- }
- } else {
- for ( var i = 0; array[i]; i++ ) {
- ret.push( array[i] );
- }
- }
- }
-
- return ret;
- };
-}
-
-var sortOrder;
-
-if ( document.documentElement.compareDocumentPosition ) {
- sortOrder = function( a, b ) {
- var ret = a.compareDocumentPosition(b) & 4 ? -1 : a === b ? 0 : 1;
- if ( ret === 0 ) {
- hasDuplicate = true;
- }
- return ret;
- };
-} else if ( "sourceIndex" in document.documentElement ) {
- sortOrder = function( a, b ) {
- var ret = a.sourceIndex - b.sourceIndex;
- if ( ret === 0 ) {
- hasDuplicate = true;
- }
- return ret;
- };
-} else if ( document.createRange ) {
- sortOrder = function( a, b ) {
- var aRange = a.ownerDocument.createRange(), bRange = b.ownerDocument.createRange();
- aRange.selectNode(a);
- aRange.collapse(true);
- bRange.selectNode(b);
- bRange.collapse(true);
- var ret = aRange.compareBoundaryPoints(Range.START_TO_END, bRange);
- if ( ret === 0 ) {
- hasDuplicate = true;
- }
- return ret;
- };
-}
-
-// Check to see if the browser returns elements by name when
-// querying by getElementById (and provide a workaround)
-(function(){
- // We're going to inject a fake input element with a specified name
- var form = document.createElement("form"),
- id = "script" + (new Date).getTime();
- form.innerHTML = "<input name='" + id + "'/>";
-
- // Inject it into the root element, check its status, and remove it quickly
- var root = document.documentElement;
- root.insertBefore( form, root.firstChild );
-
- // The workaround has to do additional checks after a getElementById
- // Which slows things down for other browsers (hence the branching)
- if ( !!document.getElementById( id ) ) {
- Expr.find.ID = function(match, context, isXML){
- if ( typeof context.getElementById !== "undefined" && !isXML ) {
- var m = context.getElementById(match[1]);
- return m ? m.id === match[1] || typeof m.getAttributeNode !== "undefined" && m.getAttributeNode("id").nodeValue === match[1] ? [m] : undefined : [];
- }
- };
-
- Expr.filter.ID = function(elem, match){
- var node = typeof elem.getAttributeNode !== "undefined" && elem.getAttributeNode("id");
- return elem.nodeType === 1 && node && node.nodeValue === match;
- };
- }
-
- root.removeChild( form );
-})();
-
-(function(){
- // Check to see if the browser returns only elements
- // when doing getElementsByTagName("*")
-
- // Create a fake element
- var div = document.createElement("div");
- div.appendChild( document.createComment("") );
-
- // Make sure no comments are found
- if ( div.getElementsByTagName("*").length > 0 ) {
- Expr.find.TAG = function(match, context){
- var results = context.getElementsByTagName(match[1]);
-
- // Filter out possible comments
- if ( match[1] === "*" ) {
- var tmp = [];
-
- for ( var i = 0; results[i]; i++ ) {
- if ( results[i].nodeType === 1 ) {
- tmp.push( results[i] );
- }
- }
-
- results = tmp;
- }
-
- return results;
- };
- }
-
- // Check to see if an attribute returns normalized href attributes
- div.innerHTML = "<a href='#'></a>";
- if ( div.firstChild && typeof div.firstChild.getAttribute !== "undefined" &&
- div.firstChild.getAttribute("href") !== "#" ) {
- Expr.attrHandle.href = function(elem){
- return elem.getAttribute("href", 2);
- };
- }
-})();
-
-if ( document.querySelectorAll ) (function(){
- var oldSizzle = Sizzle, div = document.createElement("div");
- div.innerHTML = "<p class='TEST'></p>";
-
- // Safari can't handle uppercase or unicode characters when
- // in quirks mode.
- if ( div.querySelectorAll && div.querySelectorAll(".TEST").length === 0 ) {
- return;
- }
-
- Sizzle = function(query, context, extra, seed){
- context = context || document;
-
- // Only use querySelectorAll on non-XML documents
- // (ID selectors don't work in non-HTML documents)
- if ( !seed && context.nodeType === 9 && !isXML(context) ) {
- try {
- return makeArray( context.querySelectorAll(query), extra );
- } catch(e){}
- }
-
- return oldSizzle(query, context, extra, seed);
- };
-
- Sizzle.find = oldSizzle.find;
- Sizzle.filter = oldSizzle.filter;
- Sizzle.selectors = oldSizzle.selectors;
- Sizzle.matches = oldSizzle.matches;
-})();
-
-if ( document.getElementsByClassName && document.documentElement.getElementsByClassName ) (function(){
- var div = document.createElement("div");
- div.innerHTML = "<div class='test e'></div><div class='test'></div>";
-
- // Opera can't find a second classname (in 9.6)
- if ( div.getElementsByClassName("e").length === 0 )
- return;
-
- // Safari caches class attributes, doesn't catch changes (in 3.2)
- div.lastChild.className = "e";
-
- if ( div.getElementsByClassName("e").length === 1 )
- return;
-
- Expr.order.splice(1, 0, "CLASS");
- Expr.find.CLASS = function(match, context, isXML) {
- if ( typeof context.getElementsByClassName !== "undefined" && !isXML ) {
- return context.getElementsByClassName(match[1]);
- }
- };
-})();
-
-function dirNodeCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) {
- var sibDir = dir == "previousSibling" && !isXML;
- for ( var i = 0, l = checkSet.length; i < l; i++ ) {
- var elem = checkSet[i];
- if ( elem ) {
- if ( sibDir && elem.nodeType === 1 ){
- elem.sizcache = doneName;
- elem.sizset = i;
- }
- elem = elem[dir];
- var match = false;
-
- while ( elem ) {
- if ( elem.sizcache === doneName ) {
- match = checkSet[elem.sizset];
- break;
- }
-
- if ( elem.nodeType === 1 && !isXML ){
- elem.sizcache = doneName;
- elem.sizset = i;
- }
-
- if ( elem.nodeName === cur ) {
- match = elem;
- break;
- }
-
- elem = elem[dir];
- }
-
- checkSet[i] = match;
- }
- }
-}
-
-function dirCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) {
- var sibDir = dir == "previousSibling" && !isXML;
- for ( var i = 0, l = checkSet.length; i < l; i++ ) {
- var elem = checkSet[i];
- if ( elem ) {
- if ( sibDir && elem.nodeType === 1 ) {
- elem.sizcache = doneName;
- elem.sizset = i;
- }
- elem = elem[dir];
- var match = false;
-
- while ( elem ) {
- if ( elem.sizcache === doneName ) {
- match = checkSet[elem.sizset];
- break;
- }
-
- if ( elem.nodeType === 1 ) {
- if ( !isXML ) {
- elem.sizcache = doneName;
- elem.sizset = i;
- }
- if ( typeof cur !== "string" ) {
- if ( elem === cur ) {
- match = true;
- break;
- }
-
- } else if ( Sizzle.filter( cur, [elem] ).length > 0 ) {
- match = elem;
- break;
- }
- }
-
- elem = elem[dir];
- }
-
- checkSet[i] = match;
- }
- }
-}
-
-var contains = document.compareDocumentPosition ? function(a, b){
- return a.compareDocumentPosition(b) & 16;
-} : function(a, b){
- return a !== b && (a.contains ? a.contains(b) : true);
-};
-
-var isXML = function(elem){
- return elem.nodeType === 9 && elem.documentElement.nodeName !== "HTML" ||
- !!elem.ownerDocument && isXML( elem.ownerDocument );
-};
-
-var posProcess = function(selector, context){
- var tmpSet = [], later = "", match,
- root = context.nodeType ? [context] : context;
-
- // Position selectors must be done after the filter
- // And so must :not(positional) so we move all PSEUDOs to the end
- while ( (match = Expr.match.PSEUDO.exec( selector )) ) {
- later += match[0];
- selector = selector.replace( Expr.match.PSEUDO, "" );
- }
-
- selector = Expr.relative[selector] ? selector + "*" : selector;
-
- for ( var i = 0, l = root.length; i < l; i++ ) {
- Sizzle( selector, root[i], tmpSet );
- }
-
- return Sizzle.filter( later, tmpSet );
-};
-
-// EXPOSE
-jQuery.find = Sizzle;
-jQuery.filter = Sizzle.filter;
-jQuery.expr = Sizzle.selectors;
-jQuery.expr[":"] = jQuery.expr.filters;
-
-Sizzle.selectors.filters.hidden = function(elem){
- return elem.offsetWidth === 0 || elem.offsetHeight === 0;
-};
-
-Sizzle.selectors.filters.visible = function(elem){
- return elem.offsetWidth > 0 || elem.offsetHeight > 0;
-};
-
-Sizzle.selectors.filters.animated = function(elem){
- return jQuery.grep(jQuery.timers, function(fn){
- return elem === fn.elem;
- }).length;
-};
-
-jQuery.multiFilter = function( expr, elems, not ) {
- if ( not ) {
- expr = ":not(" + expr + ")";
- }
-
- return Sizzle.matches(expr, elems);
-};
-
-jQuery.dir = function( elem, dir ){
- var matched = [], cur = elem[dir];
- while ( cur && cur != document ) {
- if ( cur.nodeType == 1 )
- matched.push( cur );
- cur = cur[dir];
- }
- return matched;
-};
-
-jQuery.nth = function(cur, result, dir, elem){
- result = result || 1;
- var num = 0;
-
- for ( ; cur; cur = cur[dir] )
- if ( cur.nodeType == 1 && ++num == result )
- break;
-
- return cur;
-};
-
-jQuery.sibling = function(n, elem){
- var r = [];
-
- for ( ; n; n = n.nextSibling ) {
- if ( n.nodeType == 1 && n != elem )
- r.push( n );
- }
-
- return r;
-};
-
-return;
-
-window.Sizzle = Sizzle;
-
-})();
-/*
- * A number of helper functions used for managing events.
- * Many of the ideas behind this code originated from
- * Dean Edwards' addEvent library.
- */
-jQuery.event = {
-
- // Bind an event to an element
- // Original by Dean Edwards
- add: function(elem, types, handler, data) {
- if ( elem.nodeType == 3 || elem.nodeType == 8 )
- return;
-
- // For whatever reason, IE has trouble passing the window object
- // around, causing it to be cloned in the process
- if ( elem.setInterval && elem != window )
- elem = window;
-
- // Make sure that the function being executed has a unique ID
- if ( !handler.guid )
- handler.guid = this.guid++;
-
- // if data is passed, bind to handler
- if ( data !== undefined ) {
- // Create temporary function pointer to original handler
- var fn = handler;
-
- // Create unique handler function, wrapped around original handler
- handler = this.proxy( fn );
-
- // Store data in unique handler
- handler.data = data;
- }
-
- // Init the element's event structure
- var events = jQuery.data(elem, "events") || jQuery.data(elem, "events", {}),
- handle = jQuery.data(elem, "handle") || jQuery.data(elem, "handle", function(){
- // Handle the second event of a trigger and when
- // an event is called after a page has unloaded
- return typeof jQuery !== "undefined" && !jQuery.event.triggered ?
- jQuery.event.handle.apply(arguments.callee.elem, arguments) :
- undefined;
- });
- // Add elem as a property of the handle function
- // This is to prevent a memory leak with non-native
- // event in IE.
- handle.elem = elem;
-
- // Handle multiple events separated by a space
- // jQuery(...).bind("mouseover mouseout", fn);
- jQuery.each(types.split(/\s+/), function(index, type) {
- // Namespaced event handlers
- var namespaces = type.split(".");
- type = namespaces.shift();
- handler.type = namespaces.slice().sort().join(".");
-
- // Get the current list of functions bound to this event
- var handlers = events[type];
-
- if ( jQuery.event.specialAll[type] )
- jQuery.event.specialAll[type].setup.call(elem, data, namespaces);
-
- // Init the event handler queue
- if (!handlers) {
- handlers = events[type] = {};
-
- // Check for a special event handler
- // Only use addEventListener/attachEvent if the special
- // events handler returns false
- if ( !jQuery.event.special[type] || jQuery.event.special[type].setup.call(elem, data, namespaces) === false ) {
- // Bind the global event handler to the element
- if (elem.addEventListener)
- elem.addEventListener(type, handle, false);
- else if (elem.attachEvent)
- elem.attachEvent("on" + type, handle);
- }
- }
-
- // Add the function to the element's handler list
- handlers[handler.guid] = handler;
-
- // Keep track of which events have been used, for global triggering
- jQuery.event.global[type] = true;
- });
-
- // Nullify elem to prevent memory leaks in IE
- elem = null;
- },
-
- guid: 1,
- global: {},
-
- // Detach an event or set of events from an element
- remove: function(elem, types, handler) {
- // don't do events on text and comment nodes
- if ( elem.nodeType == 3 || elem.nodeType == 8 )
- return;
-
- var events = jQuery.data(elem, "events"), ret, index;
-
- if ( events ) {
- // Unbind all events for the element
- if ( types === undefined || (typeof types === "string" && types.charAt(0) == ".") )
- for ( var type in events )
- this.remove( elem, type + (types || "") );
- else {
- // types is actually an event object here
- if ( types.type ) {
- handler = types.handler;
- types = types.type;
- }
-
- // Handle multiple events seperated by a space
- // jQuery(...).unbind("mouseover mouseout", fn);
- jQuery.each(types.split(/\s+/), function(index, type){
- // Namespaced event handlers
- var namespaces = type.split(".");
- type = namespaces.shift();
- var namespace = RegExp("(^|\\.)" + namespaces.slice().sort().join(".*\\.") + "(\\.|$)");
-
- if ( events[type] ) {
- // remove the given handler for the given type
- if ( handler )
- delete events[type][handler.guid];
-
- // remove all handlers for the given type
- else
- for ( var handle in events[type] )
- // Handle the removal of namespaced events
- if ( namespace.test(events[type][handle].type) )
- delete events[type][handle];
-
- if ( jQuery.event.specialAll[type] )
- jQuery.event.specialAll[type].teardown.call(elem, namespaces);
-
- // remove generic event handler if no more handlers exist
- for ( ret in events[type] ) break;
- if ( !ret ) {
- if ( !jQuery.event.special[type] || jQuery.event.special[type].teardown.call(elem, namespaces) === false ) {
- if (elem.removeEventListener)
- elem.removeEventListener(type, jQuery.data(elem, "handle"), false);
- else if (elem.detachEvent)
- elem.detachEvent("on" + type, jQuery.data(elem, "handle"));
- }
- ret = null;
- delete events[type];
- }
- }
- });
- }
-
- // Remove the expando if it's no longer used
- for ( ret in events ) break;
- if ( !ret ) {
- var handle = jQuery.data( elem, "handle" );
- if ( handle ) handle.elem = null;
- jQuery.removeData( elem, "events" );
- jQuery.removeData( elem, "handle" );
- }
- }
- },
-
- // bubbling is internal
- trigger: function( event, data, elem, bubbling ) {
- // Event object or event type
- var type = event.type || event;
-
- if( !bubbling ){
- event = typeof event === "object" ?
- // jQuery.Event object
- event[expando] ? event :
- // Object literal
- jQuery.extend( jQuery.Event(type), event ) :
- // Just the event type (string)
- jQuery.Event(type);
-
- if ( type.indexOf("!") >= 0 ) {
- event.type = type = type.slice(0, -1);
- event.exclusive = true;
- }
-
- // Handle a global trigger
- if ( !elem ) {
- // Don't bubble custom events when global (to avoid too much overhead)
- event.stopPropagation();
- // Only trigger if we've ever bound an event for it
- if ( this.global[type] )
- jQuery.each( jQuery.cache, function(){
- if ( this.events && this.events[type] )
- jQuery.event.trigger( event, data, this.handle.elem );
- });
- }
-
- // Handle triggering a single element
-
- // don't do events on text and comment nodes
- if ( !elem || elem.nodeType == 3 || elem.nodeType == 8 )
- return undefined;
-
- // Clean up in case it is reused
- event.result = undefined;
- event.target = elem;
-
- // Clone the incoming data, if any
- data = jQuery.makeArray(data);
- data.unshift( event );
- }
-
- event.currentTarget = elem;
-
- // Trigger the event, it is assumed that "handle" is a function
- var handle = jQuery.data(elem, "handle");
- if ( handle )
- handle.apply( elem, data );
-
- // Handle triggering native .onfoo handlers (and on links since we don't call .click() for links)
- if ( (!elem[type] || (jQuery.nodeName(elem, 'a') && type == "click")) && elem["on"+type] && elem["on"+type].apply( elem, data ) === false )
- event.result = false;
-
- // Trigger the native events (except for clicks on links)
- if ( !bubbling && elem[type] && !event.isDefaultPrevented() && !(jQuery.nodeName(elem, 'a') && type == "click") ) {
- this.triggered = true;
- try {
- elem[ type ]();
- // prevent IE from throwing an error for some hidden elements
- } catch (e) {}
- }
-
- this.triggered = false;
-
- if ( !event.isPropagationStopped() ) {
- var parent = elem.parentNode || elem.ownerDocument;
- if ( parent )
- jQuery.event.trigger(event, data, parent, true);
- }
- },
-
- handle: function(event) {
- // returned undefined or false
- var all, handlers;
-
- event = arguments[0] = jQuery.event.fix( event || window.event );
- event.currentTarget = this;
-
- // Namespaced event handlers
- var namespaces = event.type.split(".");
- event.type = namespaces.shift();
-
- // Cache this now, all = true means, any handler
- all = !namespaces.length && !event.exclusive;
-
- var namespace = RegExp("(^|\\.)" + namespaces.slice().sort().join(".*\\.") + "(\\.|$)");
-
- handlers = ( jQuery.data(this, "events") || {} )[event.type];
-
- for ( var j in handlers ) {
- var handler = handlers[j];
-
- // Filter the functions by class
- if ( all || namespace.test(handler.type) ) {
- // Pass in a reference to the handler function itself
- // So that we can later remove it
- event.handler = handler;
- event.data = handler.data;
-
- var ret = handler.apply(this, arguments);
-
- if( ret !== undefined ){
- event.result = ret;
- if ( ret === false ) {
- event.preventDefault();
- event.stopPropagation();
- }
- }
-
- if( event.isImmediatePropagationStopped() )
- break;
-
- }
- }
- },
-
- props: "altKey attrChange attrName bubbles button cancelable charCode clientX clientY ctrlKey currentTarget data detail eventPhase fromElement handler keyCode metaKey newValue originalTarget pageX pageY prevValue relatedNode relatedTarget screenX screenY shiftKey srcElement target toElement view wheelDelta which".split(" "),
-
- fix: function(event) {
- if ( event[expando] )
- return event;
-
- // store a copy of the original event object
- // and "clone" to set read-only properties
- var originalEvent = event;
- event = jQuery.Event( originalEvent );
-
- for ( var i = this.props.length, prop; i; ){
- prop = this.props[ --i ];
- event[ prop ] = originalEvent[ prop ];
- }
-
- // Fix target property, if necessary
- if ( !event.target )
- event.target = event.srcElement || document; // Fixes #1925 where srcElement might not be defined either
-
- // check if target is a textnode (safari)
- if ( event.target.nodeType == 3 )
- event.target = event.target.parentNode;
-
- // Add relatedTarget, if necessary
- if ( !event.relatedTarget && event.fromElement )
- event.relatedTarget = event.fromElement == event.target ? event.toElement : event.fromElement;
-
- // Calculate pageX/Y if missing and clientX/Y available
- if ( event.pageX == null && event.clientX != null ) {
- var doc = document.documentElement, body = document.body;
- event.pageX = event.clientX + (doc && doc.scrollLeft || body && body.scrollLeft || 0) - (doc.clientLeft || 0);
- event.pageY = event.clientY + (doc && doc.scrollTop || body && body.scrollTop || 0) - (doc.clientTop || 0);
- }
-
- // Add which for key events
- if ( !event.which && ((event.charCode || event.charCode === 0) ? event.charCode : event.keyCode) )
- event.which = event.charCode || event.keyCode;
-
- // Add metaKey to non-Mac browsers (use ctrl for PC's and Meta for Macs)
- if ( !event.metaKey && event.ctrlKey )
- event.metaKey = event.ctrlKey;
-
- // Add which for click: 1 == left; 2 == middle; 3 == right
- // Note: button is not normalized, so don't use it
- if ( !event.which && event.button )
- event.which = (event.button & 1 ? 1 : ( event.button & 2 ? 3 : ( event.button & 4 ? 2 : 0 ) ));
-
- return event;
- },
-
- proxy: function( fn, proxy ){
- proxy = proxy || function(){ return fn.apply(this, arguments); };
- // Set the guid of unique handler to the same of original handler, so it can be removed
- proxy.guid = fn.guid = fn.guid || proxy.guid || this.guid++;
- // So proxy can be declared as an argument
- return proxy;
- },
-
- special: {
- ready: {
- // Make sure the ready event is setup
- setup: bindReady,
- teardown: function() {}
- }
- },
-
- specialAll: {
- live: {
- setup: function( selector, namespaces ){
- jQuery.event.add( this, namespaces[0], liveHandler );
- },
- teardown: function( namespaces ){
- if ( namespaces.length ) {
- var remove = 0, name = RegExp("(^|\\.)" + namespaces[0] + "(\\.|$)");
-
- jQuery.each( (jQuery.data(this, "events").live || {}), function(){
- if ( name.test(this.type) )
- remove++;
- });
-
- if ( remove < 1 )
- jQuery.event.remove( this, namespaces[0], liveHandler );
- }
- }
- }
- }
-};
-
-jQuery.Event = function( src ){
- // Allow instantiation without the 'new' keyword
- if( !this.preventDefault )
- return new jQuery.Event(src);
-
- // Event object
- if( src && src.type ){
- this.originalEvent = src;
- this.type = src.type;
- // Event type
- }else
- this.type = src;
-
- // timeStamp is buggy for some events on Firefox(#3843)
- // So we won't rely on the native value
- this.timeStamp = now();
-
- // Mark it as fixed
- this[expando] = true;
-};
-
-function returnFalse(){
- return false;
-}
-function returnTrue(){
- return true;
-}
-
-// jQuery.Event is based on DOM3 Events as specified by the ECMAScript Language Binding
-// http://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html
-jQuery.Event.prototype = {
- preventDefault: function() {
- this.isDefaultPrevented = returnTrue;
-
- var e = this.originalEvent;
- if( !e )
- return;
- // if preventDefault exists run it on the original event
- if (e.preventDefault)
- e.preventDefault();
- // otherwise set the returnValue property of the original event to false (IE)
- e.returnValue = false;
- },
- stopPropagation: function() {
- this.isPropagationStopped = returnTrue;
-
- var e = this.originalEvent;
- if( !e )
- return;
- // if stopPropagation exists run it on the original event
- if (e.stopPropagation)
- e.stopPropagation();
- // otherwise set the cancelBubble property of the original event to true (IE)
- e.cancelBubble = true;
- },
- stopImmediatePropagation:function(){
- this.isImmediatePropagationStopped = returnTrue;
- this.stopPropagation();
- },
- isDefaultPrevented: returnFalse,
- isPropagationStopped: returnFalse,
- isImmediatePropagationStopped: returnFalse
-};
-// Checks if an event happened on an element within another element
-// Used in jQuery.event.special.mouseenter and mouseleave handlers
-var withinElement = function(event) {
- // Check if mouse(over|out) are still within the same parent element
- var parent = event.relatedTarget;
- // Traverse up the tree
- while ( parent && parent != this )
- try { parent = parent.parentNode; }
- catch(e) { parent = this; }
-
- if( parent != this ){
- // set the correct event type
- event.type = event.data;
- // handle event if we actually just moused on to a non sub-element
- jQuery.event.handle.apply( this, arguments );
- }
-};
-
-jQuery.each({
- mouseover: 'mouseenter',
- mouseout: 'mouseleave'
-}, function( orig, fix ){
- jQuery.event.special[ fix ] = {
- setup: function(){
- jQuery.event.add( this, orig, withinElement, fix );
- },
- teardown: function(){
- jQuery.event.remove( this, orig, withinElement );
- }
- };
-});
-
-jQuery.fn.extend({
- bind: function( type, data, fn ) {
- return type == "unload" ? this.one(type, data, fn) : this.each(function(){
- jQuery.event.add( this, type, fn || data, fn && data );
- });
- },
-
- one: function( type, data, fn ) {
- var one = jQuery.event.proxy( fn || data, function(event) {
- jQuery(this).unbind(event, one);
- return (fn || data).apply( this, arguments );
- });
- return this.each(function(){
- jQuery.event.add( this, type, one, fn && data);
- });
- },
-
- unbind: function( type, fn ) {
- return this.each(function(){
- jQuery.event.remove( this, type, fn );
- });
- },
-
- trigger: function( type, data ) {
- return this.each(function(){
- jQuery.event.trigger( type, data, this );
- });
- },
-
- triggerHandler: function( type, data ) {
- if( this[0] ){
- var event = jQuery.Event(type);
- event.preventDefault();
- event.stopPropagation();
- jQuery.event.trigger( event, data, this[0] );
- return event.result;
- }
- },
-
- toggle: function( fn ) {
- // Save reference to arguments for access in closure
- var args = arguments, i = 1;
-
- // link all the functions, so any of them can unbind this click handler
- while( i < args.length )
- jQuery.event.proxy( fn, args[i++] );
-
- return this.click( jQuery.event.proxy( fn, function(event) {
- // Figure out which function to execute
- this.lastToggle = ( this.lastToggle || 0 ) % i;
-
- // Make sure that clicks stop
- event.preventDefault();
-
- // and execute the function
- return args[ this.lastToggle++ ].apply( this, arguments ) || false;
- }));
- },
-
- hover: function(fnOver, fnOut) {
- return this.mouseenter(fnOver).mouseleave(fnOut);
- },
-
- ready: function(fn) {
- // Attach the listeners
- bindReady();
-
- // If the DOM is already ready
- if ( jQuery.isReady )
- // Execute the function immediately
- fn.call( document, jQuery );
-
- // Otherwise, remember the function for later
- else
- // Add the function to the wait list
- jQuery.readyList.push( fn );
-
- return this;
- },
-
- live: function( type, fn ){
- var proxy = jQuery.event.proxy( fn );
- proxy.guid += this.selector + type;
-
- jQuery(document).bind( liveConvert(type, this.selector), this.selector, proxy );
-
- return this;
- },
-
- die: function( type, fn ){
- jQuery(document).unbind( liveConvert(type, this.selector), fn ? { guid: fn.guid + this.selector + type } : null );
- return this;
- }
-});
-
-function liveHandler( event ){
- var check = RegExp("(^|\\.)" + event.type + "(\\.|$)"),
- stop = true,
- elems = [];
-
- jQuery.each(jQuery.data(this, "events").live || [], function(i, fn){
- if ( check.test(fn.type) ) {
- var elem = jQuery(event.target).closest(fn.data)[0];
- if ( elem )
- elems.push({ elem: elem, fn: fn });
- }
- });
-
- elems.sort(function(a,b) {
- return jQuery.data(a.elem, "closest") - jQuery.data(b.elem, "closest");
- });
-
- jQuery.each(elems, function(){
- if ( this.fn.call(this.elem, event, this.fn.data) === false )
- return (stop = false);
- });
-
- return stop;
-}
-
-function liveConvert(type, selector){
- return ["live", type, selector.replace(/\./g, "`").replace(/ /g, "|")].join(".");
-}
-
-jQuery.extend({
- isReady: false,
- readyList: [],
- // Handle when the DOM is ready
- ready: function() {
- // Make sure that the DOM is not already loaded
- if ( !jQuery.isReady ) {
- // Remember that the DOM is ready
- jQuery.isReady = true;
-
- // If there are functions bound, to execute
- if ( jQuery.readyList ) {
- // Execute all of them
- jQuery.each( jQuery.readyList, function(){
- this.call( document, jQuery );
- });
-
- // Reset the list of functions
- jQuery.readyList = null;
- }
-
- // Trigger any bound ready events
- jQuery(document).triggerHandler("ready");
- }
- }
-});
-
-var readyBound = false;
-
-function bindReady(){
- if ( readyBound ) return;
- readyBound = true;
-
- // Mozilla, Opera and webkit nightlies currently support this event
- if ( document.addEventListener ) {
- // Use the handy event callback
- document.addEventListener( "DOMContentLoaded", function(){
- document.removeEventListener( "DOMContentLoaded", arguments.callee, false );
- jQuery.ready();
- }, false );
-
- // If IE event model is used
- } else if ( document.attachEvent ) {
- // ensure firing before onload,
- // maybe late but safe also for iframes
- document.attachEvent("onreadystatechange", function(){
- if ( document.readyState === "complete" ) {
- document.detachEvent( "onreadystatechange", arguments.callee );
- jQuery.ready();
- }
- });
-
- // If IE and not an iframe
- // continually check to see if the document is ready
- if ( document.documentElement.doScroll && window == window.top ) (function(){
- if ( jQuery.isReady ) return;
-
- try {
- // If IE is used, use the trick by Diego Perini
- // http://javascript.nwbox.com/IEContentLoaded/
- document.documentElement.doScroll("left");
- } catch( error ) {
- setTimeout( arguments.callee, 0 );
- return;
- }
-
- // and execute any waiting functions
- jQuery.ready();
- })();
- }
-
- // A fallback to window.onload, that will always work
- jQuery.event.add( window, "load", jQuery.ready );
-}
-
-jQuery.each( ("blur,focus,load,resize,scroll,unload,click,dblclick," +
- "mousedown,mouseup,mousemove,mouseover,mouseout,mouseenter,mouseleave," +
- "change,select,submit,keydown,keypress,keyup,error").split(","), function(i, name){
-
- // Handle event binding
- jQuery.fn[name] = function(fn){
- return fn ? this.bind(name, fn) : this.trigger(name);
- };
-});
-
-// Prevent memory leaks in IE
-// And prevent errors on refresh with events like mouseover in other browsers
-// Window isn't included so as not to unbind existing unload events
-jQuery( window ).bind( 'unload', function(){
- for ( var id in jQuery.cache )
- // Skip the window
- if ( id != 1 && jQuery.cache[ id ].handle )
- jQuery.event.remove( jQuery.cache[ id ].handle.elem );
-});
-(function(){
-
- jQuery.support = {};
-
- var root = document.documentElement,
- script = document.createElement("script"),
- div = document.createElement("div"),
- id = "script" + (new Date).getTime();
-
- div.style.display = "none";
- div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object><param/></object>';
-
- var all = div.getElementsByTagName("*"),
- a = div.getElementsByTagName("a")[0];
-
- // Can't get basic test support
- if ( !all || !all.length || !a ) {
- return;
- }
-
- jQuery.support = {
- // IE strips leading whitespace when .innerHTML is used
- leadingWhitespace: div.firstChild.nodeType == 3,
-
- // Make sure that tbody elements aren't automatically inserted
- // IE will insert them into empty tables
- tbody: !div.getElementsByTagName("tbody").length,
-
- // Make sure that you can get all elements in an <object> element
- // IE 7 always returns no results
- objectAll: !!div.getElementsByTagName("object")[0]
- .getElementsByTagName("*").length,
-
- // Make sure that link elements get serialized correctly by innerHTML
- // This requires a wrapper element in IE
- htmlSerialize: !!div.getElementsByTagName("link").length,
-
- // Get the style information from getAttribute
- // (IE uses .cssText insted)
- style: /red/.test( a.getAttribute("style") ),
-
- // Make sure that URLs aren't manipulated
- // (IE normalizes it by default)
- hrefNormalized: a.getAttribute("href") === "/a",
-
- // Make sure that element opacity exists
- // (IE uses filter instead)
- opacity: a.style.opacity === "0.5",
-
- // Verify style float existence
- // (IE uses styleFloat instead of cssFloat)
- cssFloat: !!a.style.cssFloat,
-
- // Will be defined later
- scriptEval: false,
- noCloneEvent: true,
- boxModel: null
- };
-
- script.type = "text/javascript";
- try {
- script.appendChild( document.createTextNode( "window." + id + "=1;" ) );
- } catch(e){}
-
- root.insertBefore( script, root.firstChild );
-
- // Make sure that the execution of code works by injecting a script
- // tag with appendChild/createTextNode
- // (IE doesn't support this, fails, and uses .text instead)
- if ( window[ id ] ) {
- jQuery.support.scriptEval = true;
- delete window[ id ];
- }
-
- root.removeChild( script );
-
- if ( div.attachEvent && div.fireEvent ) {
- div.attachEvent("onclick", function(){
- // Cloning a node shouldn't copy over any
- // bound event handlers (IE does this)
- jQuery.support.noCloneEvent = false;
- div.detachEvent("onclick", arguments.callee);
- });
- div.cloneNode(true).fireEvent("onclick");
- }
-
- // Figure out if the W3C box model works as expected
- // document.body must exist before we can do this
- jQuery(function(){
- var div = document.createElement("div");
- div.style.width = div.style.paddingLeft = "1px";
-
- document.body.appendChild( div );
- jQuery.boxModel = jQuery.support.boxModel = div.offsetWidth === 2;
- document.body.removeChild( div ).style.display = 'none';
- });
-})();
-
-var styleFloat = jQuery.support.cssFloat ? "cssFloat" : "styleFloat";
-
-jQuery.props = {
- "for": "htmlFor",
- "class": "className",
- "float": styleFloat,
- cssFloat: styleFloat,
- styleFloat: styleFloat,
- readonly: "readOnly",
- maxlength: "maxLength",
- cellspacing: "cellSpacing",
- rowspan: "rowSpan",
- tabindex: "tabIndex"
-};
-jQuery.fn.extend({
- // Keep a copy of the old load
- _load: jQuery.fn.load,
-
- load: function( url, params, callback ) {
- if ( typeof url !== "string" )
- return this._load( url );
-
- var off = url.indexOf(" ");
- if ( off >= 0 ) {
- var selector = url.slice(off, url.length);
- url = url.slice(0, off);
- }
-
- // Default to a GET request
- var type = "GET";
-
- // If the second parameter was provided
- if ( params )
- // If it's a function
- if ( jQuery.isFunction( params ) ) {
- // We assume that it's the callback
- callback = params;
- params = null;
-
- // Otherwise, build a param string
- } else if( typeof params === "object" ) {
- params = jQuery.param( params );
- type = "POST";
- }
-
- var self = this;
-
- // Request the remote document
- jQuery.ajax({
- url: url,
- type: type,
- dataType: "html",
- data: params,
- complete: function(res, status){
- // If successful, inject the HTML into all the matched elements
- if ( status == "success" || status == "notmodified" )
- // See if a selector was specified
- self.html( selector ?
- // Create a dummy div to hold the results
- jQuery("<div/>")
- // inject the contents of the document in, removing the scripts
- // to avoid any 'Permission Denied' errors in IE
- .append(res.responseText.replace(/<script(.|\s)*?\/script>/g, ""))
-
- // Locate the specified elements
- .find(selector) :
-
- // If not, just inject the full result
- res.responseText );
-
- if( callback )
- self.each( callback, [res.responseText, status, res] );
- }
- });
- return this;
- },
-
- serialize: function() {
- return jQuery.param(this.serializeArray());
- },
- serializeArray: function() {
- return this.map(function(){
- return this.elements ? jQuery.makeArray(this.elements) : this;
- })
- .filter(function(){
- return this.name && !this.disabled &&
- (this.checked || /select|textarea/i.test(this.nodeName) ||
- /text|hidden|password|search/i.test(this.type));
- })
- .map(function(i, elem){
- var val = jQuery(this).val();
- return val == null ? null :
- jQuery.isArray(val) ?
- jQuery.map( val, function(val, i){
- return {name: elem.name, value: val};
- }) :
- {name: elem.name, value: val};
- }).get();
- }
-});
-
-// Attach a bunch of functions for handling common AJAX events
-jQuery.each( "ajaxStart,ajaxStop,ajaxComplete,ajaxError,ajaxSuccess,ajaxSend".split(","), function(i,o){
- jQuery.fn[o] = function(f){
- return this.bind(o, f);
- };
-});
-
-var jsc = now();
-
-jQuery.extend({
-
- get: function( url, data, callback, type ) {
- // shift arguments if data argument was ommited
- if ( jQuery.isFunction( data ) ) {
- callback = data;
- data = null;
- }
-
- return jQuery.ajax({
- type: "GET",
- url: url,
- data: data,
- success: callback,
- dataType: type
- });
- },
-
- getScript: function( url, callback ) {
- return jQuery.get(url, null, callback, "script");
- },
-
- getJSON: function( url, data, callback ) {
- return jQuery.get(url, data, callback, "json");
- },
-
- post: function( url, data, callback, type ) {
- if ( jQuery.isFunction( data ) ) {
- callback = data;
- data = {};
- }
-
- return jQuery.ajax({
- type: "POST",
- url: url,
- data: data,
- success: callback,
- dataType: type
- });
- },
-
- ajaxSetup: function( settings ) {
- jQuery.extend( jQuery.ajaxSettings, settings );
- },
-
- ajaxSettings: {
- url: location.href,
- global: true,
- type: "GET",
- contentType: "application/x-www-form-urlencoded",
- processData: true,
- async: true,
- /*
- timeout: 0,
- data: null,
- username: null,
- password: null,
- */
- // Create the request object; Microsoft failed to properly
- // implement the XMLHttpRequest in IE7, so we use the ActiveXObject when it is available
- // This function can be overriden by calling jQuery.ajaxSetup
- xhr:function(){
- return window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest();
- },
- accepts: {
- xml: "application/xml, text/xml",
- html: "text/html",
- script: "text/javascript, application/javascript",
- json: "application/json, text/javascript",
- text: "text/plain",
- _default: "*/*"
- }
- },
-
- // Last-Modified header cache for next request
- lastModified: {},
-
- ajax: function( s ) {
- // Extend the settings, but re-extend 's' so that it can be
- // checked again later (in the test suite, specifically)
- s = jQuery.extend(true, s, jQuery.extend(true, {}, jQuery.ajaxSettings, s));
-
- var jsonp, jsre = /=\?(&|$)/g, status, data,
- type = s.type.toUpperCase();
-
- // convert data if not already a string
- if ( s.data && s.processData && typeof s.data !== "string" )
- s.data = jQuery.param(s.data);
-
- // Handle JSONP Parameter Callbacks
- if ( s.dataType == "jsonp" ) {
- if ( type == "GET" ) {
- if ( !s.url.match(jsre) )
- s.url += (s.url.match(/\?/) ? "&" : "?") + (s.jsonp || "callback") + "=?";
- } else if ( !s.data || !s.data.match(jsre) )
- s.data = (s.data ? s.data + "&" : "") + (s.jsonp || "callback") + "=?";
- s.dataType = "json";
- }
-
- // Build temporary JSONP function
- if ( s.dataType == "json" && (s.data && s.data.match(jsre) || s.url.match(jsre)) ) {
- jsonp = "jsonp" + jsc++;
-
- // Replace the =? sequence both in the query string and the data
- if ( s.data )
- s.data = (s.data + "").replace(jsre, "=" + jsonp + "$1");
- s.url = s.url.replace(jsre, "=" + jsonp + "$1");
-
- // We need to make sure
- // that a JSONP style response is executed properly
- s.dataType = "script";
-
- // Handle JSONP-style loading
- window[ jsonp ] = function(tmp){
- data = tmp;
- success();
- complete();
- // Garbage collect
- window[ jsonp ] = undefined;
- try{ delete window[ jsonp ]; } catch(e){}
- if ( head )
- head.removeChild( script );
- };
- }
-
- if ( s.dataType == "script" && s.cache == null )
- s.cache = false;
-
- if ( s.cache === false && type == "GET" ) {
- var ts = now();
- // try replacing _= if it is there
- var ret = s.url.replace(/(\?|&)_=.*?(&|$)/, "$1_=" + ts + "$2");
- // if nothing was replaced, add timestamp to the end
- s.url = ret + ((ret == s.url) ? (s.url.match(/\?/) ? "&" : "?") + "_=" + ts : "");
- }
-
- // If data is available, append data to url for get requests
- if ( s.data && type == "GET" ) {
- s.url += (s.url.match(/\?/) ? "&" : "?") + s.data;
-
- // IE likes to send both get and post data, prevent this
- s.data = null;
- }
-
- // Watch for a new set of requests
- if ( s.global && ! jQuery.active++ )
- jQuery.event.trigger( "ajaxStart" );
-
- // Matches an absolute URL, and saves the domain
- var parts = /^(\w+:)?\/\/([^\/?#]+)/.exec( s.url );
-
- // If we're requesting a remote document
- // and trying to load JSON or Script with a GET
- if ( s.dataType == "script" && type == "GET" && parts
- && ( parts[1] && parts[1] != location.protocol || parts[2] != location.host )){
-
- var head = document.getElementsByTagName("head")[0];
- var script = document.createElement("script");
- script.src = s.url;
- if (s.scriptCharset)
- script.charset = s.scriptCharset;
-
- // Handle Script loading
- if ( !jsonp ) {
- var done = false;
-
- // Attach handlers for all browsers
- script.onload = script.onreadystatechange = function(){
- if ( !done && (!this.readyState ||
- this.readyState == "loaded" || this.readyState == "complete") ) {
- done = true;
- success();
- complete();
-
- // Handle memory leak in IE
- script.onload = script.onreadystatechange = null;
- head.removeChild( script );
- }
- };
- }
-
- head.appendChild(script);
-
- // We handle everything using the script element injection
- return undefined;
- }
-
- var requestDone = false;
-
- // Create the request object
- var xhr = s.xhr();
-
- // Open the socket
- // Passing null username, generates a login popup on Opera (#2865)
- if( s.username )
- xhr.open(type, s.url, s.async, s.username, s.password);
- else
- xhr.open(type, s.url, s.async);
-
- // Need an extra try/catch for cross domain requests in Firefox 3
- try {
- // Set the correct header, if data is being sent
- if ( s.data )
- xhr.setRequestHeader("Content-Type", s.contentType);
-
- // Set the If-Modified-Since header, if ifModified mode.
- if ( s.ifModified )
- xhr.setRequestHeader("If-Modified-Since",
- jQuery.lastModified[s.url] || "Thu, 01 Jan 1970 00:00:00 GMT" );
-
- // Set header so the called script knows that it's an XMLHttpRequest
- xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
-
- // Set the Accepts header for the server, depending on the dataType
- xhr.setRequestHeader("Accept", s.dataType && s.accepts[ s.dataType ] ?
- s.accepts[ s.dataType ] + ", */*" :
- s.accepts._default );
- } catch(e){}
-
- // Allow custom headers/mimetypes and early abort
- if ( s.beforeSend && s.beforeSend(xhr, s) === false ) {
- // Handle the global AJAX counter
- if ( s.global && ! --jQuery.active )
- jQuery.event.trigger( "ajaxStop" );
- // close opended socket
- xhr.abort();
- return false;
- }
-
- if ( s.global )
- jQuery.event.trigger("ajaxSend", [xhr, s]);
-
- // Wait for a response to come back
- var onreadystatechange = function(isTimeout){
- // The request was aborted, clear the interval and decrement jQuery.active
- if (xhr.readyState == 0) {
- if (ival) {
- // clear poll interval
- clearInterval(ival);
- ival = null;
- // Handle the global AJAX counter
- if ( s.global && ! --jQuery.active )
- jQuery.event.trigger( "ajaxStop" );
- }
- // The transfer is complete and the data is available, or the request timed out
- } else if ( !requestDone && xhr && (xhr.readyState == 4 || isTimeout == "timeout") ) {
- requestDone = true;
-
- // clear poll interval
- if (ival) {
- clearInterval(ival);
- ival = null;
- }
-
- status = isTimeout == "timeout" ? "timeout" :
- !jQuery.httpSuccess( xhr ) ? "error" :
- s.ifModified && jQuery.httpNotModified( xhr, s.url ) ? "notmodified" :
- "success";
-
- if ( status == "success" ) {
- // Watch for, and catch, XML document parse errors
- try {
- // process the data (runs the xml through httpData regardless of callback)
- data = jQuery.httpData( xhr, s.dataType, s );
- } catch(e) {
- status = "parsererror";
- }
- }
-
- // Make sure that the request was successful or notmodified
- if ( status == "success" ) {
- // Cache Last-Modified header, if ifModified mode.
- var modRes;
- try {
- modRes = xhr.getResponseHeader("Last-Modified");
- } catch(e) {} // swallow exception thrown by FF if header is not available
-
- if ( s.ifModified && modRes )
- jQuery.lastModified[s.url] = modRes;
-
- // JSONP handles its own success callback
- if ( !jsonp )
- success();
- } else
- jQuery.handleError(s, xhr, status);
-
- // Fire the complete handlers
- complete();
-
- if ( isTimeout )
- xhr.abort();
-
- // Stop memory leaks
- if ( s.async )
- xhr = null;
- }
- };
-
- if ( s.async ) {
- // don't attach the handler to the request, just poll it instead
- var ival = setInterval(onreadystatechange, 13);
-
- // Timeout checker
- if ( s.timeout > 0 )
- setTimeout(function(){
- // Check to see if the request is still happening
- if ( xhr && !requestDone )
- onreadystatechange( "timeout" );
- }, s.timeout);
- }
-
- // Send the data
- try {
- xhr.send(s.data);
- } catch(e) {
- jQuery.handleError(s, xhr, null, e);
- }
-
- // firefox 1.5 doesn't fire statechange for sync requests
- if ( !s.async )
- onreadystatechange();
-
- function success(){
- // If a local callback was specified, fire it and pass it the data
- if ( s.success )
- s.success( data, status );
-
- // Fire the global callback
- if ( s.global )
- jQuery.event.trigger( "ajaxSuccess", [xhr, s] );
- }
-
- function complete(){
- // Process result
- if ( s.complete )
- s.complete(xhr, status);
-
- // The request was completed
- if ( s.global )
- jQuery.event.trigger( "ajaxComplete", [xhr, s] );
-
- // Handle the global AJAX counter
- if ( s.global && ! --jQuery.active )
- jQuery.event.trigger( "ajaxStop" );
- }
-
- // return XMLHttpRequest to allow aborting the request etc.
- return xhr;
- },
-
- handleError: function( s, xhr, status, e ) {
- // If a local callback was specified, fire it
- if ( s.error ) s.error( xhr, status, e );
-
- // Fire the global callback
- if ( s.global )
- jQuery.event.trigger( "ajaxError", [xhr, s, e] );
- },
-
- // Counter for holding the number of active queries
- active: 0,
-
- // Determines if an XMLHttpRequest was successful or not
- httpSuccess: function( xhr ) {
- try {
- // IE error sometimes returns 1223 when it should be 204 so treat it as success, see #1450
- return !xhr.status && location.protocol == "file:" ||
- ( xhr.status >= 200 && xhr.status < 300 ) || xhr.status == 304 || xhr.status == 1223;
- } catch(e){}
- return false;
- },
-
- // Determines if an XMLHttpRequest returns NotModified
- httpNotModified: function( xhr, url ) {
- try {
- var xhrRes = xhr.getResponseHeader("Last-Modified");
-
- // Firefox always returns 200. check Last-Modified date
- return xhr.status == 304 || xhrRes == jQuery.lastModified[url];
- } catch(e){}
- return false;
- },
-
- httpData: function( xhr, type, s ) {
- var ct = xhr.getResponseHeader("content-type"),
- xml = type == "xml" || !type && ct && ct.indexOf("xml") >= 0,
- data = xml ? xhr.responseXML : xhr.responseText;
-
- if ( xml && data.documentElement.tagName == "parsererror" )
- throw "parsererror";
-
- // Allow a pre-filtering function to sanitize the response
- // s != null is checked to keep backwards compatibility
- if( s && s.dataFilter )
- data = s.dataFilter( data, type );
-
- // The filter can actually parse the response
- if( typeof data === "string" ){
-
- // If the type is "script", eval it in global context
- if ( type == "script" )
- jQuery.globalEval( data );
-
- // Get the JavaScript object, if JSON is used.
- if ( type == "json" )
- data = window["eval"]("(" + data + ")");
- }
-
- return data;
- },
-
- // Serialize an array of form elements or a set of
- // key/values into a query string
- param: function( a ) {
- var s = [ ];
-
- function add( key, value ){
- s[ s.length ] = encodeURIComponent(key) + '=' + encodeURIComponent(value);
- };
-
- // If an array was passed in, assume that it is an array
- // of form elements
- if ( jQuery.isArray(a) || a.jquery )
- // Serialize the form elements
- jQuery.each( a, function(){
- add( this.name, this.value );
- });
-
- // Otherwise, assume that it's an object of key/value pairs
- else
- // Serialize the key/values
- for ( var j in a )
- // If the value is an array then the key names need to be repeated
- if ( jQuery.isArray(a[j]) )
- jQuery.each( a[j], function(){
- add( j, this );
- });
- else
- add( j, jQuery.isFunction(a[j]) ? a[j]() : a[j] );
-
- // Return the resulting serialization
- return s.join("&").replace(/%20/g, "+");
- }
-
-});
-var elemdisplay = {},
- timerId,
- fxAttrs = [
- // height animations
- [ "height", "marginTop", "marginBottom", "paddingTop", "paddingBottom" ],
- // width animations
- [ "width", "marginLeft", "marginRight", "paddingLeft", "paddingRight" ],
- // opacity animations
- [ "opacity" ]
- ];
-
-function genFx( type, num ){
- var obj = {};
- jQuery.each( fxAttrs.concat.apply([], fxAttrs.slice(0,num)), function(){
- obj[ this ] = type;
- });
- return obj;
-}
-
-jQuery.fn.extend({
- show: function(speed,callback){
- if ( speed ) {
- return this.animate( genFx("show", 3), speed, callback);
- } else {
- for ( var i = 0, l = this.length; i < l; i++ ){
- var old = jQuery.data(this[i], "olddisplay");
-
- this[i].style.display = old || "";
-
- if ( jQuery.css(this[i], "display") === "none" ) {
- var tagName = this[i].tagName, display;
-
- if ( elemdisplay[ tagName ] ) {
- display = elemdisplay[ tagName ];
- } else {
- var elem = jQuery("<" + tagName + " />").appendTo("body");
-
- display = elem.css("display");
- if ( display === "none" )
- display = "block";
-
- elem.remove();
-
- elemdisplay[ tagName ] = display;
- }
-
- jQuery.data(this[i], "olddisplay", display);
- }
- }
-
- // Set the display of the elements in a second loop
- // to avoid the constant reflow
- for ( var i = 0, l = this.length; i < l; i++ ){
- this[i].style.display = jQuery.data(this[i], "olddisplay") || "";
- }
-
- return this;
- }
- },
-
- hide: function(speed,callback){
- if ( speed ) {
- return this.animate( genFx("hide", 3), speed, callback);
- } else {
- for ( var i = 0, l = this.length; i < l; i++ ){
- var old = jQuery.data(this[i], "olddisplay");
- if ( !old && old !== "none" )
- jQuery.data(this[i], "olddisplay", jQuery.css(this[i], "display"));
- }
-
- // Set the display of the elements in a second loop
- // to avoid the constant reflow
- for ( var i = 0, l = this.length; i < l; i++ ){
- this[i].style.display = "none";
- }
-
- return this;
- }
- },
-
- // Save the old toggle function
- _toggle: jQuery.fn.toggle,
-
- toggle: function( fn, fn2 ){
- var bool = typeof fn === "boolean";
-
- return jQuery.isFunction(fn) && jQuery.isFunction(fn2) ?
- this._toggle.apply( this, arguments ) :
- fn == null || bool ?
- this.each(function(){
- var state = bool ? fn : jQuery(this).is(":hidden");
- jQuery(this)[ state ? "show" : "hide" ]();
- }) :
- this.animate(genFx("toggle", 3), fn, fn2);
- },
-
- fadeTo: function(speed,to,callback){
- return this.animate({opacity: to}, speed, callback);
- },
-
- animate: function( prop, speed, easing, callback ) {
- var optall = jQuery.speed(speed, easing, callback);
-
- return this[ optall.queue === false ? "each" : "queue" ](function(){
-
- var opt = jQuery.extend({}, optall), p,
- hidden = this.nodeType == 1 && jQuery(this).is(":hidden"),
- self = this;
-
- for ( p in prop ) {
- if ( prop[p] == "hide" && hidden || prop[p] == "show" && !hidden )
- return opt.complete.call(this);
-
- if ( ( p == "height" || p == "width" ) && this.style ) {
- // Store display property
- opt.display = jQuery.css(this, "display");
-
- // Make sure that nothing sneaks out
- opt.overflow = this.style.overflow;
- }
- }
-
- if ( opt.overflow != null )
- this.style.overflow = "hidden";
-
- opt.curAnim = jQuery.extend({}, prop);
-
- jQuery.each( prop, function(name, val){
- var e = new jQuery.fx( self, opt, name );
-
- if ( /toggle|show|hide/.test(val) )
- e[ val == "toggle" ? hidden ? "show" : "hide" : val ]( prop );
- else {
- var parts = val.toString().match(/^([+-]=)?([\d+-.]+)(.*)$/),
- start = e.cur(true) || 0;
-
- if ( parts ) {
- var end = parseFloat(parts[2]),
- unit = parts[3] || "px";
-
- // We need to compute starting value
- if ( unit != "px" ) {
- self.style[ name ] = (end || 1) + unit;
- start = ((end || 1) / e.cur(true)) * start;
- self.style[ name ] = start + unit;
- }
-
- // If a +=/-= token was provided, we're doing a relative animation
- if ( parts[1] )
- end = ((parts[1] == "-=" ? -1 : 1) * end) + start;
-
- e.custom( start, end, unit );
- } else
- e.custom( start, val, "" );
- }
- });
-
- // For JS strict compliance
- return true;
- });
- },
-
- stop: function(clearQueue, gotoEnd){
- var timers = jQuery.timers;
-
- if (clearQueue)
- this.queue([]);
-
- this.each(function(){
- // go in reverse order so anything added to the queue during the loop is ignored
- for ( var i = timers.length - 1; i >= 0; i-- )
- if ( timers[i].elem == this ) {
- if (gotoEnd)
- // force the next step to be the last
- timers[i](true);
- timers.splice(i, 1);
- }
- });
-
- // start the next in the queue if the last step wasn't forced
- if (!gotoEnd)
- this.dequeue();
-
- return this;
- }
-
-});
-
-// Generate shortcuts for custom animations
-jQuery.each({
- slideDown: genFx("show", 1),
- slideUp: genFx("hide", 1),
- slideToggle: genFx("toggle", 1),
- fadeIn: { opacity: "show" },
- fadeOut: { opacity: "hide" }
-}, function( name, props ){
- jQuery.fn[ name ] = function( speed, callback ){
- return this.animate( props, speed, callback );
- };
-});
-
-jQuery.extend({
-
- speed: function(speed, easing, fn) {
- var opt = typeof speed === "object" ? speed : {
- complete: fn || !fn && easing ||
- jQuery.isFunction( speed ) && speed,
- duration: speed,
- easing: fn && easing || easing && !jQuery.isFunction(easing) && easing
- };
-
- opt.duration = jQuery.fx.off ? 0 : typeof opt.duration === "number" ? opt.duration :
- jQuery.fx.speeds[opt.duration] || jQuery.fx.speeds._default;
-
- // Queueing
- opt.old = opt.complete;
- opt.complete = function(){
- if ( opt.queue !== false )
- jQuery(this).dequeue();
- if ( jQuery.isFunction( opt.old ) )
- opt.old.call( this );
- };
-
- return opt;
- },
-
- easing: {
- linear: function( p, n, firstNum, diff ) {
- return firstNum + diff * p;
- },
- swing: function( p, n, firstNum, diff ) {
- return ((-Math.cos(p*Math.PI)/2) + 0.5) * diff + firstNum;
- }
- },
-
- timers: [],
-
- fx: function( elem, options, prop ){
- this.options = options;
- this.elem = elem;
- this.prop = prop;
-
- if ( !options.orig )
- options.orig = {};
- }
-
-});
-
-jQuery.fx.prototype = {
-
- // Simple function for setting a style value
- update: function(){
- if ( this.options.step )
- this.options.step.call( this.elem, this.now, this );
-
- (jQuery.fx.step[this.prop] || jQuery.fx.step._default)( this );
-
- // Set display property to block for height/width animations
- if ( ( this.prop == "height" || this.prop == "width" ) && this.elem.style )
- this.elem.style.display = "block";
- },
-
- // Get the current size
- cur: function(force){
- if ( this.elem[this.prop] != null && (!this.elem.style || this.elem.style[this.prop] == null) )
- return this.elem[ this.prop ];
-
- var r = parseFloat(jQuery.css(this.elem, this.prop, force));
- return r && r > -10000 ? r : parseFloat(jQuery.curCSS(this.elem, this.prop)) || 0;
- },
-
- // Start an animation from one number to another
- custom: function(from, to, unit){
- this.startTime = now();
- this.start = from;
- this.end = to;
- this.unit = unit || this.unit || "px";
- this.now = this.start;
- this.pos = this.state = 0;
-
- var self = this;
- function t(gotoEnd){
- return self.step(gotoEnd);
- }
-
- t.elem = this.elem;
-
- if ( t() && jQuery.timers.push(t) && !timerId ) {
- timerId = setInterval(function(){
- var timers = jQuery.timers;
-
- for ( var i = 0; i < timers.length; i++ )
- if ( !timers[i]() )
- timers.splice(i--, 1);
-
- if ( !timers.length ) {
- clearInterval( timerId );
- timerId = undefined;
- }
- }, 13);
- }
- },
-
- // Simple 'show' function
- show: function(){
- // Remember where we started, so that we can go back to it later
- this.options.orig[this.prop] = jQuery.attr( this.elem.style, this.prop );
- this.options.show = true;
-
- // Begin the animation
- // Make sure that we start at a small width/height to avoid any
- // flash of content
- this.custom(this.prop == "width" || this.prop == "height" ? 1 : 0, this.cur());
-
- // Start by showing the element
- jQuery(this.elem).show();
- },
-
- // Simple 'hide' function
- hide: function(){
- // Remember where we started, so that we can go back to it later
- this.options.orig[this.prop] = jQuery.attr( this.elem.style, this.prop );
- this.options.hide = true;
-
- // Begin the animation
- this.custom(this.cur(), 0);
- },
-
- // Each step of an animation
- step: function(gotoEnd){
- var t = now();
-
- if ( gotoEnd || t >= this.options.duration + this.startTime ) {
- this.now = this.end;
- this.pos = this.state = 1;
- this.update();
-
- this.options.curAnim[ this.prop ] = true;
-
- var done = true;
- for ( var i in this.options.curAnim )
- if ( this.options.curAnim[i] !== true )
- done = false;
-
- if ( done ) {
- if ( this.options.display != null ) {
- // Reset the overflow
- this.elem.style.overflow = this.options.overflow;
-
- // Reset the display
- this.elem.style.display = this.options.display;
- if ( jQuery.css(this.elem, "display") == "none" )
- this.elem.style.display = "block";
- }
-
- // Hide the element if the "hide" operation was done
- if ( this.options.hide )
- jQuery(this.elem).hide();
-
- // Reset the properties, if the item has been hidden or shown
- if ( this.options.hide || this.options.show )
- for ( var p in this.options.curAnim )
- jQuery.attr(this.elem.style, p, this.options.orig[p]);
-
- // Execute the complete function
- this.options.complete.call( this.elem );
- }
-
- return false;
- } else {
- var n = t - this.startTime;
- this.state = n / this.options.duration;
-
- // Perform the easing function, defaults to swing
- this.pos = jQuery.easing[this.options.easing || (jQuery.easing.swing ? "swing" : "linear")](this.state, n, 0, 1, this.options.duration);
- this.now = this.start + ((this.end - this.start) * this.pos);
-
- // Perform the next step of the animation
- this.update();
- }
-
- return true;
- }
-
-};
-
-jQuery.extend( jQuery.fx, {
- speeds:{
- slow: 600,
- fast: 200,
- // Default speed
- _default: 400
- },
- step: {
-
- opacity: function(fx){
- jQuery.attr(fx.elem.style, "opacity", fx.now);
- },
-
- _default: function(fx){
- if ( fx.elem.style && fx.elem.style[ fx.prop ] != null )
- fx.elem.style[ fx.prop ] = fx.now + fx.unit;
- else
- fx.elem[ fx.prop ] = fx.now;
- }
- }
-});
-if ( document.documentElement["getBoundingClientRect"] )
- jQuery.fn.offset = function() {
- if ( !this[0] ) return { top: 0, left: 0 };
- if ( this[0] === this[0].ownerDocument.body ) return jQuery.offset.bodyOffset( this[0] );
- var box = this[0].getBoundingClientRect(), doc = this[0].ownerDocument, body = doc.body, docElem = doc.documentElement,
- clientTop = docElem.clientTop || body.clientTop || 0, clientLeft = docElem.clientLeft || body.clientLeft || 0,
- top = box.top + (self.pageYOffset || jQuery.boxModel && docElem.scrollTop || body.scrollTop ) - clientTop,
- left = box.left + (self.pageXOffset || jQuery.boxModel && docElem.scrollLeft || body.scrollLeft) - clientLeft;
- return { top: top, left: left };
- };
-else
- jQuery.fn.offset = function() {
- if ( !this[0] ) return { top: 0, left: 0 };
- if ( this[0] === this[0].ownerDocument.body ) return jQuery.offset.bodyOffset( this[0] );
- jQuery.offset.initialized || jQuery.offset.initialize();
-
- var elem = this[0], offsetParent = elem.offsetParent, prevOffsetParent = elem,
- doc = elem.ownerDocument, computedStyle, docElem = doc.documentElement,
- body = doc.body, defaultView = doc.defaultView,
- prevComputedStyle = defaultView.getComputedStyle(elem, null),
- top = elem.offsetTop, left = elem.offsetLeft;
-
- while ( (elem = elem.parentNode) && elem !== body && elem !== docElem ) {
- computedStyle = defaultView.getComputedStyle(elem, null);
- top -= elem.scrollTop, left -= elem.scrollLeft;
- if ( elem === offsetParent ) {
- top += elem.offsetTop, left += elem.offsetLeft;
- if ( jQuery.offset.doesNotAddBorder && !(jQuery.offset.doesAddBorderForTableAndCells && /^t(able|d|h)$/i.test(elem.tagName)) )
- top += parseInt( computedStyle.borderTopWidth, 10) || 0,
- left += parseInt( computedStyle.borderLeftWidth, 10) || 0;
- prevOffsetParent = offsetParent, offsetParent = elem.offsetParent;
- }
- if ( jQuery.offset.subtractsBorderForOverflowNotVisible && computedStyle.overflow !== "visible" )
- top += parseInt( computedStyle.borderTopWidth, 10) || 0,
- left += parseInt( computedStyle.borderLeftWidth, 10) || 0;
- prevComputedStyle = computedStyle;
- }
-
- if ( prevComputedStyle.position === "relative" || prevComputedStyle.position === "static" )
- top += body.offsetTop,
- left += body.offsetLeft;
-
- if ( prevComputedStyle.position === "fixed" )
- top += Math.max(docElem.scrollTop, body.scrollTop),
- left += Math.max(docElem.scrollLeft, body.scrollLeft);
-
- return { top: top, left: left };
- };
-
-jQuery.offset = {
- initialize: function() {
- if ( this.initialized ) return;
- var body = document.body, container = document.createElement('div'), innerDiv, checkDiv, table, td, rules, prop, bodyMarginTop = body.style.marginTop,
- html = '<div style="position:absolute;top:0;left:0;margin:0;border:5px solid #000;padding:0;width:1px;height:1px;"><div></div></div><table style="position:absolute;top:0;left:0;margin:0;border:5px solid #000;padding:0;width:1px;height:1px;" cellpadding="0" cellspacing="0"><tr><td></td></tr></table>';
-
- rules = { position: 'absolute', top: 0, left: 0, margin: 0, border: 0, width: '1px', height: '1px', visibility: 'hidden' };
- for ( prop in rules ) container.style[prop] = rules[prop];
-
- container.innerHTML = html;
- body.insertBefore(container, body.firstChild);
- innerDiv = container.firstChild, checkDiv = innerDiv.firstChild, td = innerDiv.nextSibling.firstChild.firstChild;
-
- this.doesNotAddBorder = (checkDiv.offsetTop !== 5);
- this.doesAddBorderForTableAndCells = (td.offsetTop === 5);
-
- innerDiv.style.overflow = 'hidden', innerDiv.style.position = 'relative';
- this.subtractsBorderForOverflowNotVisible = (checkDiv.offsetTop === -5);
-
- body.style.marginTop = '1px';
- this.doesNotIncludeMarginInBodyOffset = (body.offsetTop === 0);
- body.style.marginTop = bodyMarginTop;
-
- body.removeChild(container);
- this.initialized = true;
- },
-
- bodyOffset: function(body) {
- jQuery.offset.initialized || jQuery.offset.initialize();
- var top = body.offsetTop, left = body.offsetLeft;
- if ( jQuery.offset.doesNotIncludeMarginInBodyOffset )
- top += parseInt( jQuery.curCSS(body, 'marginTop', true), 10 ) || 0,
- left += parseInt( jQuery.curCSS(body, 'marginLeft', true), 10 ) || 0;
- return { top: top, left: left };
- }
-};
-
-
-jQuery.fn.extend({
- position: function() {
- var left = 0, top = 0, results;
-
- if ( this[0] ) {
- // Get *real* offsetParent
- var offsetParent = this.offsetParent(),
-
- // Get correct offsets
- offset = this.offset(),
- parentOffset = /^body|html$/i.test(offsetParent[0].tagName) ? { top: 0, left: 0 } : offsetParent.offset();
-
- // Subtract element margins
- // note: when an element has margin: auto the offsetLeft and marginLeft
- // are the same in Safari causing offset.left to incorrectly be 0
- offset.top -= num( this, 'marginTop' );
- offset.left -= num( this, 'marginLeft' );
-
- // Add offsetParent borders
- parentOffset.top += num( offsetParent, 'borderTopWidth' );
- parentOffset.left += num( offsetParent, 'borderLeftWidth' );
-
- // Subtract the two offsets
- results = {
- top: offset.top - parentOffset.top,
- left: offset.left - parentOffset.left
- };
- }
-
- return results;
- },
-
- offsetParent: function() {
- var offsetParent = this[0].offsetParent || document.body;
- while ( offsetParent && (!/^body|html$/i.test(offsetParent.tagName) && jQuery.css(offsetParent, 'position') == 'static') )
- offsetParent = offsetParent.offsetParent;
- return jQuery(offsetParent);
- }
-});
-
-
-// Create scrollLeft and scrollTop methods
-jQuery.each( ['Left', 'Top'], function(i, name) {
- var method = 'scroll' + name;
-
- jQuery.fn[ method ] = function(val) {
- if (!this[0]) return null;
-
- return val !== undefined ?
-
- // Set the scroll offset
- this.each(function() {
- this == window || this == document ?
- window.scrollTo(
- !i ? val : jQuery(window).scrollLeft(),
- i ? val : jQuery(window).scrollTop()
- ) :
- this[ method ] = val;
- }) :
-
- // Return the scroll offset
- this[0] == window || this[0] == document ?
- self[ i ? 'pageYOffset' : 'pageXOffset' ] ||
- jQuery.boxModel && document.documentElement[ method ] ||
- document.body[ method ] :
- this[0][ method ];
- };
-});
-// Create innerHeight, innerWidth, outerHeight and outerWidth methods
-jQuery.each([ "Height", "Width" ], function(i, name){
-
- var tl = i ? "Left" : "Top", // top or left
- br = i ? "Right" : "Bottom", // bottom or right
- lower = name.toLowerCase();
-
- // innerHeight and innerWidth
- jQuery.fn["inner" + name] = function(){
- return this[0] ?
- jQuery.css( this[0], lower, false, "padding" ) :
- null;
- };
-
- // outerHeight and outerWidth
- jQuery.fn["outer" + name] = function(margin) {
- return this[0] ?
- jQuery.css( this[0], lower, false, margin ? "margin" : "border" ) :
- null;
- };
-
- var type = name.toLowerCase();
-
- jQuery.fn[ type ] = function( size ) {
- // Get window width or height
- return this[0] == window ?
- // Everyone else use document.documentElement or document.body depending on Quirks vs Standards mode
- document.compatMode == "CSS1Compat" && document.documentElement[ "client" + name ] ||
- document.body[ "client" + name ] :
-
- // Get document width or height
- this[0] == document ?
- // Either scroll[Width/Height] or offset[Width/Height], whichever is greater
- Math.max(
- document.documentElement["client" + name],
- document.body["scroll" + name], document.documentElement["scroll" + name],
- document.body["offset" + name], document.documentElement["offset" + name]
- ) :
-
- // Get or set width or height on the element
- size === undefined ?
- // Get width or height on the element
- (this.length ? jQuery.css( this[0], type ) : null) :
-
- // Set the width or height on the element (default to pixels if value is unitless)
- this.css( type, typeof size === "string" ? size : size + "px" );
- };
-
-});
-})();
+/*! + * jQuery JavaScript Library v1.3.2 + * http://jquery.com/ + * + * Copyright (c) 2009 John Resig + * Dual licensed under the MIT and GPL licenses. + * http://docs.jquery.com/License + * + * Date: 2009-02-19 17:34:21 -0500 (Thu, 19 Feb 2009) + * Revision: 6246 + */ +(function(){ + +var + // Will speed up references to window, and allows munging its name. + window = this, + // Will speed up references to undefined, and allows munging its name. + undefined, + // Map over jQuery in case of overwrite + _jQuery = window.jQuery, + // Map over the $ in case of overwrite + _$ = window.$, + + jQuery = window.jQuery = window.$ = function( selector, context ) { + // The jQuery object is actually just the init constructor 'enhanced' + return new jQuery.fn.init( selector, context ); + }, + + // A simple way to check for HTML strings or ID strings + // (both of which we optimize for) + quickExpr = /^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/, + // Is it a simple selector + isSimple = /^.[^:#\[\.,]*$/; + +jQuery.fn = jQuery.prototype = { + init: function( selector, context ) { + // Make sure that a selection was provided + selector = selector || document; + + // Handle $(DOMElement) + if ( selector.nodeType ) { + this[0] = selector; + this.length = 1; + this.context = selector; + return this; + } + // Handle HTML strings + if ( typeof selector === "string" ) { + // Are we dealing with HTML string or an ID? + var match = quickExpr.exec( selector ); + + // Verify a match, and that no context was specified for #id + if ( match && (match[1] || !context) ) { + + // HANDLE: $(html) -> $(array) + if ( match[1] ) + selector = jQuery.clean( [ match[1] ], context ); + + // HANDLE: $("#id") + else { + var elem = document.getElementById( match[3] ); + + // Handle the case where IE and Opera return items + // by name instead of ID + if ( elem && elem.id != match[3] ) + return jQuery().find( selector ); + + // Otherwise, we inject the element directly into the jQuery object + var ret = jQuery( elem || [] ); + ret.context = document; + ret.selector = selector; + return ret; + } + + // HANDLE: $(expr, [context]) + // (which is just equivalent to: $(content).find(expr) + } else + return jQuery( context ).find( selector ); + + // HANDLE: $(function) + // Shortcut for document ready + } else if ( jQuery.isFunction( selector ) ) + return jQuery( document ).ready( selector ); + + // Make sure that old selector state is passed along + if ( selector.selector && selector.context ) { + this.selector = selector.selector; + this.context = selector.context; + } + + return this.setArray(jQuery.isArray( selector ) ? + selector : + jQuery.makeArray(selector)); + }, + + // Start with an empty selector + selector: "", + + // The current version of jQuery being used + jquery: "1.3.2", + + // The number of elements contained in the matched element set + size: function() { + return this.length; + }, + + // Get the Nth element in the matched element set OR + // Get the whole matched element set as a clean array + get: function( num ) { + return num === undefined ? + + // Return a 'clean' array + Array.prototype.slice.call( this ) : + + // Return just the object + this[ num ]; + }, + + // Take an array of elements and push it onto the stack + // (returning the new matched element set) + pushStack: function( elems, name, selector ) { + // Build a new jQuery matched element set + var ret = jQuery( elems ); + + // Add the old object onto the stack (as a reference) + ret.prevObject = this; + + ret.context = this.context; + + if ( name === "find" ) + ret.selector = this.selector + (this.selector ? " " : "") + selector; + else if ( name ) + ret.selector = this.selector + "." + name + "(" + selector + ")"; + + // Return the newly-formed element set + return ret; + }, + + // Force the current matched set of elements to become + // the specified array of elements (destroying the stack in the process) + // You should use pushStack() in order to do this, but maintain the stack + setArray: function( elems ) { + // Resetting the length to 0, then using the native Array push + // is a super-fast way to populate an object with array-like properties + this.length = 0; + Array.prototype.push.apply( this, elems ); + + return this; + }, + + // Execute a callback for every element in the matched set. + // (You can seed the arguments with an array of args, but this is + // only used internally.) + each: function( callback, args ) { + return jQuery.each( this, callback, args ); + }, + + // Determine the position of an element within + // the matched set of elements + index: function( elem ) { + // Locate the position of the desired element + return jQuery.inArray( + // If it receives a jQuery object, the first element is used + elem && elem.jquery ? elem[0] : elem + , this ); + }, + + attr: function( name, value, type ) { + var options = name; + + // Look for the case where we're accessing a style value + if ( typeof name === "string" ) + if ( value === undefined ) + return this[0] && jQuery[ type || "attr" ]( this[0], name ); + + else { + options = {}; + options[ name ] = value; + } + + // Check to see if we're setting style values + return this.each(function(i){ + // Set all the styles + for ( name in options ) + jQuery.attr( + type ? + this.style : + this, + name, jQuery.prop( this, options[ name ], type, i, name ) + ); + }); + }, + + css: function( key, value ) { + // ignore negative width and height values + if ( (key == 'width' || key == 'height') && parseFloat(value) < 0 ) + value = undefined; + return this.attr( key, value, "curCSS" ); + }, + + text: function( text ) { + if ( typeof text !== "object" && text != null ) + return this.empty().append( (this[0] && this[0].ownerDocument || document).createTextNode( text ) ); + + var ret = ""; + + jQuery.each( text || this, function(){ + jQuery.each( this.childNodes, function(){ + if ( this.nodeType != 8 ) + ret += this.nodeType != 1 ? + this.nodeValue : + jQuery.fn.text( [ this ] ); + }); + }); + + return ret; + }, + + wrapAll: function( html ) { + if ( this[0] ) { + // The elements to wrap the target around + var wrap = jQuery( html, this[0].ownerDocument ).clone(); + + if ( this[0].parentNode ) + wrap.insertBefore( this[0] ); + + wrap.map(function(){ + var elem = this; + + while ( elem.firstChild ) + elem = elem.firstChild; + + return elem; + }).append(this); + } + + return this; + }, + + wrapInner: function( html ) { + return this.each(function(){ + jQuery( this ).contents().wrapAll( html ); + }); + }, + + wrap: function( html ) { + return this.each(function(){ + jQuery( this ).wrapAll( html ); + }); + }, + + append: function() { + return this.domManip(arguments, true, function(elem){ + if (this.nodeType == 1) + this.appendChild( elem ); + }); + }, + + prepend: function() { + return this.domManip(arguments, true, function(elem){ + if (this.nodeType == 1) + this.insertBefore( elem, this.firstChild ); + }); + }, + + before: function() { + return this.domManip(arguments, false, function(elem){ + this.parentNode.insertBefore( elem, this ); + }); + }, + + after: function() { + return this.domManip(arguments, false, function(elem){ + this.parentNode.insertBefore( elem, this.nextSibling ); + }); + }, + + end: function() { + return this.prevObject || jQuery( [] ); + }, + + // For internal use only. + // Behaves like an Array's method, not like a jQuery method. + push: [].push, + sort: [].sort, + splice: [].splice, + + find: function( selector ) { + if ( this.length === 1 ) { + var ret = this.pushStack( [], "find", selector ); + ret.length = 0; + jQuery.find( selector, this[0], ret ); + return ret; + } else { + return this.pushStack( jQuery.unique(jQuery.map(this, function(elem){ + return jQuery.find( selector, elem ); + })), "find", selector ); + } + }, + + clone: function( events ) { + // Do the clone + var ret = this.map(function(){ + if ( !jQuery.support.noCloneEvent && !jQuery.isXMLDoc(this) ) { + // IE copies events bound via attachEvent when + // using cloneNode. Calling detachEvent on the + // clone will also remove the events from the orignal + // In order to get around this, we use innerHTML. + // Unfortunately, this means some modifications to + // attributes in IE that are actually only stored + // as properties will not be copied (such as the + // the name attribute on an input). + var html = this.outerHTML; + if ( !html ) { + var div = this.ownerDocument.createElement("div"); + div.appendChild( this.cloneNode(true) ); + html = div.innerHTML; + } + + return jQuery.clean([html.replace(/ jQuery\d+="(?:\d+|null)"/g, "").replace(/^\s*/, "")])[0]; + } else + return this.cloneNode(true); + }); + + // Copy the events from the original to the clone + if ( events === true ) { + var orig = this.find("*").andSelf(), i = 0; + + ret.find("*").andSelf().each(function(){ + if ( this.nodeName !== orig[i].nodeName ) + return; + + var events = jQuery.data( orig[i], "events" ); + + for ( var type in events ) { + for ( var handler in events[ type ] ) { + jQuery.event.add( this, type, events[ type ][ handler ], events[ type ][ handler ].data ); + } + } + + i++; + }); + } + + // Return the cloned set + return ret; + }, + + filter: function( selector ) { + return this.pushStack( + jQuery.isFunction( selector ) && + jQuery.grep(this, function(elem, i){ + return selector.call( elem, i ); + }) || + + jQuery.multiFilter( selector, jQuery.grep(this, function(elem){ + return elem.nodeType === 1; + }) ), "filter", selector ); + }, + + closest: function( selector ) { + var pos = jQuery.expr.match.POS.test( selector ) ? jQuery(selector) : null, + closer = 0; + + return this.map(function(){ + var cur = this; + while ( cur && cur.ownerDocument ) { + if ( pos ? pos.index(cur) > -1 : jQuery(cur).is(selector) ) { + jQuery.data(cur, "closest", closer); + return cur; + } + cur = cur.parentNode; + closer++; + } + }); + }, + + not: function( selector ) { + if ( typeof selector === "string" ) + // test special case where just one selector is passed in + if ( isSimple.test( selector ) ) + return this.pushStack( jQuery.multiFilter( selector, this, true ), "not", selector ); + else + selector = jQuery.multiFilter( selector, this ); + + var isArrayLike = selector.length && selector[selector.length - 1] !== undefined && !selector.nodeType; + return this.filter(function() { + return isArrayLike ? jQuery.inArray( this, selector ) < 0 : this != selector; + }); + }, + + add: function( selector ) { + return this.pushStack( jQuery.unique( jQuery.merge( + this.get(), + typeof selector === "string" ? + jQuery( selector ) : + jQuery.makeArray( selector ) + ))); + }, + + is: function( selector ) { + return !!selector && jQuery.multiFilter( selector, this ).length > 0; + }, + + hasClass: function( selector ) { + return !!selector && this.is( "." + selector ); + }, + + val: function( value ) { + if ( value === undefined ) { + var elem = this[0]; + + if ( elem ) { + if( jQuery.nodeName( elem, 'option' ) ) + return (elem.attributes.value || {}).specified ? elem.value : elem.text; + + // We need to handle select boxes special + if ( jQuery.nodeName( elem, "select" ) ) { + var index = elem.selectedIndex, + values = [], + options = elem.options, + one = elem.type == "select-one"; + + // Nothing was selected + if ( index < 0 ) + return null; + + // Loop through all the selected options + for ( var i = one ? index : 0, max = one ? index + 1 : options.length; i < max; i++ ) { + var option = options[ i ]; + + if ( option.selected ) { + // Get the specifc value for the option + value = jQuery(option).val(); + + // We don't need an array for one selects + if ( one ) + return value; + + // Multi-Selects return an array + values.push( value ); + } + } + + return values; + } + + // Everything else, we just grab the value + return (elem.value || "").replace(/\r/g, ""); + + } + + return undefined; + } + + if ( typeof value === "number" ) + value += ''; + + return this.each(function(){ + if ( this.nodeType != 1 ) + return; + + if ( jQuery.isArray(value) && /radio|checkbox/.test( this.type ) ) + this.checked = (jQuery.inArray(this.value, value) >= 0 || + jQuery.inArray(this.name, value) >= 0); + + else if ( jQuery.nodeName( this, "select" ) ) { + var values = jQuery.makeArray(value); + + jQuery( "option", this ).each(function(){ + this.selected = (jQuery.inArray( this.value, values ) >= 0 || + jQuery.inArray( this.text, values ) >= 0); + }); + + if ( !values.length ) + this.selectedIndex = -1; + + } else + this.value = value; + }); + }, + + html: function( value ) { + return value === undefined ? + (this[0] ? + this[0].innerHTML.replace(/ jQuery\d+="(?:\d+|null)"/g, "") : + null) : + this.empty().append( value ); + }, + + replaceWith: function( value ) { + return this.after( value ).remove(); + }, + + eq: function( i ) { + return this.slice( i, +i + 1 ); + }, + + slice: function() { + return this.pushStack( Array.prototype.slice.apply( this, arguments ), + "slice", Array.prototype.slice.call(arguments).join(",") ); + }, + + map: function( callback ) { + return this.pushStack( jQuery.map(this, function(elem, i){ + return callback.call( elem, i, elem ); + })); + }, + + andSelf: function() { + return this.add( this.prevObject ); + }, + + domManip: function( args, table, callback ) { + if ( this[0] ) { + var fragment = (this[0].ownerDocument || this[0]).createDocumentFragment(), + scripts = jQuery.clean( args, (this[0].ownerDocument || this[0]), fragment ), + first = fragment.firstChild; + + if ( first ) + for ( var i = 0, l = this.length; i < l; i++ ) + callback.call( root(this[i], first), this.length > 1 || i > 0 ? + fragment.cloneNode(true) : fragment ); + + if ( scripts ) + jQuery.each( scripts, evalScript ); + } + + return this; + + function root( elem, cur ) { + return table && jQuery.nodeName(elem, "table") && jQuery.nodeName(cur, "tr") ? + (elem.getElementsByTagName("tbody")[0] || + elem.appendChild(elem.ownerDocument.createElement("tbody"))) : + elem; + } + } +}; + +// Give the init function the jQuery prototype for later instantiation +jQuery.fn.init.prototype = jQuery.fn; + +function evalScript( i, elem ) { + if ( elem.src ) + jQuery.ajax({ + url: elem.src, + async: false, + dataType: "script" + }); + + else + jQuery.globalEval( elem.text || elem.textContent || elem.innerHTML || "" ); + + if ( elem.parentNode ) + elem.parentNode.removeChild( elem ); +} + +function now(){ + return +new Date; +} + +jQuery.extend = jQuery.fn.extend = function() { + // copy reference to target object + var target = arguments[0] || {}, i = 1, length = arguments.length, deep = false, options; + + // Handle a deep copy situation + if ( typeof target === "boolean" ) { + deep = target; + target = arguments[1] || {}; + // skip the boolean and the target + i = 2; + } + + // Handle case when target is a string or something (possible in deep copy) + if ( typeof target !== "object" && !jQuery.isFunction(target) ) + target = {}; + + // extend jQuery itself if only one argument is passed + if ( length == i ) { + target = this; + --i; + } + + for ( ; i < length; i++ ) + // Only deal with non-null/undefined values + if ( (options = arguments[ i ]) != null ) + // Extend the base object + for ( var name in options ) { + var src = target[ name ], copy = options[ name ]; + + // Prevent never-ending loop + if ( target === copy ) + continue; + + // Recurse if we're merging object values + if ( deep && copy && typeof copy === "object" && !copy.nodeType ) + target[ name ] = jQuery.extend( deep, + // Never move original objects, clone them + src || ( copy.length != null ? [ ] : { } ) + , copy ); + + // Don't bring in undefined values + else if ( copy !== undefined ) + target[ name ] = copy; + + } + + // Return the modified object + return target; +}; + +// exclude the following css properties to add px +var exclude = /z-?index|font-?weight|opacity|zoom|line-?height/i, + // cache defaultView + defaultView = document.defaultView || {}, + toString = Object.prototype.toString; + +jQuery.extend({ + noConflict: function( deep ) { + window.$ = _$; + + if ( deep ) + window.jQuery = _jQuery; + + return jQuery; + }, + + // See test/unit/core.js for details concerning isFunction. + // Since version 1.3, DOM methods and functions like alert + // aren't supported. They return false on IE (#2968). + isFunction: function( obj ) { + return toString.call(obj) === "[object Function]"; + }, + + isArray: function( obj ) { + return toString.call(obj) === "[object Array]"; + }, + + // check if an element is in a (or is an) XML document + isXMLDoc: function( elem ) { + return elem.nodeType === 9 && elem.documentElement.nodeName !== "HTML" || + !!elem.ownerDocument && jQuery.isXMLDoc( elem.ownerDocument ); + }, + + // Evalulates a script in a global context + globalEval: function( data ) { + if ( data && /\S/.test(data) ) { + // Inspired by code by Andrea Giammarchi + // http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html + var head = document.getElementsByTagName("head")[0] || document.documentElement, + script = document.createElement("script"); + + script.type = "text/javascript"; + if ( jQuery.support.scriptEval ) + script.appendChild( document.createTextNode( data ) ); + else + script.text = data; + + // Use insertBefore instead of appendChild to circumvent an IE6 bug. + // This arises when a base node is used (#2709). + head.insertBefore( script, head.firstChild ); + head.removeChild( script ); + } + }, + + nodeName: function( elem, name ) { + return elem.nodeName && elem.nodeName.toUpperCase() == name.toUpperCase(); + }, + + // args is for internal usage only + each: function( object, callback, args ) { + var name, i = 0, length = object.length; + + if ( args ) { + if ( length === undefined ) { + for ( name in object ) + if ( callback.apply( object[ name ], args ) === false ) + break; + } else + for ( ; i < length; ) + if ( callback.apply( object[ i++ ], args ) === false ) + break; + + // A special, fast, case for the most common use of each + } else { + if ( length === undefined ) { + for ( name in object ) + if ( callback.call( object[ name ], name, object[ name ] ) === false ) + break; + } else + for ( var value = object[0]; + i < length && callback.call( value, i, value ) !== false; value = object[++i] ){} + } + + return object; + }, + + prop: function( elem, value, type, i, name ) { + // Handle executable functions + if ( jQuery.isFunction( value ) ) + value = value.call( elem, i ); + + // Handle passing in a number to a CSS property + return typeof value === "number" && type == "curCSS" && !exclude.test( name ) ? + value + "px" : + value; + }, + + className: { + // internal only, use addClass("class") + add: function( elem, classNames ) { + jQuery.each((classNames || "").split(/\s+/), function(i, className){ + if ( elem.nodeType == 1 && !jQuery.className.has( elem.className, className ) ) + elem.className += (elem.className ? " " : "") + className; + }); + }, + + // internal only, use removeClass("class") + remove: function( elem, classNames ) { + if (elem.nodeType == 1) + elem.className = classNames !== undefined ? + jQuery.grep(elem.className.split(/\s+/), function(className){ + return !jQuery.className.has( classNames, className ); + }).join(" ") : + ""; + }, + + // internal only, use hasClass("class") + has: function( elem, className ) { + return elem && jQuery.inArray( className, (elem.className || elem).toString().split(/\s+/) ) > -1; + } + }, + + // A method for quickly swapping in/out CSS properties to get correct calculations + swap: function( elem, options, callback ) { + var old = {}; + // Remember the old values, and insert the new ones + for ( var name in options ) { + old[ name ] = elem.style[ name ]; + elem.style[ name ] = options[ name ]; + } + + callback.call( elem ); + + // Revert the old values + for ( var name in options ) + elem.style[ name ] = old[ name ]; + }, + + css: function( elem, name, force, extra ) { + if ( name == "width" || name == "height" ) { + var val, props = { position: "absolute", visibility: "hidden", display:"block" }, which = name == "width" ? [ "Left", "Right" ] : [ "Top", "Bottom" ]; + + function getWH() { + val = name == "width" ? elem.offsetWidth : elem.offsetHeight; + + if ( extra === "border" ) + return; + + jQuery.each( which, function() { + if ( !extra ) + val -= parseFloat(jQuery.curCSS( elem, "padding" + this, true)) || 0; + if ( extra === "margin" ) + val += parseFloat(jQuery.curCSS( elem, "margin" + this, true)) || 0; + else + val -= parseFloat(jQuery.curCSS( elem, "border" + this + "Width", true)) || 0; + }); + } + + if ( elem.offsetWidth !== 0 ) + getWH(); + else + jQuery.swap( elem, props, getWH ); + + return Math.max(0, Math.round(val)); + } + + return jQuery.curCSS( elem, name, force ); + }, + + curCSS: function( elem, name, force ) { + var ret, style = elem.style; + + // We need to handle opacity special in IE + if ( name == "opacity" && !jQuery.support.opacity ) { + ret = jQuery.attr( style, "opacity" ); + + return ret == "" ? + "1" : + ret; + } + + // Make sure we're using the right name for getting the float value + if ( name.match( /float/i ) ) + name = styleFloat; + + if ( !force && style && style[ name ] ) + ret = style[ name ]; + + else if ( defaultView.getComputedStyle ) { + + // Only "float" is needed here + if ( name.match( /float/i ) ) + name = "float"; + + name = name.replace( /([A-Z])/g, "-$1" ).toLowerCase(); + + var computedStyle = defaultView.getComputedStyle( elem, null ); + + if ( computedStyle ) + ret = computedStyle.getPropertyValue( name ); + + // We should always get a number back from opacity + if ( name == "opacity" && ret == "" ) + ret = "1"; + + } else if ( elem.currentStyle ) { + var camelCase = name.replace(/\-(\w)/g, function(all, letter){ + return letter.toUpperCase(); + }); + + ret = elem.currentStyle[ name ] || elem.currentStyle[ camelCase ]; + + // From the awesome hack by Dean Edwards + // http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291 + + // If we're not dealing with a regular pixel number + // but a number that has a weird ending, we need to convert it to pixels + if ( !/^\d+(px)?$/i.test( ret ) && /^\d/.test( ret ) ) { + // Remember the original values + var left = style.left, rsLeft = elem.runtimeStyle.left; + + // Put in the new values to get a computed value out + elem.runtimeStyle.left = elem.currentStyle.left; + style.left = ret || 0; + ret = style.pixelLeft + "px"; + + // Revert the changed values + style.left = left; + elem.runtimeStyle.left = rsLeft; + } + } + + return ret; + }, + + clean: function( elems, context, fragment ) { + context = context || document; + + // !context.createElement fails in IE with an error but returns typeof 'object' + if ( typeof context.createElement === "undefined" ) + context = context.ownerDocument || context[0] && context[0].ownerDocument || document; + + // If a single string is passed in and it's a single tag + // just do a createElement and skip the rest + if ( !fragment && elems.length === 1 && typeof elems[0] === "string" ) { + var match = /^<(\w+)\s*\/?>$/.exec(elems[0]); + if ( match ) + return [ context.createElement( match[1] ) ]; + } + + var ret = [], scripts = [], div = context.createElement("div"); + + jQuery.each(elems, function(i, elem){ + if ( typeof elem === "number" ) + elem += ''; + + if ( !elem ) + return; + + // Convert html string into DOM nodes + if ( typeof elem === "string" ) { + // Fix "XHTML"-style tags in all browsers + elem = elem.replace(/(<(\w+)[^>]*?)\/>/g, function(all, front, tag){ + return tag.match(/^(abbr|br|col|img|input|link|meta|param|hr|area|embed)$/i) ? + all : + front + "></" + tag + ">"; + }); + + // Trim whitespace, otherwise indexOf won't work as expected + var tags = elem.replace(/^\s+/, "").substring(0, 10).toLowerCase(); + + var wrap = + // option or optgroup + !tags.indexOf("<opt") && + [ 1, "<select multiple='multiple'>", "</select>" ] || + + !tags.indexOf("<leg") && + [ 1, "<fieldset>", "</fieldset>" ] || + + tags.match(/^<(thead|tbody|tfoot|colg|cap)/) && + [ 1, "<table>", "</table>" ] || + + !tags.indexOf("<tr") && + [ 2, "<table><tbody>", "</tbody></table>" ] || + + // <thead> matched above + (!tags.indexOf("<td") || !tags.indexOf("<th")) && + [ 3, "<table><tbody><tr>", "</tr></tbody></table>" ] || + + !tags.indexOf("<col") && + [ 2, "<table><tbody></tbody><colgroup>", "</colgroup></table>" ] || + + // IE can't serialize <link> and <script> tags normally + !jQuery.support.htmlSerialize && + [ 1, "div<div>", "</div>" ] || + + [ 0, "", "" ]; + + // Go to html and back, then peel off extra wrappers + div.innerHTML = wrap[1] + elem + wrap[2]; + + // Move to the right depth + while ( wrap[0]-- ) + div = div.lastChild; + + // Remove IE's autoinserted <tbody> from table fragments + if ( !jQuery.support.tbody ) { + + // String was a <table>, *may* have spurious <tbody> + var hasBody = /<tbody/i.test(elem), + tbody = !tags.indexOf("<table") && !hasBody ? + div.firstChild && div.firstChild.childNodes : + + // String was a bare <thead> or <tfoot> + wrap[1] == "<table>" && !hasBody ? + div.childNodes : + []; + + for ( var j = tbody.length - 1; j >= 0 ; --j ) + if ( jQuery.nodeName( tbody[ j ], "tbody" ) && !tbody[ j ].childNodes.length ) + tbody[ j ].parentNode.removeChild( tbody[ j ] ); + + } + + // IE completely kills leading whitespace when innerHTML is used + if ( !jQuery.support.leadingWhitespace && /^\s/.test( elem ) ) + div.insertBefore( context.createTextNode( elem.match(/^\s*/)[0] ), div.firstChild ); + + elem = jQuery.makeArray( div.childNodes ); + } + + if ( elem.nodeType ) + ret.push( elem ); + else + ret = jQuery.merge( ret, elem ); + + }); + + if ( fragment ) { + for ( var i = 0; ret[i]; i++ ) { + if ( jQuery.nodeName( ret[i], "script" ) && (!ret[i].type || ret[i].type.toLowerCase() === "text/javascript") ) { + scripts.push( ret[i].parentNode ? ret[i].parentNode.removeChild( ret[i] ) : ret[i] ); + } else { + if ( ret[i].nodeType === 1 ) + ret.splice.apply( ret, [i + 1, 0].concat(jQuery.makeArray(ret[i].getElementsByTagName("script"))) ); + fragment.appendChild( ret[i] ); + } + } + + return scripts; + } + + return ret; + }, + + attr: function( elem, name, value ) { + // don't set attributes on text and comment nodes + if (!elem || elem.nodeType == 3 || elem.nodeType == 8) + return undefined; + + var notxml = !jQuery.isXMLDoc( elem ), + // Whether we are setting (or getting) + set = value !== undefined; + + // Try to normalize/fix the name + name = notxml && jQuery.props[ name ] || name; + + // Only do all the following if this is a node (faster for style) + // IE elem.getAttribute passes even for style + if ( elem.tagName ) { + + // These attributes require special treatment + var special = /href|src|style/.test( name ); + + // Safari mis-reports the default selected property of a hidden option + // Accessing the parent's selectedIndex property fixes it + if ( name == "selected" && elem.parentNode ) + elem.parentNode.selectedIndex; + + // If applicable, access the attribute via the DOM 0 way + if ( name in elem && notxml && !special ) { + if ( set ){ + // We can't allow the type property to be changed (since it causes problems in IE) + if ( name == "type" && jQuery.nodeName( elem, "input" ) && elem.parentNode ) + throw "type property can't be changed"; + + elem[ name ] = value; + } + + // browsers index elements by id/name on forms, give priority to attributes. + if( jQuery.nodeName( elem, "form" ) && elem.getAttributeNode(name) ) + return elem.getAttributeNode( name ).nodeValue; + + // elem.tabIndex doesn't always return the correct value when it hasn't been explicitly set + // http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ + if ( name == "tabIndex" ) { + var attributeNode = elem.getAttributeNode( "tabIndex" ); + return attributeNode && attributeNode.specified + ? attributeNode.value + : elem.nodeName.match(/(button|input|object|select|textarea)/i) + ? 0 + : elem.nodeName.match(/^(a|area)$/i) && elem.href + ? 0 + : undefined; + } + + return elem[ name ]; + } + + if ( !jQuery.support.style && notxml && name == "style" ) + return jQuery.attr( elem.style, "cssText", value ); + + if ( set ) + // convert the value to a string (all browsers do this but IE) see #1070 + elem.setAttribute( name, "" + value ); + + var attr = !jQuery.support.hrefNormalized && notxml && special + // Some attributes require a special call on IE + ? elem.getAttribute( name, 2 ) + : elem.getAttribute( name ); + + // Non-existent attributes return null, we normalize to undefined + return attr === null ? undefined : attr; + } + + // elem is actually elem.style ... set the style + + // IE uses filters for opacity + if ( !jQuery.support.opacity && name == "opacity" ) { + if ( set ) { + // IE has trouble with opacity if it does not have layout + // Force it by setting the zoom level + elem.zoom = 1; + + // Set the alpha filter to set the opacity + elem.filter = (elem.filter || "").replace( /alpha\([^)]*\)/, "" ) + + (parseInt( value ) + '' == "NaN" ? "" : "alpha(opacity=" + value * 100 + ")"); + } + + return elem.filter && elem.filter.indexOf("opacity=") >= 0 ? + (parseFloat( elem.filter.match(/opacity=([^)]*)/)[1] ) / 100) + '': + ""; + } + + name = name.replace(/-([a-z])/ig, function(all, letter){ + return letter.toUpperCase(); + }); + + if ( set ) + elem[ name ] = value; + + return elem[ name ]; + }, + + trim: function( text ) { + return (text || "").replace( /^\s+|\s+$/g, "" ); + }, + + makeArray: function( array ) { + var ret = []; + + if( array != null ){ + var i = array.length; + // The window, strings (and functions) also have 'length' + if( i == null || typeof array === "string" || jQuery.isFunction(array) || array.setInterval ) + ret[0] = array; + else + while( i ) + ret[--i] = array[i]; + } + + return ret; + }, + + inArray: function( elem, array ) { + for ( var i = 0, length = array.length; i < length; i++ ) + // Use === because on IE, window == document + if ( array[ i ] === elem ) + return i; + + return -1; + }, + + merge: function( first, second ) { + // We have to loop this way because IE & Opera overwrite the length + // expando of getElementsByTagName + var i = 0, elem, pos = first.length; + // Also, we need to make sure that the correct elements are being returned + // (IE returns comment nodes in a '*' query) + if ( !jQuery.support.getAll ) { + while ( (elem = second[ i++ ]) != null ) + if ( elem.nodeType != 8 ) + first[ pos++ ] = elem; + + } else + while ( (elem = second[ i++ ]) != null ) + first[ pos++ ] = elem; + + return first; + }, + + unique: function( array ) { + var ret = [], done = {}; + + try { + + for ( var i = 0, length = array.length; i < length; i++ ) { + var id = jQuery.data( array[ i ] ); + + if ( !done[ id ] ) { + done[ id ] = true; + ret.push( array[ i ] ); + } + } + + } catch( e ) { + ret = array; + } + + return ret; + }, + + grep: function( elems, callback, inv ) { + var ret = []; + + // Go through the array, only saving the items + // that pass the validator function + for ( var i = 0, length = elems.length; i < length; i++ ) + if ( !inv != !callback( elems[ i ], i ) ) + ret.push( elems[ i ] ); + + return ret; + }, + + map: function( elems, callback ) { + var ret = []; + + // Go through the array, translating each of the items to their + // new value (or values). + for ( var i = 0, length = elems.length; i < length; i++ ) { + var value = callback( elems[ i ], i ); + + if ( value != null ) + ret[ ret.length ] = value; + } + + return ret.concat.apply( [], ret ); + } +}); + +// Use of jQuery.browser is deprecated. +// It's included for backwards compatibility and plugins, +// although they should work to migrate away. + +var userAgent = navigator.userAgent.toLowerCase(); + +// Figure out what browser is being used +jQuery.browser = { + version: (userAgent.match( /.+(?:rv|it|ra|ie)[\/: ]([\d.]+)/ ) || [0,'0'])[1], + safari: /webkit/.test( userAgent ), + opera: /opera/.test( userAgent ), + msie: /msie/.test( userAgent ) && !/opera/.test( userAgent ), + mozilla: /mozilla/.test( userAgent ) && !/(compatible|webkit)/.test( userAgent ) +}; + +jQuery.each({ + parent: function(elem){return elem.parentNode;}, + parents: function(elem){return jQuery.dir(elem,"parentNode");}, + next: function(elem){return jQuery.nth(elem,2,"nextSibling");}, + prev: function(elem){return jQuery.nth(elem,2,"previousSibling");}, + nextAll: function(elem){return jQuery.dir(elem,"nextSibling");}, + prevAll: function(elem){return jQuery.dir(elem,"previousSibling");}, + siblings: function(elem){return jQuery.sibling(elem.parentNode.firstChild,elem);}, + children: function(elem){return jQuery.sibling(elem.firstChild);}, + contents: function(elem){return jQuery.nodeName(elem,"iframe")?elem.contentDocument||elem.contentWindow.document:jQuery.makeArray(elem.childNodes);} +}, function(name, fn){ + jQuery.fn[ name ] = function( selector ) { + var ret = jQuery.map( this, fn ); + + if ( selector && typeof selector == "string" ) + ret = jQuery.multiFilter( selector, ret ); + + return this.pushStack( jQuery.unique( ret ), name, selector ); + }; +}); + +jQuery.each({ + appendTo: "append", + prependTo: "prepend", + insertBefore: "before", + insertAfter: "after", + replaceAll: "replaceWith" +}, function(name, original){ + jQuery.fn[ name ] = function( selector ) { + var ret = [], insert = jQuery( selector ); + + for ( var i = 0, l = insert.length; i < l; i++ ) { + var elems = (i > 0 ? this.clone(true) : this).get(); + jQuery.fn[ original ].apply( jQuery(insert[i]), elems ); + ret = ret.concat( elems ); + } + + return this.pushStack( ret, name, selector ); + }; +}); + +jQuery.each({ + removeAttr: function( name ) { + jQuery.attr( this, name, "" ); + if (this.nodeType == 1) + this.removeAttribute( name ); + }, + + addClass: function( classNames ) { + jQuery.className.add( this, classNames ); + }, + + removeClass: function( classNames ) { + jQuery.className.remove( this, classNames ); + }, + + toggleClass: function( classNames, state ) { + if( typeof state !== "boolean" ) + state = !jQuery.className.has( this, classNames ); + jQuery.className[ state ? "add" : "remove" ]( this, classNames ); + }, + + remove: function( selector ) { + if ( !selector || jQuery.filter( selector, [ this ] ).length ) { + // Prevent memory leaks + jQuery( "*", this ).add([this]).each(function(){ + jQuery.event.remove(this); + jQuery.removeData(this); + }); + if (this.parentNode) + this.parentNode.removeChild( this ); + } + }, + + empty: function() { + // Remove element nodes and prevent memory leaks + jQuery(this).children().remove(); + + // Remove any remaining nodes + while ( this.firstChild ) + this.removeChild( this.firstChild ); + } +}, function(name, fn){ + jQuery.fn[ name ] = function(){ + return this.each( fn, arguments ); + }; +}); + +// Helper function used by the dimensions and offset modules +function num(elem, prop) { + return elem[0] && parseInt( jQuery.curCSS(elem[0], prop, true), 10 ) || 0; +} +var expando = "jQuery" + now(), uuid = 0, windowData = {}; + +jQuery.extend({ + cache: {}, + + data: function( elem, name, data ) { + elem = elem == window ? + windowData : + elem; + + var id = elem[ expando ]; + + // Compute a unique ID for the element + if ( !id ) + id = elem[ expando ] = ++uuid; + + // Only generate the data cache if we're + // trying to access or manipulate it + if ( name && !jQuery.cache[ id ] ) + jQuery.cache[ id ] = {}; + + // Prevent overriding the named cache with undefined values + if ( data !== undefined ) + jQuery.cache[ id ][ name ] = data; + + // Return the named cache data, or the ID for the element + return name ? + jQuery.cache[ id ][ name ] : + id; + }, + + removeData: function( elem, name ) { + elem = elem == window ? + windowData : + elem; + + var id = elem[ expando ]; + + // If we want to remove a specific section of the element's data + if ( name ) { + if ( jQuery.cache[ id ] ) { + // Remove the section of cache data + delete jQuery.cache[ id ][ name ]; + + // If we've removed all the data, remove the element's cache + name = ""; + + for ( name in jQuery.cache[ id ] ) + break; + + if ( !name ) + jQuery.removeData( elem ); + } + + // Otherwise, we want to remove all of the element's data + } else { + // Clean up the element expando + try { + delete elem[ expando ]; + } catch(e){ + // IE has trouble directly removing the expando + // but it's ok with using removeAttribute + if ( elem.removeAttribute ) + elem.removeAttribute( expando ); + } + + // Completely remove the data cache + delete jQuery.cache[ id ]; + } + }, + queue: function( elem, type, data ) { + if ( elem ){ + + type = (type || "fx") + "queue"; + + var q = jQuery.data( elem, type ); + + if ( !q || jQuery.isArray(data) ) + q = jQuery.data( elem, type, jQuery.makeArray(data) ); + else if( data ) + q.push( data ); + + } + return q; + }, + + dequeue: function( elem, type ){ + var queue = jQuery.queue( elem, type ), + fn = queue.shift(); + + if( !type || type === "fx" ) + fn = queue[0]; + + if( fn !== undefined ) + fn.call(elem); + } +}); + +jQuery.fn.extend({ + data: function( key, value ){ + var parts = key.split("."); + parts[1] = parts[1] ? "." + parts[1] : ""; + + if ( value === undefined ) { + var data = this.triggerHandler("getData" + parts[1] + "!", [parts[0]]); + + if ( data === undefined && this.length ) + data = jQuery.data( this[0], key ); + + return data === undefined && parts[1] ? + this.data( parts[0] ) : + data; + } else + return this.trigger("setData" + parts[1] + "!", [parts[0], value]).each(function(){ + jQuery.data( this, key, value ); + }); + }, + + removeData: function( key ){ + return this.each(function(){ + jQuery.removeData( this, key ); + }); + }, + queue: function(type, data){ + if ( typeof type !== "string" ) { + data = type; + type = "fx"; + } + + if ( data === undefined ) + return jQuery.queue( this[0], type ); + + return this.each(function(){ + var queue = jQuery.queue( this, type, data ); + + if( type == "fx" && queue.length == 1 ) + queue[0].call(this); + }); + }, + dequeue: function(type){ + return this.each(function(){ + jQuery.dequeue( this, type ); + }); + } +});/*! + * Sizzle CSS Selector Engine - v0.9.3 + * Copyright 2009, The Dojo Foundation + * Released under the MIT, BSD, and GPL Licenses. + * More information: http://sizzlejs.com/ + */ +(function(){ + +var chunker = /((?:\((?:\([^()]+\)|[^()]+)+\)|\[(?:\[[^[\]]*\]|['"][^'"]*['"]|[^[\]'"]+)+\]|\\.|[^ >+~,(\[\\]+)+|[>+~])(\s*,\s*)?/g, + done = 0, + toString = Object.prototype.toString; + +var Sizzle = function(selector, context, results, seed) { + results = results || []; + context = context || document; + + if ( context.nodeType !== 1 && context.nodeType !== 9 ) + return []; + + if ( !selector || typeof selector !== "string" ) { + return results; + } + + var parts = [], m, set, checkSet, check, mode, extra, prune = true; + + // Reset the position of the chunker regexp (start from head) + chunker.lastIndex = 0; + + while ( (m = chunker.exec(selector)) !== null ) { + parts.push( m[1] ); + + if ( m[2] ) { + extra = RegExp.rightContext; + break; + } + } + + if ( parts.length > 1 && origPOS.exec( selector ) ) { + if ( parts.length === 2 && Expr.relative[ parts[0] ] ) { + set = posProcess( parts[0] + parts[1], context ); + } else { + set = Expr.relative[ parts[0] ] ? + [ context ] : + Sizzle( parts.shift(), context ); + + while ( parts.length ) { + selector = parts.shift(); + + if ( Expr.relative[ selector ] ) + selector += parts.shift(); + + set = posProcess( selector, set ); + } + } + } else { + var ret = seed ? + { expr: parts.pop(), set: makeArray(seed) } : + Sizzle.find( parts.pop(), parts.length === 1 && context.parentNode ? context.parentNode : context, isXML(context) ); + set = Sizzle.filter( ret.expr, ret.set ); + + if ( parts.length > 0 ) { + checkSet = makeArray(set); + } else { + prune = false; + } + + while ( parts.length ) { + var cur = parts.pop(), pop = cur; + + if ( !Expr.relative[ cur ] ) { + cur = ""; + } else { + pop = parts.pop(); + } + + if ( pop == null ) { + pop = context; + } + + Expr.relative[ cur ]( checkSet, pop, isXML(context) ); + } + } + + if ( !checkSet ) { + checkSet = set; + } + + if ( !checkSet ) { + throw "Syntax error, unrecognized expression: " + (cur || selector); + } + + if ( toString.call(checkSet) === "[object Array]" ) { + if ( !prune ) { + results.push.apply( results, checkSet ); + } else if ( context.nodeType === 1 ) { + for ( var i = 0; checkSet[i] != null; i++ ) { + if ( checkSet[i] && (checkSet[i] === true || checkSet[i].nodeType === 1 && contains(context, checkSet[i])) ) { + results.push( set[i] ); + } + } + } else { + for ( var i = 0; checkSet[i] != null; i++ ) { + if ( checkSet[i] && checkSet[i].nodeType === 1 ) { + results.push( set[i] ); + } + } + } + } else { + makeArray( checkSet, results ); + } + + if ( extra ) { + Sizzle( extra, context, results, seed ); + + if ( sortOrder ) { + hasDuplicate = false; + results.sort(sortOrder); + + if ( hasDuplicate ) { + for ( var i = 1; i < results.length; i++ ) { + if ( results[i] === results[i-1] ) { + results.splice(i--, 1); + } + } + } + } + } + + return results; +}; + +Sizzle.matches = function(expr, set){ + return Sizzle(expr, null, null, set); +}; + +Sizzle.find = function(expr, context, isXML){ + var set, match; + + if ( !expr ) { + return []; + } + + for ( var i = 0, l = Expr.order.length; i < l; i++ ) { + var type = Expr.order[i], match; + + if ( (match = Expr.match[ type ].exec( expr )) ) { + var left = RegExp.leftContext; + + if ( left.substr( left.length - 1 ) !== "\\" ) { + match[1] = (match[1] || "").replace(/\\/g, ""); + set = Expr.find[ type ]( match, context, isXML ); + if ( set != null ) { + expr = expr.replace( Expr.match[ type ], "" ); + break; + } + } + } + } + + if ( !set ) { + set = context.getElementsByTagName("*"); + } + + return {set: set, expr: expr}; +}; + +Sizzle.filter = function(expr, set, inplace, not){ + var old = expr, result = [], curLoop = set, match, anyFound, + isXMLFilter = set && set[0] && isXML(set[0]); + + while ( expr && set.length ) { + for ( var type in Expr.filter ) { + if ( (match = Expr.match[ type ].exec( expr )) != null ) { + var filter = Expr.filter[ type ], found, item; + anyFound = false; + + if ( curLoop == result ) { + result = []; + } + + if ( Expr.preFilter[ type ] ) { + match = Expr.preFilter[ type ]( match, curLoop, inplace, result, not, isXMLFilter ); + + if ( !match ) { + anyFound = found = true; + } else if ( match === true ) { + continue; + } + } + + if ( match ) { + for ( var i = 0; (item = curLoop[i]) != null; i++ ) { + if ( item ) { + found = filter( item, match, i, curLoop ); + var pass = not ^ !!found; + + if ( inplace && found != null ) { + if ( pass ) { + anyFound = true; + } else { + curLoop[i] = false; + } + } else if ( pass ) { + result.push( item ); + anyFound = true; + } + } + } + } + + if ( found !== undefined ) { + if ( !inplace ) { + curLoop = result; + } + + expr = expr.replace( Expr.match[ type ], "" ); + + if ( !anyFound ) { + return []; + } + + break; + } + } + } + + // Improper expression + if ( expr == old ) { + if ( anyFound == null ) { + throw "Syntax error, unrecognized expression: " + expr; + } else { + break; + } + } + + old = expr; + } + + return curLoop; +}; + +var Expr = Sizzle.selectors = { + order: [ "ID", "NAME", "TAG" ], + match: { + ID: /#((?:[\w\u00c0-\uFFFF_-]|\\.)+)/, + CLASS: /\.((?:[\w\u00c0-\uFFFF_-]|\\.)+)/, + NAME: /\[name=['"]*((?:[\w\u00c0-\uFFFF_-]|\\.)+)['"]*\]/, + ATTR: /\[\s*((?:[\w\u00c0-\uFFFF_-]|\\.)+)\s*(?:(\S?=)\s*(['"]*)(.*?)\3|)\s*\]/, + TAG: /^((?:[\w\u00c0-\uFFFF\*_-]|\\.)+)/, + CHILD: /:(only|nth|last|first)-child(?:\((even|odd|[\dn+-]*)\))?/, + POS: /:(nth|eq|gt|lt|first|last|even|odd)(?:\((\d*)\))?(?=[^-]|$)/, + PSEUDO: /:((?:[\w\u00c0-\uFFFF_-]|\\.)+)(?:\((['"]*)((?:\([^\)]+\)|[^\2\(\)]*)+)\2\))?/ + }, + attrMap: { + "class": "className", + "for": "htmlFor" + }, + attrHandle: { + href: function(elem){ + return elem.getAttribute("href"); + } + }, + relative: { + "+": function(checkSet, part, isXML){ + var isPartStr = typeof part === "string", + isTag = isPartStr && !/\W/.test(part), + isPartStrNotTag = isPartStr && !isTag; + + if ( isTag && !isXML ) { + part = part.toUpperCase(); + } + + for ( var i = 0, l = checkSet.length, elem; i < l; i++ ) { + if ( (elem = checkSet[i]) ) { + while ( (elem = elem.previousSibling) && elem.nodeType !== 1 ) {} + + checkSet[i] = isPartStrNotTag || elem && elem.nodeName === part ? + elem || false : + elem === part; + } + } + + if ( isPartStrNotTag ) { + Sizzle.filter( part, checkSet, true ); + } + }, + ">": function(checkSet, part, isXML){ + var isPartStr = typeof part === "string"; + + if ( isPartStr && !/\W/.test(part) ) { + part = isXML ? part : part.toUpperCase(); + + for ( var i = 0, l = checkSet.length; i < l; i++ ) { + var elem = checkSet[i]; + if ( elem ) { + var parent = elem.parentNode; + checkSet[i] = parent.nodeName === part ? parent : false; + } + } + } else { + for ( var i = 0, l = checkSet.length; i < l; i++ ) { + var elem = checkSet[i]; + if ( elem ) { + checkSet[i] = isPartStr ? + elem.parentNode : + elem.parentNode === part; + } + } + + if ( isPartStr ) { + Sizzle.filter( part, checkSet, true ); + } + } + }, + "": function(checkSet, part, isXML){ + var doneName = done++, checkFn = dirCheck; + + if ( !part.match(/\W/) ) { + var nodeCheck = part = isXML ? part : part.toUpperCase(); + checkFn = dirNodeCheck; + } + + checkFn("parentNode", part, doneName, checkSet, nodeCheck, isXML); + }, + "~": function(checkSet, part, isXML){ + var doneName = done++, checkFn = dirCheck; + + if ( typeof part === "string" && !part.match(/\W/) ) { + var nodeCheck = part = isXML ? part : part.toUpperCase(); + checkFn = dirNodeCheck; + } + + checkFn("previousSibling", part, doneName, checkSet, nodeCheck, isXML); + } + }, + find: { + ID: function(match, context, isXML){ + if ( typeof context.getElementById !== "undefined" && !isXML ) { + var m = context.getElementById(match[1]); + return m ? [m] : []; + } + }, + NAME: function(match, context, isXML){ + if ( typeof context.getElementsByName !== "undefined" ) { + var ret = [], results = context.getElementsByName(match[1]); + + for ( var i = 0, l = results.length; i < l; i++ ) { + if ( results[i].getAttribute("name") === match[1] ) { + ret.push( results[i] ); + } + } + + return ret.length === 0 ? null : ret; + } + }, + TAG: function(match, context){ + return context.getElementsByTagName(match[1]); + } + }, + preFilter: { + CLASS: function(match, curLoop, inplace, result, not, isXML){ + match = " " + match[1].replace(/\\/g, "") + " "; + + if ( isXML ) { + return match; + } + + for ( var i = 0, elem; (elem = curLoop[i]) != null; i++ ) { + if ( elem ) { + if ( not ^ (elem.className && (" " + elem.className + " ").indexOf(match) >= 0) ) { + if ( !inplace ) + result.push( elem ); + } else if ( inplace ) { + curLoop[i] = false; + } + } + } + + return false; + }, + ID: function(match){ + return match[1].replace(/\\/g, ""); + }, + TAG: function(match, curLoop){ + for ( var i = 0; curLoop[i] === false; i++ ){} + return curLoop[i] && isXML(curLoop[i]) ? match[1] : match[1].toUpperCase(); + }, + CHILD: function(match){ + if ( match[1] == "nth" ) { + // parse equations like 'even', 'odd', '5', '2n', '3n+2', '4n-1', '-n+6' + var test = /(-?)(\d*)n((?:\+|-)?\d*)/.exec( + match[2] == "even" && "2n" || match[2] == "odd" && "2n+1" || + !/\D/.test( match[2] ) && "0n+" + match[2] || match[2]); + + // calculate the numbers (first)n+(last) including if they are negative + match[2] = (test[1] + (test[2] || 1)) - 0; + match[3] = test[3] - 0; + } + + // TODO: Move to normal caching system + match[0] = done++; + + return match; + }, + ATTR: function(match, curLoop, inplace, result, not, isXML){ + var name = match[1].replace(/\\/g, ""); + + if ( !isXML && Expr.attrMap[name] ) { + match[1] = Expr.attrMap[name]; + } + + if ( match[2] === "~=" ) { + match[4] = " " + match[4] + " "; + } + + return match; + }, + PSEUDO: function(match, curLoop, inplace, result, not){ + if ( match[1] === "not" ) { + // If we're dealing with a complex expression, or a simple one + if ( match[3].match(chunker).length > 1 || /^\w/.test(match[3]) ) { + match[3] = Sizzle(match[3], null, null, curLoop); + } else { + var ret = Sizzle.filter(match[3], curLoop, inplace, true ^ not); + if ( !inplace ) { + result.push.apply( result, ret ); + } + return false; + } + } else if ( Expr.match.POS.test( match[0] ) || Expr.match.CHILD.test( match[0] ) ) { + return true; + } + + return match; + }, + POS: function(match){ + match.unshift( true ); + return match; + } + }, + filters: { + enabled: function(elem){ + return elem.disabled === false && elem.type !== "hidden"; + }, + disabled: function(elem){ + return elem.disabled === true; + }, + checked: function(elem){ + return elem.checked === true; + }, + selected: function(elem){ + // Accessing this property makes selected-by-default + // options in Safari work properly + elem.parentNode.selectedIndex; + return elem.selected === true; + }, + parent: function(elem){ + return !!elem.firstChild; + }, + empty: function(elem){ + return !elem.firstChild; + }, + has: function(elem, i, match){ + return !!Sizzle( match[3], elem ).length; + }, + header: function(elem){ + return /h\d/i.test( elem.nodeName ); + }, + text: function(elem){ + return "text" === elem.type; + }, + radio: function(elem){ + return "radio" === elem.type; + }, + checkbox: function(elem){ + return "checkbox" === elem.type; + }, + file: function(elem){ + return "file" === elem.type; + }, + password: function(elem){ + return "password" === elem.type; + }, + submit: function(elem){ + return "submit" === elem.type; + }, + image: function(elem){ + return "image" === elem.type; + }, + reset: function(elem){ + return "reset" === elem.type; + }, + button: function(elem){ + return "button" === elem.type || elem.nodeName.toUpperCase() === "BUTTON"; + }, + input: function(elem){ + return /input|select|textarea|button/i.test(elem.nodeName); + } + }, + setFilters: { + first: function(elem, i){ + return i === 0; + }, + last: function(elem, i, match, array){ + return i === array.length - 1; + }, + even: function(elem, i){ + return i % 2 === 0; + }, + odd: function(elem, i){ + return i % 2 === 1; + }, + lt: function(elem, i, match){ + return i < match[3] - 0; + }, + gt: function(elem, i, match){ + return i > match[3] - 0; + }, + nth: function(elem, i, match){ + return match[3] - 0 == i; + }, + eq: function(elem, i, match){ + return match[3] - 0 == i; + } + }, + filter: { + PSEUDO: function(elem, match, i, array){ + var name = match[1], filter = Expr.filters[ name ]; + + if ( filter ) { + return filter( elem, i, match, array ); + } else if ( name === "contains" ) { + return (elem.textContent || elem.innerText || "").indexOf(match[3]) >= 0; + } else if ( name === "not" ) { + var not = match[3]; + + for ( var i = 0, l = not.length; i < l; i++ ) { + if ( not[i] === elem ) { + return false; + } + } + + return true; + } + }, + CHILD: function(elem, match){ + var type = match[1], node = elem; + switch (type) { + case 'only': + case 'first': + while (node = node.previousSibling) { + if ( node.nodeType === 1 ) return false; + } + if ( type == 'first') return true; + node = elem; + case 'last': + while (node = node.nextSibling) { + if ( node.nodeType === 1 ) return false; + } + return true; + case 'nth': + var first = match[2], last = match[3]; + + if ( first == 1 && last == 0 ) { + return true; + } + + var doneName = match[0], + parent = elem.parentNode; + + if ( parent && (parent.sizcache !== doneName || !elem.nodeIndex) ) { + var count = 0; + for ( node = parent.firstChild; node; node = node.nextSibling ) { + if ( node.nodeType === 1 ) { + node.nodeIndex = ++count; + } + } + parent.sizcache = doneName; + } + + var diff = elem.nodeIndex - last; + if ( first == 0 ) { + return diff == 0; + } else { + return ( diff % first == 0 && diff / first >= 0 ); + } + } + }, + ID: function(elem, match){ + return elem.nodeType === 1 && elem.getAttribute("id") === match; + }, + TAG: function(elem, match){ + return (match === "*" && elem.nodeType === 1) || elem.nodeName === match; + }, + CLASS: function(elem, match){ + return (" " + (elem.className || elem.getAttribute("class")) + " ") + .indexOf( match ) > -1; + }, + ATTR: function(elem, match){ + var name = match[1], + result = Expr.attrHandle[ name ] ? + Expr.attrHandle[ name ]( elem ) : + elem[ name ] != null ? + elem[ name ] : + elem.getAttribute( name ), + value = result + "", + type = match[2], + check = match[4]; + + return result == null ? + type === "!=" : + type === "=" ? + value === check : + type === "*=" ? + value.indexOf(check) >= 0 : + type === "~=" ? + (" " + value + " ").indexOf(check) >= 0 : + !check ? + value && result !== false : + type === "!=" ? + value != check : + type === "^=" ? + value.indexOf(check) === 0 : + type === "$=" ? + value.substr(value.length - check.length) === check : + type === "|=" ? + value === check || value.substr(0, check.length + 1) === check + "-" : + false; + }, + POS: function(elem, match, i, array){ + var name = match[2], filter = Expr.setFilters[ name ]; + + if ( filter ) { + return filter( elem, i, match, array ); + } + } + } +}; + +var origPOS = Expr.match.POS; + +for ( var type in Expr.match ) { + Expr.match[ type ] = RegExp( Expr.match[ type ].source + /(?![^\[]*\])(?![^\(]*\))/.source ); +} + +var makeArray = function(array, results) { + array = Array.prototype.slice.call( array ); + + if ( results ) { + results.push.apply( results, array ); + return results; + } + + return array; +}; + +// Perform a simple check to determine if the browser is capable of +// converting a NodeList to an array using builtin methods. +try { + Array.prototype.slice.call( document.documentElement.childNodes ); + +// Provide a fallback method if it does not work +} catch(e){ + makeArray = function(array, results) { + var ret = results || []; + + if ( toString.call(array) === "[object Array]" ) { + Array.prototype.push.apply( ret, array ); + } else { + if ( typeof array.length === "number" ) { + for ( var i = 0, l = array.length; i < l; i++ ) { + ret.push( array[i] ); + } + } else { + for ( var i = 0; array[i]; i++ ) { + ret.push( array[i] ); + } + } + } + + return ret; + }; +} + +var sortOrder; + +if ( document.documentElement.compareDocumentPosition ) { + sortOrder = function( a, b ) { + var ret = a.compareDocumentPosition(b) & 4 ? -1 : a === b ? 0 : 1; + if ( ret === 0 ) { + hasDuplicate = true; + } + return ret; + }; +} else if ( "sourceIndex" in document.documentElement ) { + sortOrder = function( a, b ) { + var ret = a.sourceIndex - b.sourceIndex; + if ( ret === 0 ) { + hasDuplicate = true; + } + return ret; + }; +} else if ( document.createRange ) { + sortOrder = function( a, b ) { + var aRange = a.ownerDocument.createRange(), bRange = b.ownerDocument.createRange(); + aRange.selectNode(a); + aRange.collapse(true); + bRange.selectNode(b); + bRange.collapse(true); + var ret = aRange.compareBoundaryPoints(Range.START_TO_END, bRange); + if ( ret === 0 ) { + hasDuplicate = true; + } + return ret; + }; +} + +// Check to see if the browser returns elements by name when +// querying by getElementById (and provide a workaround) +(function(){ + // We're going to inject a fake input element with a specified name + var form = document.createElement("form"), + id = "script" + (new Date).getTime(); + form.innerHTML = "<input name='" + id + "'/>"; + + // Inject it into the root element, check its status, and remove it quickly + var root = document.documentElement; + root.insertBefore( form, root.firstChild ); + + // The workaround has to do additional checks after a getElementById + // Which slows things down for other browsers (hence the branching) + if ( !!document.getElementById( id ) ) { + Expr.find.ID = function(match, context, isXML){ + if ( typeof context.getElementById !== "undefined" && !isXML ) { + var m = context.getElementById(match[1]); + return m ? m.id === match[1] || typeof m.getAttributeNode !== "undefined" && m.getAttributeNode("id").nodeValue === match[1] ? [m] : undefined : []; + } + }; + + Expr.filter.ID = function(elem, match){ + var node = typeof elem.getAttributeNode !== "undefined" && elem.getAttributeNode("id"); + return elem.nodeType === 1 && node && node.nodeValue === match; + }; + } + + root.removeChild( form ); +})(); + +(function(){ + // Check to see if the browser returns only elements + // when doing getElementsByTagName("*") + + // Create a fake element + var div = document.createElement("div"); + div.appendChild( document.createComment("") ); + + // Make sure no comments are found + if ( div.getElementsByTagName("*").length > 0 ) { + Expr.find.TAG = function(match, context){ + var results = context.getElementsByTagName(match[1]); + + // Filter out possible comments + if ( match[1] === "*" ) { + var tmp = []; + + for ( var i = 0; results[i]; i++ ) { + if ( results[i].nodeType === 1 ) { + tmp.push( results[i] ); + } + } + + results = tmp; + } + + return results; + }; + } + + // Check to see if an attribute returns normalized href attributes + div.innerHTML = "<a href='#'></a>"; + if ( div.firstChild && typeof div.firstChild.getAttribute !== "undefined" && + div.firstChild.getAttribute("href") !== "#" ) { + Expr.attrHandle.href = function(elem){ + return elem.getAttribute("href", 2); + }; + } +})(); + +if ( document.querySelectorAll ) (function(){ + var oldSizzle = Sizzle, div = document.createElement("div"); + div.innerHTML = "<p class='TEST'></p>"; + + // Safari can't handle uppercase or unicode characters when + // in quirks mode. + if ( div.querySelectorAll && div.querySelectorAll(".TEST").length === 0 ) { + return; + } + + Sizzle = function(query, context, extra, seed){ + context = context || document; + + // Only use querySelectorAll on non-XML documents + // (ID selectors don't work in non-HTML documents) + if ( !seed && context.nodeType === 9 && !isXML(context) ) { + try { + return makeArray( context.querySelectorAll(query), extra ); + } catch(e){} + } + + return oldSizzle(query, context, extra, seed); + }; + + Sizzle.find = oldSizzle.find; + Sizzle.filter = oldSizzle.filter; + Sizzle.selectors = oldSizzle.selectors; + Sizzle.matches = oldSizzle.matches; +})(); + +if ( document.getElementsByClassName && document.documentElement.getElementsByClassName ) (function(){ + var div = document.createElement("div"); + div.innerHTML = "<div class='test e'></div><div class='test'></div>"; + + // Opera can't find a second classname (in 9.6) + if ( div.getElementsByClassName("e").length === 0 ) + return; + + // Safari caches class attributes, doesn't catch changes (in 3.2) + div.lastChild.className = "e"; + + if ( div.getElementsByClassName("e").length === 1 ) + return; + + Expr.order.splice(1, 0, "CLASS"); + Expr.find.CLASS = function(match, context, isXML) { + if ( typeof context.getElementsByClassName !== "undefined" && !isXML ) { + return context.getElementsByClassName(match[1]); + } + }; +})(); + +function dirNodeCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) { + var sibDir = dir == "previousSibling" && !isXML; + for ( var i = 0, l = checkSet.length; i < l; i++ ) { + var elem = checkSet[i]; + if ( elem ) { + if ( sibDir && elem.nodeType === 1 ){ + elem.sizcache = doneName; + elem.sizset = i; + } + elem = elem[dir]; + var match = false; + + while ( elem ) { + if ( elem.sizcache === doneName ) { + match = checkSet[elem.sizset]; + break; + } + + if ( elem.nodeType === 1 && !isXML ){ + elem.sizcache = doneName; + elem.sizset = i; + } + + if ( elem.nodeName === cur ) { + match = elem; + break; + } + + elem = elem[dir]; + } + + checkSet[i] = match; + } + } +} + +function dirCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) { + var sibDir = dir == "previousSibling" && !isXML; + for ( var i = 0, l = checkSet.length; i < l; i++ ) { + var elem = checkSet[i]; + if ( elem ) { + if ( sibDir && elem.nodeType === 1 ) { + elem.sizcache = doneName; + elem.sizset = i; + } + elem = elem[dir]; + var match = false; + + while ( elem ) { + if ( elem.sizcache === doneName ) { + match = checkSet[elem.sizset]; + break; + } + + if ( elem.nodeType === 1 ) { + if ( !isXML ) { + elem.sizcache = doneName; + elem.sizset = i; + } + if ( typeof cur !== "string" ) { + if ( elem === cur ) { + match = true; + break; + } + + } else if ( Sizzle.filter( cur, [elem] ).length > 0 ) { + match = elem; + break; + } + } + + elem = elem[dir]; + } + + checkSet[i] = match; + } + } +} + +var contains = document.compareDocumentPosition ? function(a, b){ + return a.compareDocumentPosition(b) & 16; +} : function(a, b){ + return a !== b && (a.contains ? a.contains(b) : true); +}; + +var isXML = function(elem){ + return elem.nodeType === 9 && elem.documentElement.nodeName !== "HTML" || + !!elem.ownerDocument && isXML( elem.ownerDocument ); +}; + +var posProcess = function(selector, context){ + var tmpSet = [], later = "", match, + root = context.nodeType ? [context] : context; + + // Position selectors must be done after the filter + // And so must :not(positional) so we move all PSEUDOs to the end + while ( (match = Expr.match.PSEUDO.exec( selector )) ) { + later += match[0]; + selector = selector.replace( Expr.match.PSEUDO, "" ); + } + + selector = Expr.relative[selector] ? selector + "*" : selector; + + for ( var i = 0, l = root.length; i < l; i++ ) { + Sizzle( selector, root[i], tmpSet ); + } + + return Sizzle.filter( later, tmpSet ); +}; + +// EXPOSE +jQuery.find = Sizzle; +jQuery.filter = Sizzle.filter; +jQuery.expr = Sizzle.selectors; +jQuery.expr[":"] = jQuery.expr.filters; + +Sizzle.selectors.filters.hidden = function(elem){ + return elem.offsetWidth === 0 || elem.offsetHeight === 0; +}; + +Sizzle.selectors.filters.visible = function(elem){ + return elem.offsetWidth > 0 || elem.offsetHeight > 0; +}; + +Sizzle.selectors.filters.animated = function(elem){ + return jQuery.grep(jQuery.timers, function(fn){ + return elem === fn.elem; + }).length; +}; + +jQuery.multiFilter = function( expr, elems, not ) { + if ( not ) { + expr = ":not(" + expr + ")"; + } + + return Sizzle.matches(expr, elems); +}; + +jQuery.dir = function( elem, dir ){ + var matched = [], cur = elem[dir]; + while ( cur && cur != document ) { + if ( cur.nodeType == 1 ) + matched.push( cur ); + cur = cur[dir]; + } + return matched; +}; + +jQuery.nth = function(cur, result, dir, elem){ + result = result || 1; + var num = 0; + + for ( ; cur; cur = cur[dir] ) + if ( cur.nodeType == 1 && ++num == result ) + break; + + return cur; +}; + +jQuery.sibling = function(n, elem){ + var r = []; + + for ( ; n; n = n.nextSibling ) { + if ( n.nodeType == 1 && n != elem ) + r.push( n ); + } + + return r; +}; + +return; + +window.Sizzle = Sizzle; + +})(); +/* + * A number of helper functions used for managing events. + * Many of the ideas behind this code originated from + * Dean Edwards' addEvent library. + */ +jQuery.event = { + + // Bind an event to an element + // Original by Dean Edwards + add: function(elem, types, handler, data) { + if ( elem.nodeType == 3 || elem.nodeType == 8 ) + return; + + // For whatever reason, IE has trouble passing the window object + // around, causing it to be cloned in the process + if ( elem.setInterval && elem != window ) + elem = window; + + // Make sure that the function being executed has a unique ID + if ( !handler.guid ) + handler.guid = this.guid++; + + // if data is passed, bind to handler + if ( data !== undefined ) { + // Create temporary function pointer to original handler + var fn = handler; + + // Create unique handler function, wrapped around original handler + handler = this.proxy( fn ); + + // Store data in unique handler + handler.data = data; + } + + // Init the element's event structure + var events = jQuery.data(elem, "events") || jQuery.data(elem, "events", {}), + handle = jQuery.data(elem, "handle") || jQuery.data(elem, "handle", function(){ + // Handle the second event of a trigger and when + // an event is called after a page has unloaded + return typeof jQuery !== "undefined" && !jQuery.event.triggered ? + jQuery.event.handle.apply(arguments.callee.elem, arguments) : + undefined; + }); + // Add elem as a property of the handle function + // This is to prevent a memory leak with non-native + // event in IE. + handle.elem = elem; + + // Handle multiple events separated by a space + // jQuery(...).bind("mouseover mouseout", fn); + jQuery.each(types.split(/\s+/), function(index, type) { + // Namespaced event handlers + var namespaces = type.split("."); + type = namespaces.shift(); + handler.type = namespaces.slice().sort().join("."); + + // Get the current list of functions bound to this event + var handlers = events[type]; + + if ( jQuery.event.specialAll[type] ) + jQuery.event.specialAll[type].setup.call(elem, data, namespaces); + + // Init the event handler queue + if (!handlers) { + handlers = events[type] = {}; + + // Check for a special event handler + // Only use addEventListener/attachEvent if the special + // events handler returns false + if ( !jQuery.event.special[type] || jQuery.event.special[type].setup.call(elem, data, namespaces) === false ) { + // Bind the global event handler to the element + if (elem.addEventListener) + elem.addEventListener(type, handle, false); + else if (elem.attachEvent) + elem.attachEvent("on" + type, handle); + } + } + + // Add the function to the element's handler list + handlers[handler.guid] = handler; + + // Keep track of which events have been used, for global triggering + jQuery.event.global[type] = true; + }); + + // Nullify elem to prevent memory leaks in IE + elem = null; + }, + + guid: 1, + global: {}, + + // Detach an event or set of events from an element + remove: function(elem, types, handler) { + // don't do events on text and comment nodes + if ( elem.nodeType == 3 || elem.nodeType == 8 ) + return; + + var events = jQuery.data(elem, "events"), ret, index; + + if ( events ) { + // Unbind all events for the element + if ( types === undefined || (typeof types === "string" && types.charAt(0) == ".") ) + for ( var type in events ) + this.remove( elem, type + (types || "") ); + else { + // types is actually an event object here + if ( types.type ) { + handler = types.handler; + types = types.type; + } + + // Handle multiple events seperated by a space + // jQuery(...).unbind("mouseover mouseout", fn); + jQuery.each(types.split(/\s+/), function(index, type){ + // Namespaced event handlers + var namespaces = type.split("."); + type = namespaces.shift(); + var namespace = RegExp("(^|\\.)" + namespaces.slice().sort().join(".*\\.") + "(\\.|$)"); + + if ( events[type] ) { + // remove the given handler for the given type + if ( handler ) + delete events[type][handler.guid]; + + // remove all handlers for the given type + else + for ( var handle in events[type] ) + // Handle the removal of namespaced events + if ( namespace.test(events[type][handle].type) ) + delete events[type][handle]; + + if ( jQuery.event.specialAll[type] ) + jQuery.event.specialAll[type].teardown.call(elem, namespaces); + + // remove generic event handler if no more handlers exist + for ( ret in events[type] ) break; + if ( !ret ) { + if ( !jQuery.event.special[type] || jQuery.event.special[type].teardown.call(elem, namespaces) === false ) { + if (elem.removeEventListener) + elem.removeEventListener(type, jQuery.data(elem, "handle"), false); + else if (elem.detachEvent) + elem.detachEvent("on" + type, jQuery.data(elem, "handle")); + } + ret = null; + delete events[type]; + } + } + }); + } + + // Remove the expando if it's no longer used + for ( ret in events ) break; + if ( !ret ) { + var handle = jQuery.data( elem, "handle" ); + if ( handle ) handle.elem = null; + jQuery.removeData( elem, "events" ); + jQuery.removeData( elem, "handle" ); + } + } + }, + + // bubbling is internal + trigger: function( event, data, elem, bubbling ) { + // Event object or event type + var type = event.type || event; + + if( !bubbling ){ + event = typeof event === "object" ? + // jQuery.Event object + event[expando] ? event : + // Object literal + jQuery.extend( jQuery.Event(type), event ) : + // Just the event type (string) + jQuery.Event(type); + + if ( type.indexOf("!") >= 0 ) { + event.type = type = type.slice(0, -1); + event.exclusive = true; + } + + // Handle a global trigger + if ( !elem ) { + // Don't bubble custom events when global (to avoid too much overhead) + event.stopPropagation(); + // Only trigger if we've ever bound an event for it + if ( this.global[type] ) + jQuery.each( jQuery.cache, function(){ + if ( this.events && this.events[type] ) + jQuery.event.trigger( event, data, this.handle.elem ); + }); + } + + // Handle triggering a single element + + // don't do events on text and comment nodes + if ( !elem || elem.nodeType == 3 || elem.nodeType == 8 ) + return undefined; + + // Clean up in case it is reused + event.result = undefined; + event.target = elem; + + // Clone the incoming data, if any + data = jQuery.makeArray(data); + data.unshift( event ); + } + + event.currentTarget = elem; + + // Trigger the event, it is assumed that "handle" is a function + var handle = jQuery.data(elem, "handle"); + if ( handle ) + handle.apply( elem, data ); + + // Handle triggering native .onfoo handlers (and on links since we don't call .click() for links) + if ( (!elem[type] || (jQuery.nodeName(elem, 'a') && type == "click")) && elem["on"+type] && elem["on"+type].apply( elem, data ) === false ) + event.result = false; + + // Trigger the native events (except for clicks on links) + if ( !bubbling && elem[type] && !event.isDefaultPrevented() && !(jQuery.nodeName(elem, 'a') && type == "click") ) { + this.triggered = true; + try { + elem[ type ](); + // prevent IE from throwing an error for some hidden elements + } catch (e) {} + } + + this.triggered = false; + + if ( !event.isPropagationStopped() ) { + var parent = elem.parentNode || elem.ownerDocument; + if ( parent ) + jQuery.event.trigger(event, data, parent, true); + } + }, + + handle: function(event) { + // returned undefined or false + var all, handlers; + + event = arguments[0] = jQuery.event.fix( event || window.event ); + event.currentTarget = this; + + // Namespaced event handlers + var namespaces = event.type.split("."); + event.type = namespaces.shift(); + + // Cache this now, all = true means, any handler + all = !namespaces.length && !event.exclusive; + + var namespace = RegExp("(^|\\.)" + namespaces.slice().sort().join(".*\\.") + "(\\.|$)"); + + handlers = ( jQuery.data(this, "events") || {} )[event.type]; + + for ( var j in handlers ) { + var handler = handlers[j]; + + // Filter the functions by class + if ( all || namespace.test(handler.type) ) { + // Pass in a reference to the handler function itself + // So that we can later remove it + event.handler = handler; + event.data = handler.data; + + var ret = handler.apply(this, arguments); + + if( ret !== undefined ){ + event.result = ret; + if ( ret === false ) { + event.preventDefault(); + event.stopPropagation(); + } + } + + if( event.isImmediatePropagationStopped() ) + break; + + } + } + }, + + props: "altKey attrChange attrName bubbles button cancelable charCode clientX clientY ctrlKey currentTarget data detail eventPhase fromElement handler keyCode metaKey newValue originalTarget pageX pageY prevValue relatedNode relatedTarget screenX screenY shiftKey srcElement target toElement view wheelDelta which".split(" "), + + fix: function(event) { + if ( event[expando] ) + return event; + + // store a copy of the original event object + // and "clone" to set read-only properties + var originalEvent = event; + event = jQuery.Event( originalEvent ); + + for ( var i = this.props.length, prop; i; ){ + prop = this.props[ --i ]; + event[ prop ] = originalEvent[ prop ]; + } + + // Fix target property, if necessary + if ( !event.target ) + event.target = event.srcElement || document; // Fixes #1925 where srcElement might not be defined either + + // check if target is a textnode (safari) + if ( event.target.nodeType == 3 ) + event.target = event.target.parentNode; + + // Add relatedTarget, if necessary + if ( !event.relatedTarget && event.fromElement ) + event.relatedTarget = event.fromElement == event.target ? event.toElement : event.fromElement; + + // Calculate pageX/Y if missing and clientX/Y available + if ( event.pageX == null && event.clientX != null ) { + var doc = document.documentElement, body = document.body; + event.pageX = event.clientX + (doc && doc.scrollLeft || body && body.scrollLeft || 0) - (doc.clientLeft || 0); + event.pageY = event.clientY + (doc && doc.scrollTop || body && body.scrollTop || 0) - (doc.clientTop || 0); + } + + // Add which for key events + if ( !event.which && ((event.charCode || event.charCode === 0) ? event.charCode : event.keyCode) ) + event.which = event.charCode || event.keyCode; + + // Add metaKey to non-Mac browsers (use ctrl for PC's and Meta for Macs) + if ( !event.metaKey && event.ctrlKey ) + event.metaKey = event.ctrlKey; + + // Add which for click: 1 == left; 2 == middle; 3 == right + // Note: button is not normalized, so don't use it + if ( !event.which && event.button ) + event.which = (event.button & 1 ? 1 : ( event.button & 2 ? 3 : ( event.button & 4 ? 2 : 0 ) )); + + return event; + }, + + proxy: function( fn, proxy ){ + proxy = proxy || function(){ return fn.apply(this, arguments); }; + // Set the guid of unique handler to the same of original handler, so it can be removed + proxy.guid = fn.guid = fn.guid || proxy.guid || this.guid++; + // So proxy can be declared as an argument + return proxy; + }, + + special: { + ready: { + // Make sure the ready event is setup + setup: bindReady, + teardown: function() {} + } + }, + + specialAll: { + live: { + setup: function( selector, namespaces ){ + jQuery.event.add( this, namespaces[0], liveHandler ); + }, + teardown: function( namespaces ){ + if ( namespaces.length ) { + var remove = 0, name = RegExp("(^|\\.)" + namespaces[0] + "(\\.|$)"); + + jQuery.each( (jQuery.data(this, "events").live || {}), function(){ + if ( name.test(this.type) ) + remove++; + }); + + if ( remove < 1 ) + jQuery.event.remove( this, namespaces[0], liveHandler ); + } + } + } + } +}; + +jQuery.Event = function( src ){ + // Allow instantiation without the 'new' keyword + if( !this.preventDefault ) + return new jQuery.Event(src); + + // Event object + if( src && src.type ){ + this.originalEvent = src; + this.type = src.type; + // Event type + }else + this.type = src; + + // timeStamp is buggy for some events on Firefox(#3843) + // So we won't rely on the native value + this.timeStamp = now(); + + // Mark it as fixed + this[expando] = true; +}; + +function returnFalse(){ + return false; +} +function returnTrue(){ + return true; +} + +// jQuery.Event is based on DOM3 Events as specified by the ECMAScript Language Binding +// http://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html +jQuery.Event.prototype = { + preventDefault: function() { + this.isDefaultPrevented = returnTrue; + + var e = this.originalEvent; + if( !e ) + return; + // if preventDefault exists run it on the original event + if (e.preventDefault) + e.preventDefault(); + // otherwise set the returnValue property of the original event to false (IE) + e.returnValue = false; + }, + stopPropagation: function() { + this.isPropagationStopped = returnTrue; + + var e = this.originalEvent; + if( !e ) + return; + // if stopPropagation exists run it on the original event + if (e.stopPropagation) + e.stopPropagation(); + // otherwise set the cancelBubble property of the original event to true (IE) + e.cancelBubble = true; + }, + stopImmediatePropagation:function(){ + this.isImmediatePropagationStopped = returnTrue; + this.stopPropagation(); + }, + isDefaultPrevented: returnFalse, + isPropagationStopped: returnFalse, + isImmediatePropagationStopped: returnFalse +}; +// Checks if an event happened on an element within another element +// Used in jQuery.event.special.mouseenter and mouseleave handlers +var withinElement = function(event) { + // Check if mouse(over|out) are still within the same parent element + var parent = event.relatedTarget; + // Traverse up the tree + while ( parent && parent != this ) + try { parent = parent.parentNode; } + catch(e) { parent = this; } + + if( parent != this ){ + // set the correct event type + event.type = event.data; + // handle event if we actually just moused on to a non sub-element + jQuery.event.handle.apply( this, arguments ); + } +}; + +jQuery.each({ + mouseover: 'mouseenter', + mouseout: 'mouseleave' +}, function( orig, fix ){ + jQuery.event.special[ fix ] = { + setup: function(){ + jQuery.event.add( this, orig, withinElement, fix ); + }, + teardown: function(){ + jQuery.event.remove( this, orig, withinElement ); + } + }; +}); + +jQuery.fn.extend({ + bind: function( type, data, fn ) { + return type == "unload" ? this.one(type, data, fn) : this.each(function(){ + jQuery.event.add( this, type, fn || data, fn && data ); + }); + }, + + one: function( type, data, fn ) { + var one = jQuery.event.proxy( fn || data, function(event) { + jQuery(this).unbind(event, one); + return (fn || data).apply( this, arguments ); + }); + return this.each(function(){ + jQuery.event.add( this, type, one, fn && data); + }); + }, + + unbind: function( type, fn ) { + return this.each(function(){ + jQuery.event.remove( this, type, fn ); + }); + }, + + trigger: function( type, data ) { + return this.each(function(){ + jQuery.event.trigger( type, data, this ); + }); + }, + + triggerHandler: function( type, data ) { + if( this[0] ){ + var event = jQuery.Event(type); + event.preventDefault(); + event.stopPropagation(); + jQuery.event.trigger( event, data, this[0] ); + return event.result; + } + }, + + toggle: function( fn ) { + // Save reference to arguments for access in closure + var args = arguments, i = 1; + + // link all the functions, so any of them can unbind this click handler + while( i < args.length ) + jQuery.event.proxy( fn, args[i++] ); + + return this.click( jQuery.event.proxy( fn, function(event) { + // Figure out which function to execute + this.lastToggle = ( this.lastToggle || 0 ) % i; + + // Make sure that clicks stop + event.preventDefault(); + + // and execute the function + return args[ this.lastToggle++ ].apply( this, arguments ) || false; + })); + }, + + hover: function(fnOver, fnOut) { + return this.mouseenter(fnOver).mouseleave(fnOut); + }, + + ready: function(fn) { + // Attach the listeners + bindReady(); + + // If the DOM is already ready + if ( jQuery.isReady ) + // Execute the function immediately + fn.call( document, jQuery ); + + // Otherwise, remember the function for later + else + // Add the function to the wait list + jQuery.readyList.push( fn ); + + return this; + }, + + live: function( type, fn ){ + var proxy = jQuery.event.proxy( fn ); + proxy.guid += this.selector + type; + + jQuery(document).bind( liveConvert(type, this.selector), this.selector, proxy ); + + return this; + }, + + die: function( type, fn ){ + jQuery(document).unbind( liveConvert(type, this.selector), fn ? { guid: fn.guid + this.selector + type } : null ); + return this; + } +}); + +function liveHandler( event ){ + var check = RegExp("(^|\\.)" + event.type + "(\\.|$)"), + stop = true, + elems = []; + + jQuery.each(jQuery.data(this, "events").live || [], function(i, fn){ + if ( check.test(fn.type) ) { + var elem = jQuery(event.target).closest(fn.data)[0]; + if ( elem ) + elems.push({ elem: elem, fn: fn }); + } + }); + + elems.sort(function(a,b) { + return jQuery.data(a.elem, "closest") - jQuery.data(b.elem, "closest"); + }); + + jQuery.each(elems, function(){ + if ( this.fn.call(this.elem, event, this.fn.data) === false ) + return (stop = false); + }); + + return stop; +} + +function liveConvert(type, selector){ + return ["live", type, selector.replace(/\./g, "`").replace(/ /g, "|")].join("."); +} + +jQuery.extend({ + isReady: false, + readyList: [], + // Handle when the DOM is ready + ready: function() { + // Make sure that the DOM is not already loaded + if ( !jQuery.isReady ) { + // Remember that the DOM is ready + jQuery.isReady = true; + + // If there are functions bound, to execute + if ( jQuery.readyList ) { + // Execute all of them + jQuery.each( jQuery.readyList, function(){ + this.call( document, jQuery ); + }); + + // Reset the list of functions + jQuery.readyList = null; + } + + // Trigger any bound ready events + jQuery(document).triggerHandler("ready"); + } + } +}); + +var readyBound = false; + +function bindReady(){ + if ( readyBound ) return; + readyBound = true; + + // Mozilla, Opera and webkit nightlies currently support this event + if ( document.addEventListener ) { + // Use the handy event callback + document.addEventListener( "DOMContentLoaded", function(){ + document.removeEventListener( "DOMContentLoaded", arguments.callee, false ); + jQuery.ready(); + }, false ); + + // If IE event model is used + } else if ( document.attachEvent ) { + // ensure firing before onload, + // maybe late but safe also for iframes + document.attachEvent("onreadystatechange", function(){ + if ( document.readyState === "complete" ) { + document.detachEvent( "onreadystatechange", arguments.callee ); + jQuery.ready(); + } + }); + + // If IE and not an iframe + // continually check to see if the document is ready + if ( document.documentElement.doScroll && window == window.top ) (function(){ + if ( jQuery.isReady ) return; + + try { + // If IE is used, use the trick by Diego Perini + // http://javascript.nwbox.com/IEContentLoaded/ + document.documentElement.doScroll("left"); + } catch( error ) { + setTimeout( arguments.callee, 0 ); + return; + } + + // and execute any waiting functions + jQuery.ready(); + })(); + } + + // A fallback to window.onload, that will always work + jQuery.event.add( window, "load", jQuery.ready ); +} + +jQuery.each( ("blur,focus,load,resize,scroll,unload,click,dblclick," + + "mousedown,mouseup,mousemove,mouseover,mouseout,mouseenter,mouseleave," + + "change,select,submit,keydown,keypress,keyup,error").split(","), function(i, name){ + + // Handle event binding + jQuery.fn[name] = function(fn){ + return fn ? this.bind(name, fn) : this.trigger(name); + }; +}); + +// Prevent memory leaks in IE +// And prevent errors on refresh with events like mouseover in other browsers +// Window isn't included so as not to unbind existing unload events +jQuery( window ).bind( 'unload', function(){ + for ( var id in jQuery.cache ) + // Skip the window + if ( id != 1 && jQuery.cache[ id ].handle ) + jQuery.event.remove( jQuery.cache[ id ].handle.elem ); +}); +(function(){ + + jQuery.support = {}; + + var root = document.documentElement, + script = document.createElement("script"), + div = document.createElement("div"), + id = "script" + (new Date).getTime(); + + div.style.display = "none"; + div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object><param/></object>'; + + var all = div.getElementsByTagName("*"), + a = div.getElementsByTagName("a")[0]; + + // Can't get basic test support + if ( !all || !all.length || !a ) { + return; + } + + jQuery.support = { + // IE strips leading whitespace when .innerHTML is used + leadingWhitespace: div.firstChild.nodeType == 3, + + // Make sure that tbody elements aren't automatically inserted + // IE will insert them into empty tables + tbody: !div.getElementsByTagName("tbody").length, + + // Make sure that you can get all elements in an <object> element + // IE 7 always returns no results + objectAll: !!div.getElementsByTagName("object")[0] + .getElementsByTagName("*").length, + + // Make sure that link elements get serialized correctly by innerHTML + // This requires a wrapper element in IE + htmlSerialize: !!div.getElementsByTagName("link").length, + + // Get the style information from getAttribute + // (IE uses .cssText insted) + style: /red/.test( a.getAttribute("style") ), + + // Make sure that URLs aren't manipulated + // (IE normalizes it by default) + hrefNormalized: a.getAttribute("href") === "/a", + + // Make sure that element opacity exists + // (IE uses filter instead) + opacity: a.style.opacity === "0.5", + + // Verify style float existence + // (IE uses styleFloat instead of cssFloat) + cssFloat: !!a.style.cssFloat, + + // Will be defined later + scriptEval: false, + noCloneEvent: true, + boxModel: null + }; + + script.type = "text/javascript"; + try { + script.appendChild( document.createTextNode( "window." + id + "=1;" ) ); + } catch(e){} + + root.insertBefore( script, root.firstChild ); + + // Make sure that the execution of code works by injecting a script + // tag with appendChild/createTextNode + // (IE doesn't support this, fails, and uses .text instead) + if ( window[ id ] ) { + jQuery.support.scriptEval = true; + delete window[ id ]; + } + + root.removeChild( script ); + + if ( div.attachEvent && div.fireEvent ) { + div.attachEvent("onclick", function(){ + // Cloning a node shouldn't copy over any + // bound event handlers (IE does this) + jQuery.support.noCloneEvent = false; + div.detachEvent("onclick", arguments.callee); + }); + div.cloneNode(true).fireEvent("onclick"); + } + + // Figure out if the W3C box model works as expected + // document.body must exist before we can do this + jQuery(function(){ + var div = document.createElement("div"); + div.style.width = div.style.paddingLeft = "1px"; + + document.body.appendChild( div ); + jQuery.boxModel = jQuery.support.boxModel = div.offsetWidth === 2; + document.body.removeChild( div ).style.display = 'none'; + }); +})(); + +var styleFloat = jQuery.support.cssFloat ? "cssFloat" : "styleFloat"; + +jQuery.props = { + "for": "htmlFor", + "class": "className", + "float": styleFloat, + cssFloat: styleFloat, + styleFloat: styleFloat, + readonly: "readOnly", + maxlength: "maxLength", + cellspacing: "cellSpacing", + rowspan: "rowSpan", + tabindex: "tabIndex" +}; +jQuery.fn.extend({ + // Keep a copy of the old load + _load: jQuery.fn.load, + + load: function( url, params, callback ) { + if ( typeof url !== "string" ) + return this._load( url ); + + var off = url.indexOf(" "); + if ( off >= 0 ) { + var selector = url.slice(off, url.length); + url = url.slice(0, off); + } + + // Default to a GET request + var type = "GET"; + + // If the second parameter was provided + if ( params ) + // If it's a function + if ( jQuery.isFunction( params ) ) { + // We assume that it's the callback + callback = params; + params = null; + + // Otherwise, build a param string + } else if( typeof params === "object" ) { + params = jQuery.param( params ); + type = "POST"; + } + + var self = this; + + // Request the remote document + jQuery.ajax({ + url: url, + type: type, + dataType: "html", + data: params, + complete: function(res, status){ + // If successful, inject the HTML into all the matched elements + if ( status == "success" || status == "notmodified" ) + // See if a selector was specified + self.html( selector ? + // Create a dummy div to hold the results + jQuery("<div/>") + // inject the contents of the document in, removing the scripts + // to avoid any 'Permission Denied' errors in IE + .append(res.responseText.replace(/<script(.|\s)*?\/script>/g, "")) + + // Locate the specified elements + .find(selector) : + + // If not, just inject the full result + res.responseText ); + + if( callback ) + self.each( callback, [res.responseText, status, res] ); + } + }); + return this; + }, + + serialize: function() { + return jQuery.param(this.serializeArray()); + }, + serializeArray: function() { + return this.map(function(){ + return this.elements ? jQuery.makeArray(this.elements) : this; + }) + .filter(function(){ + return this.name && !this.disabled && + (this.checked || /select|textarea/i.test(this.nodeName) || + /text|hidden|password|search/i.test(this.type)); + }) + .map(function(i, elem){ + var val = jQuery(this).val(); + return val == null ? null : + jQuery.isArray(val) ? + jQuery.map( val, function(val, i){ + return {name: elem.name, value: val}; + }) : + {name: elem.name, value: val}; + }).get(); + } +}); + +// Attach a bunch of functions for handling common AJAX events +jQuery.each( "ajaxStart,ajaxStop,ajaxComplete,ajaxError,ajaxSuccess,ajaxSend".split(","), function(i,o){ + jQuery.fn[o] = function(f){ + return this.bind(o, f); + }; +}); + +var jsc = now(); + +jQuery.extend({ + + get: function( url, data, callback, type ) { + // shift arguments if data argument was ommited + if ( jQuery.isFunction( data ) ) { + callback = data; + data = null; + } + + return jQuery.ajax({ + type: "GET", + url: url, + data: data, + success: callback, + dataType: type + }); + }, + + getScript: function( url, callback ) { + return jQuery.get(url, null, callback, "script"); + }, + + getJSON: function( url, data, callback ) { + return jQuery.get(url, data, callback, "json"); + }, + + post: function( url, data, callback, type ) { + if ( jQuery.isFunction( data ) ) { + callback = data; + data = {}; + } + + return jQuery.ajax({ + type: "POST", + url: url, + data: data, + success: callback, + dataType: type + }); + }, + + ajaxSetup: function( settings ) { + jQuery.extend( jQuery.ajaxSettings, settings ); + }, + + ajaxSettings: { + url: location.href, + global: true, + type: "GET", + contentType: "application/x-www-form-urlencoded", + processData: true, + async: true, + /* + timeout: 0, + data: null, + username: null, + password: null, + */ + // Create the request object; Microsoft failed to properly + // implement the XMLHttpRequest in IE7, so we use the ActiveXObject when it is available + // This function can be overriden by calling jQuery.ajaxSetup + xhr:function(){ + return window.ActiveXObject ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest(); + }, + accepts: { + xml: "application/xml, text/xml", + html: "text/html", + script: "text/javascript, application/javascript", + json: "application/json, text/javascript", + text: "text/plain", + _default: "*/*" + } + }, + + // Last-Modified header cache for next request + lastModified: {}, + + ajax: function( s ) { + // Extend the settings, but re-extend 's' so that it can be + // checked again later (in the test suite, specifically) + s = jQuery.extend(true, s, jQuery.extend(true, {}, jQuery.ajaxSettings, s)); + + var jsonp, jsre = /=\?(&|$)/g, status, data, + type = s.type.toUpperCase(); + + // convert data if not already a string + if ( s.data && s.processData && typeof s.data !== "string" ) + s.data = jQuery.param(s.data); + + // Handle JSONP Parameter Callbacks + if ( s.dataType == "jsonp" ) { + if ( type == "GET" ) { + if ( !s.url.match(jsre) ) + s.url += (s.url.match(/\?/) ? "&" : "?") + (s.jsonp || "callback") + "=?"; + } else if ( !s.data || !s.data.match(jsre) ) + s.data = (s.data ? s.data + "&" : "") + (s.jsonp || "callback") + "=?"; + s.dataType = "json"; + } + + // Build temporary JSONP function + if ( s.dataType == "json" && (s.data && s.data.match(jsre) || s.url.match(jsre)) ) { + jsonp = "jsonp" + jsc++; + + // Replace the =? sequence both in the query string and the data + if ( s.data ) + s.data = (s.data + "").replace(jsre, "=" + jsonp + "$1"); + s.url = s.url.replace(jsre, "=" + jsonp + "$1"); + + // We need to make sure + // that a JSONP style response is executed properly + s.dataType = "script"; + + // Handle JSONP-style loading + window[ jsonp ] = function(tmp){ + data = tmp; + success(); + complete(); + // Garbage collect + window[ jsonp ] = undefined; + try{ delete window[ jsonp ]; } catch(e){} + if ( head ) + head.removeChild( script ); + }; + } + + if ( s.dataType == "script" && s.cache == null ) + s.cache = false; + + if ( s.cache === false && type == "GET" ) { + var ts = now(); + // try replacing _= if it is there + var ret = s.url.replace(/(\?|&)_=.*?(&|$)/, "$1_=" + ts + "$2"); + // if nothing was replaced, add timestamp to the end + s.url = ret + ((ret == s.url) ? (s.url.match(/\?/) ? "&" : "?") + "_=" + ts : ""); + } + + // If data is available, append data to url for get requests + if ( s.data && type == "GET" ) { + s.url += (s.url.match(/\?/) ? "&" : "?") + s.data; + + // IE likes to send both get and post data, prevent this + s.data = null; + } + + // Watch for a new set of requests + if ( s.global && ! jQuery.active++ ) + jQuery.event.trigger( "ajaxStart" ); + + // Matches an absolute URL, and saves the domain + var parts = /^(\w+:)?\/\/([^\/?#]+)/.exec( s.url ); + + // If we're requesting a remote document + // and trying to load JSON or Script with a GET + if ( s.dataType == "script" && type == "GET" && parts + && ( parts[1] && parts[1] != location.protocol || parts[2] != location.host )){ + + var head = document.getElementsByTagName("head")[0]; + var script = document.createElement("script"); + script.src = s.url; + if (s.scriptCharset) + script.charset = s.scriptCharset; + + // Handle Script loading + if ( !jsonp ) { + var done = false; + + // Attach handlers for all browsers + script.onload = script.onreadystatechange = function(){ + if ( !done && (!this.readyState || + this.readyState == "loaded" || this.readyState == "complete") ) { + done = true; + success(); + complete(); + + // Handle memory leak in IE + script.onload = script.onreadystatechange = null; + head.removeChild( script ); + } + }; + } + + head.appendChild(script); + + // We handle everything using the script element injection + return undefined; + } + + var requestDone = false; + + // Create the request object + var xhr = s.xhr(); + + // Open the socket + // Passing null username, generates a login popup on Opera (#2865) + if( s.username ) + xhr.open(type, s.url, s.async, s.username, s.password); + else + xhr.open(type, s.url, s.async); + + // Need an extra try/catch for cross domain requests in Firefox 3 + try { + // Set the correct header, if data is being sent + if ( s.data ) + xhr.setRequestHeader("Content-Type", s.contentType); + + // Set the If-Modified-Since header, if ifModified mode. + if ( s.ifModified ) + xhr.setRequestHeader("If-Modified-Since", + jQuery.lastModified[s.url] || "Thu, 01 Jan 1970 00:00:00 GMT" ); + + // Set header so the called script knows that it's an XMLHttpRequest + xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest"); + + // Set the Accepts header for the server, depending on the dataType + xhr.setRequestHeader("Accept", s.dataType && s.accepts[ s.dataType ] ? + s.accepts[ s.dataType ] + ", */*" : + s.accepts._default ); + } catch(e){} + + // Allow custom headers/mimetypes and early abort + if ( s.beforeSend && s.beforeSend(xhr, s) === false ) { + // Handle the global AJAX counter + if ( s.global && ! --jQuery.active ) + jQuery.event.trigger( "ajaxStop" ); + // close opended socket + xhr.abort(); + return false; + } + + if ( s.global ) + jQuery.event.trigger("ajaxSend", [xhr, s]); + + // Wait for a response to come back + var onreadystatechange = function(isTimeout){ + // The request was aborted, clear the interval and decrement jQuery.active + if (xhr.readyState == 0) { + if (ival) { + // clear poll interval + clearInterval(ival); + ival = null; + // Handle the global AJAX counter + if ( s.global && ! --jQuery.active ) + jQuery.event.trigger( "ajaxStop" ); + } + // The transfer is complete and the data is available, or the request timed out + } else if ( !requestDone && xhr && (xhr.readyState == 4 || isTimeout == "timeout") ) { + requestDone = true; + + // clear poll interval + if (ival) { + clearInterval(ival); + ival = null; + } + + status = isTimeout == "timeout" ? "timeout" : + !jQuery.httpSuccess( xhr ) ? "error" : + s.ifModified && jQuery.httpNotModified( xhr, s.url ) ? "notmodified" : + "success"; + + if ( status == "success" ) { + // Watch for, and catch, XML document parse errors + try { + // process the data (runs the xml through httpData regardless of callback) + data = jQuery.httpData( xhr, s.dataType, s ); + } catch(e) { + status = "parsererror"; + } + } + + // Make sure that the request was successful or notmodified + if ( status == "success" ) { + // Cache Last-Modified header, if ifModified mode. + var modRes; + try { + modRes = xhr.getResponseHeader("Last-Modified"); + } catch(e) {} // swallow exception thrown by FF if header is not available + + if ( s.ifModified && modRes ) + jQuery.lastModified[s.url] = modRes; + + // JSONP handles its own success callback + if ( !jsonp ) + success(); + } else + jQuery.handleError(s, xhr, status); + + // Fire the complete handlers + complete(); + + if ( isTimeout ) + xhr.abort(); + + // Stop memory leaks + if ( s.async ) + xhr = null; + } + }; + + if ( s.async ) { + // don't attach the handler to the request, just poll it instead + var ival = setInterval(onreadystatechange, 13); + + // Timeout checker + if ( s.timeout > 0 ) + setTimeout(function(){ + // Check to see if the request is still happening + if ( xhr && !requestDone ) + onreadystatechange( "timeout" ); + }, s.timeout); + } + + // Send the data + try { + xhr.send(s.data); + } catch(e) { + jQuery.handleError(s, xhr, null, e); + } + + // firefox 1.5 doesn't fire statechange for sync requests + if ( !s.async ) + onreadystatechange(); + + function success(){ + // If a local callback was specified, fire it and pass it the data + if ( s.success ) + s.success( data, status ); + + // Fire the global callback + if ( s.global ) + jQuery.event.trigger( "ajaxSuccess", [xhr, s] ); + } + + function complete(){ + // Process result + if ( s.complete ) + s.complete(xhr, status); + + // The request was completed + if ( s.global ) + jQuery.event.trigger( "ajaxComplete", [xhr, s] ); + + // Handle the global AJAX counter + if ( s.global && ! --jQuery.active ) + jQuery.event.trigger( "ajaxStop" ); + } + + // return XMLHttpRequest to allow aborting the request etc. + return xhr; + }, + + handleError: function( s, xhr, status, e ) { + // If a local callback was specified, fire it + if ( s.error ) s.error( xhr, status, e ); + + // Fire the global callback + if ( s.global ) + jQuery.event.trigger( "ajaxError", [xhr, s, e] ); + }, + + // Counter for holding the number of active queries + active: 0, + + // Determines if an XMLHttpRequest was successful or not + httpSuccess: function( xhr ) { + try { + // IE error sometimes returns 1223 when it should be 204 so treat it as success, see #1450 + return !xhr.status && location.protocol == "file:" || + ( xhr.status >= 200 && xhr.status < 300 ) || xhr.status == 304 || xhr.status == 1223; + } catch(e){} + return false; + }, + + // Determines if an XMLHttpRequest returns NotModified + httpNotModified: function( xhr, url ) { + try { + var xhrRes = xhr.getResponseHeader("Last-Modified"); + + // Firefox always returns 200. check Last-Modified date + return xhr.status == 304 || xhrRes == jQuery.lastModified[url]; + } catch(e){} + return false; + }, + + httpData: function( xhr, type, s ) { + var ct = xhr.getResponseHeader("content-type"), + xml = type == "xml" || !type && ct && ct.indexOf("xml") >= 0, + data = xml ? xhr.responseXML : xhr.responseText; + + if ( xml && data.documentElement.tagName == "parsererror" ) + throw "parsererror"; + + // Allow a pre-filtering function to sanitize the response + // s != null is checked to keep backwards compatibility + if( s && s.dataFilter ) + data = s.dataFilter( data, type ); + + // The filter can actually parse the response + if( typeof data === "string" ){ + + // If the type is "script", eval it in global context + if ( type == "script" ) + jQuery.globalEval( data ); + + // Get the JavaScript object, if JSON is used. + if ( type == "json" ) + data = window["eval"]("(" + data + ")"); + } + + return data; + }, + + // Serialize an array of form elements or a set of + // key/values into a query string + param: function( a ) { + var s = [ ]; + + function add( key, value ){ + s[ s.length ] = encodeURIComponent(key) + '=' + encodeURIComponent(value); + }; + + // If an array was passed in, assume that it is an array + // of form elements + if ( jQuery.isArray(a) || a.jquery ) + // Serialize the form elements + jQuery.each( a, function(){ + add( this.name, this.value ); + }); + + // Otherwise, assume that it's an object of key/value pairs + else + // Serialize the key/values + for ( var j in a ) + // If the value is an array then the key names need to be repeated + if ( jQuery.isArray(a[j]) ) + jQuery.each( a[j], function(){ + add( j, this ); + }); + else + add( j, jQuery.isFunction(a[j]) ? a[j]() : a[j] ); + + // Return the resulting serialization + return s.join("&").replace(/%20/g, "+"); + } + +}); +var elemdisplay = {}, + timerId, + fxAttrs = [ + // height animations + [ "height", "marginTop", "marginBottom", "paddingTop", "paddingBottom" ], + // width animations + [ "width", "marginLeft", "marginRight", "paddingLeft", "paddingRight" ], + // opacity animations + [ "opacity" ] + ]; + +function genFx( type, num ){ + var obj = {}; + jQuery.each( fxAttrs.concat.apply([], fxAttrs.slice(0,num)), function(){ + obj[ this ] = type; + }); + return obj; +} + +jQuery.fn.extend({ + show: function(speed,callback){ + if ( speed ) { + return this.animate( genFx("show", 3), speed, callback); + } else { + for ( var i = 0, l = this.length; i < l; i++ ){ + var old = jQuery.data(this[i], "olddisplay"); + + this[i].style.display = old || ""; + + if ( jQuery.css(this[i], "display") === "none" ) { + var tagName = this[i].tagName, display; + + if ( elemdisplay[ tagName ] ) { + display = elemdisplay[ tagName ]; + } else { + var elem = jQuery("<" + tagName + " />").appendTo("body"); + + display = elem.css("display"); + if ( display === "none" ) + display = "block"; + + elem.remove(); + + elemdisplay[ tagName ] = display; + } + + jQuery.data(this[i], "olddisplay", display); + } + } + + // Set the display of the elements in a second loop + // to avoid the constant reflow + for ( var i = 0, l = this.length; i < l; i++ ){ + this[i].style.display = jQuery.data(this[i], "olddisplay") || ""; + } + + return this; + } + }, + + hide: function(speed,callback){ + if ( speed ) { + return this.animate( genFx("hide", 3), speed, callback); + } else { + for ( var i = 0, l = this.length; i < l; i++ ){ + var old = jQuery.data(this[i], "olddisplay"); + if ( !old && old !== "none" ) + jQuery.data(this[i], "olddisplay", jQuery.css(this[i], "display")); + } + + // Set the display of the elements in a second loop + // to avoid the constant reflow + for ( var i = 0, l = this.length; i < l; i++ ){ + this[i].style.display = "none"; + } + + return this; + } + }, + + // Save the old toggle function + _toggle: jQuery.fn.toggle, + + toggle: function( fn, fn2 ){ + var bool = typeof fn === "boolean"; + + return jQuery.isFunction(fn) && jQuery.isFunction(fn2) ? + this._toggle.apply( this, arguments ) : + fn == null || bool ? + this.each(function(){ + var state = bool ? fn : jQuery(this).is(":hidden"); + jQuery(this)[ state ? "show" : "hide" ](); + }) : + this.animate(genFx("toggle", 3), fn, fn2); + }, + + fadeTo: function(speed,to,callback){ + return this.animate({opacity: to}, speed, callback); + }, + + animate: function( prop, speed, easing, callback ) { + var optall = jQuery.speed(speed, easing, callback); + + return this[ optall.queue === false ? "each" : "queue" ](function(){ + + var opt = jQuery.extend({}, optall), p, + hidden = this.nodeType == 1 && jQuery(this).is(":hidden"), + self = this; + + for ( p in prop ) { + if ( prop[p] == "hide" && hidden || prop[p] == "show" && !hidden ) + return opt.complete.call(this); + + if ( ( p == "height" || p == "width" ) && this.style ) { + // Store display property + opt.display = jQuery.css(this, "display"); + + // Make sure that nothing sneaks out + opt.overflow = this.style.overflow; + } + } + + if ( opt.overflow != null ) + this.style.overflow = "hidden"; + + opt.curAnim = jQuery.extend({}, prop); + + jQuery.each( prop, function(name, val){ + var e = new jQuery.fx( self, opt, name ); + + if ( /toggle|show|hide/.test(val) ) + e[ val == "toggle" ? hidden ? "show" : "hide" : val ]( prop ); + else { + var parts = val.toString().match(/^([+-]=)?([\d+-.]+)(.*)$/), + start = e.cur(true) || 0; + + if ( parts ) { + var end = parseFloat(parts[2]), + unit = parts[3] || "px"; + + // We need to compute starting value + if ( unit != "px" ) { + self.style[ name ] = (end || 1) + unit; + start = ((end || 1) / e.cur(true)) * start; + self.style[ name ] = start + unit; + } + + // If a +=/-= token was provided, we're doing a relative animation + if ( parts[1] ) + end = ((parts[1] == "-=" ? -1 : 1) * end) + start; + + e.custom( start, end, unit ); + } else + e.custom( start, val, "" ); + } + }); + + // For JS strict compliance + return true; + }); + }, + + stop: function(clearQueue, gotoEnd){ + var timers = jQuery.timers; + + if (clearQueue) + this.queue([]); + + this.each(function(){ + // go in reverse order so anything added to the queue during the loop is ignored + for ( var i = timers.length - 1; i >= 0; i-- ) + if ( timers[i].elem == this ) { + if (gotoEnd) + // force the next step to be the last + timers[i](true); + timers.splice(i, 1); + } + }); + + // start the next in the queue if the last step wasn't forced + if (!gotoEnd) + this.dequeue(); + + return this; + } + +}); + +// Generate shortcuts for custom animations +jQuery.each({ + slideDown: genFx("show", 1), + slideUp: genFx("hide", 1), + slideToggle: genFx("toggle", 1), + fadeIn: { opacity: "show" }, + fadeOut: { opacity: "hide" } +}, function( name, props ){ + jQuery.fn[ name ] = function( speed, callback ){ + return this.animate( props, speed, callback ); + }; +}); + +jQuery.extend({ + + speed: function(speed, easing, fn) { + var opt = typeof speed === "object" ? speed : { + complete: fn || !fn && easing || + jQuery.isFunction( speed ) && speed, + duration: speed, + easing: fn && easing || easing && !jQuery.isFunction(easing) && easing + }; + + opt.duration = jQuery.fx.off ? 0 : typeof opt.duration === "number" ? opt.duration : + jQuery.fx.speeds[opt.duration] || jQuery.fx.speeds._default; + + // Queueing + opt.old = opt.complete; + opt.complete = function(){ + if ( opt.queue !== false ) + jQuery(this).dequeue(); + if ( jQuery.isFunction( opt.old ) ) + opt.old.call( this ); + }; + + return opt; + }, + + easing: { + linear: function( p, n, firstNum, diff ) { + return firstNum + diff * p; + }, + swing: function( p, n, firstNum, diff ) { + return ((-Math.cos(p*Math.PI)/2) + 0.5) * diff + firstNum; + } + }, + + timers: [], + + fx: function( elem, options, prop ){ + this.options = options; + this.elem = elem; + this.prop = prop; + + if ( !options.orig ) + options.orig = {}; + } + +}); + +jQuery.fx.prototype = { + + // Simple function for setting a style value + update: function(){ + if ( this.options.step ) + this.options.step.call( this.elem, this.now, this ); + + (jQuery.fx.step[this.prop] || jQuery.fx.step._default)( this ); + + // Set display property to block for height/width animations + if ( ( this.prop == "height" || this.prop == "width" ) && this.elem.style ) + this.elem.style.display = "block"; + }, + + // Get the current size + cur: function(force){ + if ( this.elem[this.prop] != null && (!this.elem.style || this.elem.style[this.prop] == null) ) + return this.elem[ this.prop ]; + + var r = parseFloat(jQuery.css(this.elem, this.prop, force)); + return r && r > -10000 ? r : parseFloat(jQuery.curCSS(this.elem, this.prop)) || 0; + }, + + // Start an animation from one number to another + custom: function(from, to, unit){ + this.startTime = now(); + this.start = from; + this.end = to; + this.unit = unit || this.unit || "px"; + this.now = this.start; + this.pos = this.state = 0; + + var self = this; + function t(gotoEnd){ + return self.step(gotoEnd); + } + + t.elem = this.elem; + + if ( t() && jQuery.timers.push(t) && !timerId ) { + timerId = setInterval(function(){ + var timers = jQuery.timers; + + for ( var i = 0; i < timers.length; i++ ) + if ( !timers[i]() ) + timers.splice(i--, 1); + + if ( !timers.length ) { + clearInterval( timerId ); + timerId = undefined; + } + }, 13); + } + }, + + // Simple 'show' function + show: function(){ + // Remember where we started, so that we can go back to it later + this.options.orig[this.prop] = jQuery.attr( this.elem.style, this.prop ); + this.options.show = true; + + // Begin the animation + // Make sure that we start at a small width/height to avoid any + // flash of content + this.custom(this.prop == "width" || this.prop == "height" ? 1 : 0, this.cur()); + + // Start by showing the element + jQuery(this.elem).show(); + }, + + // Simple 'hide' function + hide: function(){ + // Remember where we started, so that we can go back to it later + this.options.orig[this.prop] = jQuery.attr( this.elem.style, this.prop ); + this.options.hide = true; + + // Begin the animation + this.custom(this.cur(), 0); + }, + + // Each step of an animation + step: function(gotoEnd){ + var t = now(); + + if ( gotoEnd || t >= this.options.duration + this.startTime ) { + this.now = this.end; + this.pos = this.state = 1; + this.update(); + + this.options.curAnim[ this.prop ] = true; + + var done = true; + for ( var i in this.options.curAnim ) + if ( this.options.curAnim[i] !== true ) + done = false; + + if ( done ) { + if ( this.options.display != null ) { + // Reset the overflow + this.elem.style.overflow = this.options.overflow; + + // Reset the display + this.elem.style.display = this.options.display; + if ( jQuery.css(this.elem, "display") == "none" ) + this.elem.style.display = "block"; + } + + // Hide the element if the "hide" operation was done + if ( this.options.hide ) + jQuery(this.elem).hide(); + + // Reset the properties, if the item has been hidden or shown + if ( this.options.hide || this.options.show ) + for ( var p in this.options.curAnim ) + jQuery.attr(this.elem.style, p, this.options.orig[p]); + + // Execute the complete function + this.options.complete.call( this.elem ); + } + + return false; + } else { + var n = t - this.startTime; + this.state = n / this.options.duration; + + // Perform the easing function, defaults to swing + this.pos = jQuery.easing[this.options.easing || (jQuery.easing.swing ? "swing" : "linear")](this.state, n, 0, 1, this.options.duration); + this.now = this.start + ((this.end - this.start) * this.pos); + + // Perform the next step of the animation + this.update(); + } + + return true; + } + +}; + +jQuery.extend( jQuery.fx, { + speeds:{ + slow: 600, + fast: 200, + // Default speed + _default: 400 + }, + step: { + + opacity: function(fx){ + jQuery.attr(fx.elem.style, "opacity", fx.now); + }, + + _default: function(fx){ + if ( fx.elem.style && fx.elem.style[ fx.prop ] != null ) + fx.elem.style[ fx.prop ] = fx.now + fx.unit; + else + fx.elem[ fx.prop ] = fx.now; + } + } +}); +if ( document.documentElement["getBoundingClientRect"] ) + jQuery.fn.offset = function() { + if ( !this[0] ) return { top: 0, left: 0 }; + if ( this[0] === this[0].ownerDocument.body ) return jQuery.offset.bodyOffset( this[0] ); + var box = this[0].getBoundingClientRect(), doc = this[0].ownerDocument, body = doc.body, docElem = doc.documentElement, + clientTop = docElem.clientTop || body.clientTop || 0, clientLeft = docElem.clientLeft || body.clientLeft || 0, + top = box.top + (self.pageYOffset || jQuery.boxModel && docElem.scrollTop || body.scrollTop ) - clientTop, + left = box.left + (self.pageXOffset || jQuery.boxModel && docElem.scrollLeft || body.scrollLeft) - clientLeft; + return { top: top, left: left }; + }; +else + jQuery.fn.offset = function() { + if ( !this[0] ) return { top: 0, left: 0 }; + if ( this[0] === this[0].ownerDocument.body ) return jQuery.offset.bodyOffset( this[0] ); + jQuery.offset.initialized || jQuery.offset.initialize(); + + var elem = this[0], offsetParent = elem.offsetParent, prevOffsetParent = elem, + doc = elem.ownerDocument, computedStyle, docElem = doc.documentElement, + body = doc.body, defaultView = doc.defaultView, + prevComputedStyle = defaultView.getComputedStyle(elem, null), + top = elem.offsetTop, left = elem.offsetLeft; + + while ( (elem = elem.parentNode) && elem !== body && elem !== docElem ) { + computedStyle = defaultView.getComputedStyle(elem, null); + top -= elem.scrollTop, left -= elem.scrollLeft; + if ( elem === offsetParent ) { + top += elem.offsetTop, left += elem.offsetLeft; + if ( jQuery.offset.doesNotAddBorder && !(jQuery.offset.doesAddBorderForTableAndCells && /^t(able|d|h)$/i.test(elem.tagName)) ) + top += parseInt( computedStyle.borderTopWidth, 10) || 0, + left += parseInt( computedStyle.borderLeftWidth, 10) || 0; + prevOffsetParent = offsetParent, offsetParent = elem.offsetParent; + } + if ( jQuery.offset.subtractsBorderForOverflowNotVisible && computedStyle.overflow !== "visible" ) + top += parseInt( computedStyle.borderTopWidth, 10) || 0, + left += parseInt( computedStyle.borderLeftWidth, 10) || 0; + prevComputedStyle = computedStyle; + } + + if ( prevComputedStyle.position === "relative" || prevComputedStyle.position === "static" ) + top += body.offsetTop, + left += body.offsetLeft; + + if ( prevComputedStyle.position === "fixed" ) + top += Math.max(docElem.scrollTop, body.scrollTop), + left += Math.max(docElem.scrollLeft, body.scrollLeft); + + return { top: top, left: left }; + }; + +jQuery.offset = { + initialize: function() { + if ( this.initialized ) return; + var body = document.body, container = document.createElement('div'), innerDiv, checkDiv, table, td, rules, prop, bodyMarginTop = body.style.marginTop, + html = '<div style="position:absolute;top:0;left:0;margin:0;border:5px solid #000;padding:0;width:1px;height:1px;"><div></div></div><table style="position:absolute;top:0;left:0;margin:0;border:5px solid #000;padding:0;width:1px;height:1px;" cellpadding="0" cellspacing="0"><tr><td></td></tr></table>'; + + rules = { position: 'absolute', top: 0, left: 0, margin: 0, border: 0, width: '1px', height: '1px', visibility: 'hidden' }; + for ( prop in rules ) container.style[prop] = rules[prop]; + + container.innerHTML = html; + body.insertBefore(container, body.firstChild); + innerDiv = container.firstChild, checkDiv = innerDiv.firstChild, td = innerDiv.nextSibling.firstChild.firstChild; + + this.doesNotAddBorder = (checkDiv.offsetTop !== 5); + this.doesAddBorderForTableAndCells = (td.offsetTop === 5); + + innerDiv.style.overflow = 'hidden', innerDiv.style.position = 'relative'; + this.subtractsBorderForOverflowNotVisible = (checkDiv.offsetTop === -5); + + body.style.marginTop = '1px'; + this.doesNotIncludeMarginInBodyOffset = (body.offsetTop === 0); + body.style.marginTop = bodyMarginTop; + + body.removeChild(container); + this.initialized = true; + }, + + bodyOffset: function(body) { + jQuery.offset.initialized || jQuery.offset.initialize(); + var top = body.offsetTop, left = body.offsetLeft; + if ( jQuery.offset.doesNotIncludeMarginInBodyOffset ) + top += parseInt( jQuery.curCSS(body, 'marginTop', true), 10 ) || 0, + left += parseInt( jQuery.curCSS(body, 'marginLeft', true), 10 ) || 0; + return { top: top, left: left }; + } +}; + + +jQuery.fn.extend({ + position: function() { + var left = 0, top = 0, results; + + if ( this[0] ) { + // Get *real* offsetParent + var offsetParent = this.offsetParent(), + + // Get correct offsets + offset = this.offset(), + parentOffset = /^body|html$/i.test(offsetParent[0].tagName) ? { top: 0, left: 0 } : offsetParent.offset(); + + // Subtract element margins + // note: when an element has margin: auto the offsetLeft and marginLeft + // are the same in Safari causing offset.left to incorrectly be 0 + offset.top -= num( this, 'marginTop' ); + offset.left -= num( this, 'marginLeft' ); + + // Add offsetParent borders + parentOffset.top += num( offsetParent, 'borderTopWidth' ); + parentOffset.left += num( offsetParent, 'borderLeftWidth' ); + + // Subtract the two offsets + results = { + top: offset.top - parentOffset.top, + left: offset.left - parentOffset.left + }; + } + + return results; + }, + + offsetParent: function() { + var offsetParent = this[0].offsetParent || document.body; + while ( offsetParent && (!/^body|html$/i.test(offsetParent.tagName) && jQuery.css(offsetParent, 'position') == 'static') ) + offsetParent = offsetParent.offsetParent; + return jQuery(offsetParent); + } +}); + + +// Create scrollLeft and scrollTop methods +jQuery.each( ['Left', 'Top'], function(i, name) { + var method = 'scroll' + name; + + jQuery.fn[ method ] = function(val) { + if (!this[0]) return null; + + return val !== undefined ? + + // Set the scroll offset + this.each(function() { + this == window || this == document ? + window.scrollTo( + !i ? val : jQuery(window).scrollLeft(), + i ? val : jQuery(window).scrollTop() + ) : + this[ method ] = val; + }) : + + // Return the scroll offset + this[0] == window || this[0] == document ? + self[ i ? 'pageYOffset' : 'pageXOffset' ] || + jQuery.boxModel && document.documentElement[ method ] || + document.body[ method ] : + this[0][ method ]; + }; +}); +// Create innerHeight, innerWidth, outerHeight and outerWidth methods +jQuery.each([ "Height", "Width" ], function(i, name){ + + var tl = i ? "Left" : "Top", // top or left + br = i ? "Right" : "Bottom", // bottom or right + lower = name.toLowerCase(); + + // innerHeight and innerWidth + jQuery.fn["inner" + name] = function(){ + return this[0] ? + jQuery.css( this[0], lower, false, "padding" ) : + null; + }; + + // outerHeight and outerWidth + jQuery.fn["outer" + name] = function(margin) { + return this[0] ? + jQuery.css( this[0], lower, false, margin ? "margin" : "border" ) : + null; + }; + + var type = name.toLowerCase(); + + jQuery.fn[ type ] = function( size ) { + // Get window width or height + return this[0] == window ? + // Everyone else use document.documentElement or document.body depending on Quirks vs Standards mode + document.compatMode == "CSS1Compat" && document.documentElement[ "client" + name ] || + document.body[ "client" + name ] : + + // Get document width or height + this[0] == document ? + // Either scroll[Width/Height] or offset[Width/Height], whichever is greater + Math.max( + document.documentElement["client" + name], + document.body["scroll" + name], document.documentElement["scroll" + name], + document.body["offset" + name], document.documentElement["offset" + name] + ) : + + // Get or set width or height on the element + size === undefined ? + // Get width or height on the element + (this.length ? jQuery.css( this[0], type ) : null) : + + // Set the width or height on the element (default to pixels if value is unitless) + this.css( type, typeof size === "string" ? size : size + "px" ); + }; + +}); +})(); diff --git a/config/snort-dev/javascript/jquery.blockUI.js b/config/snort/javascript/jquery.blockUI.js index 99e7211d..57318334 100644 --- a/config/snort-dev/javascript/jquery.blockUI.js +++ b/config/snort/javascript/jquery.blockUI.js @@ -1,463 +1,463 @@ -/*!
- * jQuery blockUI plugin
- * Version 2.26 (09-SEP-2009)
- * @requires jQuery v1.2.3 or later
- *
- * Examples at: http://malsup.com/jquery/block/
- * Copyright (c) 2007-2008 M. Alsup
- * Dual licensed under the MIT and GPL licenses:
- * http://www.opensource.org/licenses/mit-license.php
- * http://www.gnu.org/licenses/gpl.html
- *
- * Thanks to Amir-Hossein Sobhi for some excellent contributions!
- */
-
-;(function($) {
-
-if (/1\.(0|1|2)\.(0|1|2)/.test($.fn.jquery) || /^1.1/.test($.fn.jquery)) {
- alert('blockUI requires jQuery v1.2.3 or later! You are using v' + $.fn.jquery);
- return;
-}
-
-$.fn._fadeIn = $.fn.fadeIn;
-
-// this bit is to ensure we don't call setExpression when we shouldn't (with extra muscle to handle
-// retarded userAgent strings on Vista)
-var mode = document.documentMode || 0;
-var setExpr = $.browser.msie && (($.browser.version < 8 && !mode) || mode < 8);
-var ie6 = $.browser.msie && /MSIE 6.0/.test(navigator.userAgent) && !mode;
-
-// global $ methods for blocking/unblocking the entire page
-$.blockUI = function(opts) { install(window, opts); };
-$.unblockUI = function(opts) { remove(window, opts); };
-
-// convenience method for quick growl-like notifications (http://www.google.com/search?q=growl)
-$.growlUI = function(title, message, timeout, onClose) {
- var $m = $('<div class="growlUI"></div>');
- if (title) $m.append('<h1>'+title+'</h1>');
- if (message) $m.append('<h2>'+message+'</h2>');
- if (timeout == undefined) timeout = 3000;
- $.blockUI({
- message: $m, fadeIn: 700, fadeOut: 1000, centerY: false,
- timeout: timeout, showOverlay: false,
- onUnblock: onClose,
- css: $.blockUI.defaults.growlCSS
- });
-};
-
-// plugin method for blocking element content
-$.fn.block = function(opts) {
- return this.unblock({ fadeOut: 0 }).each(function() {
- if ($.css(this,'position') == 'static')
- this.style.position = 'relative';
- if ($.browser.msie)
- this.style.zoom = 1; // force 'hasLayout'
- install(this, opts);
- });
-};
-
-// plugin method for unblocking element content
-$.fn.unblock = function(opts) {
- return this.each(function() {
- remove(this, opts);
- });
-};
-
-$.blockUI.version = 2.26; // 2nd generation blocking at no extra cost!
-
-// override these in your code to change the default behavior and style
-$.blockUI.defaults = {
- // message displayed when blocking (use null for no message)
- message: '<h1>Please wait...</h1>',
-
- title: null, // title string; only used when theme == true
- draggable: true, // only used when theme == true (requires jquery-ui.js to be loaded)
-
- theme: false, // set to true to use with jQuery UI themes
-
- // styles for the message when blocking; if you wish to disable
- // these and use an external stylesheet then do this in your code:
- // $.blockUI.defaults.css = {};
- css: {
- padding: 0,
- margin: 0,
- width: '30%',
- top: '40%',
- left: '35%',
- textAlign: 'center',
- color: '#000',
- border: '3px solid #aaa',
- backgroundColor:'#fff',
- cursor: 'wait'
- },
-
- // minimal style set used when themes are used
- themedCSS: {
- width: '30%',
- top: '40%',
- left: '35%'
- },
-
- // styles for the overlay
- overlayCSS: {
- backgroundColor: '#000',
- opacity: 0.6,
- cursor: 'wait'
- },
-
- // styles applied when using $.growlUI
- growlCSS: {
- width: '350px',
- top: '10px',
- left: '',
- right: '10px',
- border: 'none',
- padding: '5px',
- opacity: 0.6,
- cursor: 'default',
- color: '#fff',
- backgroundColor: '#000',
- '-webkit-border-radius': '10px',
- '-moz-border-radius': '10px'
- },
-
- // IE issues: 'about:blank' fails on HTTPS and javascript:false is s-l-o-w
- // (hat tip to Jorge H. N. de Vasconcelos)
- iframeSrc: /^https/i.test(window.location.href || '') ? 'javascript:false' : 'about:blank',
-
- // force usage of iframe in non-IE browsers (handy for blocking applets)
- forceIframe: false,
-
- // z-index for the blocking overlay
- baseZ: 1000,
-
- // set these to true to have the message automatically centered
- centerX: true, // <-- only effects element blocking (page block controlled via css above)
- centerY: true,
-
- // allow body element to be stetched in ie6; this makes blocking look better
- // on "short" pages. disable if you wish to prevent changes to the body height
- allowBodyStretch: true,
-
- // enable if you want key and mouse events to be disabled for content that is blocked
- bindEvents: true,
-
- // be default blockUI will supress tab navigation from leaving blocking content
- // (if bindEvents is true)
- constrainTabKey: true,
-
- // fadeIn time in millis; set to 0 to disable fadeIn on block
- fadeIn: 200,
-
- // fadeOut time in millis; set to 0 to disable fadeOut on unblock
- fadeOut: 400,
-
- // time in millis to wait before auto-unblocking; set to 0 to disable auto-unblock
- timeout: 0,
-
- // disable if you don't want to show the overlay
- showOverlay: true,
-
- // if true, focus will be placed in the first available input field when
- // page blocking
- focusInput: true,
-
- // suppresses the use of overlay styles on FF/Linux (due to performance issues with opacity)
- applyPlatformOpacityRules: true,
-
- // callback method invoked when unblocking has completed; the callback is
- // passed the element that has been unblocked (which is the window object for page
- // blocks) and the options that were passed to the unblock call:
- // onUnblock(element, options)
- onUnblock: null,
-
- // don't ask; if you really must know: http://groups.google.com/group/jquery-en/browse_thread/thread/36640a8730503595/2f6a79a77a78e493#2f6a79a77a78e493
- quirksmodeOffsetHack: 4
-};
-
-// private data and functions follow...
-
-var pageBlock = null;
-var pageBlockEls = [];
-
-function install(el, opts) {
- var full = (el == window);
- var msg = opts && opts.message !== undefined ? opts.message : undefined;
- opts = $.extend({}, $.blockUI.defaults, opts || {});
- opts.overlayCSS = $.extend({}, $.blockUI.defaults.overlayCSS, opts.overlayCSS || {});
- var css = $.extend({}, $.blockUI.defaults.css, opts.css || {});
- var themedCSS = $.extend({}, $.blockUI.defaults.themedCSS, opts.themedCSS || {});
- msg = msg === undefined ? opts.message : msg;
-
- // remove the current block (if there is one)
- if (full && pageBlock)
- remove(window, {fadeOut:0});
-
- // if an existing element is being used as the blocking content then we capture
- // its current place in the DOM (and current display style) so we can restore
- // it when we unblock
- if (msg && typeof msg != 'string' && (msg.parentNode || msg.jquery)) {
- var node = msg.jquery ? msg[0] : msg;
- var data = {};
- $(el).data('blockUI.history', data);
- data.el = node;
- data.parent = node.parentNode;
- data.display = node.style.display;
- data.position = node.style.position;
- if (data.parent)
- data.parent.removeChild(node);
- }
-
- var z = opts.baseZ;
-
- // blockUI uses 3 layers for blocking, for simplicity they are all used on every platform;
- // layer1 is the iframe layer which is used to supress bleed through of underlying content
- // layer2 is the overlay layer which has opacity and a wait cursor (by default)
- // layer3 is the message content that is displayed while blocking
-
- var lyr1 = ($.browser.msie || opts.forceIframe)
- ? $('<iframe class="blockUI" style="z-index:'+ (z++) +';display:none;border:none;margin:0;padding:0;position:absolute;width:100%;height:100%;top:0;left:0" src="'+opts.iframeSrc+'"></iframe>')
- : $('<div class="blockUI" style="display:none"></div>');
- var lyr2 = $('<div class="blockUI blockOverlay" style="z-index:'+ (z++) +';display:none;border:none;margin:0;padding:0;width:100%;height:100%;top:0;left:0"></div>');
-
- var lyr3;
- if (opts.theme && full) {
- var s = '<div class="blockUI blockMsg blockPage ui-dialog ui-widget ui-corner-all" style="z-index:'+z+';display:none;position:fixed">' +
- '<div class="ui-widget-header ui-dialog-titlebar blockTitle">'+(opts.title || ' ')+'</div>' +
- '<div class="ui-widget-content ui-dialog-content"></div>' +
- '</div>';
- lyr3 = $(s);
- }
- else {
- lyr3 = full ? $('<div class="blockUI blockMsg blockPage" style="z-index:'+z+';display:none;position:fixed"></div>')
- : $('<div class="blockUI blockMsg blockElement" style="z-index:'+z+';display:none;position:absolute"></div>');
- }
-
- // if we have a message, style it
- if (msg) {
- if (opts.theme) {
- lyr3.css(themedCSS);
- lyr3.addClass('ui-widget-content');
- }
- else
- lyr3.css(css);
- }
-
- // style the overlay
- if (!opts.applyPlatformOpacityRules || !($.browser.mozilla && /Linux/.test(navigator.platform)))
- lyr2.css(opts.overlayCSS);
- lyr2.css('position', full ? 'fixed' : 'absolute');
-
- // make iframe layer transparent in IE
- if ($.browser.msie || opts.forceIframe)
- lyr1.css('opacity',0.0);
-
- $([lyr1[0],lyr2[0],lyr3[0]]).appendTo(full ? 'body' : el);
-
- if (opts.theme && opts.draggable && $.fn.draggable) {
- lyr3.draggable({
- handle: '.ui-dialog-titlebar',
- cancel: 'li'
- });
- }
-
- // ie7 must use absolute positioning in quirks mode and to account for activex issues (when scrolling)
- var expr = setExpr && (!$.boxModel || $('object,embed', full ? null : el).length > 0);
- if (ie6 || expr) {
- // give body 100% height
- if (full && opts.allowBodyStretch && $.boxModel)
- $('html,body').css('height','100%');
-
- // fix ie6 issue when blocked element has a border width
- if ((ie6 || !$.boxModel) && !full) {
- var t = sz(el,'borderTopWidth'), l = sz(el,'borderLeftWidth');
- var fixT = t ? '(0 - '+t+')' : 0;
- var fixL = l ? '(0 - '+l+')' : 0;
- }
-
- // simulate fixed position
- $.each([lyr1,lyr2,lyr3], function(i,o) {
- var s = o[0].style;
- s.position = 'absolute';
- if (i < 2) {
- full ? s.setExpression('height','Math.max(document.body.scrollHeight, document.body.offsetHeight) - (jQuery.boxModel?0:'+opts.quirksmodeOffsetHack+') + "px"')
- : s.setExpression('height','this.parentNode.offsetHeight + "px"');
- full ? s.setExpression('width','jQuery.boxModel && document.documentElement.clientWidth || document.body.clientWidth + "px"')
- : s.setExpression('width','this.parentNode.offsetWidth + "px"');
- if (fixL) s.setExpression('left', fixL);
- if (fixT) s.setExpression('top', fixT);
- }
- else if (opts.centerY) {
- if (full) s.setExpression('top','(document.documentElement.clientHeight || document.body.clientHeight) / 2 - (this.offsetHeight / 2) + (blah = document.documentElement.scrollTop ? document.documentElement.scrollTop : document.body.scrollTop) + "px"');
- s.marginTop = 0;
- }
- else if (!opts.centerY && full) {
- var top = (opts.css && opts.css.top) ? parseInt(opts.css.top) : 0;
- var expression = '((document.documentElement.scrollTop ? document.documentElement.scrollTop : document.body.scrollTop) + '+top+') + "px"';
- s.setExpression('top',expression);
- }
- });
- }
-
- // show the message
- if (msg) {
- if (opts.theme)
- lyr3.find('.ui-widget-content').append(msg);
- else
- lyr3.append(msg);
- if (msg.jquery || msg.nodeType)
- $(msg).show();
- }
-
- if (($.browser.msie || opts.forceIframe) && opts.showOverlay)
- lyr1.show(); // opacity is zero
- if (opts.fadeIn) {
- if (opts.showOverlay)
- lyr2._fadeIn(opts.fadeIn);
- if (msg)
- lyr3.fadeIn(opts.fadeIn);
- }
- else {
- if (opts.showOverlay)
- lyr2.show();
- if (msg)
- lyr3.show();
- }
-
- // bind key and mouse events
- bind(1, el, opts);
-
- if (full) {
- pageBlock = lyr3[0];
- pageBlockEls = $(':input:enabled:visible',pageBlock);
- if (opts.focusInput)
- setTimeout(focus, 20);
- }
- else
- center(lyr3[0], opts.centerX, opts.centerY);
-
- if (opts.timeout) {
- // auto-unblock
- var to = setTimeout(function() {
- full ? $.unblockUI(opts) : $(el).unblock(opts);
- }, opts.timeout);
- $(el).data('blockUI.timeout', to);
- }
-};
-
-// remove the block
-function remove(el, opts) {
- var full = (el == window);
- var $el = $(el);
- var data = $el.data('blockUI.history');
- var to = $el.data('blockUI.timeout');
- if (to) {
- clearTimeout(to);
- $el.removeData('blockUI.timeout');
- }
- opts = $.extend({}, $.blockUI.defaults, opts || {});
- bind(0, el, opts); // unbind events
-
- var els;
- if (full) // crazy selector to handle odd field errors in ie6/7
- els = $('body').children().filter('.blockUI').add('body > .blockUI');
- else
- els = $('.blockUI', el);
-
- if (full)
- pageBlock = pageBlockEls = null;
-
- if (opts.fadeOut) {
- els.fadeOut(opts.fadeOut);
- setTimeout(function() { reset(els,data,opts,el); }, opts.fadeOut);
- }
- else
- reset(els, data, opts, el);
-};
-
-// move blocking element back into the DOM where it started
-function reset(els,data,opts,el) {
- els.each(function(i,o) {
- // remove via DOM calls so we don't lose event handlers
- if (this.parentNode)
- this.parentNode.removeChild(this);
- });
-
- if (data && data.el) {
- data.el.style.display = data.display;
- data.el.style.position = data.position;
- if (data.parent)
- data.parent.appendChild(data.el);
- $(data.el).removeData('blockUI.history');
- }
-
- if (typeof opts.onUnblock == 'function')
- opts.onUnblock(el,opts);
-};
-
-// bind/unbind the handler
-function bind(b, el, opts) {
- var full = el == window, $el = $(el);
-
- // don't bother unbinding if there is nothing to unbind
- if (!b && (full && !pageBlock || !full && !$el.data('blockUI.isBlocked')))
- return;
- if (!full)
- $el.data('blockUI.isBlocked', b);
-
- // don't bind events when overlay is not in use or if bindEvents is false
- if (!opts.bindEvents || (b && !opts.showOverlay))
- return;
-
- // bind anchors and inputs for mouse and key events
- var events = 'mousedown mouseup keydown keypress';
- b ? $(document).bind(events, opts, handler) : $(document).unbind(events, handler);
-
-// former impl...
-// var $e = $('a,:input');
-// b ? $e.bind(events, opts, handler) : $e.unbind(events, handler);
-};
-
-// event handler to suppress keyboard/mouse events when blocking
-function handler(e) {
- // allow tab navigation (conditionally)
- if (e.keyCode && e.keyCode == 9) {
- if (pageBlock && e.data.constrainTabKey) {
- var els = pageBlockEls;
- var fwd = !e.shiftKey && e.target == els[els.length-1];
- var back = e.shiftKey && e.target == els[0];
- if (fwd || back) {
- setTimeout(function(){focus(back)},10);
- return false;
- }
- }
- }
- // allow events within the message content
- if ($(e.target).parents('div.blockMsg').length > 0)
- return true;
-
- // allow events for content that is not being blocked
- return $(e.target).parents().children().filter('div.blockUI').length == 0;
-};
-
-function focus(back) {
- if (!pageBlockEls)
- return;
- var e = pageBlockEls[back===true ? pageBlockEls.length-1 : 0];
- if (e)
- e.focus();
-};
-
-function center(el, x, y) {
- var p = el.parentNode, s = el.style;
- var l = ((p.offsetWidth - el.offsetWidth)/2) - sz(p,'borderLeftWidth');
- var t = ((p.offsetHeight - el.offsetHeight)/2) - sz(p,'borderTopWidth');
- if (x) s.left = l > 0 ? (l+'px') : '0';
- if (y) s.top = t > 0 ? (t+'px') : '0';
-};
-
-function sz(el, p) {
- return parseInt($.css(el,p))||0;
-};
-
-})(jQuery);
+/*! + * jQuery blockUI plugin + * Version 2.26 (09-SEP-2009) + * @requires jQuery v1.2.3 or later + * + * Examples at: http://malsup.com/jquery/block/ + * Copyright (c) 2007-2008 M. Alsup + * Dual licensed under the MIT and GPL licenses: + * http://www.opensource.org/licenses/mit-license.php + * http://www.gnu.org/licenses/gpl.html + * + * Thanks to Amir-Hossein Sobhi for some excellent contributions! + */ + +;(function($) { + +if (/1\.(0|1|2)\.(0|1|2)/.test($.fn.jquery) || /^1.1/.test($.fn.jquery)) { + alert('blockUI requires jQuery v1.2.3 or later! You are using v' + $.fn.jquery); + return; +} + +$.fn._fadeIn = $.fn.fadeIn; + +// this bit is to ensure we don't call setExpression when we shouldn't (with extra muscle to handle +// retarded userAgent strings on Vista) +var mode = document.documentMode || 0; +var setExpr = $.browser.msie && (($.browser.version < 8 && !mode) || mode < 8); +var ie6 = $.browser.msie && /MSIE 6.0/.test(navigator.userAgent) && !mode; + +// global $ methods for blocking/unblocking the entire page +$.blockUI = function(opts) { install(window, opts); }; +$.unblockUI = function(opts) { remove(window, opts); }; + +// convenience method for quick growl-like notifications (http://www.google.com/search?q=growl) +$.growlUI = function(title, message, timeout, onClose) { + var $m = $('<div class="growlUI"></div>'); + if (title) $m.append('<h1>'+title+'</h1>'); + if (message) $m.append('<h2>'+message+'</h2>'); + if (timeout == undefined) timeout = 3000; + $.blockUI({ + message: $m, fadeIn: 700, fadeOut: 1000, centerY: false, + timeout: timeout, showOverlay: false, + onUnblock: onClose, + css: $.blockUI.defaults.growlCSS + }); +}; + +// plugin method for blocking element content +$.fn.block = function(opts) { + return this.unblock({ fadeOut: 0 }).each(function() { + if ($.css(this,'position') == 'static') + this.style.position = 'relative'; + if ($.browser.msie) + this.style.zoom = 1; // force 'hasLayout' + install(this, opts); + }); +}; + +// plugin method for unblocking element content +$.fn.unblock = function(opts) { + return this.each(function() { + remove(this, opts); + }); +}; + +$.blockUI.version = 2.26; // 2nd generation blocking at no extra cost! + +// override these in your code to change the default behavior and style +$.blockUI.defaults = { + // message displayed when blocking (use null for no message) + message: '<h1>Please wait...</h1>', + + title: null, // title string; only used when theme == true + draggable: true, // only used when theme == true (requires jquery-ui.js to be loaded) + + theme: false, // set to true to use with jQuery UI themes + + // styles for the message when blocking; if you wish to disable + // these and use an external stylesheet then do this in your code: + // $.blockUI.defaults.css = {}; + css: { + padding: 0, + margin: 0, + width: '30%', + top: '40%', + left: '35%', + textAlign: 'center', + color: '#000', + border: '3px solid #aaa', + backgroundColor:'#fff', + cursor: 'wait' + }, + + // minimal style set used when themes are used + themedCSS: { + width: '30%', + top: '40%', + left: '35%' + }, + + // styles for the overlay + overlayCSS: { + backgroundColor: '#000', + opacity: 0.6, + cursor: 'wait' + }, + + // styles applied when using $.growlUI + growlCSS: { + width: '350px', + top: '10px', + left: '', + right: '10px', + border: 'none', + padding: '5px', + opacity: 0.6, + cursor: 'default', + color: '#fff', + backgroundColor: '#000', + '-webkit-border-radius': '10px', + '-moz-border-radius': '10px' + }, + + // IE issues: 'about:blank' fails on HTTPS and javascript:false is s-l-o-w + // (hat tip to Jorge H. N. de Vasconcelos) + iframeSrc: /^https/i.test(window.location.href || '') ? 'javascript:false' : 'about:blank', + + // force usage of iframe in non-IE browsers (handy for blocking applets) + forceIframe: false, + + // z-index for the blocking overlay + baseZ: 1000, + + // set these to true to have the message automatically centered + centerX: true, // <-- only effects element blocking (page block controlled via css above) + centerY: true, + + // allow body element to be stetched in ie6; this makes blocking look better + // on "short" pages. disable if you wish to prevent changes to the body height + allowBodyStretch: true, + + // enable if you want key and mouse events to be disabled for content that is blocked + bindEvents: true, + + // be default blockUI will supress tab navigation from leaving blocking content + // (if bindEvents is true) + constrainTabKey: true, + + // fadeIn time in millis; set to 0 to disable fadeIn on block + fadeIn: 200, + + // fadeOut time in millis; set to 0 to disable fadeOut on unblock + fadeOut: 400, + + // time in millis to wait before auto-unblocking; set to 0 to disable auto-unblock + timeout: 0, + + // disable if you don't want to show the overlay + showOverlay: true, + + // if true, focus will be placed in the first available input field when + // page blocking + focusInput: true, + + // suppresses the use of overlay styles on FF/Linux (due to performance issues with opacity) + applyPlatformOpacityRules: true, + + // callback method invoked when unblocking has completed; the callback is + // passed the element that has been unblocked (which is the window object for page + // blocks) and the options that were passed to the unblock call: + // onUnblock(element, options) + onUnblock: null, + + // don't ask; if you really must know: http://groups.google.com/group/jquery-en/browse_thread/thread/36640a8730503595/2f6a79a77a78e493#2f6a79a77a78e493 + quirksmodeOffsetHack: 4 +}; + +// private data and functions follow... + +var pageBlock = null; +var pageBlockEls = []; + +function install(el, opts) { + var full = (el == window); + var msg = opts && opts.message !== undefined ? opts.message : undefined; + opts = $.extend({}, $.blockUI.defaults, opts || {}); + opts.overlayCSS = $.extend({}, $.blockUI.defaults.overlayCSS, opts.overlayCSS || {}); + var css = $.extend({}, $.blockUI.defaults.css, opts.css || {}); + var themedCSS = $.extend({}, $.blockUI.defaults.themedCSS, opts.themedCSS || {}); + msg = msg === undefined ? opts.message : msg; + + // remove the current block (if there is one) + if (full && pageBlock) + remove(window, {fadeOut:0}); + + // if an existing element is being used as the blocking content then we capture + // its current place in the DOM (and current display style) so we can restore + // it when we unblock + if (msg && typeof msg != 'string' && (msg.parentNode || msg.jquery)) { + var node = msg.jquery ? msg[0] : msg; + var data = {}; + $(el).data('blockUI.history', data); + data.el = node; + data.parent = node.parentNode; + data.display = node.style.display; + data.position = node.style.position; + if (data.parent) + data.parent.removeChild(node); + } + + var z = opts.baseZ; + + // blockUI uses 3 layers for blocking, for simplicity they are all used on every platform; + // layer1 is the iframe layer which is used to supress bleed through of underlying content + // layer2 is the overlay layer which has opacity and a wait cursor (by default) + // layer3 is the message content that is displayed while blocking + + var lyr1 = ($.browser.msie || opts.forceIframe) + ? $('<iframe class="blockUI" style="z-index:'+ (z++) +';display:none;border:none;margin:0;padding:0;position:absolute;width:100%;height:100%;top:0;left:0" src="'+opts.iframeSrc+'"></iframe>') + : $('<div class="blockUI" style="display:none"></div>'); + var lyr2 = $('<div class="blockUI blockOverlay" style="z-index:'+ (z++) +';display:none;border:none;margin:0;padding:0;width:100%;height:100%;top:0;left:0"></div>'); + + var lyr3; + if (opts.theme && full) { + var s = '<div class="blockUI blockMsg blockPage ui-dialog ui-widget ui-corner-all" style="z-index:'+z+';display:none;position:fixed">' + + '<div class="ui-widget-header ui-dialog-titlebar blockTitle">'+(opts.title || ' ')+'</div>' + + '<div class="ui-widget-content ui-dialog-content"></div>' + + '</div>'; + lyr3 = $(s); + } + else { + lyr3 = full ? $('<div class="blockUI blockMsg blockPage" style="z-index:'+z+';display:none;position:fixed"></div>') + : $('<div class="blockUI blockMsg blockElement" style="z-index:'+z+';display:none;position:absolute"></div>'); + } + + // if we have a message, style it + if (msg) { + if (opts.theme) { + lyr3.css(themedCSS); + lyr3.addClass('ui-widget-content'); + } + else + lyr3.css(css); + } + + // style the overlay + if (!opts.applyPlatformOpacityRules || !($.browser.mozilla && /Linux/.test(navigator.platform))) + lyr2.css(opts.overlayCSS); + lyr2.css('position', full ? 'fixed' : 'absolute'); + + // make iframe layer transparent in IE + if ($.browser.msie || opts.forceIframe) + lyr1.css('opacity',0.0); + + $([lyr1[0],lyr2[0],lyr3[0]]).appendTo(full ? 'body' : el); + + if (opts.theme && opts.draggable && $.fn.draggable) { + lyr3.draggable({ + handle: '.ui-dialog-titlebar', + cancel: 'li' + }); + } + + // ie7 must use absolute positioning in quirks mode and to account for activex issues (when scrolling) + var expr = setExpr && (!$.boxModel || $('object,embed', full ? null : el).length > 0); + if (ie6 || expr) { + // give body 100% height + if (full && opts.allowBodyStretch && $.boxModel) + $('html,body').css('height','100%'); + + // fix ie6 issue when blocked element has a border width + if ((ie6 || !$.boxModel) && !full) { + var t = sz(el,'borderTopWidth'), l = sz(el,'borderLeftWidth'); + var fixT = t ? '(0 - '+t+')' : 0; + var fixL = l ? '(0 - '+l+')' : 0; + } + + // simulate fixed position + $.each([lyr1,lyr2,lyr3], function(i,o) { + var s = o[0].style; + s.position = 'absolute'; + if (i < 2) { + full ? s.setExpression('height','Math.max(document.body.scrollHeight, document.body.offsetHeight) - (jQuery.boxModel?0:'+opts.quirksmodeOffsetHack+') + "px"') + : s.setExpression('height','this.parentNode.offsetHeight + "px"'); + full ? s.setExpression('width','jQuery.boxModel && document.documentElement.clientWidth || document.body.clientWidth + "px"') + : s.setExpression('width','this.parentNode.offsetWidth + "px"'); + if (fixL) s.setExpression('left', fixL); + if (fixT) s.setExpression('top', fixT); + } + else if (opts.centerY) { + if (full) s.setExpression('top','(document.documentElement.clientHeight || document.body.clientHeight) / 2 - (this.offsetHeight / 2) + (blah = document.documentElement.scrollTop ? document.documentElement.scrollTop : document.body.scrollTop) + "px"'); + s.marginTop = 0; + } + else if (!opts.centerY && full) { + var top = (opts.css && opts.css.top) ? parseInt(opts.css.top) : 0; + var expression = '((document.documentElement.scrollTop ? document.documentElement.scrollTop : document.body.scrollTop) + '+top+') + "px"'; + s.setExpression('top',expression); + } + }); + } + + // show the message + if (msg) { + if (opts.theme) + lyr3.find('.ui-widget-content').append(msg); + else + lyr3.append(msg); + if (msg.jquery || msg.nodeType) + $(msg).show(); + } + + if (($.browser.msie || opts.forceIframe) && opts.showOverlay) + lyr1.show(); // opacity is zero + if (opts.fadeIn) { + if (opts.showOverlay) + lyr2._fadeIn(opts.fadeIn); + if (msg) + lyr3.fadeIn(opts.fadeIn); + } + else { + if (opts.showOverlay) + lyr2.show(); + if (msg) + lyr3.show(); + } + + // bind key and mouse events + bind(1, el, opts); + + if (full) { + pageBlock = lyr3[0]; + pageBlockEls = $(':input:enabled:visible',pageBlock); + if (opts.focusInput) + setTimeout(focus, 20); + } + else + center(lyr3[0], opts.centerX, opts.centerY); + + if (opts.timeout) { + // auto-unblock + var to = setTimeout(function() { + full ? $.unblockUI(opts) : $(el).unblock(opts); + }, opts.timeout); + $(el).data('blockUI.timeout', to); + } +}; + +// remove the block +function remove(el, opts) { + var full = (el == window); + var $el = $(el); + var data = $el.data('blockUI.history'); + var to = $el.data('blockUI.timeout'); + if (to) { + clearTimeout(to); + $el.removeData('blockUI.timeout'); + } + opts = $.extend({}, $.blockUI.defaults, opts || {}); + bind(0, el, opts); // unbind events + + var els; + if (full) // crazy selector to handle odd field errors in ie6/7 + els = $('body').children().filter('.blockUI').add('body > .blockUI'); + else + els = $('.blockUI', el); + + if (full) + pageBlock = pageBlockEls = null; + + if (opts.fadeOut) { + els.fadeOut(opts.fadeOut); + setTimeout(function() { reset(els,data,opts,el); }, opts.fadeOut); + } + else + reset(els, data, opts, el); +}; + +// move blocking element back into the DOM where it started +function reset(els,data,opts,el) { + els.each(function(i,o) { + // remove via DOM calls so we don't lose event handlers + if (this.parentNode) + this.parentNode.removeChild(this); + }); + + if (data && data.el) { + data.el.style.display = data.display; + data.el.style.position = data.position; + if (data.parent) + data.parent.appendChild(data.el); + $(data.el).removeData('blockUI.history'); + } + + if (typeof opts.onUnblock == 'function') + opts.onUnblock(el,opts); +}; + +// bind/unbind the handler +function bind(b, el, opts) { + var full = el == window, $el = $(el); + + // don't bother unbinding if there is nothing to unbind + if (!b && (full && !pageBlock || !full && !$el.data('blockUI.isBlocked'))) + return; + if (!full) + $el.data('blockUI.isBlocked', b); + + // don't bind events when overlay is not in use or if bindEvents is false + if (!opts.bindEvents || (b && !opts.showOverlay)) + return; + + // bind anchors and inputs for mouse and key events + var events = 'mousedown mouseup keydown keypress'; + b ? $(document).bind(events, opts, handler) : $(document).unbind(events, handler); + +// former impl... +// var $e = $('a,:input'); +// b ? $e.bind(events, opts, handler) : $e.unbind(events, handler); +}; + +// event handler to suppress keyboard/mouse events when blocking +function handler(e) { + // allow tab navigation (conditionally) + if (e.keyCode && e.keyCode == 9) { + if (pageBlock && e.data.constrainTabKey) { + var els = pageBlockEls; + var fwd = !e.shiftKey && e.target == els[els.length-1]; + var back = e.shiftKey && e.target == els[0]; + if (fwd || back) { + setTimeout(function(){focus(back)},10); + return false; + } + } + } + // allow events within the message content + if ($(e.target).parents('div.blockMsg').length > 0) + return true; + + // allow events for content that is not being blocked + return $(e.target).parents().children().filter('div.blockUI').length == 0; +}; + +function focus(back) { + if (!pageBlockEls) + return; + var e = pageBlockEls[back===true ? pageBlockEls.length-1 : 0]; + if (e) + e.focus(); +}; + +function center(el, x, y) { + var p = el.parentNode, s = el.style; + var l = ((p.offsetWidth - el.offsetWidth)/2) - sz(p,'borderLeftWidth'); + var t = ((p.offsetHeight - el.offsetHeight)/2) - sz(p,'borderTopWidth'); + if (x) s.left = l > 0 ? (l+'px') : '0'; + if (y) s.top = t > 0 ? (t+'px') : '0'; +}; + +function sz(el, p) { + return parseInt($.css(el,p))||0; +}; + +})(jQuery); diff --git a/config/snort-dev/javascript/mootools.js b/config/snort/javascript/mootools.js index e058db83..e058db83 100644 --- a/config/snort-dev/javascript/mootools.js +++ b/config/snort/javascript/mootools.js diff --git a/config/snort-dev/javascript/sortableTable.js b/config/snort/javascript/sortableTable.js index 02c83ab5..096f8d4c 100644 --- a/config/snort-dev/javascript/sortableTable.js +++ b/config/snort/javascript/sortableTable.js @@ -1,288 +1,288 @@ -
-
-/**************************************************************
-
- Script : Sortable Table
- Version : 1.4
- Authors : Samuel Birch
- Desc : Sorts and filters table elements
- Licence : Open Source MIT Licence
-
-**************************************************************/
-
-var sortableTable = new Class({
-
- getOptions: function(){
- return {
- overCls: false,
- onClick: false,
- sortOn: 0,
- sortBy: 'ASC',
- filterHide: true,
- filterHideCls: 'hide',
- filterSelectedCls: 'selected'
- };
- },
-
- initialize: function(table, options){
- this.setOptions(this.getOptions(), options);
- this.table = $(table);
- this.tHead = this.table.getElement('thead');
- this.tBody = this.table.getElement('tbody');
- this.tFoot = this.table.getElement('tfoot');
- this.elements = this.tBody.getElements('tr');
- this.filtered = false;
-
- /*for(i=0;i<10;i++){
- this.elements.clone().injectInside(this.tBody);
- }
- this.elements = this.tBody.getElements('tr');*/
-
- this.elements.each(function(el,i){
- if(this.options.overCls){
- el.addEvent('mouseover', function(){
- el.addClass(options.overCls);
- }, this);
- el.addEvent('mouseout', function(){
- el.removeClass(options.overCls);
- });
- }
- if(this.options.onClick){
- el.addEvent('click', options.onClick);
- }
- }, this);
-
- //setup header
- this.tHead.getElements('th').each(function(el,i){
- if(el.axis){
- el.addEvent('click', this.sort.bind(this,i));
- el.addEvent('mouseover', function(){
- el.addClass('tableHeaderOver');
- });
- el.addEvent('mouseout', function(){
- el.removeClass('tableHeaderOver');
- });
- el.getdate = function(str){
- // inner util function to convert 2-digit years to 4
- function fixYear(yr) {
- yr = +yr;
- if (yr<50) { yr += 2000; }
- else if (yr<100) { yr += 1900; }
- return yr;
- };
- var ret;
- //
- if (str.length>12){
- strtime = str.substring(str.lastIndexOf(' ')+1);
- strtime = strtime.substring(0,2)+strtime.substr(-2)
- }else{
- strtime = '0000';
- }
- //
- // YYYY-MM-DD
- if (ret=str.match(/(\d{2,4})-(\d{1,2})-(\d{1,2})/)) {
- return (fixYear(ret[1])*10000) + (ret[2]*100) + (+ret[3]) + strtime;
- }
- // DD/MM/YY[YY] or DD-MM-YY[YY]
- if (ret=str.match(/(\d{1,2})[\/-](\d{1,2})[\/-](\d{2,4})/)) {
- return (fixYear(ret[3])*10000) + (ret[2]*100) + (+ret[1]) + strtime;
- }
- return 999999990000; // So non-parsed dates will be last, not first
- };
- //
- el.findData = function(elem){
- var child = elem.getFirst();
- if(child){
- return el.findData(child);
- }else{
- return elem.innerHTML.trim();
- }
- };
- //
- el.compare = function(a,b){
- var1 = el.findData(a.getChildren()[i]);
- var2 = el.findData(b.getChildren()[i]);
- //var1 = a.getChildren()[i].firstChild.data;
- //var2 = b.getChildren()[i].firstChild.data;
-
- if(el.axis == 'number'){
- var1 = parseFloat(var1);
- var2 = parseFloat(var2);
-
- if(el.sortBy == 'ASC'){
- return var1-var2;
- }else{
- return var2-var1;
- }
-
- }else if(el.axis == 'string'){
- var1 = var1.toUpperCase();
- var2 = var2.toUpperCase();
-
- if(var1==var2){return 0};
- if(el.sortBy == 'ASC'){
- if(var1<var2){return -1};
- }else{
- if(var1>var2){return -1};
- }
- return 1;
-
- }else if(el.axis == 'date'){
- var1 = parseFloat(el.getdate(var1));
- var2 = parseFloat(el.getdate(var2));
-
- if(el.sortBy == 'ASC'){
- return var1-var2;
- }else{
- return var2-var1;
- }
-
- }else if(el.axis == 'currency'){
- var1 = parseFloat(var1.substr(1).replace(',',''));
- var2 = parseFloat(var2.substr(1).replace(',',''));
-
- if(el.sortBy == 'ASC'){
- return var1-var2;
- }else{
- return var2-var1;
- }
-
- }
-
- }
-
- if(i == this.options.sortOn){
- el.fireEvent('click');
- }
- }
- }, this);
- },
-
- sort: function(index){
- if(this.options.onStart){
- this.fireEvent('onStart');
- }
- //
- this.options.sortOn = index;
- var header = this.tHead.getElements('th');
- var el = header[index];
-
- header.each(function(e,i){
- if(i != index){
- e.removeClass('sortedASC');
- e.removeClass('sortedDESC');
- }
- });
-
- if(el.hasClass('sortedASC')){
- el.removeClass('sortedASC');
- el.addClass('sortedDESC');
- el.sortBy = 'DESC';
- }else if(el.hasClass('sortedDESC')){
- el.removeClass('sortedDESC');
- el.addClass('sortedASC');
- el.sortBy = 'ASC';
- }else{
- if(this.options.sortBy == 'ASC'){
- el.addClass('sortedASC');
- el.sortBy = 'ASC';
- }else if(this.options.sortBy == 'DESC'){
- el.addClass('sortedDESC');
- el.sortBy = 'DESC';
- }
- }
- //
- this.elements.sort(el.compare);
- this.elements.injectInside(this.tBody);
- //
- if(this.filtered){
- this.filteredAltRow();
- }else{
- this.altRow();
- }
-
- //
- if(this.options.onComplete){
- this.fireEvent('onComplete');
- }
- },
-
- altRow: function(){
- this.elements.each(function(el,i){
- if(i % 2){
- el.removeClass('altRow');
- }else{
- el.addClass('altRow');
- }
- });
- },
-
- filteredAltRow: function(){
- this.table.getElements('.'+this.options.filterSelectedCls).each(function(el,i){
- if(i % 2){
- el.removeClass('altRow');
- }else{
- el.addClass('altRow');
- }
- });
- },
-
- filter: function(form){
- var form = $(form);
- var col = 0;
- var key = '';
-
- form.getChildren().each(function(el,i){
- if(el.id == 'column'){
- col = Number(el.value);
- }
- if(el.id == 'keyword'){
- key = el.value.toLowerCase();
- }
- if(el.type == 'reset'){
- el.addEvent('click',this.clearFilter.bind(this));
- }
- }, this);
-
- if(key){
- this.elements.each(function(el,i){
- if(this.options.filterHide){
- el.removeClass('altRow');
- }
- if(el.getChildren()[col].firstChild.data.toLowerCase().indexOf(key) > -1){
- el.addClass(this.options.filterSelectedCls);
- if(this.options.filterHide){
- el.removeClass(this.options.filterHideCls);
- }
- }else{
- el.removeClass(this.options.filterSelectedCls);
- if(this.options.filterHide){
- el.addClass(this.options.filterHideCls);
- }
- }
- }, this);
- if(this.options.filterHide){
- this.filteredAltRow();
- this.filtered = true;
- }
- }
- },
-
- clearFilter: function(){
- this.elements.each(function(el,i){
- el.removeClass(this.options.filterSelectedCls);
- if(this.options.filterHide){
- el.removeClass(this.options.filterHideCls);
- }
- }, this);
- if(this.options.filterHide){
- this.altRow();
- this.filtered = false;
- }
- }
-
-});
-sortableTable.implement(new Events);
-sortableTable.implement(new Options);
-
-/*************************************************************/
+ + +/************************************************************** + + Script : Sortable Table + Version : 1.4 + Authors : Samuel Birch + Desc : Sorts and filters table elements + Licence : Open Source MIT Licence + +**************************************************************/ + +var sortableTable = new Class({ + + getOptions: function(){ + return { + overCls: false, + onClick: false, + sortOn: 0, + sortBy: 'ASC', + filterHide: true, + filterHideCls: 'hide', + filterSelectedCls: 'selected' + }; + }, + + initialize: function(table, options){ + this.setOptions(this.getOptions(), options); + this.table = $(table); + this.tHead = this.table.getElement('thead'); + this.tBody = this.table.getElement('tbody'); + this.tFoot = this.table.getElement('tfoot'); + this.elements = this.tBody.getElements('tr'); + this.filtered = false; + + /*for(i=0;i<10;i++){ + this.elements.clone().injectInside(this.tBody); + } + this.elements = this.tBody.getElements('tr');*/ + + this.elements.each(function(el,i){ + if(this.options.overCls){ + el.addEvent('mouseover', function(){ + el.addClass(options.overCls); + }, this); + el.addEvent('mouseout', function(){ + el.removeClass(options.overCls); + }); + } + if(this.options.onClick){ + el.addEvent('click', options.onClick); + } + }, this); + + //setup header + this.tHead.getElements('th').each(function(el,i){ + if(el.axis){ + el.addEvent('click', this.sort.bind(this,i)); + el.addEvent('mouseover', function(){ + el.addClass('tableHeaderOver'); + }); + el.addEvent('mouseout', function(){ + el.removeClass('tableHeaderOver'); + }); + el.getdate = function(str){ + // inner util function to convert 2-digit years to 4 + function fixYear(yr) { + yr = +yr; + if (yr<50) { yr += 2000; } + else if (yr<100) { yr += 1900; } + return yr; + }; + var ret; + // + if (str.length>12){ + strtime = str.substring(str.lastIndexOf(' ')+1); + strtime = strtime.substring(0,2)+strtime.substr(-2) + }else{ + strtime = '0000'; + } + // + // YYYY-MM-DD + if (ret=str.match(/(\d{2,4})-(\d{1,2})-(\d{1,2})/)) { + return (fixYear(ret[1])*10000) + (ret[2]*100) + (+ret[3]) + strtime; + } + // DD/MM/YY[YY] or DD-MM-YY[YY] + if (ret=str.match(/(\d{1,2})[\/-](\d{1,2})[\/-](\d{2,4})/)) { + return (fixYear(ret[3])*10000) + (ret[2]*100) + (+ret[1]) + strtime; + } + return 999999990000; // So non-parsed dates will be last, not first + }; + // + el.findData = function(elem){ + var child = elem.getFirst(); + if(child){ + return el.findData(child); + }else{ + return elem.innerHTML.trim(); + } + }; + // + el.compare = function(a,b){ + var1 = el.findData(a.getChildren()[i]); + var2 = el.findData(b.getChildren()[i]); + //var1 = a.getChildren()[i].firstChild.data; + //var2 = b.getChildren()[i].firstChild.data; + + if(el.axis == 'number'){ + var1 = parseFloat(var1); + var2 = parseFloat(var2); + + if(el.sortBy == 'ASC'){ + return var1-var2; + }else{ + return var2-var1; + } + + }else if(el.axis == 'string'){ + var1 = var1.toUpperCase(); + var2 = var2.toUpperCase(); + + if(var1==var2){return 0}; + if(el.sortBy == 'ASC'){ + if(var1<var2){return -1}; + }else{ + if(var1>var2){return -1}; + } + return 1; + + }else if(el.axis == 'date'){ + var1 = parseFloat(el.getdate(var1)); + var2 = parseFloat(el.getdate(var2)); + + if(el.sortBy == 'ASC'){ + return var1-var2; + }else{ + return var2-var1; + } + + }else if(el.axis == 'currency'){ + var1 = parseFloat(var1.substr(1).replace(',','')); + var2 = parseFloat(var2.substr(1).replace(',','')); + + if(el.sortBy == 'ASC'){ + return var1-var2; + }else{ + return var2-var1; + } + + } + + } + + if(i == this.options.sortOn){ + el.fireEvent('click'); + } + } + }, this); + }, + + sort: function(index){ + if(this.options.onStart){ + this.fireEvent('onStart'); + } + // + this.options.sortOn = index; + var header = this.tHead.getElements('th'); + var el = header[index]; + + header.each(function(e,i){ + if(i != index){ + e.removeClass('sortedASC'); + e.removeClass('sortedDESC'); + } + }); + + if(el.hasClass('sortedASC')){ + el.removeClass('sortedASC'); + el.addClass('sortedDESC'); + el.sortBy = 'DESC'; + }else if(el.hasClass('sortedDESC')){ + el.removeClass('sortedDESC'); + el.addClass('sortedASC'); + el.sortBy = 'ASC'; + }else{ + if(this.options.sortBy == 'ASC'){ + el.addClass('sortedASC'); + el.sortBy = 'ASC'; + }else if(this.options.sortBy == 'DESC'){ + el.addClass('sortedDESC'); + el.sortBy = 'DESC'; + } + } + // + this.elements.sort(el.compare); + this.elements.injectInside(this.tBody); + // + if(this.filtered){ + this.filteredAltRow(); + }else{ + this.altRow(); + } + + // + if(this.options.onComplete){ + this.fireEvent('onComplete'); + } + }, + + altRow: function(){ + this.elements.each(function(el,i){ + if(i % 2){ + el.removeClass('altRow'); + }else{ + el.addClass('altRow'); + } + }); + }, + + filteredAltRow: function(){ + this.table.getElements('.'+this.options.filterSelectedCls).each(function(el,i){ + if(i % 2){ + el.removeClass('altRow'); + }else{ + el.addClass('altRow'); + } + }); + }, + + filter: function(form){ + var form = $(form); + var col = 0; + var key = ''; + + form.getChildren().each(function(el,i){ + if(el.id == 'column'){ + col = Number(el.value); + } + if(el.id == 'keyword'){ + key = el.value.toLowerCase(); + } + if(el.type == 'reset'){ + el.addEvent('click',this.clearFilter.bind(this)); + } + }, this); + + if(key){ + this.elements.each(function(el,i){ + if(this.options.filterHide){ + el.removeClass('altRow'); + } + if(el.getChildren()[col].firstChild.data.toLowerCase().indexOf(key) > -1){ + el.addClass(this.options.filterSelectedCls); + if(this.options.filterHide){ + el.removeClass(this.options.filterHideCls); + } + }else{ + el.removeClass(this.options.filterSelectedCls); + if(this.options.filterHide){ + el.addClass(this.options.filterHideCls); + } + } + }, this); + if(this.options.filterHide){ + this.filteredAltRow(); + this.filtered = true; + } + } + }, + + clearFilter: function(){ + this.elements.each(function(el,i){ + el.removeClass(this.options.filterSelectedCls); + if(this.options.filterHide){ + el.removeClass(this.options.filterHideCls); + } + }, this); + if(this.options.filterHide){ + this.altRow(); + this.filtered = false; + } + } + +}); +sortableTable.implement(new Events); +sortableTable.implement(new Options); + +/*************************************************************/ diff --git a/config/snort/javascript/tabs.js b/config/snort/javascript/tabs.js new file mode 100644 index 00000000..40e54f0e --- /dev/null +++ b/config/snort/javascript/tabs.js @@ -0,0 +1,123 @@ +// CSS helper functions +CSS = { + // Adds a class to an element. + AddClass: function (e, c) { + if (!e.className.match(new RegExp("\\b" + c + "\\b", "i"))) + e.className += (e.className ? " " : "") + c; + }, + + // Removes a class from an element. + RemoveClass: function (e, c) { + e.className = e.className.replace(new RegExp(" \\b" + c + "\\b|\\b" + c + "\\b ?", "gi"), ""); + } +}; + +// Functions for handling tabs. +Tabs = { + // Changes to the tab with the specified ID. + GoTo: function (contentId, skipReplace) { + // This variable will be true if a tab for the specified + // content ID was found. + var foundTab = false; + + // Get the TOC element. + var toc = document.getElementById("toc"); + if (toc) { + var lis = toc.getElementsByTagName("li"); + for (var j = 0; j < lis.length; j++) { + var li = lis[j]; + + // Give the current tab link the class "current" and + // remove the class from any other TOC links. + var anchors = li.getElementsByTagName("a"); + for (var k = 0; k < anchors.length; k++) { + if (anchors[k].hash == "#" + contentId) { + CSS.AddClass(li, "current"); + foundTab = true; + break; + } else { + CSS.RemoveClass(li, "current"); + } + } + } + } + + // Show the content with the specified ID. + var divsToHide = []; + var divs = document.getElementsByTagName("div"); + for (var i = 0; i < divs.length; i++) { + var div = divs[i]; + + if (div.className.match(/\bcontent\b/i)) { + if (div.id == "_" + contentId) + div.style.display = "block"; + else + divsToHide.push(div); + } + } + + // Hide the other content boxes. + for (var i = 0; i < divsToHide.length; i++) + divsToHide[i].style.display = "none"; + + // Change the address bar. + if (!skipReplace) window.location.replace("#" + contentId); + }, + + OnClickHandler: function (e) { + // Stop the event (to stop it from scrolling or + // making an entry in the history). + if (!e) e = window.event; + if (e.preventDefault) e.preventDefault(); else e.returnValue = false; + + // Get the name of the anchor of the link that was clicked. + Tabs.GoTo(this.hash.substring(1)); + }, + + Init: function () { + if (!document.getElementsByTagName) return; + + // Attach an onclick event to all the anchor links on the page. + var anchors = document.getElementsByTagName("a"); + for (var i = 0; i < anchors.length; i++) { + var a = anchors[i]; + if (a.hash) a.onclick = Tabs.OnClickHandler; + } + + var contentId; + if (window.location.hash) contentId = window.location.hash.substring(1); + + var divs = document.getElementsByTagName("div"); + for (var i = 0; i < divs.length; i++) { + var div = divs[i]; + + if (div.className.match(/\bcontent\b/i)) { + if (!contentId) contentId = div.id; + div.id = "_" + div.id; + } + } + + if (contentId) Tabs.GoTo(contentId, true); + } +}; + +// Hook up the OnLoad event to the tab initialization function. +window.onload = Tabs.Init; + +// Hide the content while waiting for the onload event to trigger. +var contentId = window.location.hash || "#Introduction"; + +if (document.createStyleSheet) { + var style = document.createStyleSheet(); + style.addRule("div.content", "display: none;"); + style.addRule("div" + contentId, "display: block;"); +} else { + var head = document.getElementsByTagName("head")[0]; + if (head) { + var style = document.createElement("style"); + style.setAttribute("type", "text/css"); + style.appendChild(document.createTextNode("div.content { display: none; }")); + style.appendChild(document.createTextNode("div" + contentId + " { display: block; }")); + head.appendChild(style); + } +}
\ No newline at end of file diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 index 83d5bdae..0aede4a0 100644 --- a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 +++ b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 @@ -1 +1 @@ -10002
\ No newline at end of file +102
\ No newline at end of file diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 00a86c35..104c1a5a 100755..100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -3,6 +3,7 @@ /* snort.inc Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya part of pfSense All rights reserved. @@ -29,215 +30,1050 @@ */ require_once("pfsense-utils.inc"); +require_once("config.inc"); +require_once("functions.inc"); -// Needed on 2.0 because of get_vpns_list() -require_once("filter.inc"); +// Needed on 2.0 because of filter_get_vpns_list() +require_once("filter.inc"); + +/* find out if were in 1.2.3-RELEASE */ +$pfsense_ver_chk = exec('/bin/cat /etc/version'); +if ($pfsense_ver_chk == '1.2.3-RELEASE') +{ + $pfsense_stable = 'yes'; +}else{ + $pfsense_stable = 'no'; +} + +/* tell me my theme */ +$pfsense_theme_is = $config['theme']; + +/* checks to see if snort is running yes/no and stop/start */ + function Running_Ck($snort_uuid, $if_real, $id) { + global $config; + + $snort_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); + + if(snort_up_ck == ''){ + $snort_up = 'no'; + return $snort_up; + } + + if(snort_up_ck != ''){ + + //$snort_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); + //$snort_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); + //$snort_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); + + /* use ob_clean to clear output buffer, this code needs to be watched */ + ob_clean(); + $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}{$if_real}\" | awk '{print \$1;}'", $retval); + + if ($snort_up_prell != "") { + $snort_uph = 'yes'; + }else{ + $snort_uph = 'no'; + } + } + + return $snort_uph; + } + +/* checks to see if barnyard2 is running yes/no */ + function Running_Ck_b($snort_uuid, $if_real, $id) { + global $config; + + $snort_up_ck_b = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep barnyard2 | /usr/bin/awk '{print \$2;}' | sed 1q"); + + if($snort_up_ck_b == ''){ + $snort_up_b = 'no'; + return $snort_up_b; + } + + if(snort_up_ck_b != ''){ + + //$snort_up_pre_b = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); + //$snort_up_s_b = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$snort_up_pre_b} | /usr/bin/awk '{print \$1;}'"); + //$snort_up_r_b = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$snort_up_pre_b} | /usr/bin/awk '{print \$1;}'"); + + /* use ob_clean to clear output buffer, this code needs to be watched */ + ob_clean(); + $snort_up_pre_b = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); + + if ($snort_up_pre_b != '') { + $snort_up_b = 'yes'; + }else{ + $snort_up_b = 'no'; + } + } + + return $snort_up_b; + } + + function Running_Stop($snort_uuid, $if_real, $id) { + global $config; + + $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}{$if_real}\" | awk '{print \$1;}'"); + $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + + $start2_upb_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); + $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + + if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") + { + if ($start_up_s != "") + { + exec("/bin/kill {$start_up_s}"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); + } + + if ($start2_upb_s != "") + { + exec("/bin/kill {$start2_upb_s}"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); + } + + if ($start_up_r != "") + { + exec("/bin/kill {$start_up_r}"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); + } + + if ($start2_upb_r != "") + { + exec("/bin/kill {$start2_upb_r}"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); + } + } + + + function Running_Start($snort_uuid, $if_real, $id) { + global $config; + + $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; + if ($snort_info_chk == 'on') { + exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + } + /* define snortbarnyardlog_chk */ + /* top will have trouble if the uuid is to far back */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; + if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '' && $snort_info_chk == 'on') { + exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); + } + +/* get the real iface name of wan */ +function convert_friendly_interface_to_real_interface_name2($interface) +{ + global $config; + + $lc_interface = strtolower($interface); + if($lc_interface == "lan") return $config['interfaces']['lan']['if']; + if($lc_interface == "wan") return $config['interfaces']['wan']['if']; + $ifdescrs = array(); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $ifdescrs['opt' . $j] = "opt" . $j; + foreach ($ifdescrs as $ifdescr => $ifname) + { + if(strtolower($ifname) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + if(strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + } + + return $interface; +} + +//$if_real_wan = convert_friendly_interface_to_real_interface_name2($interface_fake); /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); ini_set('max_input_time', '9999'); /* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; +if($config['installedpackages']['snortglobal']) + $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; + +function snort_postinstall() +{ + global $config; + conf_mount_rw(); + + if(!file_exists('/var/log/snort/')) { + mwexec('mkdir -p /var/log/snort/'); + mwexec('mkdir -p /var/log/snort/barnyard2'); + } + + if(!file_exists('/var/log/snort/alert')) { + touch('/var/log/snort/alert'); + }else{ + exec('/bin/rm -rf /var/log/snort/*'); + touch('/var/log/snort/alert'); + } + + + /* snort -> advanced features */ + $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; + + + /* create a few directories and ensure the sample files are in place */ + exec('/bin/mkdir -p /usr/local/etc/snort'); + exec('/bin/mkdir -p /var/log/snort'); + exec('/bin/mkdir -p /usr/local/etc/snort/rules'); + if(file_exists('/usr/local/etc/snort/snort.conf-sample')) + { + exec('/bin/rm /usr/local/etc/snort/snort.conf-sample'); + exec('/bin/rm /usr/local/etc/snort/threshold.conf-sample'); + exec('/bin/rm /usr/local/etc/snort/sid-msg.map-sample'); + exec('/bin/rm /usr/local/etc/snort/unicode.map-sample'); + exec('/bin/rm /usr/local/etc/snort/classification.config-sample'); + exec('/bin/rm /usr/local/etc/snort/generators-sample'); + exec('/bin/rm /usr/local/etc/snort/reference.config-sample'); + exec('/bin/rm /usr/local/etc/snort/gen-msg.map-sample'); + exec('/bin/rm /usr/local/etc/snort/sid'); + exec('/bin/rm /usr/local/etc/rc.d/snort'); + exec('/bin/rm /usr/local/etc/rc.d/bardyard2'); + } + + if(!file_exists('/usr/local/etc/snort/custom_rules')) + { + exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules/'); + } + + exec('/usr/sbin/pw groupadd snort -g 920'); + exec('/usr/sbin/pw useradd snort -u 920 -c "Snort User" -d /nonexistent -g snort -s /sbin/nologin'); + exec('/usr/sbin/chown -R snort:snort /var/log/snort'); + exec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort'); + exec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort'); + exec('/bin/chmod -R 755 /var/log/snort'); + exec('/bin/chmod -R 755 /usr/local/etc/snort'); + exec('/bin/chmod -R 755 /usr/local/lib/snort'); + + + /* remove example files */ + if(file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) + { + exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); + } + + if(file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) + { + exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + } + + /* find out if were in 1.2.3-RELEASE */ + $pfsense_ver_chk = exec('/bin/cat /etc/version'); + if ($pfsense_ver_chk == '1.2.3-RELEASE') + { + $pfsense_stable = 'yes'; + }else{ + $pfsense_stable = 'no'; + } + + /* move files around, make it look clean */ + exec('/bin/mkdir -p /usr/local/www/snort/css'); + exec('/bin/mkdir -p /usr/local/www/snort/images'); + exec('/bin/mkdir -p /usr/local/www/snort/javascript'); + + chdir ("/usr/local/www/snort/css/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style2.css'); + chdir ("/usr/local/www/snort/images/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/footer.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/footer2.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png'); + chdir ("/usr/local/www/snort/javascript/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/jquery.blockUI.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/jquery-1.3.2.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/mootools.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/sortableTable.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/tabs.js'); + + /* install barnyard2 for 2.0 and 1.2.3 */ + chdir ("/usr/local/bin/"); + if ($pfsense_stable == 'yes') { + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.2.x86/barnyard2'); + }else{ + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.0.x86/barnyard2'); + } + exec('/bin/chmod 077 /usr/local/bin/barnyard2'); + + /* back to default */ + chdir ("/root/"); + + /* make sure snort-pld is deinstalled */ + /* remove when snort-old is removed */ + unset($config['installedpackages']['snort']); + unset($config['installedpackages']['snortdefservers']); + unset($config['installedpackages']['snortwhitelist']); + unset($config['installedpackages']['snortthreshold']); + unset($config['installedpackages']['snortadvanced']); + write_config(); + conf_mount_rw(); + + conf_mount_ro(); + +} + function sync_package_snort_reinstall() { global $config; - if(!$config['installedpackages']['snort']) + conf_mount_rw(); + + if(!$config['installedpackages']['snortglobal']) return; /* create snort configuration file */ create_snort_conf(); /* start snort service */ - start_service("snort"); + // start_service("snort"); // do not start, may be needed latter. + + conf_mount_ro(); } -function sync_package_snort() + +/* func for updating cron */ +function snort_rm_blocked_install_cron($should_install) +{ + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) + { + if (strstr($item['command'], "snort2c")) + { + $is_installed = true; + break; + } + $x++; + } + + $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") + { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") + { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") + { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) + { + case true: + if(!$is_installed) + { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) + { + if($x > 0) + { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } +} + +/* func to install snort update */ +function snort_rules_up_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /usr/local/etc/snort/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } +} + +function sync_snort_package_remove_old() +{ + + global $config, $g; + +$snort_dir_scan = '/usr/local/etc/snort'; + +// scan dirm might have to make this into a funtion +$dh_scan = opendir($snort_dir_scan); +while (false !== ($dir_filename = readdir($dh_scan))) { + $list_dir_files[] = $dir_filename; +} + +// find patern in a array, very cool code +class array_ereg { + function array_ereg($pattern) { $this->pattern = $pattern; } + function ereg($string) { + return ereg($this->pattern, $string); + } +} + + $rule_array2 = $config['installedpackages']['snortglobal']['rule']; + $id2 = -1; + foreach ($rule_array2 as $value) + { + + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + $snort_rules_list[] = "snort_$id$if_real"; + + } + + +$snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); +$snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); + + foreach ($snort_dir_filter_search_result as $value) + { + exec("rm -r /usr/local/etc/snort/$value"); + } + +} + +/* make sure this func on writes to files and does not start snort */ +function sync_snort_package() { global $config, $g; conf_mount_rw(); - mwexec("mkdir -p /var/log/snort/"); + /* all new files are for the user snort nologin */ + if(!file_exists("/var/log/snort")) + { + exec("/bin/mkdir -p /var/log/snort"); + } + + exec("/usr/sbin/chown -R snort:snort /var/log/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /var/log/snort"); + exec("/bin/chmod -R 755 /usr/local/etc/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); - if(!file_exists("/var/log/snort/alert")) - touch("/var/log/snort/alert"); - /* snort -> advanced features */ - $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; - $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; - $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; + conf_mount_ro(); +} - /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; - else - $snort_performance = "ac-bnfa"; +/* only run when a single iface needs to sync */ +function sync_snort_package_all($id, $if_real, $snort_uuid) +{ + //global $config, $g, $id, $if_real, $snort_uuid, $interface_fake; + global $config, $g; - /* create a few directories and ensure the sample files are in place */ - exec("/bin/mkdir -p /usr/local/etc/snort"); - exec("/bin/mkdir -p /var/log/snort"); - exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); - exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); - exec("/bin/rm /usr/local/etc/snort/generators-sample"); - exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); - exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/sid"); - exec("/bin/rm -f /usr/local/etc/rc.d/snort"); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; +/* RedDevil suggested code */ +/* TODO: more testing needs to be done */ +exec("/sbin/sysctl net.bpf.bufsize=8388608"); +exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); +exec("/sbin/sysctl net.bpf.maxinsns=512"); +exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); + +# Error checking +if ($id != '' && $if_real != '') //new +{ + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + + conf_mount_rw(); + + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); + + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); + + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); + + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); + + sync_snort_package(); + + conf_mount_ro(); + } + } +} + +/* only run when all ifaces needed to sync */ +function sync_snort_package_empty() +{ + global $config, $g; + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + if ($id == "") + { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { + + if ($id == '') { + $id = 0; + } + + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); + + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); + + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); + } } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; + + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); + + sync_snort_package(); + + conf_mount_ro(); + + } + } +} + +/* only bootup and ip refresh */ +function sync_snort_package_config() +{ + global $config, $g; + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + if ($id == "") + { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { + + if ($id == '') { + $id = 0; + } + + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); + + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); + } } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; + + sync_snort_package(); + + conf_mount_ro(); + } } - //print_r($snortInterfaces); - - /* create log directory */ - $start = "/bin/mkdir -p /var/log/snort\n"; - - /* snort advanced features - bpf tuning */ - if($bpfbufsize) - $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; - if($bpfmaxbufsize) - $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; - if($bpfmaxinsns) - $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; - - /* go ahead and issue bpf changes */ - if($bpfbufsize) - mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); - if($bpfmaxbufsize) - mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); - if($bpfmaxinsns) - mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); - - /* always stop barnyard2 before starting snort -gtm */ - $start .= "/usr/bin/killall barnyard2\n"; - - /* start a snort process for each interface -gtm */ - /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ - /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ - /* TODO; get snort to start under nologin shell */ - foreach($snortInterfaces as $snortIf) +} + + +/* Start of main config files */ +/* Start of main config files */ + + +/* open snort.sh for writing" */ +function create_snort_sh() +{ + # Don not add $id or this will break + + global $config, $g; + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) { - $start .= "sleep 4\n"; - $start .= "/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; - if ($snortbarnyardlog_info_chk == on) - $start .= "\nsleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; - } - $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php\n\texit 1\n\tfi\n\n"; - $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; - $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; - $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; - $del_old_pids = "\nrm -f /var/run/snort_*\n"; - $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - if ($snort_performance == "ac-bnfa") - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; - else - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; - $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; - $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; - $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; + if ($id == "") + { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { + + $id += 1; + + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; + + if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"; + } + +/* Get all interface startup commands ready */ + +$snort_sh_text2[] = <<<EOD +###### For Each Iface + + # If Snort proc is NOT running + if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid - /* write out rc.d start/stop file */ - write_rcfile(array( - "file" => "snort.sh", - "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", - "stop" => "/usr/bin/killall snort; killall barnyard2" - ) - ); + # Start snort and barnyard2 + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - /* create snort configuration file */ - create_snort_conf(); + /usr/local/bin/snort -u snort -g snort -R {$snort_uuid}{$if_real} -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + $start_barnyard2 -/* create barnyard2 configuration file */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." - /* snort will not start on install untill setting are set */ -if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { - /* start snort service */ - conf_mount_ro(); - start_service("snort"); + fi +EOD; + +$snort_sh_text3[] = <<<EOE + +###### For Each Iface + + #### Fake start only used on bootup and Pfsense IP changes + #### Only try to restart if snort is running on Iface + if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then + + snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print $2;}'`" + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" + + #### Restart Iface + /bin/kill -HUP \${snort_pid} + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." + + fi + +EOE; + +$snort_sh_text4[] = <<<EOF + + pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}{$if_real}" | /usr/bin/awk '{print \$2;}'` + sleep 3 + pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'` + + if [ \${pid_s} ] ; then + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." + + /bin/kill \${pid_s} + sleep 3 + /bin/kill \${pid_b} + + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + + fi + +EOF; + + } + } } + + +$start_snort_iface_start = implode("\n\n", $snort_sh_text2); + +$start_snort_iface_restart = implode("\n\n", $snort_sh_text3); + +$start_snort_iface_stop = implode("\n\n", $snort_sh_text4); + +/* open snort.sh for writing" */ +conf_mount_rw(); + +$snort_sh_text = <<<EOD +#!/bin/sh +######## +# This file was automatically generated +# by the pfSense service handler. +# Code added to protect from double starts on pfSense bootup +######## Begining of Main snort.sh + +rc_start() { + + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + + /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" + exit 0 + + fi + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + + #### Remake the configs on boot Important! + /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php & + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." + +$start_snort_iface_restart + + /bin/rm /tmp/snort.sh.pid + + #### If on Fake start snort is NOT running DO a real start. + if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}{$if_real}" | awk '{print $2;}'`" = "" ]; then + + rc_start_real + + fi +} + +rc_start_real() { + + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" + exit 0 + fi + +$start_snort_iface_start + + /bin/rm /tmp/snort.sh.pid + +} + +rc_stop() { + + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" + exit 0 + fi + +$start_snort_iface_stop + + /bin/rm /tmp/snort.sh.pid + /bin/rm /var/run/snort* + +} + +case $1 in + start) + rc_start + ;; + start_real) + rc_start_real + ;; + stop) + rc_stop + ;; + restart) + rc_stop + rc_start_real + ;; +esac + +EOD; + + /* write out snort.sh */ + $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); + exit; + } + /* write snort.sh */ + fwrite($bconf, $snort_sh_text); + fclose($bconf); + +} + + +///////////////////////// >>>>>>>>>>>> + +/* if rules exist copy to new interfaces */ +function create_rules_iface($id, $if_real, $snort_uuid) +{ + + global $config, $g; + conf_mount_rw(); + + $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"; + $folder_chk = (count(glob("$if_rule_dir/*")) === 0) ? 'empty' : 'full'; + + if ($folder_chk == "empty") + { + exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) + { + exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules/local_{$snort_uuid}_{$if_real}.rules"); + } + } + } /* open barnyard2.conf for writing */ -function create_barnyard2_conf() { - global $bconfig, $bg; +function create_barnyard2_conf($id, $if_real, $snort_uuid) { + global $bconfig, $g; /* write out barnyard2_conf */ - conf_mount_rw(); - $barnyard2_conf_text = generate_barnyard2_conf(); - $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); + + if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) + { + exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + } + + $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); + $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); if(!$bconf) { - log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); exit; } fwrite($bconf, $barnyard2_conf_text); fclose($bconf); - conf_mount_ro(); } + /* open barnyard2.conf for writing" */ -function generate_barnyard2_conf() { +function generate_barnyard2_conf($id, $if_real, $snort_uuid) { global $config, $g; conf_mount_rw(); /* define snortbarnyardlog */ -/* TODO add support for the other 5 output plugins */ +/* TODO: add support for the other 5 output plugins */ -$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; -$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; -$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; +$snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); +/* user add arguments */ +$snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru'])); $barnyard2_conf_text = <<<EOD # barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php - +# # Copyright (C) 2006 Robert Zelaya # part of pfSense # All rights reserved. - -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: - +# # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. - +# # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. - +# # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -248,93 +1084,134 @@ $barnyard2_conf_text = <<<EOD # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. +# # set the appropriate paths to the file(s) your Snort process is using -config reference-map: /usr/local/etc/snort/reference.config -config class-map: /usr/local/etc/snort/classification.config -config gen-msg-map: /usr/local/etc/snort/gen-msg.map -config sid-msg-map: /usr/local/etc/snort/sid-msg.map + +config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +config classification_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +config gen_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map +config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk -config interface: $snortbarnyardlog_interface_info_chk +config interface: {$snort_uuid}_{$if_real} + +## START user pass through ## + +{$snortbarnyardlog_config_pass_thru} + +## END user pass through ## # Step 2: setup the input plugins input unified2 +config logdir: /var/log/snort + # database: log to a variety of databases # output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx $snortbarnyardlog_database_info_chk EOD; - conf_mount_rw(); + return $barnyard2_conf_text; } -function create_snort_conf() { +function create_snort_conf($id, $if_real, $snort_uuid) +{ global $config, $g; /* write out snort.conf */ - $snort_conf_text = generate_snort_conf(); + + if ($if_real != '' && $snort_uuid != '') { + + $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid); conf_mount_rw(); - $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); + $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w"); if(!$conf) { - log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing."); exit; } fwrite($conf, $snort_conf_text); fclose($conf); conf_mount_ro(); + } } -function snort_deinstall() { +function snort_deinstall() +{ global $config, $g; + conf_mount_rw(); /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ - exec("/sbin/sysctl net.bpf.bufsize=4096"); - exec("/usr/bin/killall snort"); - sleep(5); - exec("/usr/bin/killall -9 snort"); - exec("rm -f /usr/local/etc/rc.d/snort*"); - exec("rm -rf /usr/local/etc/snort*"); + exec('/sbin/sysctl net.bpf.bufsize=4096'); + exec('/usr/usr/bin/killall snort'); + sleep(2); + exec('/usr/usr/bin/killall -9 snort'); + sleep(2); + exec('/usr/usr/bin/killall barnyard2'); + sleep(2); + exec('/usr/usr/bin/killall -9 barnyard2'); + sleep(2); + exec('/usr/sbin/pw userdel snort'); + exec('/usr/sbin/pw groupdel snort'); + exec('rm -rf /usr/local/etc/snort*'); + exec('rm -rf /usr/local/pkg/snort*'); + exec('rm -rf /usr/local/pkg/pf/snort*'); + //exec("cd /var/db/pkg && pkg_delete `ls | grep barnyard2`"); exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); - exec("/usr/bin/killall -9 snort"); - exec("/usr/bin/killall snort"); + /* TODO: figure out how to detect pfsense packages that use the same freebsd pkckages and not deinstall */ + //exec("cd /var/db/pkg && pkg_delete `ls | grep mysql`"); + //exec("cd /var/db/pkg && pkg_delete `ls | grep pcre`"); + //exec("cd /var/db/pkg && pkg_delete `ls | grep perl`"); /* Remove snort cron entries Ugly code needs smoothness*/ - - function snort_rm_blocked_deinstall_cron($should_install) { + +function snort_rm_blocked_deinstall_cron($should_install) +{ global $config, $g; + conf_mount_rw(); $is_installed = false; if(!$config['cron']['item']) - return; + return; $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } + foreach($config['cron']['item'] as $item) + { + if (strstr($item['command'], "snort2c")) + { + $is_installed = true; + break; + } + + $x++; + } - - function snort_rules_up_deinstall_cron($should_install) { + if($is_installed == true) + { + if($x > 0) + { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + + configure_cron(); + + } + conf_mount_ro(); + +} + + function snort_rules_up_deinstall_cron($should_install) +{ global $config, $g; + conf_mount_rw(); $is_installed = false; @@ -353,10 +1230,11 @@ function snort_deinstall() { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); + conf_mount_rw(); } configure_cron(); } - } +} snort_rm_blocked_deinstall_cron(""); snort_rules_up_deinstall_cron(""); @@ -364,177 +1242,204 @@ snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ - unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); - unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); + unset($config['installedpackages']['snortglobal']); write_config(); + conf_mount_rw(); + exec('rm -rf /usr/local/www/snort'); + exec('rm -rf /usr/local/pkg/snort'); + exec('rm -rf /usr/local/lib/snort/'); + exec('rm -rf /var/log/snort/'); + exec('rm -rf /usr/local/pkg/snort*'); + + conf_mount_ro(); + } -function generate_snort_conf() { +function generate_snort_conf($id, $if_real, $snort_uuid) +{ global $config, $g; + conf_mount_rw(); + /* obtain external interface */ /* XXX: make multi wan friendly */ - $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; + $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; + /* user added arguments */ + $snort_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['configpassthru'])); + + /* create basic files */ + if(!file_exists("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) + { + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/"); + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + + if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map")) + { + exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); + exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); + exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); + exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); + exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); + exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); + exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); + exec("/bin/cp/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + } + } /* define snortalertlogtype */ -$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; +$snortalertlogtype = $config['installedpackages']['snortglobal']['snortalertlogtype']; if ($snortalertlogtype == fast) $snortalertlogtype_type = "output alert_fast: alert"; else $snortalertlogtype_type = "output alert_full: alert"; /* define alertsystemlog */ -$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; +$alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['alertsystemlog']; if ($alertsystemlog_info_chk == on) $alertsystemlog_type = "output alert_syslog: log_alert"; /* define tcpdumplog */ -$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; +$tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog']; if ($tcpdumplog_info_chk == on) $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; -/* define snortbarnyardlog_chk */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; - /* define snortunifiedlog */ -$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; +$snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog']; if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; -/* define spoink */ -$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; +/* define spoink (DISABLED)*/ +$spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7']; if ($spoink_info_chk == on) $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ -$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; +$def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_servers']; if ($def_dns_servers_info_chk == "") $def_dns_servers_type = "\$HOME_NET"; else $def_dns_servers_type = "$def_dns_servers_info_chk"; /* def DNS_PORTS */ -$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; +$def_dns_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_ports']; if ($def_dns_ports_info_chk == "") $def_dns_ports_type = "53"; else $def_dns_ports_type = "$def_dns_ports_info_chk"; /* def SMTP_SERVSERS */ -$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; +$def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_servers']; if ($def_smtp_servers_info_chk == "") $def_smtp_servers_type = "\$HOME_NET"; else $def_smtp_servers_type = "$def_smtp_servers_info_chk"; /* def SMTP_PORTS */ -$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; +$def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_ports']; if ($def_smtp_ports_info_chk == "") $def_smtp_ports_type = "25"; else $def_smtp_ports_type = "$def_smtp_ports_info_chk"; /* def MAIL_PORTS */ -$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; +$def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mail_ports']; if ($def_mail_ports_info_chk == "") $def_mail_ports_type = "25,143,465,691"; else $def_mail_ports_type = "$def_mail_ports_info_chk"; /* def HTTP_SERVSERS */ -$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; +$def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_servers']; if ($def_http_servers_info_chk == "") $def_http_servers_type = "\$HOME_NET"; else $def_http_servers_type = "$def_http_servers_info_chk"; /* def WWW_SERVSERS */ -$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; +$def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_www_servers']; if ($def_www_servers_info_chk == "") $def_www_servers_type = "\$HOME_NET"; else $def_www_servers_type = "$def_www_servers_info_chk"; /* def HTTP_PORTS */ -$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; +$def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_ports']; if ($def_http_ports_info_chk == "") $def_http_ports_type = "80"; else $def_http_ports_type = "$def_http_ports_info_chk"; /* def SQL_SERVSERS */ -$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; +$def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sql_servers']; if ($def_sql_servers_info_chk == "") $def_sql_servers_type = "\$HOME_NET"; else $def_sql_servers_type = "$def_sql_servers_info_chk"; /* def ORACLE_PORTS */ -$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; +$def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_oracle_ports']; if ($def_oracle_ports_info_chk == "") $def_oracle_ports_type = "1521"; else $def_oracle_ports_type = "$def_oracle_ports_info_chk"; /* def MSSQL_PORTS */ -$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; +$def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mssql_ports']; if ($def_mssql_ports_info_chk == "") $def_mssql_ports_type = "1433"; else $def_mssql_ports_type = "$def_mssql_ports_info_chk"; /* def TELNET_SERVSERS */ -$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; +$def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_servers']; if ($def_telnet_servers_info_chk == "") $def_telnet_servers_type = "\$HOME_NET"; else $def_telnet_servers_type = "$def_telnet_servers_info_chk"; /* def TELNET_PORTS */ -$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; +$def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_ports']; if ($def_telnet_ports_info_chk == "") $def_telnet_ports_type = "23"; else $def_telnet_ports_type = "$def_telnet_ports_info_chk"; /* def SNMP_SERVSERS */ -$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; +$def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_servers']; if ($def_snmp_servers_info_chk == "") $def_snmp_servers_type = "\$HOME_NET"; else $def_snmp_servers_type = "$def_snmp_servers_info_chk"; /* def SNMP_PORTS */ -$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; +$def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_ports']; if ($def_snmp_ports_info_chk == "") $def_snmp_ports_type = "161"; else $def_snmp_ports_type = "$def_snmp_ports_info_chk"; /* def FTP_SERVSERS */ -$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; +$def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_servers']; if ($def_ftp_servers_info_chk == "") $def_ftp_servers_type = "\$HOME_NET"; else $def_ftp_servers_type = "$def_ftp_servers_info_chk"; /* def FTP_PORTS */ -$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; +$def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_ports']; if ($def_ftp_ports_info_chk == "") $def_ftp_ports_type = "21"; else $def_ftp_ports_type = "$def_ftp_ports_info_chk"; /* def SSH_SERVSERS */ -$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; +$def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_servers']; if ($def_ssh_servers_info_chk == "") $def_ssh_servers_type = "\$HOME_NET"; else @@ -547,360 +1452,124 @@ else $ssh_port = "22"; /* def SSH_PORTS */ -$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; +$def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_ports']; if ($def_ssh_ports_info_chk == "") $def_ssh_ports_type = "{$ssh_port}"; else $def_ssh_ports_type = "$def_ssh_ports_info_chk"; /* def POP_SERVSERS */ -$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; +$def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop_servers']; if ($def_pop_servers_info_chk == "") $def_pop_servers_type = "\$HOME_NET"; else $def_pop_servers_type = "$def_pop_servers_info_chk"; /* def POP2_PORTS */ -$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; +$def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop2_ports']; if ($def_pop2_ports_info_chk == "") $def_pop2_ports_type = "109"; else $def_pop2_ports_type = "$def_pop2_ports_info_chk"; /* def POP3_PORTS */ -$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; +$def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop3_ports']; if ($def_pop3_ports_info_chk == "") $def_pop3_ports_type = "110"; else $def_pop3_ports_type = "$def_pop3_ports_info_chk"; /* def IMAP_SERVSERS */ -$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; +$def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_servers']; if ($def_imap_servers_info_chk == "") $def_imap_servers_type = "\$HOME_NET"; else $def_imap_servers_type = "$def_imap_servers_info_chk"; /* def IMAP_PORTS */ -$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; +$def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_ports']; if ($def_imap_ports_info_chk == "") $def_imap_ports_type = "143"; else $def_imap_ports_type = "$def_imap_ports_info_chk"; /* def SIP_PROXY_IP */ -$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; +$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ip']; if ($def_sip_proxy_ip_info_chk == "") $def_sip_proxy_ip_type = "\$HOME_NET"; else $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; /* def SIP_PROXY_PORTS */ -$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; +$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ports']; if ($def_sip_proxy_ports_info_chk == "") $def_sip_proxy_ports_type = "5060:5090,16384:32768"; else $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; /* def AUTH_PORTS */ -$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; +$def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_auth_ports']; if ($def_auth_ports_info_chk == "") $def_auth_ports_type = "113"; else $def_auth_ports_type = "$def_auth_ports_info_chk"; /* def FINGER_PORTS */ -$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; +$def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_finger_ports']; if ($def_finger_ports_info_chk == "") $def_finger_ports_type = "79"; else $def_finger_ports_type = "$def_finger_ports_info_chk"; /* def IRC_PORTS */ -$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; +$def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_irc_ports']; if ($def_irc_ports_info_chk == "") $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; else $def_irc_ports_type = "$def_irc_ports_info_chk"; /* def NNTP_PORTS */ -$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; +$def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_nntp_ports']; if ($def_nntp_ports_info_chk == "") $def_nntp_ports_type = "119"; else $def_nntp_ports_type = "$def_nntp_ports_info_chk"; /* def RLOGIN_PORTS */ -$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; +$def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rlogin_ports']; if ($def_rlogin_ports_info_chk == "") $def_rlogin_ports_type = "513"; else $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; /* def RSH_PORTS */ -$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; +$def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rsh_ports']; if ($def_rsh_ports_info_chk == "") $def_rsh_ports_type = "514"; else $def_rsh_ports_type = "$def_rsh_ports_info_chk"; /* def SSL_PORTS */ -$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; +$def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports']; if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "25,443,465,636,993,995"; + $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; else $def_ssl_ports_type = "$def_ssl_ports_info_chk"; - /* add auto update scripts to /etc/crontab */ -// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; -// $filenamea = "/etc/crontab"; -// remove_text_from_file($filenamea, $text_ww); -// add_text_to_file($filenamea, $text_ww); -// exec("killall -HUP cron"); */ - /* should we install a automatic update crontab entry? */ - $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; + $automaticrulesupdate = $config['installedpackages']['snortglobal']['automaticrulesupdate7']; /* if user is on pppoe, we really want to use ng0 interface */ if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") $snort_ext_int = "ng0"; /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) + $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance']; else $snort_performance = "ac-bnfa"; - /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "never_b") - $snort_rm_blocked_false = ""; - else - $snort_rm_blocked_false = "true"; - -if ($snort_rm_blocked_info_ck != "") { -function snort_rm_blocked_install_cron($should_install) { - global $config, $g; - conf_mount_rw(); - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") { - $snort_rm_blocked_min = "*/5"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "3600"; - } - if ($snort_rm_blocked_info_ck == "3h_b") { - $snort_rm_blocked_min = "*/15"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "10800"; - } - if ($snort_rm_blocked_info_ck == "6h_b") { - $snort_rm_blocked_min = "*/30"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "21600"; - } - if ($snort_rm_blocked_info_ck == "12h_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/1"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "43200"; - } - if ($snort_rm_blocked_info_ck == "1d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/2"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "86400"; - } - if ($snort_rm_blocked_info_ck == "4d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/8"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "345600"; - } - if ($snort_rm_blocked_info_ck == "7d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/14"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "604800"; - } - if ($snort_rm_blocked_info_ck == "28d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "0"; - $snort_rm_blocked_mday = "*/2"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "2419200"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - conf_mount_rw(); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } - } - snort_rm_blocked_install_cron(""); - snort_rm_blocked_install_cron($snort_rm_blocked_false); -} - - /* set the snort rules update time */ - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "never_up") - $snort_rules_up_false = ""; - else - $snort_rules_up_false = "true"; - -if ($snort_rules_up_info_ck != "") { -function snort_rules_up_install_cron($should_install) { - global $config, $g; - conf_mount_rw(); - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/1"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/4"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/7"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/28"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - conf_mount_rw(); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } - } - snort_rules_up_install_cron(""); - snort_rules_up_install_cron($snort_rules_up_false); -} - /* Be sure we're really rw before writing */ - conf_mount_rw(); - /* open snort2c's whitelist for writing */ + /* open snort's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); if(!$whitelist) { log_error("Could not open /var/db/whitelist for writing."); @@ -940,7 +1609,7 @@ function snort_rules_up_install_cron($should_install) { $home_net .= "{$ip} "; /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ - $int = convert_friendly_interface_to_real_interface_name("WAN"); + $int = convert_friendly_interface_to_real_interface_name2("WAN"); $gw = get_interface_gateway($int); if($gw) $home_net .= "{$gw} "; @@ -956,13 +1625,14 @@ function snort_rules_up_install_cron($should_install) { $home_net .= "127.0.0.1 "; /* iterate all vips and add to whitelist */ + if($config['virtualip']) foreach($config['virtualip']['vip'] as $vip) if($vip['subnet']) $home_net .= $vip['subnet'] . " "; - if($config['installedpackages']['snortwhitelist']) - foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) + if($config['installedpackages']['snortglobal']['config']) + foreach($config['installedpackages']['snortglobal']['config'] as $snort) if($snort['ip']) $home_net .= $snort['ip'] . " "; @@ -982,11 +1652,19 @@ function snort_rules_up_install_cron($should_install) { fwrite($whitelist, trim($wl) . "\n"); /* should we whitelist vpns? */ - $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; + $whitelistvpns = $config['installedpackages']['snortglobal']['whitelistvpns']; /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if($whitelistvpns) { - $vpns_list = get_vpns_list(); + if ($pfsense_stable == 'yes') // chk what pfsense version were on + { + $vpns_list = get_vpns_list(); + } + if ($pfsense_stable == 'no') // chk what pfsense version were on + { + $vpns_list = filter_get_vpns_list(); + } + $whitelist_vpns = split(" ", $vpns_list); foreach($whitelist_vpns as $wl) if(trim($wl)) @@ -995,34 +1673,9 @@ function snort_rules_up_install_cron($should_install) { /* close file */ fclose($whitelist); - - /* Be sure we're really rw before writing */ - conf_mount_rw(); - /* open snort's threshold.conf for writing */ - $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); - if(!$threshlist) { - log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); - return; - } - - /* list all entries to new lines */ - if($config['installedpackages']['snortthreshold']) - foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) - if($snortthreshlist['threshrule']) - $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; - - - /* foreach through threshlist, writing out to file */ - $threshlist_split = split("\n", $snortthreshlist_r); - foreach($threshlist_split as $wl) - if(trim($wl)) - fwrite($threshlist, trim($wl) . "\n"); - - /* close snort's threshold.conf file */ - fclose($threshlist); - + /* generate rule sections to load */ - $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; + $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][$id]['rulesets']; if($enabled_rulesets) { $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); @@ -1032,6 +1685,256 @@ function snort_rules_up_install_cron($should_install) { conf_mount_ro(); +///////////////////////////// + +/* preprocessor code */ + +/* def perform_stat */ +$snort_perform_stat = <<<EOD +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000 + +EOD; + +$def_perform_stat_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['perform_stat']; +if ($def_perform_stat_info_chk == "on") + $def_perform_stat_type = "$snort_perform_stat"; +else + $def_perform_stat_type = ""; + +$def_flow_depth_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; +if ($def_flow_depth_info_chk == '') + $def_flow_depth_type = '0'; +else + $def_flow_depth_type = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; + +/* def http_inspect */ +$snort_http_inspect = <<<EOD +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth {$def_flow_depth_type} \ + apache_whitespace no \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii no \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode no \ + iis_delimiter no \ + multi_slash no + +EOD; + +$def_http_inspect_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect']; +if ($def_http_inspect_info_chk == "on") + $def_http_inspect_type = "$snort_http_inspect"; +else + $def_http_inspect_type = ""; + +/* def other_preprocs */ +$snort_other_preprocs = <<<EOD +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +EOD; + +$def_other_preprocs_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['other_preprocs']; +if ($def_other_preprocs_info_chk == "on") + $def_other_preprocs_type = "$snort_other_preprocs"; +else + $def_other_preprocs_type = ""; + +/* def ftp_preprocessor */ +$snort_ftp_preprocessor = <<<EOD +##################### + # +# ftp preprocessor # + # +##################### + +preprocessor ftp_telnet: global \ +inspection_type stateless + +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 + +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +EOD; + +$def_ftp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['ftp_preprocessor']; +if ($def_ftp_preprocessor_info_chk == "on") + $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; +else + $def_ftp_preprocessor_type = ""; + +/* def smtp_preprocessor */ +$snort_smtp_preprocessor = <<<EOD +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +EOD; + +$def_smtp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['smtp_preprocessor']; +if ($def_smtp_preprocessor_info_chk == "on") + $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; +else + $def_smtp_preprocessor_type = ""; + +/* def sf_portscan */ +$snort_sf_portscan = <<<EOD +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +EOD; + +$def_sf_portscan_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['sf_portscan']; +if ($def_sf_portscan_info_chk == "on") + $def_sf_portscan_type = "$snort_sf_portscan"; +else + $def_sf_portscan_type = ""; + +/* def dce_rpc_2 */ +$snort_dce_rpc_2 = <<<EOD +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +EOD; + +$def_dce_rpc_2_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dce_rpc_2']; +if ($def_dce_rpc_2_info_chk == "on") + $def_dce_rpc_2_type = "$snort_dce_rpc_2"; +else + $def_dce_rpc_2_type = ""; + +/* def dns_preprocessor */ +$snort_dns_preprocessor = <<<EOD +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +EOD; + +$def_dns_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dns_preprocessor']; +if ($def_dns_preprocessor_info_chk == "on") + $def_dns_preprocessor_type = "$snort_dns_preprocessor"; +else + $def_dns_preprocessor_type = ""; + +/* def SSL_PORTS IGNORE */ +$def_ssl_ports_ignore_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports_ignore']; +if ($def_ssl_ports_ignore_info_chk == "") + $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; +else + $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk"; + +////////////////////////////////////////////////////////////////// /* build snort configuration file */ /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = <<<EOD @@ -1043,21 +1946,21 @@ function snort_rules_up_install_cron($should_install) { # for more information # snort.conf # Snort can be found at http://www.snort.org/ - -# Copyright (C) 2006 Robert Zelaya +# +# Copyright (C) 2009 Robert Zelaya # part of pfSense # All rights reserved. - +# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: - +# # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. - +# # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. - +# # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -1146,7 +2049,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504] # ##################### -var RULE_PATH /usr/local/etc/snort/rules +var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules # var PREPROC_RULE_PATH ./preproc_rules ################################ @@ -1171,8 +2074,7 @@ config disable_decode_drops # ################################### -config detection: search-method {$snort_performance} -config detection: max_queue_events 5 +config detection: search-method {$snort_performance} max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries @@ -1187,150 +2089,25 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules/ ################### preprocessor frag3_global: max_frags 8192 -preprocessor frag3_engine: policy windows -preprocessor frag3_engine: policy linux -preprocessor frag3_engine: policy first preprocessor frag3_engine: policy bsd detect_anomalies preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp yes -preprocessor stream5_tcp: bind_to any, policy windows -preprocessor stream5_tcp: bind_to any, policy linux -preprocessor stream5_tcp: bind_to any, policy vista -preprocessor stream5_tcp: bind_to any, policy macos preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes -preprocessor stream5_udp -preprocessor stream5_icmp +preprocessor stream5_udp: +preprocessor stream5_icmp: -########################## - # -# NEW # -# Performance Statistics # - # -########################## +{$def_perform_stat_type} -preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000 +{$def_http_inspect_type} -################# - # -# HTTP Inspect # - # -################# +{$def_other_preprocs_type} -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 +{$def_ftp_preprocessor_type} -preprocessor http_inspect_server: server default \ - ports { 80 8080 } \ - no_alerts \ - non_strict \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - flow_depth 0 \ - apache_whitespace yes \ - directory no \ - iis_backslash no \ - u_encode yes \ - ascii yes \ - chunk_length 500000 \ - bare_byte yes \ - double_decode yes \ - iis_unicode yes \ - iis_delimiter yes \ - multi_slash no - -################## - # -# Other preprocs # - # -################## - -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 -preprocessor bo - -##################### - # -# ftp preprocessor # - # -##################### - -preprocessor ftp_telnet: global \ -inspection_type stateless - -preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 - -preprocessor ftp_telnet_protocol: \ - ftp server default \ - def_max_param_len 100 \ - ports { 21 } \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -##################### - # -# SMTP preprocessor # - # -##################### - -preprocessor SMTP: \ - ports { 25 465 691 } \ - inspection_type stateful \ - normalize cmds \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - -################ - # -# sf Portscan # - # -################ +{$def_smtp_preprocessor_type} -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } +{$def_sf_portscan_type} ############################ # @@ -1342,28 +2119,9 @@ preprocessor sfportscan: scan_type { all } \ # ############################ -############### - # -# NEW # -# DCE/RPC 2 # - # -############### +{$def_dce_rpc_2_type} -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 - -#################### - # -# DNS preprocessor # - # -#################### - -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow +{$def_dns_preprocessor_type} ############################## # @@ -1372,7 +2130,7 @@ preprocessor dns: \ # ############################## -preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted +preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted ##################### # @@ -1393,9 +2151,9 @@ $spoink_type # ################# -include /usr/local/etc/snort/reference.config -include /usr/local/etc/snort/classification.config -include /usr/local/etc/snort/threshold.conf +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf # Snort user pass through configuration {$snort_config_pass_thru} @@ -1409,17 +2167,19 @@ include /usr/local/etc/snort/threshold.conf {$selected_rules_sections} EOD; - conf_mount_ro(); + return $snort_conf_text; } /* check downloaded text from snort.org to make sure that an error did not occur * for example, if you are not a premium subscriber you can only download rules - * so often, etc. + * so often, etc. TO BE: Removed unneeded. */ + function check_for_common_errors($filename) { global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); + +// ob_flush(); $contents = file_get_contents($filename); if(stristr($contents, "You don't have permission")) { if(!$console_mode) { @@ -1427,7 +2187,6 @@ function check_for_common_errors($filename) { hide_progress_bar_status(); } else { log_error("An error occured. Scroll down to inspect it's contents."); - echo "An error occured. Scroll down to inspect it's contents."; } if(!$console_mode) { update_output_window(strip_tags("$contents")); @@ -1470,14 +2229,12 @@ function verify_downloaded_file($filename) { } exit; } - update_all_status("Verifyied {$filename}."); + update_all_status("Verified {$filename}."); } /* extract rules */ function extract_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; - ini_set("memory_limit","64M"); - conf_mount_rw(); ob_flush(); if(!$console_mode) { $static_output = gettext("Extracting snort rules..."); @@ -1500,7 +2257,6 @@ function extract_snort_rules_md5($tmpfname) { log_error("Snort rules extracted."); echo "Snort rules extracted."; } - conf_mount_ro(); } /* verify MD5 against downloaded item */ @@ -1513,7 +2269,7 @@ function verify_snort_rules_md5($tmpfname) { } $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; + $md5 = `echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; if($md5 == $file_md5_ondisk) { if(!$console_mode) { @@ -1569,7 +2325,7 @@ function get_snort_alert($ip) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) $alert_title = $matches[2]; if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[0]; + $alert_ip = $matches[$id]; if($alert_ip == $ip) { if(!$snort_config[$ip]) $snort_config[$ip] = $alert_title; @@ -1582,7 +2338,7 @@ function get_snort_alert($ip) { function make_clickable($buffer) { global $config, $g; /* if clickable urls is disabled, simply return buffer back to caller */ - $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode']; if(!$clickablalerteurls) return $buffer; $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); diff --git a/config/snort-dev/snort.sh b/config/snort/snort.sh index 5b725cfe..5b725cfe 100755..100644 --- a/config/snort-dev/snort.sh +++ b/config/snort/snort.sh diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 763f65eb..0a3eb7a3 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,73 +46,32 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.8.4.1_5</version> - <title>Services: Snort 2.8.4.1_5 pkg v. 1.6</title> - <include_file>/usr/local/pkg/snort.inc</include_file> + <version>2.8.5.3</version> + <title>Services: Snort 2.8.5.2 pkg v. 1.19</title> + <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> <tooltiptext>Setup snort specific settings</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> + <url>/snort/snort_interfaces.php</url> </menu> <service> <name>snort</name> <rcfile>snort.sh</rcfile> <executable>snort</executable> - <description>Snort is the most widely deployed IDS/IPS technology worldwide..</description> + <description>Snort is the most widely deployed IDS/IPS technology worldwide.</description> </service> <tabs> - <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - <active/> - </tab> - <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> - </tab> - <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> - </tab> - <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> - </tab> - <tab> - <text>Blocked</text> - <url>/snort_blocked.php</url> - </tab> - <tab> - <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> - </tab> - <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> - </tab> </tabs> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/bin/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/bin/barnyard2</item> + <item>http://www.pfsense.com/packages/config/snort/snort_fbegin.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/bin/</prefix> @@ -123,256 +82,118 @@ <prefix>/usr/local/bin/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/oinkmaster.pl</item> - </additional_files_needed> + </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/bin/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item> + <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_gui.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/pkg/pf/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_whitelist.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_whitelist.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_barnyard.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_blocked.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_define_servers.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_help_info.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/pf/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item> + <item>http://www.pfsense.com/packages/config/snort/help_and_info.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_global.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_advanced.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_define_servers.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_threshold.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/pfsense_rules/local.rules</item> + <item>http://www.pfsense.com/packages/config/snort/snort_preprocessors.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/etc/rc.d/</prefix> + <chmod>755</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort.sh</item> </additional_files_needed> <fields> - <field> - <fielddescr>Interface</fielddescr> - <fieldname>iface_array</fieldname> - <description>Select the interface(s) Snort will listen on.</description> - <type>interfaces_selection</type> - <size>3</size> - <value>lan</value> - <multiple>true</multiple> - </field> - <field> - <fielddescr>Memory Performance</fielddescr> - <fieldname>performance</fieldname> - <description>Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance.</description> - <type>select</type> - <options> - <option> - <name>ac-bnfa</name> - <value>ac-bnfa</value> - </option> - <option> - <name>lowmem</name> - <value>lowmem</value> - </option> - <option> - <name>ac-std</name> - <value>ac-std</value> - </option> - <option> - <name>ac</name> - <value>ac</value> - </option> - <option> - <name>ac-banded</name> - <value>ac-banded</value> - </option> - <option> - <name>ac-sparsebands</name> - <value>ac-sparsebands</value> - </option> - <option> - <name>acs</name> - <value>acs</value> - </option> - </options> - </field> - <field> - <fielddescr>Oinkmaster code</fielddescr> - <fieldname>oinkmastercode</fieldname> - <description>Obtain a snort.org Oinkmaster code and paste here.</description> - <type>input</type> - <size>60</size> - <value></value> - </field> - <field> - <fielddescr>Snort.org subscriber</fielddescr> - <fieldname>subscriber</fieldname> - <description>Check this box if you are a Snort.org subscriber (premium rules).</description> - <type>checkbox</type> - <size>60</size> - </field> - <field> - <fielddescr>Block offenders</fielddescr> - <fieldname>blockoffenders7</fieldname> - <description>Checking this option will automatically block hosts that generate a snort alert.</description> - <type>checkbox</type> - <size>60</size> - </field> - <field> - <fielddescr>Remove blocked hosts every</fielddescr> - <fieldname>rm_blocked</fieldname> - <description>Please select the amount of time hosts are blocked</description> - <type>select</type> - <options> - <option> - <name>never</name> - <value>never_b</value> - </option> - <option> - <name>1 hour</name> - <value>1h_b</value> - </option> - <option> - <name>3 hours</name> - <value>3h_b</value> - </option> - <option> - <name>6 hours</name> - <value>6h_b</value> - </option> - <option> - <name>12 hours</name> - <value>12h_b</value> - </option> - <option> - <name>1 day</name> - <value>1d_b</value> - </option> - <option> - <name>4 days</name> - <value>4d_b</value> - </option> - <option> - <name>7 days</name> - <value>7d_b</value> - </option> - <option> - <name>28 days</name> - <value>28d_b</value> - </option> - </options> - </field> - <field> - </field> - <field> - <fielddescr>Update rules automatically</fielddescr> - <fieldname>autorulesupdate7</fieldname> - <description>Please select the update times for rules.</description> - <type>select</type> - <options> - <option> - <name>never</name> - <value>never_up</value> - </option> - <option> - <name>6 hours</name> - <value>6h_up</value> - </option> - <option> - <name>12 hours</name> - <value>12h_up</value> - </option> - <option> - <name>1 day</name> - <value>1d_up</value> - </option> - <option> - <name>4 days</name> - <value>4d_up</value> - </option> - <option> - <name>7 days</name> - <value>7d_up</value> - </option> - <option> - <name>28 days</name> - <value>28d_up</value> - </option> - </options> - </field> - <field> - <fielddescr>Whitelist VPNs automatically</fielddescr> - <fieldname>whitelistvpns</fieldname> - <description>Checking this option will install whitelists for all VPNs.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Convert Snort alerts urls to clickable links</fielddescr> - <fieldname>clickablalerteurls</fieldname> - <description>Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Associate events on Blocked tab</fielddescr> - <fieldname>associatealertip</fieldname> - <description>Checking this option will automatically associate the blocked reason from the snort alerts file.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Install emergingthreats rules.</fielddescr> - <fieldname>emergingthreats</fieldname> - <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description> - <type>checkbox</type> - </field> - </fields> - <custom_php_resync_config_command> - sync_package_snort(); - </custom_php_resync_config_command> + </fields> <custom_add_php_command> </custom_add_php_command> - <custom_php_install_command> - sync_package_snort_reinstall(); - </custom_php_install_command> + <custom_php_resync_config_command> + sync_snort_package(); + </custom_php_resync_config_command> + <custom_php_install_command> + snort_postinstall(); + </custom_php_install_command> <custom_php_deinstall_command> snort_deinstall(); </custom_php_deinstall_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index e67b9b5f..4f0ddb03 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -6,7 +6,11 @@ Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2006 Scott Ullrich All rights reserved. + + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -30,95 +34,597 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("globals.inc"); -require("guiconfig.inc"); -require("/usr/local/pkg/snort.inc"); +require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); -$snort_logfile = "{$g['varlog_path']}/snort/alert"; +$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$snort_logfile = '/var/log/snort/alert'; -$nentries = $config['syslog']['nentries']; -if (!$nentries) - $nentries = 50; +$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; +$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; + +if ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0') +{ + $anentries = '250'; +}else{ + $anentries = $pconfig['alertnumber']; +} + +if ($_POST['save']) +{ + + //unset($input_errors); + //$pconfig = $_POST; + + /* input validation */ + if ($_POST['save']) + { + + // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { + // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; + // } + + } + + /* no errors */ + if (!$input_errors) + { + + $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? on : off; + $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; + + conf_mount_rw(); + write_config(); + //conf_mount_ro(); + sleep(2); + + header("Location: /snort/snort_alerts.php"); + + } + +} + + +if ($_POST['delete']) +{ -if ($_POST['clear']) { exec("killall syslogd"); conf_mount_rw(); - exec("rm {$snort_logfile}; touch {$snort_logfile}"); + if(file_exists("/var/log/snort/alert")) + { + exec('/bin/rm /var/log/snort/*'); + exec('/usr/bin/touch /var/log/snort/alert'); + } conf_mount_ro(); system_syslogd_start(); - exec("/usr/bin/killall -HUP snort"); - exec("/usr/bin/killall snort2c"); - if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') - exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); + //exec("/usr/bin/killall -HUP snort"); + +} + +if ($_POST['download']) +{ + + ob_start(); //importanr or other post will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_logs_{$save_date}.tar.gz"; + exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort"); + + if(file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) + { + $file = "/tmp/snort_logs_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz"); + od_end_clean(); //importanr or other post will fail + }else{ + echo 'Error no saved file.'; + } + +} + + +/* WARNING: took me forever to figure reg expression, dont lose */ +// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; + +function get_snort_alert_date($fileline) +{ + /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ + if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) + { + $alert_date = "$matches1[0]"; + } + +return $alert_date; + +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + { + $alert_disc = "$matches[2]"; + } + +return $alert_disc; + +} + +function get_snort_alert_class($fileline) +{ + /* class */ + if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) + { + $alert_class = "$matches2[0]"; + } + +return $alert_class; + +} + +function get_snort_alert_priority($fileline) +{ + /* Priority */ + if (preg_match('/Priority:\s\d/', $fileline, $matches3)) + { + $alert_priority = "$matches3[0]"; + } + +return $alert_priority; + +} + +function get_snort_alert_proto($fileline) +{ + /* Priority */ + if (preg_match('/\{.+\}/', $fileline, $matches3)) + { + $alert_proto = "$matches3[0]"; + } + +return $alert_proto; + +} + +function get_snort_alert_proto_full($fileline) +{ + /* Protocal full */ + if (preg_match('/.+\sTTL/', $fileline, $matches2)) + { + $alert_proto_full = "$matches2[0]"; + } + +return $alert_proto_full; + +} + +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + { + $alert_ip_src = $matches4[1][0]; + } + +return $alert_ip_src; + +} + +function get_snort_alert_src_p($fileline) +{ + /* source port */ + if (preg_match('/:\d+\s-/', $fileline, $matches5)) + { + $alert_src_p = "$matches5[0]"; + } + +return $alert_src_p; + +} + +function get_snort_alert_flow($fileline) +{ + /* source port */ + if (preg_match('/(->|<-)/', $fileline, $matches5)) + { + $alert_flow = "$matches5[0]"; + } + +return $alert_flow; + +} + +function get_snort_alert_ip_dst($fileline) +{ + /* DST IP */ + $re1dp='.*?'; # Non-greedy match on filler + $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress + $re3dp='.*?'; # Non-greedy match on filler + $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) + { + $alert_ip_dst = $matches6[1][0]; + } + +return $alert_ip_dst; + } + +function get_snort_alert_dst_p($fileline) +{ + /* dst port */ + if (preg_match('/:\d+$/', $fileline, $matches7)) + { + $alert_dst_p = "$matches7[0]"; + } + +return $alert_dst_p; + +} + +function get_snort_alert_dst_p_full($fileline) +{ + /* dst port full */ + if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) + { + $alert_dst_p = "$matches7[0]"; + } + +return $alert_dst_p; + +} + +function get_snort_alert_sid($fileline) +{ + /* SID */ + if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) + { + $alert_sid = "$matches8[0]"; + } + +return $alert_sid; + +} + +// $pgtitle = "Services: Snort: Snort Alerts"; include("head.inc"); ?> +<link rel="stylesheet" href="/snort/css/style.css" type="text/css" media="all"> +<script type="text/javascript" src="/snort/javascript/mootools.js"></script> +<script type="text/javascript" src="/snort/javascript/sortableTable.js"></script> + <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +<?php + +include("./snort_fbegin.inc"); + +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; + +/* refresh every 60 secs */ +if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') +{ + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n"; +} ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", true, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> - </td></tr> - <tr> - <td> +</td> +</tr> + <tr> + <td> <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0"> <tr> - <td colspan="2" class="listtopic"> - Last <?=$nentries;?> Snort Alert entries</td> + <td width="22%" colspan="0" class="listtopic"> + Last <?=$anentries;?> Alert Entries. + </td> + <td width="78%" class="listtopic"> + Latest Alert Entries Are Listed First. + </td> </tr> - <?php dump_log_file($snort_logfile, $nentries); ?> - <tr><td><br><form action="snort_alerts.php" method="post"> - <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr> + <tr> + <td width="22%" class="vncell">Save or Remove Logs</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_alerts.php" method="post"> + <input name="download" type="submit" class="formbtn" value="Download"> + All log files will be saved. + <input name="delete" type="submit" class="formbtn" value="Clear"> + <span class="red"><strong>Warning:</strong></span> all log files will be deleted. + </form> + </td> + </tr> + <tr> + <td width="22%" class="vncell">Auto Refresh and Log View</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_alerts.php" method="post"> + <input name="save" type="submit" class="formbtn" value="Save"> + Refresh + <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> + <strong>Default</strong> is <strong>ON</strong>. + <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> + Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>. + </form> + </td> + </tr> </table> </div> - </form> </td> </tr> </table> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <td width="100%"> + <br> + <div class="tableFilter"> + <form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">Filter: + <select id="column"> + <option value="1">PRIORITY</option> + <option value="2">PROTO</option> + <option value="3">DESCRIPTION</option> + <option value="4">CLASS</option> + <option value="5">SRC</option> + <option value="6">SRC PORT</option> + <option value="7">FLOW</option> + <option value="8">DST</option> + <option value="9">DST PORT</option> + <option value="10">SID</option> + <option value="11">Date</option> + </select> + <input type="text" id="keyword" /> + <input type="submit" value="Submit" /> + <input type="reset" value="Clear" /> + </form> + </div> +<table class="allRow" id="myTable" width="100%" border="2" cellpadding="1" cellspacing="1"> + <thead> + <th axis="number">#</th> + <th axis="string">PRI</th> + <th axis="string">PROTO</th> + <th axis="string">DESCRIPTION</th> + <th axis="string">CLASS</th> + <th axis="string">SRC</th> + <th axis="string">SPORT</th> + <th axis="string">FLOW</th> + <th axis="string">DST</th> + <th axis="string">DPORT</th> + <th axis="string">SID</th> + <th axis="date">Date</th> + </thead> + <tbody> +<?php + + /* make sure alert file exists */ + if(!file_exists('/var/log/snort/alert')) + { + conf_mount_rw(); + exec('/usr/bin/touch /var/log/snort/alert'); + conf_mount_ro(); + } + + $logent = $anentries; + + /* detect the alert file type */ + if ($snortalertlogt == 'full') + { + $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); + }else{ + $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert')))); + } + + + +if (is_array($alerts_array)) +{ + + $counter = 0; + foreach($alerts_array as $fileline) + { + + if($logent <= $counter) + continue; + + $counter++; + + /* Date */ + $alert_date_str = get_snort_alert_date($fileline); + + if($alert_date_str != '') + { + $alert_date = $alert_date_str; + }else{ + $alert_date = 'empty'; + } + + /* Discription */ + $alert_disc_str = get_snort_alert_disc($fileline); + + if($alert_disc_str != '') + { + $alert_disc = $alert_disc_str; + }else{ + $alert_disc = 'empty'; + } + + /* Classification */ + $alert_class_str = get_snort_alert_class($fileline); + + if($alert_class_str != '') + { + + $alert_class_match = array('[Classification:',']'); + $alert_class = str_replace($alert_class_match, '', "$alert_class_str"); + }else{ + $alert_class = 'Prep'; + } + + /* Priority */ + $alert_priority_str = get_snort_alert_priority($fileline); + + if($alert_priority_str != '') + { + $alert_priority_match = array('Priority: ',']'); + $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str"); + }else{ + $alert_priority = 'empty'; + } + + /* Protocol */ + /* Detect alert file type */ + if ($snortalertlogt == 'full') + { + $alert_proto_str = get_snort_alert_proto_full($fileline); + }else{ + $alert_proto_str = get_snort_alert_proto($fileline); + } + + if($alert_proto_str != '') + { + $alert_proto_match = array(" TTL",'{','}'); + $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str"); + }else{ + $alert_proto = 'empty'; + } + + /* IP SRC */ + $alert_ip_src_str = get_snort_alert_ip_src($fileline); + + if($alert_ip_src_str != '') + { + $alert_ip_src = $alert_ip_src_str; + }else{ + $alert_ip_src = 'empty'; + } + + /* IP SRC Port */ + $alert_src_p_str = get_snort_alert_src_p($fileline); + + if($alert_src_p_str != '') + { + $alert_src_p_match = array(' -',':'); + $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str"); + }else{ + $alert_src_p = 'empty'; + } + + /* Flow */ + $alert_flow_str = get_snort_alert_flow($fileline); + + if($alert_flow_str != '') + { + $alert_flow = $alert_flow_str; + }else{ + $alert_flow = 'empty'; + } + + /* IP Destination */ + $alert_ip_dst_str = get_snort_alert_ip_dst($fileline); + + if($alert_ip_dst_str != '') + { + $alert_ip_dst = $alert_ip_dst_str; + }else{ + $alert_ip_dst = 'empty'; + } + + /* IP DST Port */ + if ($snortalertlogt == 'full') + { + $alert_dst_p_str = get_snort_alert_dst_p_full($fileline); + }else{ + $alert_dst_p_str = get_snort_alert_dst_p($fileline); + } + + if($alert_dst_p_str != '') + { + $alert_dst_p_match = array(':',"\n"," TTL"); + $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str"); + $alert_dst_p_match2 = array('/[A-Z]/'); + $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2"); + }else{ + $alert_dst_p = 'empty'; + } + + /* SID */ + $alert_sid_str = get_snort_alert_sid($fileline); + + if($alert_sid_str != '') + { + $alert_sid_match = array('[',']'); + $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str"); + }else{ + $alert_sid_str = 'empty'; + } + + /* NOTE: using one echo improves performance by 2x */ + if ($alert_disc != 'empty') + { + echo "<tr id=\"{$counter}\"> + <td class=\"centerAlign\">{$counter}</td> + <td class=\"centerAlign\">{$alert_priority}</td> + <td class=\"centerAlign\">{$alert_proto}</td> + <td>{$alert_disc}</td> + <td class=\"centerAlign\">{$alert_class}</td> + <td>{$alert_ip_src}</td> + <td class=\"centerAlign\">{$alert_src_p}</td> + <td class=\"centerAlign\">{$alert_flow}</td> + <td>{$alert_ip_dst}</td> + <td class=\"centerAlign\">{$alert_dst_p}</td> + <td class=\"centerAlign\">{$alert_sid}</td> + <td>{$alert_date}</td> + </tr>\n"; + } + +// <script type="text/javascript"> +// var myTable = {}; +// window.addEvent('domready', function(){ +// myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}}); +// }); +// </script> + + } +} + +?> + </tbody> + </table> + </td> +</table> + <?php include("fend.inc"); ?> -<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>"> -</body> -</html> -<!-- <?php echo $snort_logfile; ?> --> -<?php + <script type="text/javascript"> + var myTable = {}; + window.addEvent('domready', function(){ + myTable = new sortableTable('myTable', {overCls: 'over'}); + }); + </script> -function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") { - global $g, $config; - $logarr = ""; - exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr); - foreach ($logarr as $logent) { - if(!logent) - continue; - $ww_logent = $logent; - $ww_logent = str_replace("[", " [ ", $ww_logent); - $ww_logent = str_replace("]", " ] ", $ww_logent); - echo "<tr valign=\"top\">\n"; - echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . " </td>\n"; - echo "</tr>\n"; - } -} - -?>
\ No newline at end of file +</body> +</html> diff --git a/config/snort-dev/snort_barnyard.php b/config/snort/snort_barnyard.php index 884eec5b..103fba0e 100644 --- a/config/snort-dev/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -38,7 +38,10 @@ Important add error checking */ -require("guiconfig.inc"); +require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); @@ -93,7 +96,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['ip def_sip_proxy_ports'] = $a_nat[$id]['ip def_sip_proxy_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; @@ -104,13 +107,16 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; - $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; + $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); $pconfig['rulesets'] = $a_nat[$id]['rulesets']; $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; @@ -124,9 +130,31 @@ if (isset($id) && $a_nat[$id]) { if (isset($_GET['dup'])) unset($id); -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); +$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; -if ($_POST) { + + /* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists($d_snortconfdirty_path)) { + + write_config(); + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); + + unlink($d_snortconfdirty_path); + + } + + } + + + if ($_POST["Submit"]) { /* check for overlaps */ foreach ($a_nat as $natent) { @@ -143,6 +171,7 @@ if ($_POST) { if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } + if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } @@ -184,7 +213,7 @@ if ($_POST) { if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } - if ($pconfig['ip def_sip_proxy_ports'] != "") { $natent['ip def_sip_proxy_ports'] = $pconfig['ip def_sip_proxy_ports']; } + if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } @@ -192,6 +221,8 @@ if ($_POST) { if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } + if ($pconfig['snortunifiedlog'] != "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } + if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } @@ -199,6 +230,7 @@ if ($_POST) { /* post new options */ $natent['barnyard_enable'] = $_POST['barnyard_enable'] ? on : off; $natent['barnyard_mysql'] = $_POST['barnyard_mysql'] ? $_POST['barnyard_mysql'] : $pconfig['barnyard_mysql']; + $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']) ? base64_encode($_POST['barnconfigpassthru']) : $pconfig['barnconfigpassthru']; if ($_POST['barnyard_enable'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['barnyard_enable'] == "") { $natent['snortunifiedlog'] = off; } if (isset($id) && $a_nat[$id]) @@ -210,12 +242,16 @@ if ($_POST) { $a_nat[] = $natent; } - /* enable this if you want the user to aprove changes */ - // touch($d_natconfdirty_path); - write_config(); /* after click go to this page */ + touch($d_snortconfdirty_path); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); header("Location: snort_barnyard.php?id=$id"); exit; } @@ -227,8 +263,9 @@ include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php -include("fbegin.inc"); +include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <style type="text/css"> .alert { position:absolute; @@ -261,13 +298,39 @@ echo " } ?> document.iform.barnyard_mysql.disabled = endis; + document.iform.barnconfigpassthru.disabled = endis; } //--> </script> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php if ($input_errors) print_input_errors($input_errors); ?> -<?php if ($savemsg) print_info_box($savemsg); ?> <form action="snort_barnyard.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> + +<?php + + /* Display Alert message */ + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + if (file_exists($d_snortconfdirty_path)) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + +?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> <?php @@ -352,13 +415,21 @@ if($id != "") <tr> <td width="22%" valign="top" class="vncell">Log to a Mysql Database</td> <td width="78%" class="vtable"> - <input name="barnyard_mysql" type="text" class="formfld" id="barnyard_mysql" size="40" value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> - <br> <span class="vexpl">Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz</span></td> + <input name="barnyard_mysql" type="text" class="formfld" id="barnyard_mysql" size="100" value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> + <br> <span class="vexpl">Example: output database: alert, mysql, dbname=snort user=snort host=localhost password=xyz<br> + Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Advanced configuration pass through</td> + <td width="78%" class="vtable"> + <textarea name="barnconfigpassthru" cols="100" rows="7" id="barnconfigpassthru" class="formpre"><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea> + <br> + Arguments here will be automatically inserted into the running barnyard2 configuration.</td> </tr> <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> <input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="Save"><input type="button" class="formbtn" value="Cancel" onclick="history.back()"> <?php if (isset($id) && $a_nat[$id]): ?> <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?> diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index ff158853..293679d9 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -5,6 +5,9 @@ Copyright (C) 2006 Scott Ullrich All rights reserved. + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -27,8 +30,19 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("guiconfig.inc"); -require("/usr/local/pkg/snort.inc"); +require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; +$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; + +if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') +{ + $bnentries = '500'; +}else{ + $bnentries = $pconfig['blertnumber']; +} if($_POST['todelete'] or $_GET['todelete']) { if($_POST['todelete']) @@ -38,100 +52,147 @@ if($_POST['todelete'] or $_GET['todelete']) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); } -$pgtitle = "Snort: Snort Blocked"; -include("head.inc"); +if ($_POST['remove']) { -?> +exec("/sbin/pfctl -t snort2c -T flush"); +sleep(1); +header("Location: /snort/snort_blocked.php"); -<body link="#000000" vlink="#000000" alink="#000000"> -<?php include("fbegin.inc"); ?> +} -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> +/* TODO: build a file with block ip and disc */ +if ($_POST['download']) +{ -<form action="snort_rulesets.php" method="post" name="iform" id="iform"> -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">Remove</td> - <td class="listhdrr">IP</td> - <td class="listhdrr">Alert Description</td> - </tr> -<?php + ob_start(); //important or other posts will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_blocked_{$save_date}.tar.gz"; + exec('/bin/mkdir /tmp/snort_blocked'); + exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); + + $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); + + if ($blocked_ips_array_save[0] != '') + { - $associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip']; - $ips = `/sbin/pfctl -t snort2c -T show`; - $ips_array = split("\n", $ips); - $counter = 0; - foreach($ips_array as $ip) { - if(!$ip) - continue; - $ww_ip = str_replace(" ", "", $ip); - $counter++; - if($associatealertip) - $alert_description = get_snort_alert($ww_ip); - else - $alert_description = ""; - echo "\n<tr>"; - echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>"; - echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>"; - echo "\n<td> {$ww_ip}</td>"; - echo "\n<td> {$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>"; - echo "\n</tr>"; + /* build the list */ + $counter = 0; + foreach($blocked_ips_array_save as $fileline3) + { + + $counter++; + + exec("/bin/echo $fileline3 >> /tmp/snort_blocked/snort_block.pf"); + + } } - echo "\n<tr><td colspan='3'> </td></tr>"; - if($counter < 1) - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>"; - else - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; -?> + exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> + if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) + { + $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); + exec("/bin/rm /tmp/snort_block.pf"); + exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); + od_end_clean(); //importanr or other post will fail + }else{ + echo 'Error no saved file.'; + } -</form> +} -<p> +if ($_POST['save']) +{ -<?php + /* input validation */ + if ($_POST['save']) + { + + + } + + /* no errors */ + if (!$input_errors) + { + + $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off; + $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; + + conf_mount_rw(); + write_config(); + //conf_mount_ro(); + sleep(2); + + header("Location: /snort/snort_blocked.php"); + + } + +} + +/* build filter funcs */ +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + { + $alert_ip_src = $matches4[1][0]; + } + +return $alert_ip_src; + +} -$blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blocked']; +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + { + $alert_disc = "$matches[2]"; + } + +return $alert_disc; + +} + +/* build sec filters */ +function get_snort_block_ip($fileline) +{ + /* ip */ + if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) + { + $alert_block_ip = "$matches[0]"; + } + +return $alert_block_ip; + +} + +function get_snort_block_disc($fileline) +{ + /* disc */ + if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) + { + $alert_block_disc = "$matches[0]"; + } + +return $alert_block_disc; + +} + +/* tell the user what settings they have */ +$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; if ($blockedtab_msg_chk == "1h_b") { $blocked_msg = "hour"; } @@ -157,18 +218,228 @@ $blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blo $blocked_msg = "28 days"; } -echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every $blocked_msg."; +if ($blockedtab_msg_chk != "never_b") +{ +$blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>."; +}else{ +$blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts."; +} + +$pgtitle = "Services: Snort Blocked Hosts"; +include("head.inc"); ?> -<?php include("fend.inc"); ?> +<body link="#000000" vlink="#000000" alink="#000000"> +<?php -</body> -</html> +include("./snort_fbegin.inc"); + +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; + +/* refresh every 60 secs */ +if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') +{ + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; +} +?> + +<script src="/row_toggle.js" type="text/javascript"></script> +<script src="/javascript/sorttable.js" type="text/javascript"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", true, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="22%" colspan="0" class="listtopic"> + Last <?=$bnentries;?> Blocked. + </td> + <td width="78%" class="listtopic"> + This page lists hosts that have been blocked by Snort. <?=$blocked_msg_txt;?> + </td> + </tr> + <tr> + <td width="22%" class="vncell">Save or Remove Hosts</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"> + <input name="download" type="submit" class="formbtn" value="Download"> + All blocked hosts will be saved. + <input name="remove" type="submit" class="formbtn" value="Clear"> + <span class="red"><strong>Warning:</strong></span> all hosts will be removed. + </form> + </td> + </tr> + <tr> + <td width="22%" class="vncell">Auto Refresh and Log View</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"> + <input name="save" type="submit" class="formbtn" value="Save"> + Refresh + <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> + <strong>Default</strong> is <strong>ON</strong>. + <input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> + Enter the number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>. + </form> + </td> + </tr> + </table> + + </div> + </td> + </tr> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Remove</td> + <td class="listhdrr">#</td> + <td class="listhdrr">IP</td> + <td class="listhdrr">Alert Description</td> + </tr> <?php -/* write out snort cache */ -write_snort_config_cache($snort_config); +/* set the arrays */ +exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); +$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); +$blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); + +$logent = $bnentries; + +if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') +{ + + /* build the list and compare blocks to alerts */ + $counter = 0; + foreach($alerts_array as $fileline) + { + + $counter++; -?>
\ No newline at end of file + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + { + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } + } + + foreach($blocked_ips_array as $alert_block_ip) + { + + if (!in_array($alert_block_ip, $alert_ip_src_array)) + { + $input[] = "[$alert_block_ip] " . "[N\A]\n"; + } + } + + /* reduce double occurrences */ + $result = array_unique($input); + + /* buil final list, preg_match, buld html */ + $counter2 = 0; + + foreach($result as $fileline2) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_ip_str = get_snort_block_ip($fileline2); + + if($alert_block_ip_str != '') + { + $alert_block_ip_match = array('[',']'); + $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); + }else{ + $alert_block_ip = 'empty'; + } + + $alert_block_disc_str = get_snort_block_disc($fileline2); + + if($alert_block_disc_str != '') + { + $alert_block_disc_match = array('] [',']'); + $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); + }else{ + $alert_block_disc = 'empty'; + } + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + + } + +}else{ + + /* if alerts file is empty and blocked table is not empty */ + $counter2 = 0; + + foreach($blocked_ips_array as $alert_block_ip) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_disc = 'N/A'; + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + } +} + +if ($blocked_ips_array[0] == '') +{ + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; +}else{ + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; +} + +?> + </table> + </td> + </tr> + </table> + </td> + </tr> +</table> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 8d308245..3c4e98eb 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -3,6 +3,7 @@ /* snort_rulesets.php Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,8 +29,8 @@ */ /* Setup enviroment */ -$tmpfname = "/root/snort_rules_up"; -$snortdir = "/usr/local/etc/snort_bkup"; +$tmpfname = "/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; $snortdir_wan = "/usr/local/etc/snort"; $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; $snort_filename = "snortrules-snapshot-2.8.tar.gz"; @@ -38,53 +39,71 @@ $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; $pfsense_rules_filename = "pfsense_rules.tar.gz"; -require("/usr/local/pkg/snort.inc"); -require_once("config.inc"); +require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); -?> +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +if ($oinkid == "" && $snortdownload != "off") +{ + echo "You must obtain an oinkid from snort.org and set its value in the Snort settings tab.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'You must obtain an oinkid from snort.org and set its value in the Snort settings tab.'"); + exit; +} -<?php +if ($snortdownload != "on" && $emergingthreats != "on") +{ + echo 'Snort Global Settings: download snort.org rules = off and download emergingthreat rules = off.\n'; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'No rules have been selected to download.'"); + exit; +} + +conf_mount_rw(); + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; $up_date_time = date('l jS \of F Y h:i:s A'); -echo ""; -echo "#########################"; -echo "$up_date_time"; -echo "#########################"; -echo ""; +echo "\n"; +echo "#########################\n"; +echo "$up_date_time\n"; +echo "#########################\n"; +echo "\n\n"; + +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Checking for needed updates...'"); /* Begin main code */ /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","125M"); +/* mark the time update started */ +$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); + /* send current buffer */ ob_flush(); - -/* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - -/* if missing oinkid exit */ -if(!$oinkid) { - echo "Please add you oink code\n"; - exit; -} +conf_mount_rw(); /* premium_subscriber check */ //unset($config['installedpackages']['snort']['config'][0]['subscriber']); //write_config(); // Will cause switch back to read-only on nanobsd //conf_mount_rw(); // Uncomment this if the previous line is uncommented -$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_subscriber_chk === on) { +$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; + +if ($premium_subscriber_chk == "premium") { $premium_subscriber = "_s"; }else{ $premium_subscriber = ""; } -$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_url_chk === on) { +$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; +if ($premium_url_chk == "premium") { $premium_url = "sub-rules"; }else{ $premium_url = "reg-rules"; @@ -92,16 +111,23 @@ if ($premium_url_chk === on) { /* send current buffer */ ob_flush(); - conf_mount_rw(); + /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { + echo "Removing old tmp files...\n"; exec("/bin/rm -r {$tmpfname}"); apc_clear_cache(); } +/* Make shure snortdir exits */ +exec("/bin/mkdir -p {$snortdir}"); +exec("/bin/mkdir -p {$snortdir}/rules"); +exec("/bin/mkdir -p {$snortdir}/signatures"); + /* send current buffer */ ob_flush(); +conf_mount_rw(); /* If tmp dir does not exist create it */ if (file_exists($tmpfname)) { @@ -125,7 +151,7 @@ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { } /* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; if ($emergingthreats_url_chk == on) { echo "Downloading md5 file...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -151,14 +177,11 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { echo "Done. downloading md5\n"; } -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; - /* If md5 file is empty wait 15min exit */ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ echo "Please wait... You may only check for New Rules every 15 minutes...\n"; echo "Rules are released every month from snort.org. You may download the Rules at any time.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Rules every 15 minutes...'"); exit(0); } @@ -168,6 +191,7 @@ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n"; echo "Rules are released to support Pfsense packages.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Pfsense Rules every 15 minutes...'"); exit(0); } @@ -178,18 +202,18 @@ $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($md5_check_new == $md5_check_old) { echo "Your rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $snort_md5_check_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your snort rules are up to date...'"); } } /* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; if ($emergingthreats_url_chk == on) { if (file_exists("{$snortdir}/version.txt")){ $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); @@ -197,13 +221,13 @@ $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($emerg_md5_check_new == $emerg_md5_check_old) { echo "Your emergingthreats rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $emerg_md5_check_chk_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); } } } @@ -216,39 +240,65 @@ $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_m $pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; if ($pfsense_md5_check_new == $pfsense_md5_check_old) { $pfsense_md5_check_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); } } /* Make Clean Snort Directory emergingthreats not checked */ if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Cleaning the snort Directory...\n"; - echo "removing...\n"; - exec("/bin/rm {$snortdir}/rules/emerging*\n"); + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/rules/emerging*"); exec("/bin/rm {$snortdir}/version.txt"); + exec("/bin/rm {$snortdir_wan}/rules/emerging*"); + exec("/bin/rm {$snortdir_wan}/version.txt"); echo "Done making cleaning emrg direcory.\n"; } /* Check if were up to date exits */ if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - echo "Your rules are up to date...\n"; - echo "You may start Snort now...\n"; + echo "Your emergingthreats rules are up to date...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); exit(0); } if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Your rules are up to date...\n"; - echo "You may start Snort now...\n"; + echo "Your pfsense rules are up to date...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); exit(0); } /* You are Not Up to date, always stop snort when updating rules for low end machines */; echo "You are NOT up to date...\n"; -echo "Stopping Snort service...\n"; +echo "Stopping All Snort Package services...\n"; +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULES ARE OUT OF DATE, UPDATING...'"); +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Stopping All Snort Package Services...'"); $chk_if_snort_up = exec("pgrep -x snort"); if ($chk_if_snort_up != "") { - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - stop_service("snort"); - sleep(2); + + + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + + /* dont flood the syslog code */ + exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); + sleep(3); + + exec("/usr/bin/killall snort"); + exec("/bin/rm /var/run/snort*"); + sleep(2); + exec("/usr/bin/killall barnyard2"); + exec("/bin/rm /var/run/barnyard2*"); + + /* stop syslog flood code */ + exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_rules_update.log"); + exec("/usr/bin/killall syslogd"); + exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); + exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); + sleep(2); + exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); + $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after snort STOP {$after_mem}'"); + } /* download snortrules file */ @@ -256,7 +306,6 @@ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Snortrule tar file exists...\n"; } else { - echo "There is a new set of Snort rules posted. Downloading...\n"; echo "May take 4 to 10 min...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -311,28 +360,56 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { } } +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + /* Untar snort rules file individually to help people with low system specs */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Extracting rules...\n"; echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/" . + " etc/" . + " so_rules/precompiled/FreeBSD-7.0/i386/2.8.4" . + " so_rules/bad-traffic.rules/" . + " so_rules/chat.rules/" . + " so_rules/dos.rules/" . + " so_rules/exploit.rules/" . + " so_rules/imap.rules/" . + " so_rules/misc.rules/" . + " so_rules/multimedia.rules/" . + " so_rules/netbios.rules/" . + " so_rules/nntp.rules/" . + " so_rules/p2p.rules/" . + " so_rules/smtp.rules/" . + " so_rules/sql.rules/" . + " so_rules/web-client.rules/" . + " so_rules/web-misc.rules/"); echo "Done extracting Rules.\n"; } else { echo "The Download rules file missing...\n"; @@ -364,7 +441,7 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { /* Untar snort signatures */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; if ($premium_url_chk == on) { echo "Extracting Signatures...\n"; echo "May take a while...\n"; @@ -377,8 +454,8 @@ if ($premium_url_chk == on) { /* Make Clean Snort Directory */ //if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { //if (file_exists("{$snortdir}/rules")) { -// echo "Cleaning the snort Directory...\n"; -// echo "removing...\n"; +// update_status(gettext("Cleaning the snort Directory...")); +// update_output_window(gettext("removing...")); // exec("/bin/mkdir -p {$snortdir}"); // exec("/bin/mkdir -p {$snortdir}/rules"); // exec("/bin/mkdir -p {$snortdir}/signatures"); @@ -386,96 +463,49 @@ if ($premium_url_chk == on) { // exec("/bin/rm {$snortdir}/rules/*"); // exec("/bin/rm {$snortdir_wan}/*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); + // exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); //} else { -// echo "Making Snort Directory...\n"; -// echo "should be fast...\n"; -// exec("/bin/mkdir {$snortdir}"); -// exec("/bin/mkdir {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/\*"); +// update_status(gettext("Making Snort Directory...")); +// update_output_window(gettext("should be fast...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); // exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// echo "Done making snort direcory.\n"; +// update_status(gettext("Done making snort direcory.")); // } //} -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - echo "Copying so_rules...\n"; - echo "May take a while...\n"; - sleep(2); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - echo "Done copying so_rules.\n"; -} else { - echo "Directory so_rules does not exist...\n"; - echo "Error copping so_rules...\n"; - exit(0); - } -} - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort_bkup/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's threshold.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's threshold.conf file */ - fclose($oinkmasterlist); - -} +/* Copy so_rules dir to snort lib dir */ +/* Disabled untill I figure out why there is a segment falut core dump on 2.8.5.3 */ +//if ($snort_md5_check_ok != on) { +//if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { +// echo "Copying so_rules...\n"; +// echo "May take a while...\n"; +// exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); +// exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); +// exec("/bin/rm -r {$snortdir}/so_rules"); +// echo "Done copying so_rules.\n"; +//} else { +// echo "Directory so_rules does not exist...\n"; +// echo "Error copying so_rules...\n"; +// exit(0); +// } +//} /* Copy configs to snort dir */ if ($snort_md5_check_ok != on) { @@ -483,9 +513,10 @@ if (file_exists("{$snortdir}/etc/Makefile.am")) { echo "Copying configs to snort directory...\n"; exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); exec("/bin/rm -r {$snortdir}/etc"); + } else { - echo "The snort configs does not exist...\n"; - echo "Error copping config...\n"; + echo "The snort config does not exist...\n"; + echo "Error copying config...\n"; exit(0); } } @@ -497,7 +528,7 @@ if (file_exists("{$tmpfname}/$snort_filename_md5")) { exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); } else { echo "The md5 file does not exist...\n"; - echo "Error copping config...\n"; + echo "Error copying config...\n"; exit(0); } } @@ -510,7 +541,7 @@ if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); } else { echo "The emergingthreats md5 file does not exist...\n"; - echo "Error copping config...\n"; + echo "Error copying config...\n"; exit(0); } } @@ -523,14 +554,14 @@ if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); } else { echo "The Pfsense md5 file does not exist...\n"; - echo "Error copping config...\n"; + echo "Error copying config...\n"; exit(0); } } - + /* Copy signatures dir to snort dir */ if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; if ($premium_url_chk == on) { if (file_exists("{$snortdir}/doc/signatures")) { echo "Copying signatures...\n"; @@ -540,22 +571,22 @@ if (file_exists("{$snortdir}/doc/signatures")) { echo "Done copying signatures.\n"; } else { echo "Directory signatures exist...\n"; - echo "Error copping signature...\n"; + echo "Error copying signature...\n"; exit(0); } } } -/* double make shure clean up emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); } if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { @@ -563,72 +594,176 @@ if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); } +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + +/* create a msg-map for snort */ echo "Updating Alert Messages...\n"; echo "Please Wait...\n"; -sleep(2); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// + +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ + +if (!empty($config['installedpackages']['snortglobal']['rule'])) { + +$rule_array = $config['installedpackages']['snortglobal']['rule']; +$id = -1; +foreach ($rule_array as $value) { + +$id += 1; + +$result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; +$if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf(); + + /* run oinkmaster for each interface rule */ + oinkmaster_run(); + + } +} + +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf() { + + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's oinkmaster.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort/oinkmaster_$if_real.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's oinkmaster.conf file */ + fclose($oinkmasterlist); + + } +} /* Run oinkmaster to snort_wan and cp configs */ /* If oinkmaster is not needed cp rules normally */ /* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +function oinkmaster_run() { - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { -echo "Your first set of rules are being copied...\n"; -echo "May take a while...\n"; + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + + if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) || empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + echo "Your first set of rules are being copied...\n"; + echo "May take a while...\n"; + exec("/bin/echo \"test {$snortdir} {$snortdir_wan} $id$if_real\" >> /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); } else { echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; echo "May take a while...\n"; - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster_$id$if_real.conf -o /usr/local/etc/snort/snort_$id$if_real/rules > /usr/local/etc/snort/oinkmaster_$id$if_real.log"); + + } } } +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { echo "Cleaning up...\n"; - exec("/bin/rm -r /root/snort_rules_up"); + exec("/bin/rm -r /tmp/snort_rules_up"); +// apc_clear_cache(); } /* php code to flush out cache some people are reportting missing files this might help */ -sleep(5); +sleep(2); apc_clear_cache(); exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + /* make snort the owner */ + exec("/usr/sbin/chown -R snort:snort /var/log/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /var/log/snort"); + exec("/bin/chmod -R 755 /usr/local/etc/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); + /* if snort is running hardrestart, if snort is not running do nothing */ if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); echo "The Rules update finished...\n"; echo "Snort has restarted with your new set of rules...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); exec("/bin/rm /tmp/snort_download_halt.pid"); } else { echo "The Rules update finished...\n"; - echo "You may start snort now...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); } + conf_mount_ro(); ?> diff --git a/config/snort-dev/snort_define_servers.php b/config/snort/snort_define_servers.php index 0602edf1..9641b767 100644 --- a/config/snort-dev/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -38,11 +38,15 @@ Important add error checking */ -require("guiconfig.inc"); +//require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); } + //nat_rules_sort(); $a_nat = &$config['installedpackages']['snortglobal']['rule']; @@ -55,6 +59,7 @@ if (isset($_GET['dup'])) { $after = $_GET['dup']; } + if (isset($id) && $a_nat[$id]) { /* old options */ @@ -93,7 +98,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['ip def_sip_proxy_ports'] = $a_nat[$id]['ip def_sip_proxy_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; @@ -104,6 +109,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; @@ -111,6 +117,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; + $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; @@ -120,9 +128,15 @@ if (isset($_GET['dup'])) } /* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); + +$snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; -if ($_POST) { + + if ($_POST["Submit"]) { /* check for overlaps */ @@ -132,6 +146,7 @@ if ($_POST) { /* repost the options already in conf */ if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } + if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } @@ -152,8 +167,9 @@ if ($_POST) { if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } - if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['brule_sid_on']; } - + if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } + if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } + if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } /* post new options */ if ($_POST['def_dns_servers'] != "") { $natent['def_dns_servers'] = $_POST['def_dns_servers']; }else{ $natent['def_dns_servers'] = ""; } @@ -200,16 +216,40 @@ if ($_POST) { $a_nat[] = $natent; } - /* enable this if you want the user to aprove changes */ - // touch($d_natconfdirty_path); - write_config(); /* after click go to this page */ + + touch($d_snortconfdirty_path); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: snort_define_servers.php?id=$id"); + exit; } } + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists($d_snortconfdirty_path)) { + + write_config(); + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); + + unlink($d_snortconfdirty_path); + + } + + } $pgtitle = "Snort: Interface $id$if_real Define Servers"; include("head.inc"); @@ -217,8 +257,9 @@ include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php -include("fbegin.inc"); +include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <style type="text/css"> .alert { position:absolute; @@ -235,9 +276,37 @@ padding: 15px 10px 85% 50px; <noscript><div class="alert" ALIGN=CENTER><img src="/themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php if ($input_errors) print_input_errors($input_errors); ?> -<?php if ($savemsg) print_info_box($savemsg); ?> + <form action="snort_define_servers.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> + +<?php + + /* Display Alert message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + //if (file_exists($d_snortconfdirty_path)) { + if (file_exists($d_snortconfdirty_path) || file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + +?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> <?php @@ -507,11 +576,7 @@ if($id != "") </table> </form> -<script language="JavaScript"> -<!-- -enable_change(false); -//--> -</script> + <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index 9826ba2a..b3b20582 100644 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -2,7 +2,8 @@ /* $Id$ */ /* snort_rulesets.php - Copyright (C) 2006 Scott Ullrich and Robert Zelaya + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,8 +29,15 @@ */ /* Setup enviroment */ -$tmpfname = "/root/snort_rules_up"; -$snortdir = "/usr/local/etc/snort_bkup"; + +/* TODO: review if include files are needed */ +require_once("guiconfig.inc"); +require_once("functions.inc"); +require_once("service-utils.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +$tmpfname = "/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; $snortdir_wan = "/usr/local/etc/snort"; $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; $snort_filename = "snortrules-snapshot-2.8.tar.gz"; @@ -38,27 +46,213 @@ $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; $pfsense_rules_filename = "pfsense_rules.tar.gz"; -require_once("guiconfig.inc"); -require_once("functions.inc"); -require_once("service-utils.inc"); -require("/usr/local/pkg/snort.inc"); +$id_d = $_GET['id_d']; +if (isset($_POST['id_d'])) + $id_d = $_POST['id_d']; + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; + +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; + + + if ($snortdownload == "off" && $emergingthreats != "on") + { + $snort_emrging_info = "stop"; + } + + if ($oinkid == "" && $snortdownload != "off") + { + $snort_oinkid_info = "stop"; + } + + + /* check if main rule directory is empty */ + $if_mrule_dir = "/usr/local/etc/snort/rules"; + $mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; + + +if (file_exists('/var/run/snort.conf.dirty')) { + $snort_dirty_d = 'stop'; +} + + + +/* If no id show the user a button */ +if ($id_d == "" || $snort_emrging_info == "stop" || $snort_oinkid_info == "stop" || $snort_dirty_d == 'stop') { + +$pgtitle = "Services: Snort: Rule Updates"; + +include("head.inc"); +include("./snort_fbegin.inc"); +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; + + echo "<table height=\"32\" width=\"100%\">\n"; + echo " <tr>\n"; + echo " <td>\n"; + echo " <div style='background-color:#E0E0E0' id='redbox'>\n"; + echo " <table width='100%'><tr><td width='8%'>\n"; + echo " <img style='vertical-align:middle' src=\"/snort/images/icon_excli.png\" width=\"40\" height=\"32\">\n"; + echo " </td>\n"; + echo " <td width='70%'><font color='#FF850A'><b>NOTE:</b></font><font color='#000000'> Snort.org and Emergingthreats.net will go down from time to time. Please be patient.</font>\n"; + echo " </td>"; + echo " </tr></table>\n"; + echo " </div>\n"; + echo " </td>\n"; + echo "</table>\n"; + echo "<script type=\"text/javascript\">\n"; + echo "NiftyCheck();\n"; + echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#E0E0E0\",\"smooth\");\n"; + echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; + echo "</script>\n"; + echo "\n<br>\n"; + +/* make sure user has javascript on */ +echo "<style type=\"text/css\"> +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} +</style> +<noscript><div class=\"alert\" ALIGN=CENTER><img src=\"/themes/nervecenter/images/icons/icon_alert.gif\"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript>\n"; +echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">\n"; + +echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n +<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n +<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n"; + + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); + +if ($snort_emrging_info == "stop" && $snort_oinkid_info == "stop") { +$disable_enable_button = 'onclick="this.disabled=true"'; +}else{ +$disable_enable_button = "onClick=\"parent.location='/snort/snort_download_rules.php?id_d=up'\""; +} +echo "</td>\n + </tr>\n + <tr>\n + <td>\n + <div id=\"mainarea\">\n + <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n +<input name=\"Submit\" type=\"submit\" class=\"formbtn\" $disable_enable_button value=\"Update Rules\" $disable_button> <br><br> \n"; + +if ($mfolder_chk == "empty") +{ +echo "<span class=\"red\"><strong>WARNING:</strong></span> The main rules <strong>directory</strong> is <strong>empty</strong>. /usr/local/etc/snort/rules <br><br>\n"; +} + +if ($snort_emrging_info == "stop") { +echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and select ether snort.org or enmergingthreats.net rules to download. <br><br> \n"; +} + +if ($snort_oinkid_info == "stop") { +echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and enter a <strong>oinkmaster</strong> code. <br><br> \n"; +} + +if ($snort_dirty_d == "stop") { +echo "<span class=\"red\"><strong>WARNING:</span> CHANGES HAVE NOT BEEN APPLIED</strong> Click on the <strong>\"Apply Settings\"</strong> button at the main interface tab.<br><br> \n"; +} + +echo " </td>\n + </tr>\n + </table>\n + </div>\n + </td>\n + </tr>\n +</table>\n +\n +</form>\n +\n +<p>\n\n"; + +if ($id_d == "") +echo "Click on the <strong>\"Update Rules\"</strong> button to start the updates. <br><br> \n"; + +if ($config['installedpackages']['snortglobal']['last_md5_download'] != "") +echo "The last time the updates were started <strong>$last_md5_download</strong>. <br><br> \n"; + +if ($config['installedpackages']['snortglobal']['last_rules_install'] != "") +echo "The last time the updates were installed <strong>$last_rules_install</strong>. <br><br> \n"; + +include("fend.inc"); + +echo "</body>"; +echo "</html>"; + +exit(0); + +} $pgtitle = "Services: Snort: Update Rules"; include("/usr/local/www/head.inc"); ?> - <script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> +<script type="text/javascript" src="/snort/javascript/jquery-1.3.2.js"></script> +<script type="text/javascript" src="/snort/javascript/jquery.blockUI.js?v2.28"></script> + +<script type="text/javascript"> +<!-- + +function displaymessage() +{ + + $.blockUI.defaults.message = "Please be patient...."; + + $.blockUI({ + + css: { + border: 'none', + padding: '15px', + backgroundColor: '#000', + '-webkit-border-radius': '10px', + '-moz-border-radius': '10px', + opacity: .5, + color: '#fff', + } + }); + +} -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +function displaymessagestop() +{ -<?php include("/usr/local/www/fbegin.inc"); ?> +setTimeout($.unblockUI, 2000); -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> +} + +// --> +</script> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <form action="snort_download_rules.php" method="post"> <div id="inputerrors"></div> @@ -67,23 +261,28 @@ if(!$pgtitle_output) <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), true, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); ?> - </td> - </tr> - <tr> - <td> + +<script type="text/javascript"> +<!-- + displaymessage(); +// --> +</script> + +</td> +</tr> + <br> + <tr> + <td> <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> @@ -92,7 +291,7 @@ if(!$pgtitle_output) <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> <tr> <td> - <img border='0' src='./themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> + <img border='0' src='../themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> </td> </tr> </table> @@ -112,47 +311,34 @@ if(!$pgtitle_output) </tr> </table> </form> - <?php include("fend.inc");?> <?php +conf_mount_rw(); /* Begin main code */ /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","125M"); +/* mark the time update started */ +$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); + /* send current buffer */ ob_flush(); +conf_mount_rw(); -/* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - -/* if missing oinkid exit */ -if(!$oinkid) { - $static_output = gettext("You must obtain an oinkid from snort.org and set its value in the Snort settings tab."); - update_all_status($static_output); - hide_progress_bar_status(); - exit; -} - -/* premium_subscriber check */ -//unset($config['installedpackages']['snort']['config'][0]['subscriber']); -//write_config(); // Will cause switch back to read-only on nanobsd -//conf_mount_rw(); // Uncomment this if the previous line is uncommented - -$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; -if ($premium_subscriber_chk === on) { +if ($premium_subscriber_chk == "premium") { $premium_subscriber = "_s"; }else{ $premium_subscriber = ""; } -$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_url_chk === on) { +$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; +if ($premium_url_chk == "premium") { $premium_url = "sub-rules"; }else{ $premium_url = "reg-rules"; @@ -163,7 +349,6 @@ hide_progress_bar_status(); /* send current buffer */ ob_flush(); - conf_mount_rw(); /* remove old $tmpfname files */ @@ -177,9 +362,11 @@ if (file_exists("{$tmpfname}")) { exec("/bin/mkdir -p {$snortdir}"); exec("/bin/mkdir -p {$snortdir}/rules"); exec("/bin/mkdir -p {$snortdir}/signatures"); +exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); /* send current buffer */ ob_flush(); +conf_mount_rw(); /* If tmp dir does not exist create it */ if (file_exists($tmpfname)) { @@ -192,35 +379,39 @@ if (file_exists($tmpfname)) { unhide_progress_bar_status(); /* download md5 sig from snort.org */ -if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("md5 temp file exists...")); -} else { - update_status(gettext("Downloading md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); +if ($snortdownload == "basic" || $snortdownload == "premium") +{ + if (file_exists("{$tmpfname}/{$snort_filename_md5}") && + filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { + update_status(gettext("snort.org md5 temp file exists...")); + } else { + update_status(gettext("Downloading snort.org md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); - $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done. downloading md5")); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done downloading snort.org md5")); + } } /* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { - update_status(gettext("Downloading md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +if ($emergingthreats == "on") +{ + update_status(gettext("Downloading emergingthreats md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $f = fopen("{$tmpfname}/version.txt", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done. downloading md5")); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done downloading emergingthreats md5")); } /* download md5 sig from pfsense.org */ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - update_status(gettext("md5 temp file exists...")); + update_status(gettext("pfsense md5 temp file exists...")); } else { update_status(gettext("Downloading pfsense md5 file...")); ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -229,23 +420,30 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); fwrite($f, $image); fclose($f); - update_status(gettext("Done. downloading md5")); + update_status(gettext("Done downloading pfsense md5.")); } -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; - /* If md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; - echo "\n\n</body>\n</html>\n"; - exit(0); +if ($snortdownload != "off") +{ + if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")) + { + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n\n</body>\n</html>\n"; + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } } /* If emergingthreats md5 file is empty wait 15min exit not needed */ @@ -256,89 +454,138 @@ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ update_output_window(gettext("Rules are released to support Pfsense packages.")); hide_progress_bar_status(); /* Display last time of sucsessful md5 check from cache */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; echo "\n\n</body>\n</html>\n"; + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); exit(0); } /* Check if were up to date snort.org */ -if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ -$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($md5_check_new == $md5_check_old) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - /* Timestamps to html */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; -// echo "P is this code {$premium_subscriber}"; +if ($snortdownload != "off") +{ + if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")) + { + $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); + $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + /* Write out time of last sucsessful md5 to cache */ + write_config(); // Will cause switch back to read-only on nanobsd + conf_mount_rw(); + if ($md5_check_new == $md5_check_old) + { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); echo "\n\n</body>\n</html>\n"; $snort_md5_check_ok = on; - } + } + } } /* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { -if (file_exists("{$snortdir}/version.txt")){ -$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); -$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); -$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Your emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); +if ($emergingthreats == "on") +{ + if (file_exists("{$snortdir}/version.txt")) + { + $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); + $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); + $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + /* Write out time of last sucsessful md5 to cache */ + // Will cause switch back to read-only on nanobsd + write_config(); + conf_mount_rw(); + if ($emerg_md5_check_new == $emerg_md5_check_old) + { hide_progress_bar_status(); - $emerg_md5_check_chk_ok = on; - } - } + $emerg_md5_check_ok = on; + } + } } /* Check if were up to date pfsense.org */ -if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ -$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + if (file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) + { + $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + /* Write out time of last sucsessful md5 to cache */ + // Will cause switch back to read-only on nanobsd + write_config(); + conf_mount_rw(); + if ($pfsense_md5_check_new == $pfsense_md5_check_old) + { + hide_progress_bar_status(); $pfsense_md5_check_ok = on; - } -} + } + } -/* Make Clean Snort Directory emergingthreats not checked */ -if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Cleaning the snort Directory...")); - update_output_window(gettext("removing...")); - exec("/bin/rm {$snortdir}/rules/emerging*"); - exec("/bin/rm {$snortdir}/version.txt"); - exec("/bin/rm {$snortdir_wan}/rules/emerging*"); - exec("/bin/rm {$snortdir_wan}/version.txt"); - update_status(gettext("Done making cleaning emrg direcory.")); +/* Check if were up to date is so, exit */ +/* WARNING This code needs constant checks */ +if ($snortdownload != "off" && $emergingthreats != "off") +{ + if ($snort_md5_check_ok == "on" && $emerg_md5_check_ok == "on") + { + update_status(gettext("All your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + echo ' + <script type="text/javascript"> + <!-- + displaymessagestop(); + // --> + </script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } } -/* Check if were up to date exits */ -if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); +if ($snortdownload == "on" && $emergingthreats == "off") +{ + if ($snort_md5_check_ok == "on") + { + update_status(gettext("Your snort.org rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + echo ' + <script type="text/javascript"> + <!-- + displaymessagestop(); + // --> + </script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } } -if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); +if ($snortdownload == "off" && $emergingthreats == "on") +{ + if ($emerg_md5_check_ok == "on") + { + update_status(gettext("Your Emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + echo ' + <script type="text/javascript"> + <!-- + displaymessagestop(); + // --> + </script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } } /* You are Not Up to date, always stop snort when updating rules for low end machines */; @@ -347,45 +594,60 @@ update_output_window(gettext("Stopping Snort service...")); $chk_if_snort_up = exec("pgrep -x snort"); if ($chk_if_snort_up != "") { exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - stop_service("snort"); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); sleep(2); } /* download snortrules file */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Snort rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); // download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - update_output_window(gettext("Snort rules file downloaded failed...")); - exit(0); - } - } + download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } + } } - + /* download emergingthreats rules file */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Emergingthreats tar file exists...")); -} else { - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != on) + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Emergingthreats tar file exists...")); + }else{ + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); // download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading Emergingthreats rules file.")); - } - } - } + download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading Emergingthreats rules file.")); + } + } +} /* download pfsense rules file */ if ($pfsense_md5_check_ok != on) { @@ -431,44 +693,65 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { //} /* Untar snort rules file individually to help people with low system specs */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); - update_status(gettext("Done extracting Rules.")); -} else { - update_status(gettext("The Download rules file missing...")); - update_output_window(gettext("Error rules extracting failed...")); - exit(0); - } +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mkdir -p {$snortdir}/rules_bk/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/rules_bk rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/" . + " so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1/" . + " so_rules/bad-traffic.rules/" . + " so_rules/chat.rules/" . + " so_rules/dos.rules/" . + " so_rules/exploit.rules/" . + " so_rules/imap.rules/" . + " so_rules/misc.rules/" . + " so_rules/multimedia.rules/" . + " so_rules/netbios.rules/" . + " so_rules/nntp.rules/" . + " so_rules/p2p.rules/" . + " so_rules/smtp.rules/" . + " so_rules/sql.rules/" . + " so_rules/web-client.rules/" . + " so_rules/web-misc.rules/"); + /* add prefix to all snort.org files */ + /* remove this part and make it all php with the simplst code posible */ + chdir ("/usr/local/etc/snort/rules_bk/rules"); + sleep(2); + exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); + update_status(gettext("Done extracting Rules.")); + }else{ + update_status(gettext("The Download rules file missing...")); + update_output_window(gettext("Error rules extracting failed...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } } /* Untar emergingthreats rules to tmp */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != on) + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } } /* Untar Pfsense rules to tmp */ @@ -483,7 +766,7 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { /* Untar snort signatures */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; if ($premium_url_chk == on) { update_status(gettext("Extracting Signatures...")); update_output_window(gettext("May take a while...")); @@ -493,74 +776,250 @@ if ($premium_url_chk == on) { } } -/* Make Clean Snort Directory */ -//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { -//if (file_exists("{$snortdir}/rules")) { -// update_status(gettext("Cleaning the snort Directory...")); -// update_output_window(gettext("removing...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/mkdir -p {$snortdir}/signatures"); -// exec("/bin/rm {$snortdir}/*"); -// exec("/bin/rm {$snortdir}/rules/*"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); +/* Copy so_rules dir to snort lib dir */ +/* Disabed untill I find out why there is a segment failt coredump when using these rules on 2.8.5.3 */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1")) { + update_status(gettext("Copying so_rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1/* /usr/local/lib/snort/dynamicrules/"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-activex.rules {$snortdir}/rules/snort_web-activex.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-iis.rules {$snortdir}/rules/snort_web-iis.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/snort_web.misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + update_status(gettext("Done copying so_rules.")); + }else{ + update_status(gettext("Directory so_rules does not exist...")); + update_output_window(gettext("Error copying so_rules...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} + +/* Copy renamed snort.org rules to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) + { + if (file_exists("{$snortdir}/rules_bk/rules/Makefile.am")) + { + update_status(gettext("Copying renamed snort.org rules to snort directory...")); + exec("/bin/cp {$snortdir}/rules_bk/rules/* {$snortdir}/rules/"); + }else{ + update_status(gettext("The renamed snort.org rules do not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} + +/* Copy configs to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) + { + if (file_exists("{$snortdir}/etc/Makefile.am")) { + update_status(gettext("Copying configs to snort directory...")); + exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + }else{ + update_status(gettext("The snort config does not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } +} + + +/* Copy md5 sig to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); + }else{ + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); -//} else { -// update_status(gettext("Making Snort Directory...")); -// update_output_window(gettext("should be fast...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// update_status(gettext("Done making snort direcory.")); -// } -//} +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != on) + { + if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) + { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); + }else{ + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - update_status(gettext("Copying so_rules...")); - update_output_window(gettext("May take a while...")); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - update_status(gettext("Done copying so_rules.")); +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); } else { - update_status(gettext("Directory so_rules does not exist...")); - update_output_window(gettext("Error copying so_rules...")); - exit(0); + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); } } + +/* Copy signatures dir to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) + { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == on) + { + if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); + }else{ + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// + +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf($id, $if_real, $iface_uuid) +{ + + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + conf_mount_rw(); + /* enable disable setting will carry over with updates */ /* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) { -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; $enabled_sid_on_array = split('\|\|', $enabled_sid_on); foreach($enabled_sid_on_array as $enabled_item_on) $selected_sid_on_sections .= "$enabled_item_on\n"; } -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; $enabled_sid_off_array = split('\|\|', $enabled_sid_off); foreach($enabled_sid_off_array as $enabled_item_off) $selected_sid_off_sections .= "$enabled_item_off\n"; @@ -578,7 +1037,7 @@ path = /bin:/usr/bin:/usr/local/bin update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ -url = dir:///usr/local/etc/snort_bkup/rules +url = dir:///usr/local/etc/snort/rules $selected_sid_on_sections @@ -586,153 +1045,99 @@ $selected_sid_off_sections EOD; - /* open snort's threshold.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); + /* open snort's oinkmaster.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", "w"); fwrite($oinkmasterlist, "$snort_sid_text"); - /* close snort's threshold.conf file */ + /* close snort's oinkmaster.conf file */ fclose($oinkmasterlist); + } } -/* Copy configs to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/etc/Makefile.am")) { - update_status(gettext("Copying configs to snort directory...")); - exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); - exec("/bin/rm -r {$snortdir}/etc"); - -} else { - update_status(gettext("The snort config does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +function oinkmaster_run($id, $if_real, $iface_uuid) +{ -/* Copy md5 sig to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$snort_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); -} else { - update_status(gettext("The md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + conf_mount_rw(); -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); -} else { - update_status(gettext("The emergingthreats md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } - } -} + if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) + { -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - update_status(gettext("Copying Pfsense md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); -} else { - update_status(gettext("The Pfsense md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} - -/* Copy signatures dir to snort dir */ -if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { -if (file_exists("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - update_status(gettext("Done copying signatures.")); -} else { - update_status(gettext("Directory signatures exist...")); - update_output_window(gettext("Error copying signature...")); - exit(0); - } - } -} + if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') + { + update_status(gettext("Your first set of rules are being copied...")); + update_output_window(gettext("May take a while...")); + exec("/bin/echo \"test {$snortdir} {$snortdir_wan} {$iface_uuid}_{$if_real}\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + }else{ + update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} {$iface_uuid}_{$if_real}\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); + } + } } -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ -/* create a msg-map for snort */ -update_status(gettext("Updating Alert Messages...")); -update_output_window(gettext("Please Wait...")); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); +if (!empty($config['installedpackages']['snortglobal']['rule'])) +{ -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) { - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { - update_status(gettext("Your first set of rules are being copied...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $iface_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf($id, $if_real, $iface_uuid); + + /* run oinkmaster for each interface rule */ + oinkmaster_run($id, $if_real, $iface_uuid); -} else { - update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - - /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - - } } +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + /* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /root/snort_rules_up"); -// apc_clear_cache(); +if (file_exists("{$tmpfname}")) +{ + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /tmp/snort_rules_up"); + sleep(2); + exec("/bin/rm -r {$snortdir}/rules_bk/rules/"); + apc_clear_cache(); } /* php code to flush out cache some people are reportting missing files this might help */ @@ -740,9 +1145,18 @@ sleep(2); apc_clear_cache(); exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); +/* make all dirs snorts */ +exec("/usr/sbin/chown -R snort:snort /var/log/snort"); +exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); +exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); +exec("/bin/chmod -R 755 /var/log/snort"); +exec("/bin/chmod -R 755 /usr/local/etc/snort"); +exec("/bin/chmod -R 755 /usr/local/lib/snort"); + + /* if snort is running hardrestart, if snort is not running do nothing */ if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); update_status(gettext("The Rules update finished...")); update_output_window(gettext("Snort has restarted with your new set of rules...")); exec("/bin/rm /tmp/snort_download_halt.pid"); @@ -751,6 +1165,13 @@ if (file_exists("/tmp/snort_download_halt.pid")) { update_output_window(gettext("You may start snort now...")); } +echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + /* hide progress bar and lets end this party */ hide_progress_bar_status(); conf_mount_ro(); diff --git a/config/snort/snort_dynamic_ip_reload.php b/config/snort/snort_dynamic_ip_reload.php index 0fad085b..615302e8 100644 --- a/config/snort/snort_dynamic_ip_reload.php +++ b/config/snort/snort_dynamic_ip_reload.php @@ -3,7 +3,7 @@ /* $Id$ */ /* snort_dynamic_ip_reload.php - Copyright (C) 2006 Scott Ullrich and Robert Zeleya + Copyright (C) 2009 Robert Zeleya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -31,19 +31,17 @@ /* NOTE: this file gets included from the pfSense filter.inc plugin process */ /* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ -require_once("/usr/local/pkg/snort.inc"); -require_once("service-utils.inc"); -require_once("config.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); - -if($config['interfaces']['wan']['ipaddr'] == "pppoe" or - $config['interfaces']['wan']['ipaddr'] == "dhcp") { - create_snort_conf(); - exec("killall -HUP snort"); - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; - if ($snortbarnyardlog_info_chk == on) - exec("killall -HUP barnyard2"); +if (file_exists('/var/run/snort_dynamic_ip_reload.dirty')) { + exit(); } +exec('/usr/bin/touch /var/run/snort_dynamic_ip_reload.dirty'); + +sync_snort_package_config(); +sync_snort_package(); + +exec('/bin/rm /var/run/snort_dynamic_ip_reload.dirty'); + ?>
\ No newline at end of file diff --git a/config/snort/snort_fbegin.inc b/config/snort/snort_fbegin.inc new file mode 100644 index 00000000..b8faff09 --- /dev/null +++ b/config/snort/snort_fbegin.inc @@ -0,0 +1,288 @@ +<?php + +require_once("globals.inc"); +require_once("notices.inc"); +/* $Id$ */ + function return_ext_menu($section) { + global $config; + $htmltext = ""; + if($config['installedpackages']['menu'] <> "") { + foreach($config['installedpackages']['menu'] as $menuitem) { + if($menuitem['section'] != $section) continue; + if($menuitem['url'] <> "") { + $addresswithport = getenv("HTTP_HOST"); + $colonpos = strpos($addresswithport, ":"); + if ($colonpos !== False){ + //my url is actually just the IP address of the pfsense box + $myurl = substr($addresswithport, 0, $colonpos); + } + else + { + $myurl = $addresswithport; + } + + $description = str_replace('$myurl', $myurl, $menuitem['url']); + } else { + $description = '/pkg.php?xml=' . $menuitem['configfile']; + } + $htmltext .= '<li><a href="' . $description . ' "class="navlnk">' . $menuitem['name'] . '</a></li>' . "\n"; + } + } + return $htmltext; + } + + + + + /* NOTICE ACKNOWLEDGE CODE by Erik Kristensen */ + if ($_REQUEST['noticeaction'] == 'acknowledge') { + $notice_id = $_REQUEST['noticeid']; + close_notice($notice_id); + } + /**********************************************/ +?> + +<div id="wrapper"> + + <div id="header"> + <div id="header-left"><a href="../index.php" id="status-link"><img src="/themes/<?= $g['theme']; ?>/images/transparent.gif" border="0"></img></a></div> + <div id="header-right"> + <div class="container"> + <div class="left">webConfigurator</div> + <div class="right"> +<? + if (are_notices_pending()) { + $notices = get_notices(); + + $requests=array(); + + ## Get Query Arguments from URL ### + foreach ($_REQUEST as $key => $value) { + if ($key != "PHPSESSID") + $requests[] = $key.'='.$value; + } + if(is_array($requests)) + $request_string = implode("&", $requests); + + if(is_array($notices)) { + foreach ($notices as $key => $value) { + $date = date("m-d-y H:i:s", $key); + $noticemsg = str_replace("'", "", $value['notice']); + $noticemsg = str_replace('"', "", $noticemsg); + $noticemsg = str_replace("\n", "", $noticemsg); + $noticemsg = str_replace("<p>", "", $noticemsg); + $noticemsg = str_replace("<pre>", "", $noticemsg); + $noticemsg = str_replace("</pre>", "", $noticemsg); + $noticemsg = str_replace("</p>", "", $noticemsg); + $noticemsg = str_replace("<br>", "", $noticemsg); + $extra_args = ""; + if($_GET['xml']) + $extraargs="&xml=" . $_GET['xml']; + if($_POST['xml']) + $extraargs="&xml=" . $_POST['xml']; + if($_GET['id']) + $extraargs="&xml=" . $_GET['id']; + if($_POST['id']) + $extraargs="&xml=" . $_POST['id']; + $notice_msgs = '<a href="?noticeaction=acknowledge¬iceid=all' . $extraargs . '">Acknowledge All</a> .:. '; + if ($value['url']) { + $notice_msgs .= $date.' - <a href="'.$url.'?'.$request_string.'¬iceaction=acknowledge¬iceid='.$key.'">['.$value['id'].']</a>'; + } else { + $notice_msgs .= $date.' - <a href="?'.$request_string.'¬iceaction=acknowledge¬iceid='.$key.'">['.$value['id'].']'.$noticemsg.'</a>'; + } + $notice_msgs .= " .:. "; + } + } +?> + <div id="alerts"> + <script type="text/javascript"> + var content='<div id="marquee-text"><?= $notice_msgs; ?></div>' + </script> + <script type="text/javascript" src="/ticker.js"></script> + </div> +<? + } else { +?> + <div id="hostname"> + <? print $config['system']['hostname'] . "." . $config['system']['domain']; ?> + </div> +<? + } +?> + </div> + </div> + </div> + </div> <!-- Header DIV --> + <div id="content"> + <div id="left"> + <div id="navigation" style="z-index:1000"> + <ul id="menu"> + <li class="firstdrop"> + <div>System</div> + <ul class="subdrop"> + <li><a href="/system_advanced.php" class="navlnk">Advanced</a></li> + <li><a href="/system_firmware.php" class="navlnk">Firmware</a></li> + <li><a href="/system.php" class="navlnk">General Setup</a></li> + <?php if($g['platform'] == "pfSense" or $g['platform'] == "nanobsd"): ?> + <li><a href="/pkg_mgr.php" class="navlnk">Packages</a></li> + <?php endif; ?> + <li><a href="/wizard.php?xml=setup_wizard.xml" class="navlnk">Setup wizard</a></li> + <li><a href="/system_routes.php" class="navlnk">Static routes</a></li> + </ul> + </li> + <li class="drop"> + <div>Interfaces</div> + <ul class="subdrop"> + <?php if (!isset($config['system']['webgui']['noassigninterfaces'])): ?><li><a href="/interfaces_assign.php" class="navlnks">(assign)</a></li><?php endif; ?> + <li><a href="/interfaces_wan.php" class="navlnk">WAN</a></li> + <li><a href="/interfaces_lan.php" class="navlnk">LAN</a></li> + <?php for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++): if (!isset($config['interfaces']['opt' . $i]['ovpn'])): ?> + <li><a href="/interfaces_opt.php?index=<?=$i;?>" class="navlnk"><?=htmlspecialchars($config['interfaces']['opt' . $i]['descr']);?></a></li> + <?php endif; endfor; ?> + <?php echo return_ext_menu("Interfaces"); ?> + </ul> + </li> +<?php + if($config['system']['shapertype'] <> "m0n0") + $shaper = "firewall_shaper.php"; + else + $shaper = "m0n0/firewall_shaper.php"; +?> + <li class="drop"> + <div>Firewall</div> + <ul class="subdrop"> + <li><a href="/firewall_aliases.php" class="navlnk">Aliases</a></li> + <li><a href="/firewall_nat.php" class="navlnk">NAT</a></li> + <li><a href="/firewall_rules.php" class="navlnk">Rules</a></li> + <li><a href="/firewall_schedule.php" class="navlnk">Schedules</a></li> + <li><a href="<?=$shaper?>" class="navlnk">Traffic Shaper</a></li> + <li><a href="/firewall_virtual_ip.php" class="navlnk">Virtual IPs</a></li> + <?php echo return_ext_menu("Firewall"); ?> + </ul> + </li> + <li class="drop"> + <div>Services</div> + <ul class="subdrop"> + <li><a href="/services_captiveportal.php" class="navlnk">Captive portal</a></li> + <li><a href="/services_dnsmasq.php" class="navlnk">DNS forwarder</a></li> + <li><a href="/services_dhcp_relay.php" class="navlnk">DHCP relay</a></li> + <li><a href="/services_dhcp.php" class="navlnk">DHCP server</a></li> + <li><a href="/services_dyndns.php" class="navlnk">Dynamic DNS</a></li> + <li><a href="/load_balancer_pool.php" class="navlnk">Load Balancer</a></li> + <li><a href="/pkg_edit.php?xml=olsrd.xml&id=0" class="navlnk">OLSR</a></li> + <li><a href="/vpn_pppoe.php" class="navlnk">PPPoE Server</a></li> + <li><a href="/pkg_edit.php?xml=routed/routed.xml&id=0" class="navlnk">RIP</a></li> + <li><a href="/services_snmp.php" class="navlnk">SNMP</a></li> + <li><a href="/pkg_edit.php?xml=miniupnpd.xml&id=0" class="navlnk">UPnP</a></li> + <li><a href="/pkg_edit.php?xml=openntpd.xml&id=0" class="navlnk">OpenNTPD</a></li> + <li><a href="/services_wol.php" class="navlnk">Wake on LAN</a></li> + <?php echo return_ext_menu("Services"); ?> + </ul> + </li> + <li class="drop"> + <div>VPN</div> + <ul class="subdrop"> + <li><a href="/vpn_ipsec.php" class="navlnk">IPsec</a></li> + <li><a href="/pkg.php?xml=openvpn.xml" class="navlnk">OpenVPN</a></li> + <li><a href="/vpn_pptp.php" class="navlnk">PPTP</a></li> + <?php echo return_ext_menu("VPN"); ?> + </ul> + </li> + <li class="drop"> + <div>Status</div> + <ul class="subdrop"> + <?php if (isset($config['captiveportal']['enable'])): ?> + <li><a href="/status_captiveportal.php" class="navlnk">Captive portal</a></li> + <?php endif; ?> + <li><a href="/carp_status.php" class="navlnk">CARP (failover)</a></li> + <li><a href="/diag_dhcp_leases.php" class="navlnk">DHCP leases</a></li> + <li><a href="/status_filter_reload.php" class="navlnk">Filter Reload Status</a></li> + <li><a href="/status_interfaces.php" class="navlnk">Interfaces</a></li> + <li><a href="/diag_ipsec.php" class="navlnk">IPsec</a></li> + <li><a href="/status_slbd_pool.php" class="navlnk">Load Balancer</a></li> + <?php if($g['platform'] == "pfSense"): ?> + <li><a href="/diag_pkglogs.php" class="navlnk">Package logs</a></li> + <?php endif; ?> + <li><a href="/status_queues.php" class="navlnk">Queues</a></li> + <li><a href="/status_rrd_graph.php" class="navlnk">RRD Graphs</a></li> + <li><a href="/status_services.php" class="navlnk">Services</a></li> + <li><a href="/index.php" class="navlnk">System</a></li> + <li><a href="/diag_logs.php" class="navlnk">System logs</a></li> + <li><a href="/status_graph.php?if=wan" class="navlnk">Traffic graph</a></li> + <li><a href="/status_upnp.php" class="navlnk">UPnP</a></li> + <?php $i = 0; $ifdescrs = array(); + if (is_array($config['interfaces']['wan']['wireless']) && + preg_match($g['wireless_regex'], $config['interfaces']['wan']['if'])) + $ifdescrs['wan'] = 'WAN'; + if (is_array($config['interfaces']['lan']['wireless']) && + preg_match($g['wireless_regex'], $config['interfaces']['lan']['if'])) + $ifdescrs['lan'] = 'LAN'; + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { + if (is_array($config['interfaces']['opt' . $j]['wireless']) && + isset($config['interfaces']['opt' . $j]['enable']) && + preg_match($g['wireless_regex'], $config['interfaces']['opt' . $j]['if'])) + $ifdescrs['opt' . $j] = $config['interfaces']['opt' . $j]['descr']; + } + if (count($ifdescrs) > 0): ?> + <li><a href="/status_wireless.php" class="navlnk">Wireless</a></li> + <?php endif; ?> + <?php echo return_ext_menu("Status"); ?> + </ul> + </li> + <li class="lastdrop"> + <div>Diagnostics</div> + <ul id="diag" class="subdrop"> + <li><a href="/diag_arp.php" class="navlnk">ARP Tables</a></li> + <li><a href="/diag_backup.php" class="navlnk">Backup/Restore</a></li> + <li><a href="/exec.php" class="navlnk">Command Prompt</a></li> + <li><a href="/edit.php" class="navlnk">Edit File</a></li> + <li><a href="/diag_defaults.php" class="navlnk">Factory defaults </a></li> + <li><a href="/halt.php" class="navlnk">Halt system</a></li> +<?php if($g['platform']=="nanobsd"): ?> + <li><a href="/diag_nanobsd.php" class="navlnk">NanoBSD</a></li> +<?php endif; ?> + <li><a href="/diag_ping.php" class="navlnk">Ping</a></li> + <li><a href="/reboot.php" class="navlnk">Reboot system</a></li> + <li><a href="/diag_routes.php" class="navlnk">Routes</a></li> + <li><a href="/diag_dump_states.php" class="navlnk">States</a></li> + <li><a href="/diag_traceroute.php" class="navlnk">Traceroute</a></li> + <li><a href="/diag_packet_capture.php" class="navlnk">Packet Capture</a></li> + <?php echo return_ext_menu("Diagnostics"); ?> + <?php if(isset($config['system']['developer'])): ?> + <li><hr width="80%"/></li> + <li><a href="/restart_httpd.php" class="navlnk">Restart HTTPD</a></li> + <?php endif; ?> + </ul> + </li> + </ul> + </div> + + </div> <!-- Left DIV --> + + <div id="right"> + + +<?php + /* display a top alert bar if need be */ + $need_alert_display = false; + $found_notices = are_notices_pending(); + if($found_notices == true) { + $notices = get_notices(); + if(!$notices) { + $need_alert_display = true; + $display_text = print_notices() . "<br>"; + } + } + if($need_alert_display == true) { + echo "<div style=\"background-color:#000000\" id=\"roundalert\">"; + echo "<table>"; + echo "<tr><td><font color=\"#ffffff\">"; + echo " <img align=\"middle\" src=\"/top_notification.gif\"> "; + echo $display_text; + echo "</td>"; + echo "</tr>"; + echo "</table>"; + echo "</div>"; + } + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_gui.inc b/config/snort/snort_gui.inc index 1746ab54..95a0e597 100644 --- a/config/snort-dev/snort_gui.inc +++ b/config/snort/snort_gui.inc @@ -29,37 +29,38 @@ POSSIBILITY OF SUCH DAMAGE. */ -function print_info_box_np2($msg) { - global $g; - echo "<table height=\"32\" width=\"100%\">\n"; - echo " <tr>\n"; - echo " <td>\n"; - echo " <div style='background-color:#990000' id='redbox'>\n"; - echo " <table width='100%'><tr><td width='8%'>\n"; - echo " <img style='vertical-align:middle' src=\"/snort/images/alert.jpg\" width=\"32\" height=\"28\">\n"; - echo " </td>\n"; - echo " <td width='70%'><font color='white'><b>{$msg}</b></font>\n"; - echo " </td>"; - echo " </tr></table>\n"; - echo " </div>\n"; - echo " </td>\n"; - echo "</table>\n"; - echo "<script type=\"text/javascript\">\n"; - echo "NiftyCheck();\n"; - echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#990000\",\"smooth\");\n"; - echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; - echo "</script>\n"; - echo "\n<br>\n"; -} - - - - - - +include_once("/usr/local/pkg/snort/snort.inc"); +function print_info_box_np2($msg) { + global $config, $g; + + echo "<table height=\"32\" width=\"100%\">\n"; + echo " <tr>\n"; + echo " <td>\n"; + echo " <div style='background-color:#990000' id='redbox'>\n"; + echo " <table width='100%'><tr><td width='8%'>\n"; + echo " <img style='vertical-align:middle' src=\"/snort/images/alert.jpg\" width=\"32\" height=\"28\">\n"; + echo " </td>\n"; + echo " <td width='70%'><font color='white'><b>{$msg}</b></font>\n"; + echo " </td>"; + if(stristr($msg, "apply") == true) { + echo " <td>"; + echo " <input name=\"apply\" type=\"submit\" class=\"formbtn\" id=\"apply\" value=\"Apply changes\">\n"; + echo " </td>"; + } + echo " </tr></table>\n"; + echo " </div>\n"; + echo " </td>\n"; + echo "</table>\n"; + echo "<script type=\"text/javascript\">\n"; + echo "NiftyCheck();\n"; + echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#990000\",\"smooth\");\n"; + echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; + echo "</script>\n"; + echo "\n<br>\n"; +} -?>
\ No newline at end of file +?> diff --git a/config/snort/snort_head.inc b/config/snort/snort_head.inc new file mode 100644 index 00000000..56a96df2 --- /dev/null +++ b/config/snort/snort_head.inc @@ -0,0 +1,61 @@ +<?php
+/*
+ * if user has selected a custom template, use it.
+ * otherwise default to pfsense tempalte
+ */
+if($config['theme'] <> "")
+ $g['theme'] = $config['theme'];
+else
+ $g['theme'] = "pfsense";
+
+$apple_ua = array("iPhone","iPod");
+foreach($apple_ua as $useragent)
+ if(strstr($_SERVER['HTTP_USER_AGENT'], $useragent))
+ $g['theme'] = "pfsense";
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+<head>
+ <title><?=gentitle($pgtitle);?></title>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+ <link rel=â€apple-touch-icon†href=â€/themes/<?php echo $g['theme']; ?>/apple-touch-icon.pngâ€/>
+ <?php if (strpos($_SERVER["SCRIPT_FILENAME"], "wizard.php") !== false &&
+ file_exists("{$g['www_path']}/themes/{$g['theme']}/wizard.css")): ?>
+ <link rel="stylesheet" href="/themes/<?php echo $g['theme']; ?>/wizard.css" media="all" />
+ <?php else: ?>
+ <link rel="stylesheet" href="/themes/<?php echo $g['theme']; ?>/all.css" media="all" />
+ <?php endif; ?>
+ <link rel="stylesheet" type="text/css" href="/niftycssprintCode.css" media="print" />
+ <script type="text/javascript">var theme = "<?php echo $g['theme']; ?>"</script>
+ <script type="text/javascript" src="/themes/<?php echo $g['theme']; ?>/loader.js"></script>
+
+<?
+ /*
+ * Find all javascript files that need to be included
+ * for this page ... from the arrays ... :)
+ * Coded by: Erik Kristensen
+ */
+
+ $dir = trim(basename($_SERVER["SCRIPT_FILENAME"]), '.php');
+ $path = "/usr/local/www/javascript/" . $dir . "/";
+ if (is_dir($path)) {
+ if ($dh = opendir($path)) {
+ while (($file = readdir($dh)) !== false) {
+ if (is_dir($file)) continue;
+ echo "\t".'<script type="text/javascript" src="/javascript/'.$dir.'/'.$file.'"></script>'."\n";
+ }
+ closedir($dh);
+ }
+ }
+
+ if ($oSajax):
+?>
+ <script language="javascript" type="text/javascript">
+ <?php $oSajax->sajax_show_javascript(); ?>
+ </script>
+<? endif; ?>
+
+<?php if (!isset($closehead)){ ?>
+</head>
+<?php } ?>
diff --git a/config/snort/snort_help_info.php b/config/snort/snort_help_info.php new file mode 100644 index 00000000..5355ec77 --- /dev/null +++ b/config/snort/snort_help_info.php @@ -0,0 +1,191 @@ +<?php +/* $Id$ */ +/* + halt.php + part of pfSense + Copyright (C) 2004 Scott Ullrich + All rights reserved. + + part of m0n0wall as reboot.php (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +header("snort_help_info.php"); +header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" ); +header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" ); +header( "Cache-Control: no-cache, must-revalidate" ); +header( "Pragma: no-cache" ); + +$pgtitle = "Snort: Services: Help and Info"; +include('head.inc'); +?> +<style type="text/css"> +iframe +{ + border: 0; +} + +#footer2 +{ + +top: 135px; +position: relative; +background-color: #FFFFFF; +background-image: url("./images/footer.jpg"); +background-repeat: no-repeat; +background-attachment: scroll; +background-position: 0px 0px; +bottom: 0px; +width: 780px; +height: 63px; +color: #000000; +text-align: center; +font-size: 0.8em; +padding-top:64px; +padding-left: 0px; +clear: both; + +} + +</style> +<body> +<?php include("./snort_fbegin.inc"); ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", true, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); +?> + </td> +</tr> +</table> + +<?php +/* TODO: remove when 2.0 stable */ +if ($pfsense_stable == 'yes') { + +$footer2 = " + +<style type=\"text/css\"> + +#footer2 +{ + position: relative; + top: 27px; + background-color: #cccccc; + background-image: none; + background-repeat: repeat; + background-attachment: scroll; + background-position: 0% 0%; + width: 810px; + right: 15px; + font-size: 0.8em; + text-align: center; + padding-top: 0px; + padding-right: 0px; + padding-bottom: 0px; + padding-left: 0px; + clear: both; +} + +</style> + + <div id=\"footer2\"> + <IMG SRC=\"./images/footer2.jpg\" width=\"800px\" height=\"35\" ALT=\"Apps\"> + Snort is a registered trademark of Sourcefire, Inc, Barnyard2 is a registered trademark of securixlive.com, Orion copyright Robert Zelaya, + Emergingthreats is a registered trademark of emergingthreats.net, Mysql is a registered trademark of Mysql.com + </div>\n"; +} + +if ($pfsense_stable != 'yes') { +$footer3 = " + +<style type=\"text/css\"> + +#footer3 +{ + +top: 105px; +position: relative; +background-color: #FFFFFF; +background-image: url(\"./images/footer2.jpg\"); +background-repeat: no-repeat; +background-attachment: scroll; +background-position: 0px 0px; +bottom: 0px; +width: 770px; +height: 35px; +color: #000000; +text-align: center; +font-size: 0.8em; +padding-top: 35px; +padding-left: 0px; +clear: both; + +} + +</style> + + <div id=\"footer3\"> + Snort is a registered trademark of Sourcefire, Inc, Barnyard2 is a registered trademark of securixlive.com, Orion copyright Robert Zelaya, + Emergingthreats is a registered trademark of emergingthreats.net, Mysql is a registered trademark of Mysql.com + </div>\n"; +} +?> + + +<div> + <iframe style="width: 780px; height: 600px; overflow-x: hidden;" src='/snort/help_and_info.php'></iframe> +</div> + +<?php echo $footer2;?> + +</div> +</div> + +<?php //echo $footer3;?> + + <div id="footer"> + <a target="_blank" href="http://www.pfsense.org/?gui12" class="redlnk">pfSense</a> is © + 2004 - 2009 by <a href="http://www.bsdperimeter.com" class="tblnk">BSD Perimeter LLC</a>. All Rights Reserved. + <a href="/license.php" class="tblnk">view license</a>] + <br/> + + <a target="_blank" href="https://portal.pfsense.org/?guilead=true" class="tblnk">Commercial Support Available</a> + </div> <!-- Footer DIV --> +</body> +</html> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php new file mode 100644 index 00000000..5f42725f --- /dev/null +++ b/config/snort/snort_interfaces.php @@ -0,0 +1,594 @@ +<?php +/* $Id$ */ +/* + + originally part of m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); + +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +if (isset($config['installedpackages']['snortglobal']['rule'])) { +$id_gen = count($config['installedpackages']['snortglobal']['rule']); +}else{ +$id_gen = '0'; +} + + +/* alert file */ +$d_snortconfdirty_path_ls = exec('/bin/ls /var/run/snort_conf_*.dirty'); + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if ($d_snortconfdirty_path_ls != '') { + + write_config(); + + sync_snort_package_empty(); + sync_snort_package(); + + exec('/bin/rm /var/run/snort_conf_*.dirty'); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces.php"); + + exit; + + } + + } + + + +if (isset($_POST['del_x'])) { + /* delete selected rules */ + if (is_array($_POST['rule']) && count($_POST['rule'])) { + foreach ($_POST['rule'] as $rulei) { + + /* convert fake interfaces to real */ + $if_real = convert_friendly_interface_to_real_interface_name2($a_nat[$rulei]['interface']); + $snort_uuid = $a_nat[$rulei]['uuid']; + + /* cool code to check if any snort is up */ + $snort_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); + + if ($snort_up_ck != "") + { + + $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}{$if_real}\" | awk '{print \$1;}'"); + $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + + $start2_upb_pre = exec("/bin/cat /var/run/barnyard2_{$snort_uuid}_{$if_real}.pid"); + $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + + + if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") + { + + /* dont flood the syslog code */ + //exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); + //sleep(3); + + + /* remove only running instances */ + if ($start_up_s != "") + { + exec("/bin/kill {$start_up_s}"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); + } + + if ($start2_upb_s != "") + { + exec("/bin/kill {$start2_upb_s}"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); + } + + if ($start_up_r != "") + { + exec("/bin/kill {$start_up_r}"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); + } + + if ($start2_upb_r != "") + { + exec("/bin/kill {$start2_upb_r}"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); + } + + /* stop syslog flood code */ + //$if_real_wan_rulei = $a_nat[$rulei]['interface']; + //$if_real_wan_rulei2 = convert_friendly_interface_to_real_interface_name2($if_real_wan_rulei); + //exec("/sbin/ifconfig $if_real_wan_rulei2 -promisc"); + //exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_$rulei$if_real.log"); + //exec("/usr/bin/killall syslogd"); + //exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); + //exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); + //sleep(2); + //exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); + //$after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); + //exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after {$rulei}{$if_real} STOP {$after_mem}'"); + //exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule removed for {$rulei}{$if_real}...'"); + + } + + } + + /* for every iface do these steps */ + conf_mount_rw(); + exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); + exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + + conf_mount_ro(); + + unset($a_nat[$rulei]); + + } + + write_config(); + sleep(2); + + /* if there are no ifaces do not create snort.sh */ + if (isset($config['installedpackages']['snortglobal']['rule'][0]['enable'])) { + create_snort_sh(); + }else{ + conf_mount_rw(); + exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); + conf_mount_ro(); + } + + //touch("/var/run/snort_conf_delete.dirty"); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces.php"); + //exit; + } + +} + + +/* start/stop snort */ +if ($_GET['act'] == 'toggle' && $_GET['id'] != '') +{ + + $if_real = convert_friendly_interface_to_real_interface_name2($config['installedpackages']['snortglobal']['rule'][$id]['interface']); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Toggle for {$snort_uuid}_{$if_real}...'"); + + $tester2 = Running_Ck($snort_uuid, $if_real, $id); + + if ($tester2 == 'yes') { + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup '{$tester2} yn for {$snort_uuid}_{$if_real}...'"); + + Running_Stop($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces.php"); + + }else{ + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); + + Running_Start($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces.php"); + } +} + + + +$pgtitle = "Services: Snort 2.8.5.3 pkg v. 1.21"; +include("head.inc"); + +?> +<body link="#000000" vlink="#000000" alink="#000000"> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> +<style type="text/css"> + +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 50% 50px; +} +.listbg2 { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #090; + color: #000; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} +.listbg3 { + border-right: 1px solid #999999; + border-bottom: 1px solid #999999; + font-size: 11px; + background-color: #777777; + color: #000; + padding-right: 16px; + padding-left: 6px; + padding-top: 4px; + padding-bottom: 4px; +} + +</style> + + + +<noscript><div class="alert" ALIGN=CENTER><img src="../themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> +<form action="/snort/snort_interfaces.php" method="post" name="iform"> + +<?php + + /* Display Alert message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + //if (file_exists($d_snortconfdirty_path)) { + if ($d_snortconfdirty_path_ls != '') { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed for one or more interfaces.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + +?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> +<?php + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", true, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); +?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="list"> </td> + <td width="1%" class="list"> </td> + <td width="10%" class="listhdrr">If</td> + <td width="10%" class="listhdrr">Snort</td> + <td width="10%" class="listhdrr">Performance</td> + <td width="10%" class="listhdrr">Block</td> + <td width="10%" class="listhdrr">Barnyard2</td> + <td width="50%" class="listhdr">Description</td> + <td width="3%" class="list"> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td width="17"></td> + <td><a href="snort_interfaces_edit.php?id=<?php echo $id_gen;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + </tr> + </table> + </td> + </tr> + <?php $nnats = $i = 0; foreach ($a_nat as $natent): ?> + <tr valign="top" id="fr<?=$nnats;?>"> + <?php + + /* convert fake interfaces to real and check if iface is up */ + /* There has to be a smarter way to do this */ + $if_real = convert_friendly_interface_to_real_interface_name2($natent['interface']); + $snort_uuid = $natent['uuid']; + + $tester2 = Running_Ck($snort_uuid, $if_real, $id); + + if ($tester2 == 'no') + { + $iconfn = 'pass'; + $class_color_up = 'listbg'; + }else{ + $class_color_up = 'listbg2'; + $iconfn = 'block'; + } + + ?> + <td class="listt"><a href="?act=toggle&id=<?=$i;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_<?=$iconfn;?>.gif" width="13" height="13" border="0" title="click to toggle start/stop snort"></a><input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"></td> + <td class="listt" align="center"></td> + <td class="<?=$class_color_up;?>" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + if (!$natent['interface'] || ($natent['interface'] == "wan")) + echo "WAN"; + else if(strtolower($natent['interface']) == "lan") + echo "LAN"; + else if(strtolower($natent['interface']) == "pppoe") + echo "PPPoE"; + else if(strtolower($natent['interface']) == "pptp") + echo "PPTP"; + else + echo strtoupper($natent['interface']); + ?> + </td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_snort_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['enable']; + if ($check_snort_info == "on") + { + $check_snort = enabled; + } else { + $check_snort = disabled; + } + ?> + <?=strtoupper($check_snort);?> + </td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_performance_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['performance']; + if ($check_performance_info != "") { + $check_performance = $check_performance_info; + }else{ + $check_performance = "lowmem"; + } + ?> + <?=strtoupper($check_performance);?> + </td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_blockoffenders_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['blockoffenders7']; + if ($check_blockoffenders_info == "on") + { + $check_blockoffenders = enabled; + } else { + $check_blockoffenders = disabled; + } + ?> + <?=strtoupper($check_blockoffenders);?> + </td> + <?php + + $color2_upb = Running_Ck_b($snort_uuid, $if_real, $id); + + if ($color2_upb == 'yes') { + $class_color_upb = 'listbg2'; + }else{ + $class_color_upb = 'listbg'; + } + + ?> + <td class="<?=$class_color_upb;?>" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <?php + $check_snortbarnyardlog_info = $config['installedpackages']['snortglobal']['rule'][$nnats]['barnyard_enable']; + if ($check_snortbarnyardlog_info == "on") + { + $check_snortbarnyardlog = strtoupper(enabled); + }else{ + $check_snortbarnyardlog = strtoupper(disabled); + } + ?> + <?php echo "$check_snortbarnyardlog";?> + </td> + <td class="listbg3" onClick="fr_toggle(<?=$nnats;?>)" ondblclick="document.location='snort_interfaces_edit.php?id=<?=$nnats;?>';"> + <font color="#ffffff"> + <?=htmlspecialchars($natent['descr']);?> + </td> + <td valign="middle" class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td><a href="snort_interfaces_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="edit rule"></a></td> + </tr> + </table> + </tr> + <?php $i++; $nnats++; endforeach; ?> + <tr> + <td class="list" colspan="8"></td> + <td class="list" valign="middle" nowrap> + <table border="0" cellspacing="0" cellpadding="1"> + <tr> + <td><?php if ($nnats == 0): ?><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="delete selected rules" border="0"><?php else: ?><input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="delete selected mappings" onclick="return confirm('Do you really want to delete the selected Snort Rule?')"><?php endif; ?></td> + </tr> + </table> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +<br> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <td width="100%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + This is the <strong>Snort Menu</strong> where you can see an over view of all your interface settings. + <br> + Please edit the <strong>Global Settings</strong> tab before adding an interface. + <br><br> + <strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="Add Icon"> icon to add a interface.<strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" width="13" height="13" border="0" title="Start Icon"> icon to <strong>start</strong> snort and barnyard. + <br> + <strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" title="Edit Icon"> icon to edit a interface and settings.<strong>Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="13" height="13" border="0" title="Stop Icon"> icon to <strong>stop</strong> snort and barnyard. + <br> + <strong> Click</strong> on the <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="Delete Icon"> icon to delete a interface and settings. +</td> + </table> + +<?php +if ($pkg['tabs'] <> "") { + echo "</td></tr></table>"; +} +?> + +</form> + +<?php +/* TODO: remove when 2.0 stable */ +if ($pfsense_theme_is == 'nervecenter') { + +$footer2 = " + +<style type=\"text/css\"> + +#footer2 +{ + position: relative; + top: -17px; + background-color: #cccccc; + background-image: none; + background-repeat: repeat; + background-attachment: scroll; + background-position: 0% 0%; + font-size: 0.8em; + text-align: center; + padding-top: 0px; + padding-right: 0px; + padding-bottom: 0px; + padding-left: 10px; + clear: both; +} + +</style> + + <div id=\"footer2\"> + <IMG SRC=\"./images/footer2.jpg\" width=\"780px\" height=\"35\" ALT=\"Apps\"> + Snort is a registered trademark of Sourcefire, Inc, Barnyard2 is a registered trademark of securixlive.com, Orion copyright Robert Zelaya, + Emergingthreats is a registered trademark of emergingthreats.net, Mysql is a registered trademark of Mysql.com + </div>\n"; +} + +if ($pfsense_theme_is == 'pfsense_ng') { +$footer3 = " + +<style type=\"text/css\"> + +#footer3 +{ + +top: 105px; +position: relative; +background-color: #FFFFFF; +background-image: url(\"./images/footer2.jpg\"); +background-repeat: no-repeat; +background-attachment: scroll; +background-position: 0px 0px; +bottom: 0px; +width: 770px; +height: 35px; +color: #000000; +text-align: center; +font-size: 0.8em; +padding-top: 35px; +padding-left: 0px; +clear: both; + +} + +</style> + + <div id=\"footer3\"> + Snort is a registered trademark of Sourcefire, Inc, Barnyard2 is a registered trademark of securixlive.com, Orion copyright Robert Zelaya, + Emergingthreats is a registered trademark of emergingthreats.net, Mysql is a registered trademark of Mysql.com + </div>\n"; +} +?> + +<?php echo $footer3;?> + +</div> <!-- Right DIV --> +</div> <!-- Content DIV --> + +<?php echo $footer2;?> + + <div id="footer"> + <a target="_blank" href="http://www.pfsense.org/?gui12" class="redlnk">pfSense</a> is © + 2004 - 2009 by <a href="http://www.bsdperimeter.com" class="tblnk">BSD Perimeter LLC</a>. All Rights Reserved. + [<a href="/license.php" class="tblnk">view license</a>] + <br/> + [<a target="_blank" href="https://portal.pfsense.org/?guilead=true" class="tblnk">Commercial Support Available</a>] + </div> <!-- Footer DIV --> + +</div> <!-- Wrapper Div --> +<script type="text/javascript" src="/themes/nervecenter/bottom-loader.js"></script> +</body> +</html> diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index ab83f83f..b63bbfbd 100644 --- a/config/snort-dev/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -30,8 +30,10 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("guiconfig.inc"); -include_once("/usr/local/pkg/snort/snort.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); + if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); @@ -48,6 +50,36 @@ if (isset($_GET['dup'])) { $after = $_GET['dup']; } + +/* always have a limit of (65535) numbers only or snort will not start do to id limits */ +/* TODO: When inline gets added make the uuid the port number lisstening */ +//function gen_snort_uuid($fileline) +//{ + /* return the first 5 */ + //if (preg_match("/...../", $fileline, $matches1)) + //{ + //$uuid_final = "$matches1[0]"; + //} +//return $uuid_final; +//} + +/* gen uuid for each iface !inportant */ +if ($config['installedpackages']['snortglobal']['rule'][$id]['uuid'] == '') { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); +$snort_uuid = 0; +while ($snort_uuid > 65535 || $snort_uuid == 0) { + $snort_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $snort_uuid; + } +} + +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name2($a_nat[$id]['interface']); + +if ($config['installedpackages']['snortglobal']['rule'][$id]['uuid'] != '') { + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; +} + if (isset($id) && $a_nat[$id]) { /* old options */ @@ -86,7 +118,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['ip def_sip_proxy_ports'] = $a_nat[$id]['ip def_sip_proxy_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; @@ -97,13 +129,17 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['configpassthru'] = base64_decode($a_nat[$id]['configpassthru']); + $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; @@ -117,76 +153,64 @@ if (isset($id) && $a_nat[$id]) { if (isset($_GET['dup'])) unset($id); - -/* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); - -if ($_POST["Submit"]) { - - /* input validation */ -// if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { -// $reqdfields = explode(" ", "interface proto beginport endport localip localbeginport"); -// $reqdfieldsn = explode(",", "Interface,Protocol,External port from,External port to,NAT IP,Local port"); -// } else { -// $reqdfields = explode(" ", "interface proto localip"); -// $reqdfieldsn = explode(",", "Interface,Protocol,NAT IP"); -// } - -// do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - -// if (($_POST['localip'] && !is_ipaddroralias($_POST['localip']))) { -// $input_errors[] = "\"{$_POST['localip']}\" is not valid NAT IP address or host alias."; -// } - - /* only validate the ports if the protocol is TCP, UDP or TCP/UDP */ -// if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { - -// if (($_POST['beginport'] && !is_ipaddroralias($_POST['beginport']) && !is_port($_POST['beginport']))) { -// $input_errors[] = "The start port must be an integer between 1 and 65535."; -// } -// if (($_POST['endport'] && !is_ipaddroralias($_POST['endport']) && !is_port($_POST['endport']))) { -// $input_errors[] = "The end port must be an integer between 1 and 65535."; -// } +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + + write_config(); + + $if_real = convert_friendly_interface_to_real_interface_name2($a_nat[$id]['interface']); -// if (($_POST['localbeginport'] && !is_ipaddroralias($_POST['localbeginport']) && !is_port($_POST['localbeginport']))) { -// $input_errors[] = "The local port must be an integer between 1 and 65535."; -// } + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); + + unlink("/var/run/snort_conf_{$snort_uuid}_.dirty"); + + } + + if (file_exists($d_snortconfdirty_path)) { + + write_config(); + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); -// if ($_POST['beginport'] > $_POST['endport']) { - /* swap */ -// $tmp = $_POST['endport']; -// $_POST['endport'] = $_POST['beginport']; -// $_POST['beginport'] = $tmp; -// } + unlink($d_snortconfdirty_path); + + } + + } -// if (!$input_errors) { -// if (($_POST['endport'] - $_POST['beginport'] + $_POST['localbeginport']) > 65535) -// $input_errors[] = "The target port range must be an integer between 1 and 65535."; -// } +if ($_POST["Submit"]) { - + + // if ($config['installedpackages']['snortglobal']['rule']) { -// if ($_POST['descr'] == "") { -// $input_errors[] = "Please enter a description for your reference."; -// } + if ($_POST['descr'] == '' && $pconfig['descr'] == '') { + $input_errors[] = "Please enter a description for your reference."; + } -// if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { + if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { -// $rule_array = $config['installedpackages']['snortglobal']['rule']; -// $id_c = -1; -// foreach ($rule_array as $value) { + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id_c = -1; + foreach ($rule_array as $value) { -// $id_c += 1; + $id_c += 1; -// $result_lan = $config['installedpackages']['snortglobal']['rule'][$id_c]['interface']; -// $if_real = convert_friendly_interface_to_real_interface_name($result_lan); + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id_c]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); -// if ($_POST['interface'] == $result_lan) { -// $input_errors[] = "Interface $result_lan is in use. Please select another interface."; -// } -// } -// } + if ($_POST['interface'] == $result_lan) { + $input_errors[] = "Interface $result_lan is in use. Please select another interface."; + } + } + } /* check for overlaps */ foreach ($a_nat as $natent) { @@ -204,13 +228,16 @@ if ($_POST["Submit"]) { $natent['interface'] = $_POST['interface'] ? $_POST['interface'] : $pconfig['interface']; /* if post write to conf or rewite the answer */ $natent['enable'] = $_POST['enable'] ? on : off; + $natent['uuid'] = $pconfig['uuid']; $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; /* if post = on use on off or rewrite the conf */ if ($_POST['blockoffenders7'] == "on") { $natent['blockoffenders7'] = on; }else{ $natent['blockoffenders7'] = off; } if ($_POST['enable'] == "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } + $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = on; }else{ $natent['alertsystemlog'] = off; } if ($_POST['enable'] == "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = on; }else{ $natent['tcpdumplog'] = off; } if ($_POST['enable'] == "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['enable'] == "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } + $natent['configpassthru'] = base64_encode($_POST['configpassthru']) ? base64_encode($_POST['configpassthru']) : $pconfig['configpassthru']; /* if optiion = 0 then the old descr way will not work */ /* rewrite the options that are not in post */ @@ -250,7 +277,7 @@ if ($_POST["Submit"]) { if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } - if ($pconfig['ip def_sip_proxy_ports'] != "") { $natent['ip def_sip_proxy_ports'] = $pconfig['ip def_sip_proxy_ports']; } + if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } @@ -260,6 +287,7 @@ if ($_POST["Submit"]) { if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } + if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } @@ -275,38 +303,77 @@ if ($_POST["Submit"]) { } write_config(); - // stop_service("snort"); - - if ($pconfig['interface'] != "") { - sync_snort_package_all(); - } - if ($pconfig['interface'] != "") { + touch("$d_snortconfdirty_path"); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); header("Location: /snort/snort_interfaces_edit.php?id=$id"); - }else{ - touch($d_natconfdirty_path); - header("Location: /snort/snort_interfaces.php"); - } + exit; } } - + if ($_POST["Submit2"]) { - sync_snort_package_all(); + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); sleep(1); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart {$id}{$if_real}"); + + Running_Start($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); header("Location: /snort/snort_interfaces_edit.php?id=$id"); - exit; } -$ifname = strtoupper($pconfig['interface']); -$pgtitle = "Snort: Interface: {$ifname} Settings Edit"; + if ($_POST["Submit3"]) + { + + Running_Stop($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + + } + + /* This code needs to be below headers */ + if (isset($config['installedpackages']['snortglobal']['rule'][$id]['interface'])) + { + + $snort_up_ck2_info = Running_Ck($snort_uuid, $if_real, $id); + + if ($snort_up_ck2_info == 'no') { + $snort_up_ck = '<input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)">'; + }else{ + $snort_up_ck = '<input name="Submit3" type="submit" class="formbtn" value="Stop" onClick="enable_change(true)">'; + } + + }else{ + $snort_up_ck = ''; + } + + +$pgtitle = "Snort: Interface Edit: $id $snort_uuid $if_real"; include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php -include("fbegin.inc"); +include("./snort_fbegin.inc"); ?> <style type="text/css"> .alert { @@ -321,7 +388,7 @@ border-bottom:2px solid #DBAC48; padding: 15px 10px 85% 50px; } </style> -<noscript><div class="alert" ALIGN=CENTER><img src="/themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> +<noscript><div class="alert" ALIGN=CENTER><img src="/themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</strong></div></noscript> <script language="JavaScript"> <!-- @@ -333,7 +400,7 @@ function enable_change(enable_change) { <?php /* make shure all the settings exist or function hide will not work */ /* if $id is emty allow if and discr to be open */ -if($id != "") +if($config['installedpackages']['snortglobal']['rule'][$id]['interface'] != '') { echo " document.iform.interface.disabled = endis2; @@ -345,19 +412,47 @@ echo " document.iform.alertsystemlog.disabled = endis; document.iform.tcpdumplog.disabled = endis; document.iform.snortunifiedlog.disabled = endis; + document.iform.configpassthru.disabled = endis; } //--> </script> +<p class="pgtitle"><?php if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php if ($input_errors) print_input_errors($input_errors); ?> -<?php if ($savemsg) print_info_box($savemsg); ?> -<form action="snort_interfaces_edit.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> + +<form action="snort_interfaces_edit.php<?php echo "?id=$id";?>" method="post" enctype="multipart/form-data" name="iform" id="iform"> + +<?php + + /* Display Alert message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + //if (file_exists($d_snortconfdirty_path)) { + if (file_exists($d_snortconfdirty_path) || file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + +?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> <?php -if($id != "") -{ - +if ($a_nat[$id]['interface'] != '') { /* get the interface name */ $first = 0; $snortInterfaces = array(); /* -gtm */ @@ -367,7 +462,7 @@ if($id != "") //print_r($if_array); if($if_array) { foreach($if_array as $iface2) { - $if2 = convert_friendly_interface_to_real_interface_name($iface2); + $if2 = convert_friendly_interface_to_real_interface_name2($iface2); if($config['interfaces'][$iface2]['ipaddr'] == "pppoe") { $if2 = "ng0"; @@ -385,48 +480,32 @@ if($id != "") return; } } - - /* do for the selected interface */ - foreach($snortInterfaces as $snortIf) - { - - /* if base directories dont exist create them */ - if(!file_exists("/usr/local/etc/snort/snort_{$id}{$if_real}/")) { - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$id}{$if_real}/"); - } +} $tab_array = array(); + if (!file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + } $tab_array[] = array("If Settings", true, "/snort/snort_interfaces_edit.php?id={$id}"); + /* hide user tabs when no settings have be saved */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['interface'] != '') { + if (!file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + //$tab_array[] = array("upload", false, "/snort/snort_conf_upload.php?id={$id}"); $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); } -} + } + display_top_tabs($tab_array); + ?> </td> </tr> <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <?php - if($id == "") - { - echo " - <tr> - <td width=\"22%\" valign=\"top\"> </td> - <td width=\"78%\"><span class=\"vexpl\"><span class=\"red\"><strong>Note:</strong></span><br> - You will be redirected to the Snort Interfaces Menu to approve changes.<br> - After approval, interface options will be made available. - <br><br> - Please select an interface and a description. - </td> - </tr>\n"; - } - ?> <tr> <td width="22%" valign="top" class="vtable"> </td> <td width="78%" class="vtable"> @@ -435,10 +514,9 @@ if($id != "") // care with spaces if ($pconfig['enable'] == "on") $checked = checked; - if($id != "") - { + $onclick_enable = "onClick=\"enable_change(false)\">"; - } + echo " <input name=\"enable\" type=\"checkbox\" value=\"on\" $checked $onclick_enable <strong>Enable Interface</strong></td>\n\n"; @@ -499,7 +577,7 @@ if($id != "") <td width="22%" valign="top" class="vncell">Log to a Tcpdump file</td> <td width="78%" class="vtable"> <input name="tcpdumplog" type="checkbox" value="on" <?php if ($pconfig['tcpdumplog'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> - Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by an application such as Wireshark which understands pcap file formats. WARNING: File may become large.</td> + Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by an application such as Wireshark which understands pcap file formats. <span class="red"><strong>WARNING:</strong></span> File may become large.</td> </tr> <tr> <td width="22%" valign="top" class="vncell">Log Alerts to a snort unified2 file</td> @@ -507,10 +585,17 @@ if($id != "") <input name="snortunifiedlog" type="checkbox" value="on" <?php if ($pconfig['snortunifiedlog'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2.</td> </tr> + <tr> + <td width="22%" valign="top" class="vncell">Advanced configuration pass through</td> + <td width="78%" class="vtable"> + <textarea name="configpassthru" cols="100" rows="7" id="configpassthru" class="formpre"><?=htmlspecialchars($pconfig['configpassthru']);?></textarea> + <br> + Arguments here will be automatically inserted into the running snort configuration.</td> + </tr> <tr> - <td width="22%" valign="top"> </td> + <td width="22%" valign="top"></td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> <input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <input name="Submit" type="submit" class="formbtn" value="Save"> <?php echo $snort_up_ck; ?> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> <?php if (isset($id) && $a_nat[$id]): ?> <input name="id" type="hidden" value="<?=$id;?>"> <?php endif; ?> diff --git a/config/snort-dev/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 50ae9aec..3c487ce0 100644 --- a/config/snort-dev/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -32,9 +32,9 @@ POSSIBILITY OF SUCH DAMAGE. */ -$pgtitle = "Services:[Snort][Global Settings]"; -require("guiconfig.inc"); -require("/usr/local/pkg/snort/snort.inc"); +$pgtitle = "Services: Snort: Global Settings"; +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); /* make things short */ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; @@ -57,38 +57,13 @@ if ($_POST) { if ($_POST['enable']) { -// if ($_POST['timeout'] && (!is_numeric($_POST['timeout']) || ($_POST['timeout'] < 1))) { -// $input_errors[] = "The timeout must be at least 1 minute."; -// } -// if ($_POST['idletimeout'] && (!is_numeric($_POST['idletimeout']) || ($_POST['idletimeout'] < 1))) { -// $input_errors[] = "The idle timeout must be at least 1 minute."; -// } -// if (($_POST['radiusip'] && !is_ipaddr($_POST['radiusip']))) { -// $input_errors[] = "A valid IP address must be specified. [".$_POST['radiusip']."]"; -// } -// if (($_POST['radiusip2'] && !is_ipaddr($_POST['radiusip2']))) { -// $input_errors[] = "A valid IP address must be specified. [".$_POST['radiusip2']."]"; -// } -// if (($_POST['radiusport'] && !is_port($_POST['radiusport']))) { -// $input_errors[] = "A valid port number must be specified. [".$_POST['radiusport']."]"; -// } -// if (($_POST['radiusport2'] && !is_port($_POST['radiusport2']))) { -// $input_errors[] = "A valid port number must be specified. [".$_POST['radiusport2']."]"; -// } -// if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { -// $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; -// } -// if ($_POST['maxproc'] && (!is_numeric($_POST['maxproc']) || ($_POST['maxproc'] < 4) || ($_POST['maxproc'] > 100))) { -// $input_errors[] = "The total maximum number of concurrent connections must be between 4 and 100."; -// } -// $mymaxproc = $_POST['maxproc'] ? $_POST['maxproc'] : 16; -// if ($_POST['maxprocperip'] && (!is_numeric($_POST['maxprocperip']) || ($_POST['maxprocperip'] > $mymaxproc))) { -// $input_errors[] = "The maximum number of concurrent connections per client IP address may not be larger than the global maximum."; -// } +/* TODO:a dd check user input code. */ } if (!$input_errors) { + + if ($_POST["Submit"]) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; @@ -134,11 +109,139 @@ if ($_POST) { $savemsg = get_std_save_message($retval); + + } + + sync_snort_package(); + +} + + + if ($_POST["Reset"]) { + +//////>>>>>>>>> + + function snort_deinstall_settings() +{ + + global $config, $g, $id, $if_real; + conf_mount_rw(); + + + exec("/usr/usr/bin/killall snort"); + sleep(2); + exec("/usr/usr/bin/killall -9 snort"); + sleep(2); + exec("/usr/usr/bin/killall barnyard2"); + sleep(2); + exec("/usr/usr/bin/killall -9 barnyard2"); + sleep(2); + + /* Remove snort cron entries Ugly code needs smoothness*/ +function snort_rm_blocked_deinstall_cron($should_install) +{ + global $config, $g; + conf_mount_rw(); + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) + { + if (strstr($item['command'], "snort2c")) + { + $is_installed = true; + break; + } + + $x++; + + } + if($is_installed == true) + { + if($x > 0) + { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + + configure_cron(); + + } + conf_mount_ro(); + +} + + function snort_rules_up_deinstall_cron($should_install) +{ + global $config, $g; + conf_mount_rw(); + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } +} + +snort_rm_blocked_deinstall_cron(""); +snort_rules_up_deinstall_cron(""); + + + /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ + /* Keep this as a last step */ + unset($config['installedpackages']['snortglobal']); + write_config(); + conf_mount_rw(); + + /* remove all snort iface dir */ + exec('rm -r /usr/local/etc/snort/snort_*'); + exec('rm /var/log/snort/*'); + + conf_mount_ro(); + +} + + snort_deinstall_settings(); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces_global.php"); + + exit; + +//////>>>>>>>>> } } + include("head.inc"); ?> -<?php include("fbegin.inc"); ?> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php if ($input_errors) print_input_errors($input_errors); ?> @@ -153,14 +256,14 @@ include("head.inc"); $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort_whitelist.xml"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> </td></tr> - <tr> - <td class="tabcont"> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> +<tr> +<td class="tabcont"> +<table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> <td width="22%" valign="top" class="vncell">Install Snort.org rules</td> <td width="78%" class="vtable"> <table cellpadding="0" cellspacing="0"> @@ -189,7 +292,6 @@ include("head.inc"); <td class="vncell" valign="top">Code</td> <td class="vtable"><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br> Obtain a snort.org Oinkmaster code and paste here.</td> - </td> </table> </tr> <tr> @@ -249,16 +351,12 @@ include("head.inc"); <span class="vexpl">Please choose the type of Alert logging you will like see in your alert file.<br> Hint: Best pratice is to chose full logging.</span> <span class="red"><strong>WARNING:</strong></span> <strong>On change, alert file will be cleared.</strong></td> </tr> - <tr> - <td width="22%" valign="top" class="vncell">Associate events on Blocked tab</td> - <td width="78%" class="vtable"> - <input name="associatealertip" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['associatealertip'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> - Checking this option will automatically associate the blocked reason from the snort alerts file.</td> - </tr> <tr> - <td width="22%" valign="top"> </td> + <td width="22%" valign="top"><input name="Reset" type="submit" class="formbtn" value="Reset" onclick="return confirm('Do you really want to delete all global and interface settings?')"><span class="red"><strong> WARNING:</strong><br> + This will reset all global and interface settings.</span> + </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)"> + <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> </td> </tr> <tr> @@ -271,11 +369,7 @@ include("head.inc"); </tr> </table> </form> -<script language="JavaScript"> -<!-- -enable_change(false); -//--> -</script> + <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 945de8e5..1d3abf0b 100644 --- a/config/snort-dev/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -30,15 +30,10 @@ POSSIBILITY OF SUCH DAMAGE. */ -/* -TODO: Nov 12 09 -Clean this code up its ugly -Important add error checking - -*/ - -require("guiconfig.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); @@ -95,7 +90,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; - $pconfig['ip def_sip_proxy_ports'] = $a_nat[$id]['ip def_sip_proxy_ports']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; @@ -106,6 +101,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; $pconfig['interface'] = $a_nat[$id]['interface']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['performance'] = $a_nat[$id]['performance']; @@ -114,6 +110,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['configpassthru'] = $a_nat[$id]['configpassthru']; + $pconfig['barnconfigpassthru'] = $a_nat[$id]['barnconfigpassthru']; $pconfig['rulesets'] = $a_nat[$id]['rulesets']; $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; @@ -123,9 +121,31 @@ if (isset($_GET['dup'])) } /* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); + +$snort_uuid = $pconfig['uuid']; + + /* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists($d_snortconfdirty_path)) { + + write_config(); + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); + + unlink($d_snortconfdirty_path); + + } + + } + -if ($_POST) { + if ($_POST["Submit"]) { /* check for overlaps */ @@ -135,6 +155,7 @@ if ($_POST) { /* repost the options already in conf */ if ($pconfig['interface'] != "") { $natent['interface'] = $pconfig['interface']; } if ($pconfig['enable'] != "") { $natent['enable'] = $pconfig['enable']; } + if ($pconfig['uuid'] != "") { $natent['uuid'] = $pconfig['uuid']; } if ($pconfig['descr'] != "") { $natent['descr'] = $pconfig['descr']; } if ($pconfig['performance'] != "") { $natent['performance'] = $pconfig['performance']; } if ($pconfig['blockoffenders7'] != "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } @@ -168,7 +189,7 @@ if ($_POST) { if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } - if ($pconfig['ip def_sip_proxy_ports'] != "") { $natent['ip def_sip_proxy_ports'] = $pconfig['ip def_sip_proxy_ports']; } + if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } @@ -176,6 +197,8 @@ if ($_POST) { if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } + if ($pconfig['configpassthru'] != "") { $natent['configpassthru'] = $pconfig['configpassthru']; } + if ($pconfig['barnconfigpassthru'] != "") { $natent['barnconfigpassthru'] = $pconfig['barnconfigpassthru']; } if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } @@ -193,7 +216,7 @@ if ($_POST) { $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? on : off; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? on : off; - if (isset($id) && $a_nat[$id]) + if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; else { if (is_numeric($after)) @@ -201,13 +224,17 @@ if ($_POST) { else $a_nat[] = $natent; } - - /* enable this if you want the user to aprove changes */ - // touch($d_natconfdirty_path); - + write_config(); /* after click go to this page */ + touch($d_snortconfdirty_path); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); header("Location: snort_preprocessors.php?id=$id"); exit; } @@ -219,8 +246,9 @@ include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php -include("fbegin.inc"); +include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <style type="text/css"> .alert { position:absolute; @@ -237,9 +265,35 @@ padding: 15px 10px 85% 50px; <noscript><div class="alert" ALIGN=CENTER><img src="../themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php if ($input_errors) print_input_errors($input_errors); ?> -<?php if ($savemsg) print_info_box($savemsg); ?> <form action="snort_preprocessors.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> + +<?php + + /* Display Alert message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + if (file_exists($d_snortconfdirty_path)) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + +?> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> <?php @@ -323,10 +377,10 @@ if($id != "") Normalize/Decode RPC traffic and detects Back Orifice traffic on the network.</td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Enable <br>FTP & Telnet Normalizer</td> + <td width="22%" valign="top" class="vncell">Enable <br>FTP and Telnet Normalizer</td> <td width="78%" class="vtable"> <input name="ftp_preprocessor" type="checkbox" value="on" <?php if ($pconfig['ftp_preprocessor']=="on") echo "checked"; ?> onClick="enable_change(false)"><br> - Normalize/Decode FTP & Telnet traffic and protocol anomalies.</td> + Normalize/Decode FTP and Telnet traffic and protocol anomalies.</td> </tr> <tr> <td width="22%" valign="top" class="vncell">Enable <br>SMTP Normalizer</td> @@ -378,11 +432,6 @@ if($id != "") </table> </form> -<script language="JavaScript"> -<!-- -enable_change(false); -//--> -</script> <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 94c99f0e..b5fa2fb2 100644 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -2,7 +2,8 @@ /* $Id$ */ /* edit_snortrule.php - Copyright (C) 2004, 2005 Scott Ullrich and Rober Zelaya + Copyright (C) 2004, 2005 Scott Ullrich + Copyright (C) 2008, 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -26,22 +27,45 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -require("guiconfig.inc"); -require("config.inc"); -if(!is_dir("/usr/local/etc/snort/rules")) { - conf_mount_rw(); - exec('mkdir /usr/local/etc/snort/rules/'); - conf_mount_ro(); + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} + +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_nat[$id]) { + + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; } +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); + +$iface_uuid = $a_nat[$id]['uuid']; + +// if(!is_dir("/usr/local/etc/snort/rules")) +// exec('mkdir /usr/local/etc/snort/rules/'); + /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); +$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); if ($isrulesfolderempty == "") { include("head.inc"); -include("fbegin.inc"); +include("./snort_fbegin.inc"); echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; @@ -51,18 +75,15 @@ echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n <tr>\n <td>\n"; - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); echo "</td>\n </tr>\n @@ -105,8 +126,6 @@ function get_middle($source, $beginning, $ending, $init_pos) { function write_rule_file($content_changed, $received_file) { - conf_mount_rw(); - //read snort file with writing enabled $filehandle = fopen($received_file, "w"); @@ -122,7 +141,6 @@ function write_rule_file($content_changed, $received_file) //close file handle fclose($filehandle); - conf_mount_rw(); } function load_rule_file($incoming_file) @@ -137,8 +155,9 @@ function load_rule_file($incoming_file) //close handler fclose ($filehandle); + //string for populating category select - $currentruleset = substr($file, 27); + $currentruleset = basename($rulefile); //delimiter for each new rule is a new line $delimiter = "\n"; @@ -150,10 +169,13 @@ function load_rule_file($incoming_file) } -$ruledir = "/usr/local/etc/snort/rules/"; +$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; $dh = opendir($ruledir); -$message_reload = "The Snort rule configuration has been changed.<br>You must apply the changes in order for them to take effect."; +if ($_GET['openruleset'] != '' && $_GET['ids'] != '') +{ + header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); +} while (false !== ($filename = readdir($dh))) { @@ -169,19 +191,22 @@ sort($files); if ($_GET['openruleset']) { - $file = $_GET['openruleset']; + $rulefile = $_GET['openruleset']; } else { - $file = $ruledir.$files[0]; + $rulefile = $ruledir.$files[0]; } //Load the rule file -$splitcontents = load_rule_file($file); +$splitcontents = load_rule_file($rulefile); if ($_POST) { + + conf_mount_rw(); + if (!$_POST['apply']) { //retrieve POST data $post_lineid = $_POST['lineid']; @@ -258,26 +283,20 @@ if ($_POST) $splitcontents[$post_lineid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $file); + write_rule_file($splitcontents, $rulefile); //once file has been written, reload file - $splitcontents = load_rule_file($file); + $splitcontents = load_rule_file($rulefile); $stopMsg = true; } - - if ($_POST['apply']) { -// stop_service("snort"); -// sleep(2); -// start_service("snort"); - $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; - $stopMsg = false; - } - } else if ($_GET['act'] == "toggle") { - $toggleid = $_GET['id']; + + conf_mount_rw(); + + $toggleid = $_GET['ids']; //copy rule contents from array into string $tempstring = $splitcontents[$toggleid]; @@ -311,10 +330,10 @@ else if ($_GET['act'] == "toggle") $splitcontents[$toggleid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $file); + write_rule_file($splitcontents, $rulefile); //once file has been written, reload file - $splitcontents = load_rule_file($file); + $splitcontents = load_rule_file($rulefile); $stopMsg = true; @@ -326,20 +345,22 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_off = str_replace("sid:", "", $sid_off_cut); // rule_sid_on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; + $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if off sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; + $a_nat[$id]['rule_sid_on'] = $sid_on_old; // rule sid off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; + $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as off sid remove it $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; + $a_nat[$id]['rule_sid_off'] = $sid_off_old; // add sid off registers to new off sid - $config['installedpackages']['snort']['rule_sid_off'] = "||disablesid $sid_off" . $config['installedpackages']['snort']['rule_sid_off']; + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; write_config(); + conf_mount_rw(); + } else { @@ -349,39 +370,55 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_on = str_replace("sid:", "", $sid_on_cut); // rule_sid_off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; + $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as on sid remove it $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; + $a_nat[$id]['rule_sid_off'] = $sid_off_old; // rule sid on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; + $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if on sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; + $a_nat[$id]['rule_sid_on'] = $sid_on_old; // add sid on registers to new on sid - $config['installedpackages']['snort']['rule_sid_on'] = "||enablesid $sid_on" . $config['installedpackages']['snort']['rule_sid_on']; + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; write_config(); + conf_mount_rw(); } } +if ($_GET['saved'] == 'yes') +{ + $message = "The Snort rule configuration has been changed.<br>You must restart this snort interface in order for the changes to take effect."; + +// stop_service("snort"); +// sleep(2); +// start_service("snort"); +// $savemsg = ""; +// $stopMsg = false; +} + +$currentruleset = basename($rulefile); + +$ifname = strtoupper($pconfig['interface']); -$pgtitle = "Snort: Rules"; require("guiconfig.inc"); include("head.inc"); + +$pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; + ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> + <?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +echo "<form action=\"snort_rules.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; ?> -<form action="snort_rules.php" method="post" name="iform" id="iform"> -<?php if ($savemsg){print_info_box($savemsg);} else if ($stopMsg){print_info_box_np($message_reload);}?> -<br> +<?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?> </form> <script type="text/javascript" language="javascript" src="row_toggle.js"> <script src="/javascript/sorttable.js" type="text/javascript"> @@ -403,28 +440,40 @@ function go() } // --> </script> +<script type="text/javascript"> +<!-- +function popup(url) +{ + params = 'width='+screen.width; + params += ', height='+screen.height; + params += ', top=0, left=0' + params += ', fullscreen=yes'; + + newwin=window.open(url,'windowname4', params); + if (window.focus) {newwin.focus()} + return false; +} +// --> +</script> <table width="99%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?> - </td> - </tr> - <tr> - <td> + </td> + </tr> + <tr> + <td> <div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> @@ -447,7 +496,8 @@ function go() echo "<br>Category: "; //string for populating category select - $currentruleset = substr($file, 27); + $currentruleset = basename($rulefile); + ?> <form name="forms"> <select name="selectbox" class="formfld" onChange="go()"> @@ -459,7 +509,7 @@ function go() if ($files[$i] === $currentruleset) $selectedruleset = "selected"; ?> - <option value="?&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" + <option value="?id=<?=$id;?>&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" <?php $i++; @@ -512,7 +562,13 @@ function go() $textss = $textse = ""; $iconb = "icon_block.gif"; } - + + if ($disabled_pos !== false){ + $ischecked = ""; + }else{ + $ischecked = "checked"; + } + $rule_content = explode(' ', $tempstring); $protocol = $rule_content[$counter2];//protocol location @@ -525,87 +581,93 @@ function go() $counter2++; $destination_port = $rule_content[$counter2];//destination port location - $message = get_middle($tempstring, 'msg:"', '";', 0); + if (strstr($tempstring, 'msg: "')) + $message = get_middle($tempstring, 'msg: "', '";', 0); + if (strstr($tempstring, 'msg:"')) + $message = get_middle($tempstring, 'msg:"', '";', 0); - echo "<tr>"; - echo "<td class=\"listt\">"; - echo $textss; + echo "<tr> + <td class=\"listt\"> + $textss\n"; ?> - <a href="?&openruleset=<?=$file;?>&act=toggle&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a> + <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="10" height="10" border="0" title="click to toggle enabled/disabled status"></a> + <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> + <!-- TODO: add checkbox and save so that that disabling is nicer --> <?php - echo $textse; - echo "</td>"; - - - echo "<td class=\"listlr\">"; - echo $textss; - echo $sid; - echo $textse; - echo "</td>"; - - echo "<td class=\"listlr\">"; - echo $textss; - echo $protocol; + echo "$textse + </td> + <td class=\"listlr\"> + $textss + $sid + $textse + </td> + <td class=\"listlr\"> + $textss + $protocol"; + ?> + <?php $printcounter++; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $source; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $source_port; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $destination; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $destination_port; - echo $textse; - echo "</td>"; + echo "$textse + </td> + <td class=\"listlr\"> + $textss + $source + $textse + </td> + <td class=\"listlr\"> + $textss + $source_port + $textse + </td> + <td class=\"listlr\"> + $textss + $destination + $textse + </td> + <td class=\"listlr\"> + $textss + $destination_port + $textse + </td>"; ?> <td class="listbg"><font color="white"> <?php - echo $textss; - echo $message; - echo $textse; - echo "</td>"; + echo "$textss + $message + $textse + </td>"; ?> <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td><a href="snort_rules_edit.php?openruleset=<?=$file;?>&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> + <td><a href="javascript: void(0)"onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> + <!-- Codes by Quackit.com --> </tr> </table> </td> <?php } } - echo " "; - echo "There are "; - echo $printcounter; - echo " rules in this category. <br><br>"; + echo " There are $printcounter rules in this category. <br><br>"; ?> </table> </td> </tr> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> <td>Rule Enabled</td> </tr> <tr> - <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> + <td><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> <td nowrap>Rule Disabled</td> - - + </tr> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <!-- TODO: add save and cancel for checkbox options --> + <!-- <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> --> </tr> + </table> <tr> <td colspan="10"> <p> @@ -615,12 +677,11 @@ function go() </tr> </table> </table> - </td> </tr> + </table> - <?php include("fend.inc"); ?> </div></body> -</html>
\ No newline at end of file +</html> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index cbabce73..759193c8 100644 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -1,40 +1,72 @@ +#!/usr/local/bin/php <?php -/* $Id$ */ /* - snort_rules_edit.php - Copyright (C) 2004, 2005 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + system_edit.php + Copyright (C) 2004, 2005 Scott Ullrich + All rights reserved. + + Adapted for FreeNAS by Volker Theile (votdev@gmx.de) + Copyright (C) 2006-2009 Volker Theile + + Adapted for Pfsense Snort package by Robert Zelaya + Copyright (C) 2008-2009 Robert Zelaya + + Using dp.SyntaxHighlighter for syntax highlighting + http://www.dreamprojections.com/SyntaxHighlighter + Copyright (C) 2004-2006 Alex Gorbatchev. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ -function get_middle($source, $beginning, $ending, $init_pos) { - $beginning_pos = strpos($source, $beginning, $init_pos); - $middle_pos = $beginning_pos + strlen($beginning); - $ending_pos = strpos($source, $ending, $beginning_pos); - $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); - return $middle; +require_once("guiconfig.inc"); +require_once("config.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} + +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$ids = $_GET['ids']; +if (isset($_POST['ids'])) + $ids = $_POST['ids']; + + +if (isset($id) && $a_nat[$id]) { + + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; } +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); + $file = $_GET['openruleset']; @@ -42,10 +74,10 @@ $file = $_GET['openruleset']; $filehandle = fopen($file, "r"); //get rule id -$lineid = $_GET['id']; +$lineid = $_GET['ids']; //read file into string, and get filesize -$contents = fread($filehandle, filesize($file)); +$contents2 = fread($filehandle, filesize($file)); //close handler fclose ($filehandle); @@ -54,154 +86,158 @@ fclose ($filehandle); $delimiter = "\n"; //split the contents of the string file into an array using the delimiter -$splitcontents = explode($delimiter, $contents); +$splitcontents = explode($delimiter, $contents2); //copy rule contents from array into string $tempstring = $splitcontents[$lineid]; -//explode rule contents into an array, (delimiter is space) -$rule_content = explode(' ', $tempstring); +function write_rule_file($content_changed, $received_file) +{ + //read snort file with writing enabled + $filehandle = fopen($received_file, "w"); + + //delimiter for each new rule is a new line + $delimiter = "\n"; -//search string -$findme = "# alert"; //find string for disabled alerts + //implode the array back into a string for writing purposes + $fullfile = implode($delimiter, $content_changed); -//find if alert is disabled -$disabled = strstr($tempstring, $findme); + //write data to file + fwrite($filehandle, $fullfile); -//get sid -$sid = get_middle($tempstring, 'sid:', ';', 0); + //close file handle + fclose($filehandle); +} -//if find alert is false, then rule is disabled -if ($disabled !== false) -{ - //move counter up 1, so we do not retrieve the # in the rule_content array - $counter2 = 2; + + +if($_POST['highlight'] <> "") { + if($_POST['highlight'] == "yes" or + $_POST['highlight'] == "enabled") { + $highlight = "yes"; + } else { + $highlight = "no"; + } +} else { + $highlight = "no"; } + +if($_POST['rows'] <> "") + $rows = $_POST['rows']; else + $rows = 1; + +if($_POST['cols'] <> "") + $cols = $_POST['cols']; +else + $cols = 66; + +if ($_POST) { - $counter2 = 1; + if ($_POST['save']) { + + /* get the changes */ + $rule_content2 = $_POST['code']; + + //copy string into file array for writing + $splitcontents[$lineid] = $rule_content2; + + //write the new .rules file + write_rule_file($splitcontents, $file); + + header("Location: /snort/snort_rules_edit.php?id=$id&openruleset=$file&ids=$ids"); + + } } +$pgtitle = array(gettext("Advanced"), gettext("File Editor")); -$protocol = $rule_content[$counter2];//protocol location -$counter2++; -$source = $rule_content[$counter2];//source location -$counter2++; -$source_port = $rule_content[$counter2];//source port location -$counter2++; -$direction = $rule_content[$counter2]; -$counter2++; -$destination = $rule_content[$counter2];//destination location -$counter2++; -$destination_port = $rule_content[$counter2];//destination port location -$message = get_middle($tempstring, 'msg:"', '";', 0); - -$content = get_middle($tempstring, 'content:"', '";', 0); -$classtype = get_middle($tempstring, 'classtype:', ';', 0); -$revision = get_middle($tempstring, 'rev:', ';',0); - -$pgtitle = "Snort: Edit Rule"; -require("guiconfig.inc"); -include("head.inc"); +// ?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php include("fbegin.inc"); ?> -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php?openruleset=/usr/local/etc/snort/rules/attack-responses.rules"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <form action="snort_rules.php?openruleset=<?=$file;?>&id=<?=$lineid;?>" target="" method="post" name="editform" id="editform"> - <table id="edittable" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="listhdr" width="10%">Enabled: </td> - <td class="listlr" width="30%"><input name="enabled" type="checkbox" id="enabled" value="yes" <?php if ($disabled === false) echo "checked";?>></td> - </tr> - <tr> - <td class="listhdr" width="10%">SID: </td> - <td class="listlr" width="30%"><?php echo $sid; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Protocol: </td> - <td class="listlr" width="30%"><?php echo $protocol; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Source: </td> - <td class="listlr" width="30%"><input name="src" type="text" id="src" size="20" value="<?php echo $source;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Source Port: </td> - <td class="listlr" width="30%"><input name="srcport" type="text" id="srcport" size="20" value="<?php echo $source_port;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Direction:</td> - <td class="listlr" width="30%"><?php echo $direction;?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Destination:</td> - <td class="listlr" width="30%"><input name="dest" type="text" id="dest" size="20" value="<?php echo $destination;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Destination Port: </td> - <td class="listlr" width="30%"><input name="destport" type="text" id="destport" size="20" value="<?php echo $destination_port;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Message: </td> - <td class="listlr" width="30%"><?php echo $message; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Content: </td> - <td class="listlr" width="30%"><?php echo $content; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Classtype: </td> - <td class="listlr" width="30%"><?php echo $classtype; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Revision: </td> - <td class="listlr" width="30%"><?php echo $revision; ?></td> - </tr> - <tr><td> </td></tr> - <tr> - <td><input name="lineid" type="hidden" value="<?=$lineid;?>"></td> - <td><input class="formbtn" value="Save" type="submit" name="editsave" id="editsave">   <input type="button" class="formbtn" value="Cancel" onclick="history.back()"></td> - </tr> - </table> - </form> - </td> - </tr> - </table> - </td> -</tr> +<?php include("head.inc");?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabcont"> + <form action="snort_rules_edit.php?id=<?=$id; ?>&openruleset=<?=$file; ?>&ids=<?=$ids; ?>" method="post"> + <?php if ($savemsg) print_info_box($savemsg);?> + <table width="100%" cellpadding='9' cellspacing='9' bgcolor='#eeeeee'> + <tr> + <td> + <input name="save" type="submit" class="formbtn" id="save" value="save" /> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <hr noshade="noshade" /> + <?=gettext("Disable original rule"); ?>: + <input id="highlighting_enabled" name="highlight2" type="radio" value="yes" <?php if($highlight == "yes") echo " checked=\"checked\""; ?> /> + <label for="highlighting_enabled"><?=gettext("Enabled"); ?></label> + <input id="highlighting_disabled" name="highlight2" type="radio" value="no"<?php if($highlight == "no") echo " checked=\"checked\""; ?> /> + <label for="highlighting_disabled"><?=gettext("Disabled"); ?></label> + </td> + </tr> + </table> + <table width='100%'> + <tr> + <td valign="top" class="label"> + <div style="background: #eeeeee;" id="textareaitem"> + <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="<?php echo $rows; ?>" cols="<?php echo $cols; ?>" name="code"><?php echo $tempstring;?></textarea> + </div> + </td> + </tr> + </table> + <table width='100%'> + <tr> + <td valign="top" class="label"> + <div style="background: #eeeeee;" id="textareaitem"> + <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea disabled wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="33" cols="<?php echo $cols; ?>" name="code2"><?php echo $contents2;?></textarea> + </div> + </td> + </tr> + </table> + <?php // include("formend.inc");?> + </form> + </td> + </tr> </table> +<script class="javascript" src="/snort/syntaxhighlighter/shCore.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushCSharp.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushPhp.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushJScript.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushJava.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushVb.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushSql.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushXml.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushDelphi.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushPython.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushRuby.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushCss.js"></script> +<script class="javascript"> +<!-- + // Set focus. + document.forms[0].savetopath.focus(); + + // Append css for syntax highlighter. + var head = document.getElementsByTagName("head")[0]; + var linkObj = document.createElement("link"); + linkObj.setAttribute("type","text/css"); + linkObj.setAttribute("rel","stylesheet"); + linkObj.setAttribute("href","/snort/syntaxhighlighter/SyntaxHighlighter.css"); + head.appendChild(linkObj); + + // Activate dp.SyntaxHighlighter? + <?php + if($_POST['highlight'] == "yes") { + echo "dp.SyntaxHighlighter.HighlightAll('code', true, true);\n"; + // Disable 'Save' button. + echo "document.forms[0].Save.disabled = 1;\n"; + } +?> +//--> +</script> +<?php //include("fend.inc");?> -<?php include("fend.inc"); ?> -</div></body> -</html>
\ No newline at end of file +</body> +</html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index d839ae7a..d232c097 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -3,6 +3,7 @@ /* snort_rulesets.php Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,43 +29,68 @@ */ require("guiconfig.inc"); -require_once("service-utils.inc"); -require("/usr/local/pkg/snort.inc"); +//require_once("filter.inc"); +//require_once("service-utils.inc"); +include_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); -if(!is_dir("/usr/local/etc/snort/rules")) { - conf_mount_rw(); - exec('mkdir /usr/local/etc/snort/rules/'); - conf_mount_ro(); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} + +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + + +if (isset($id) && $a_nat[$id]) { + + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; } +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); + + +$iface_uuid = $a_nat[$id]['uuid']; + +$pgtitle = "Snort: Interface $id $iface_uuid $if_real Categories"; + + /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); +$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); if ($isrulesfolderempty == "") { include("head.inc"); -include("fbegin.inc"); +include("./snort_fbegin.inc"); + +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; -echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n -<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n +echo " <table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td>\n"; - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); echo "</td>\n </tr>\n @@ -74,7 +100,7 @@ echo "</td>\n <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td>\n -# The rules directory is empty.\n +# The rules directory is empty. /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules \n </td>\n </tr>\n </table>\n @@ -87,7 +113,7 @@ echo "</td>\n \n <p>\n\n"; -echo "Please click on the Update Rules tab to install your selected rule sets."; +echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; include("fend.inc"); echo "</body>"; @@ -97,66 +123,117 @@ exit(0); } -if($_POST) { + /* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists($d_snortconfdirty_path)) { + + write_config(); + + sync_snort_package_all($id, $if_real, $iface_uuid); + sync_snort_package(); + + unlink($d_snortconfdirty_path); + + } + + } + + if ($_POST["Submit"]) { $enabled_items = ""; $isfirst = true; + if (is_array($_POST['toenable'])) { foreach($_POST['toenable'] as $toenable) { if(!$isfirst) $enabled_items .= "||"; $enabled_items .= "{$toenable}"; $isfirst = false; } - $config['installedpackages']['snort']['rulesets'] = $enabled_items; + }else{ + $enabled_items = $_POST['toenable']; + } + $a_nat[$id]['rulesets'] = $enabled_items; + write_config(); - stop_service("snort"); - create_snort_conf(); - sleep(2); - start_service("snort"); - $savemsg = "The snort ruleset selections have been saved."; + + touch($d_snortconfdirty_path); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + sync_snort_package_all($id, $if_real, $iface_uuid); + header("Location: /snort/snort_rulesets.php?id=$id"); + } -$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; +$enabled_rulesets = $a_nat[$id]['rulesets']; if($enabled_rulesets) $enabled_rulesets_array = split("\|\|", $enabled_rulesets); -$pgtitle = "Snort: Categories"; include("head.inc"); ?> <body link="#000000" vlink="#000000" alink="#000000"> -<?php include("fbegin.inc"); ?> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?php if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> +<?php + +echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; + +?> <?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; + + /* Display message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + if (file_exists($d_snortconfdirty_path)) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + ?> -<form action="snort_rulesets.php" method="post" name="iform" id="iform"> -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> <table width="99%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?> - </td> - </tr> - <tr> - <td> + </td> + </tr> + <tr> + <td> <div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> @@ -168,7 +245,7 @@ if(!$pgtitle_output) <!-- <td class="listhdrr">Description</td> --> </tr> <?php - $dir = "/usr/local/etc/snort/rules/"; + $dir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; $dh = opendir($dir); while (false !== ($filename = readdir($dh))) { $files[] = $filename; @@ -177,7 +254,7 @@ if(!$pgtitle_output) foreach($files as $file) { if(!stristr($file, ".rules")) continue; - echo "<tr>"; + echo "<tr>\n"; echo "<td align=\"center\" valign=\"top\">"; if(is_array($enabled_rulesets_array)) if(in_array($file, $enabled_rulesets_array)) { @@ -187,11 +264,11 @@ if(!$pgtitle_output) } else $CHECKED = ""; - echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />"; - echo "</td>"; - echo "<td>"; - echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/rules/" . urlencode($file) . "'>{$file}</a>"; - echo "</td>"; + echo " \n<input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />\n"; + echo "</td>\n"; + echo "<td>\n"; + echo "<a href='snort_rules.php?id={$id}&openruleset=/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/" . urlencode($file) . "'>{$file}</a>\n"; + echo "</td>\n</tr>\n\n"; //echo "<td>"; //echo "description"; //echo "</td>"; @@ -204,7 +281,7 @@ if(!$pgtitle_output) <tr><td> </td></tr> <tr><td>Check the rulesets that you would like Snort to load at startup.</td></tr> <tr><td> </td></tr> - <tr><td><input value="Save" type="submit" name="save" id="save" /></td></tr> + <tr><td><input value="Save" type="submit" name="Submit" id="Submit" /></td></tr> </table> </div> </td> @@ -227,4 +304,4 @@ if(!$pgtitle_output) } -?>
\ No newline at end of file +?> diff --git a/config/snort/snort_whitelist.xml b/config/snort/snort_whitelist.xml index 42769e4e..d98f83fa 100644 --- a/config/snort/snort_whitelist.xml +++ b/config/snort/snort_whitelist.xml @@ -45,52 +45,40 @@ <description>Describe your package here</description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> - <name>snort-whitelist</name> + <name>snortglobal</name> <version>0.1.0</version> <title>Snort: Whitelist</title> - <include_file>/usr/local/pkg/snort.inc</include_file> + <include_file>/usr/local/pkg/snort/snort.inc</include_file> <!-- Menu is where this packages menu will appear --> <tabs> <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> + <text>Snort Interfaces</text> + <url>/snort/snort_interfaces.php</url> </tab> <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> + <text>Global Settings</text> + <url>/snort/snort_interfaces_global.php</url> </tab> <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> + <text>Rule Updates</text> + <url>/snort/snort_download_rules.php</url> </tab> <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + <text>Alerts</text> + <url>/snort/snort_alerts.php</url> </tab> <tab> <text>Blocked</text> - <url>/snort_blocked.php</url> + <url>/snort/snort_blocked.php</url> </tab> <tab> <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> + <url>/pkg.php?xml=/snort/snort_whitelist.xml</url> <active/> </tab> <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + <text>Help Info</text> + <url>/snort/snort_help_info.php</url> </tab> </tabs> <adddeleteeditpagefields> @@ -124,6 +112,6 @@ <custom_delete_php_command> </custom_delete_php_command> <custom_php_resync_config_command> - create_snort_conf(); + sync_snort_package_empty(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/spamd.inc b/config/spamd/spamd.inc index 8747df29..e6b89051 100644 --- a/config/spamd.inc +++ b/config/spamd/spamd.inc @@ -153,6 +153,7 @@ function sync_package_spamd() { log_error("Restart cron"); mwexec("killall -HUP cron"); log_error("Setting up spamd.conf symlink"); + mwexec("rm -f /usr/local/etc/spamd/spamd.conf"); mwexec("ln -s /etc/spamd.conf /usr/local/etc/spamd/spamd.conf"); log_error("Stopping spamd"); mwexec("/usr/local/etc/rc.d/spamd.sh stop"); @@ -245,7 +246,10 @@ function custom_php_install_command() { system("touch /var/db/whitelist.txt"); system("touch /var/db/blacklist.txt"); sync_package_spamd(); - exec("pw user mod_spamd -u 0"); + conf_mount_rw(); + exec("/usr/sbin/pw usermod _spamd -g proxy -G _spamd,proxy"); + exec("/bin/cp /usr/local/etc/spamd/spamd.conf.sample /usr/local/etc/spamd/spamd.conf"); + conf_mount_ro(); } function custom_php_deinstall_command() { @@ -320,4 +324,4 @@ function spamd_validate_input($post, $input_errors) { } } -?>
\ No newline at end of file +?> diff --git a/config/spamd.xml b/config/spamd/spamd.xml index 5bbc5d71..b03cd737 100644 --- a/config/spamd.xml +++ b/config/spamd/spamd.xml @@ -95,42 +95,42 @@ <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd_rules.php</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd_rules.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd_whitelist.xml</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd_whitelist.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd_outlook.xml</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd_outlook.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd.inc</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd_settings.xml</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd_settings.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd_db.php</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd_db.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd_db_ext.php</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd_db_ext.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/spamd_gather_stats.php</item> + <item>http://www.pfsense.com/packages/config/spamd/spamd_gather_stats.php</item> </additional_files_needed> <!-- fields gets invoked when the user adds or edits a item. the following items diff --git a/config/spamd_db.php b/config/spamd/spamd_db.php index 112fdd71..112fdd71 100644 --- a/config/spamd_db.php +++ b/config/spamd/spamd_db.php diff --git a/config/spamd_db_ext.php b/config/spamd/spamd_db_ext.php index e029f676..e029f676 100644 --- a/config/spamd_db_ext.php +++ b/config/spamd/spamd_db_ext.php diff --git a/config/spamd_exchexp.asp b/config/spamd/spamd_exchexp.asp index 56b0c629..56b0c629 100644 --- a/config/spamd_exchexp.asp +++ b/config/spamd/spamd_exchexp.asp diff --git a/config/spamd_gather_stats.php b/config/spamd/spamd_gather_stats.php index a95e2596..a95e2596 100644 --- a/config/spamd_gather_stats.php +++ b/config/spamd/spamd_gather_stats.php diff --git a/config/spamd_outlook.xml b/config/spamd/spamd_outlook.xml index 5e94701f..5e94701f 100644 --- a/config/spamd_outlook.xml +++ b/config/spamd/spamd_outlook.xml diff --git a/config/spamd_rules.php b/config/spamd/spamd_rules.php index 27ac850a..27ac850a 100644 --- a/config/spamd_rules.php +++ b/config/spamd/spamd_rules.php diff --git a/config/spamd_settings.xml b/config/spamd/spamd_settings.xml index 95c343d1..95c343d1 100644 --- a/config/spamd_settings.xml +++ b/config/spamd/spamd_settings.xml diff --git a/config/spamd_verify_to_address.php b/config/spamd/spamd_verify_to_address.php index 56821370..56821370 100644 --- a/config/spamd_verify_to_address.php +++ b/config/spamd/spamd_verify_to_address.php diff --git a/config/spamd_whitelist.xml b/config/spamd/spamd_whitelist.xml index f7b3f4fe..f7b3f4fe 100644 --- a/config/spamd_whitelist.xml +++ b/config/spamd/spamd_whitelist.xml diff --git a/config/squid-8/proxy_monitor.sh b/config/squid-8/proxy_monitor.sh new file mode 100644 index 00000000..fab2ee54 --- /dev/null +++ b/config/squid-8/proxy_monitor.sh @@ -0,0 +1,72 @@ +#!/bin/sh +# $Id$ */ +# +# proxy_monitor.sh +# Copyright (C) 2006 Scott Ullrich +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +set -e + +LOOP_SLEEP=55 + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi + +# Sleep 5 seconds on startup not to mangle with existing boot scripts. +sleep 5 + +# Squid monitor 1.2 +while [ /bin/true ]; do + if [ ! -f /var/run/squid_alarm ]; then + NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -lt 1 ]; then + # squid is down + echo "Squid has exited. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm + /usr/local/etc/rc.d/squid.sh start + sleep 3 + echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure_sync + touch /var/run/squid_alarm + fi + fi + NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/squid_alarm ]; then + echo "Squid has resumed. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure_sync + rm /var/run/squid_alarm + fi + fi + sleep $LOOP_SLEEP +done + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi + diff --git a/config/squid-8/squid.inc b/config/squid-8/squid.inc new file mode 100644 index 00000000..1f264a64 --- /dev/null +++ b/config/squid-8/squid.inc @@ -0,0 +1,1319 @@ +<?php +/* $Id$ */ +/* + squid.inc + Copyright (C) 2006-2009 Scott Ullrich + Copyright (C) 2006 Fernando Lemos + Copyright (C) 2008 Martin Fuchs + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once('globals.inc'); +require_once('config.inc'); +require_once('util.inc'); +require_once('pfsense-utils.inc'); +require_once('pkg-utils.inc'); +require_once('service-utils.inc'); + +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +define('SQUID_CONFBASE', '/usr/local/etc/squid'); +define('SQUID_ACLDIR', '/var/squid/acl'); +define('SQUID_PASSWD', '/var/etc/squid.passwd'); + +$valid_acls = array(); + +function squid_get_real_interface_address($iface) { + global $config; + + $iface = convert_friendly_interface_to_real_interface_name($iface); + $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + + return array($ip, long2ip(hexdec($netmask))); +} + +function squid_chown_recursive($dir, $user, $group) { + chown($dir, $user); + chgrp($dir, $group); + $handle = opendir($dir) ; + while (($item = readdir($handle)) !== false) { + if (($item != ".") && ($item != "..")) { + $path = "$dir/$item"; + if (is_dir($path)) + squid_chown_recursive($path, $user, $group); + else { + chown($path, $user); + chgrp($path, $group); + } + } + } +} + +/* setup cache */ +function squid_dash_z() { + global $config; + $settings = $config['installedpackages']['squidcache']['config'][0]; + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + + if(!is_dir($cachedir.'/')) { + log_error("Creating Squid cache dir $cachedir"); + make_dirs($cachedir); + squid_chown_recursive($cachedir, 'proxy', 'proxy'); + } + + if(!is_dir($cachedir.'/00/')) { + log_error("Creating squid cache subdirs in $cachedir"); + mwexec("/usr/local/sbin/squid -k shutdown"); + sleep(5); + mwexec("/usr/local/sbin/squid -k kill"); + mwexec("/usr/local/sbin/squid -z"); + } + + if(file_exists("/var/squid/cache/swap.state")) + exec("chmod a+rw /var/squid/cache/swap.state"); + +} + +function squid_is_valid_acl($acl) { + global $valid_acls; + if(!is_array($valid_acls)) + return; + return in_array($acl, $valid_acls); +} + +function squid_install_command() { + global $config; + /* migrate existing csv config fields */ + $settingsauth = $config['installedpackages']['squidauth']['config'][0]; + $settingscache = $config['installedpackages']['squidcache']['config'][0]; + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + + /* migrate auth settings */ + if (!empty($settingsauth['no_auth_hosts'])) { + if(strstr($settingsauth['no_auth_hosts'], ",")) { + $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); + $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; + } + } + + /* migrate cache settings */ + if (!empty($settingscache['donotcache'])) { + if(strstr($settingscache['donotcache'], ",")) { + $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); + $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; + } + } + + /* migrate nac settings */ + if(! empty($settingsnac['allowed_subnets'])) { + if(strstr($settingsnac['allowed_subnets'], ",")) { + $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); + $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; + } + } + + if(! empty($settingsnac['banned_hosts'])) { + if(strstr($settingsnac['banned_hosts'], ",")) { + $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; + } + } + + if(! empty($settingsnac['banned_macs'])) { + if(strstr($settingsnac['banned_macs'], ",")) { + $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); + $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; + } + } + + if(! empty($settingsnac['unrestricted_hosts'])) { + if(strstr($settingsnac['unrestricted_hosts'], ",")) { + $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; + } + } + + if(! empty($settingsnac['unrestricted_macs'])) { + if(strstr($settingsnac['unrestricted_macs'], ",")) { + $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; + } + } + + if(! empty($settingsnac['whitelist'])) { + if(strstr($settingsnac['whitelist'], ",")) { + $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); + $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; + } + } + + if(! empty($settingsnac['blacklist'])) { + if(strstr($settingsnac['blacklist'], ",")) { + $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); + $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; + } + } + + update_status("Writing configuration... One moment please..."); + + write_config(); + + /* create cache */ + update_status("Creating squid cache pools... One moment please..."); + squid_dash_z(); + /* make sure pinger is executable */ + if(file_exists("/usr/local/libexec/squid/pinger")) + exec("/bin/chmod a+x /usr/local/libexec/squid/pinger"); + if(file_exists("/usr/local/etc/rc.d/squid")) + exec("/bin/rm /usr/local/etc/rc.d/squid"); + $rc = array(); + $rc['file'] = 'squid.sh'; + $rc['start'] = <<<EOD +if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then + /usr/local/sbin/squid -D +fi + +EOD; + $rc['stop'] = <<<EOD +/usr/local/sbin/squid -k shutdown +# Just to be sure... +sleep 5 +killall -9 squid 2>/dev/null +killall pinger 2>/dev/null + +EOD; + $rc['restart'] = <<<EOD +if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then + /usr/local/sbin/squid -D + else + /usr/local/sbin/squid -k reconfigure + fi + +EOD; + update_status("Writing rc.d files... One moment please..."); + write_rcfile($rc); + + exec("chmod a+rx /usr/local/libexec/squid/dnsserver"); + + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + ) as $dir) { + make_dirs($dir); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } + + /* kill any running proxy alarm scripts */ + update_status("Checking for running processes... One moment please..."); + log_error("Stopping any running proxy monitors"); + mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + sleep(1); + + if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default')) + copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf'); + + update_status("Checking cache... One moment please..."); + squid_dash_z(); + + if (!is_service_running('squid')) { + update_status("Starting... One moment please..."); + log_error("Starting Squid"); + mwexec_bg("/usr/local/sbin/squid -D"); + } else { + update_status("Reloading Squid for configuration sync... One moment please..."); + log_error("Reloading Squid for configuration sync"); + mwexec("/usr/local/sbin/squid -k reconfigure"); + } + + /* restart proxy alarm scripts */ + log_error("Starting a proxy monitor script"); + mwexec_bg("/usr/local/etc/rc.d/proxy_monitor.sh"); + + update_status("Reconfiguring filter... One moment please..."); + filter_configure(); +} + +function squid_deinstall_command() { + global $config, $g; + $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; + squid_install_cron(false); + $settings = &$config['installedpackages']['squidcache']['config'][0]; + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/log'); + update_status("Removing swap.state ... One moment please..."); + update_output_window("$plswait_txt"); + mwexec('rm -rf $cachedir/swap.state'); + mwexec('rm -rf $logdir'); + update_status("Finishing package cleanup."); + mwexec('rm -f /usr/local/etc/rc.d/proxy_monitor.sh'); + mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + update_status("Reloading filter..."); + filter_configure_sync(); +} + +function squid_before_form_general($pkg) { + $values = get_dir(SQUID_CONFBASE . '/errors/'); + // Get rid of '..' and '.' + array_shift($values); + array_shift($values); + $name = array(); + foreach ($values as $value) + $names[] = implode(" ", explode("_", $value)); + + $i = 0; + foreach ($pkg['fields']['field'] as $field) { + if ($field['fieldname'] == 'error_language') + break; + $i++; + } + $field = &$pkg['fields']['field'][$i]; + + for ($i = 0; $i < count($values) - 1; $i++) + $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); +} + +function squid_validate_general($post, $input_errors) { + global $config; + $settings = $config['installedpackages']['squid']['config'][0]; + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $port = $post['proxy_port'] ? $post['proxy_port'] : $port; + + $icp_port = trim($post['icp_port']); + if (!empty($icp_port) && !is_port($icp_port)) + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; + + if (substr($post['log_dir'], -1, 1) == '/') + $input_errors[] = 'You may not end log location with an / mark'; + + if ($post['log_dir']{0} != '/') + $input_errors[] = 'You must start log location with a / mark'; + if (strlen($post['log_dir']) <= 3) + $input_errors[] = "That is not a valid log location dir"; + + $log_rotate = trim($post['log_rotate']); + if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; + + $webgui_port = $config['system']['webgui']['port']; + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { + $webgui_port = 80; + } + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { + $webgui_port = 443; + } + + if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { + $input_errors[] = "You can not run squid on the same port as the webgui"; + } + + if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy_off'] == 'on')) { + $input_errors[] = "You can not bypass traffic to private subnets without using the transparent proxy."; + } + + if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) { + $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy."; + } + + foreach (array('defined_ip_proxy_off') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host)) + $input_errors[] = "The entry '$host' is not a valid IP address"; + } + } + + if(!empty($post['dns_nameservers'])) { + $altdns = explode(";", ($post['dns_nameservers'])); + foreach ($altdns as $dnssrv) { + if (!is_ipaddr($dnssrv)) + $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + }} +} + +function squid_validate_upstream($post, $input_errors) { + if ($post['proxy_forwarding'] == 'on') { + $addr = trim($post['proxy_addr']); + if (empty($addr)) + $input_errors[] = 'The field \'Hostname\' is required'; + else { + if (!is_ipaddr($addr) && !is_domain($addr)) + $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + } + + foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { + $port = trim($post[$field]); + if (empty($port)) + $input_errors[] = "The field '$name' is required"; + else { + if (!is_port($port)) + $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + } + } + } +} + +function squid_validate_cache($post, $input_errors) { + $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "You must enter a valid value for '$field'"; + } + + $value = trim($post['minimum_object_size']); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + + if (!empty($post['cache_swap_low'])) { + $value = trim($post['cache_swap_low']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + } + + if (!empty($post['cache_swap_high'])) { + $value = trim($post['cache_swap_high']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + } + + if ($post['donotcache'] != "") { + foreach (split("\n", $post['donotcache']) as $host) { + $host = trim($host); + if (!is_ipaddr($host) && !is_domain($host)) + $input_errors[] = "The host '$host' is not a valid IP or host name"; + } + } + + squid_dash_z(); + +} + +function squid_validate_nac($post, $input_errors) { + $allowed_subnets = explode("\n", $post['allowed_subnets']); + foreach ($allowed_subnets as $subnet) { + $subnet = trim($subnet); + if (!empty($subnet) && !is_subnet($subnet)) + $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; + } + + foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { + foreach (explode("\n", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host)) + $input_errors[] = "The host '$host' is not a valid IP address"; + } + } + + foreach (array('unrestricted_macs', 'banned_macs') as $macs) { + foreach (explode("\n", $post[$macs]) as $mac) { + $mac = trim($mac); + if (!empty($mac) && !is_macaddr($mac)) + $input_errors[] = "The mac '$mac' is not a valid MAC address"; + } + } + + foreach (explode(",", $post['timelist']) as $time) { + $time = trim($time); + if (!empty($time) && !squid_is_timerange($time)) + $input_errors[] = "The time range '$time' is not a valid time range"; + } + + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + }} +} + +function squid_validate_traffic($post, $input_errors) { + $num_fields = array( 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host bandwidth throttling', + 'overall_throttling' => 'Overall bandwidth throttling', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "The field '$name' must contain a positive number"; + } + + if (!empty($post['quick_abort_min'])) { + $value = trim($post['quick_abort_min']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_max'])) { + $value = trim($post['quick_abort_max']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_pct'])) { + $value = trim($post['quick_abort_pct']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; + } + +} + +function squid_validate_auth($post, $input_errors) { + $num_fields = array( array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), + ); + foreach ($num_fields as $field) { + $value = trim($post[$field[0]]); + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) + $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + } + + $auth_method = $post['auth_method']; + if (($auth_method != 'none') && ($auth_method != 'local')) { + $server = trim($post['auth_server']); + if (empty($server)) + $input_errors[] = 'The field \'Authentication server\' is required'; + else if (!is_ipaddr($server) && !is_domain($server)) + $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + + $port = trim($post['auth_server_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + + switch ($auth_method) { + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!$user) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + break; + } + + $no_auth = explode("\n", $post['no_auth_hosts']); + foreach ($no_auth as $host) { + $host = trim($host); + if (!empty($host) && !is_subnet($host)) + $input_errors[] = "The host '$host' is not a valid CIDR range"; + } + } +} + +function squid_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['command'], "/usr/local/sbin/squid")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "0"; + $cron_item['hour'] = "0"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/sbin/squid -k rotate"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config("Squid Log Rotation"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config(); + } + configure_cron(); + } + break; + } +} + +function squid_resync_general() { + global $g, $config, $valid_acls; + + $settings = $config['installedpackages']['squid']['config'][0]; + $conf = "# This file is automatically generated by pfSense\n"; + $conf = "# Do not edit manually !\n"; + + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); + $real_ifaces = array(); + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; + } + } + if (($settings['transparent_proxy'] == 'on')) { + $conf .= "http_port 127.0.0.1:80 transparent\n"; + } + $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); + + $pidfile = "{$g['varrun_path']}/squid.pid"; + $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); + $errordir = SQUID_CONFBASE . '/errors/' . $language; + $icondir = SQUID_CONFBASE . '/icons'; + $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); + $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); + + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/log'); + + $logdir_cache = $logdir . '/cache.log'; + $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); + + $conf .= <<<EOD +icp_port $icp_port + +pid_filename $pidfile +cache_effective_user proxy +cache_effective_group proxy +error_directory $errordir +icon_directory $icondir +visible_hostname $hostname +cache_mgr $email +access_log $logdir_access +cache_log $logdir_cache +cache_store_log none + +EOD; + + if (!empty($settings['log_rotate'])) { + $conf .= "logfile_rotate {$settings['log_rotate']}\n"; + squid_install_cron(true); + } + else { + squid_install_cron(false); + } + + $conf .= <<<EOD +shutdown_lifetime 3 seconds + +EOD; + + if ($settings['allow_interface'] == 'on') { + $src = ''; + foreach ($real_ifaces as $iface) { + list($ip, $mask) = $iface; + $ip = long2ip(ip2long($ip) & ip2long($mask)); + $src .= " $ip/$mask"; + } + $conf .= "# Allow local network(s) on interface(s)\n"; + $conf .= "acl localnet src $src\n"; + $valid_acls[] = 'localnet'; + } + if ($settings['disable_xforward']) $conf .= "forwarded_for off\n"; + if ($settings['disable_via']) $conf .= "via off\n"; + if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n"; + if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; + else $conf .= "uri_whitespace strip\n"; //only used for first run + + if(!empty($settings['dns_nameservers'])) { + $altdns = explode(";", ($settings['dns_nameservers'])); + $conf .= "dns_nameservers "; + foreach ($altdns as $dnssrv) { + $conf .= $dnssrv." "; + } +// $conf .= "\n"; //Kill blank line after DNS-Servers + } + + return $conf; +} + + +function squid_resync_cache() { + global $config; + + $settings = $config['installedpackages']['squidcache']['config'][0]; + + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); + $disk_cache_system = ($settings['harddisk_cache_system'] ? $settings['harddisk_cache_system'] : 'aufs'); + $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16); + $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8); + $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] : 10); + $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0); + $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA'); + $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF'); + $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); + + $conf = <<<EOD +cache_mem $memory_cache_size MB +maximum_object_size_in_memory 32 KB +memory_replacement_policy $memory_policy +cache_replacement_policy $cache_policy +cache_dir $disk_cache_system $cachedir $disk_cache_size $level1 256 +minimum_object_size $min_objsize KB +maximum_object_size $max_objsize KB +offline_mode $offline_mode + +EOD; + + if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; + if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; + + $donotcache = base64_decode($settings['donotcache']); + if (!empty($donotcache)) { + file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); + $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; + $conf .= 'cache deny donotcache'; + } + elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { + unlink(SQUID_ACLDIR . '/donotcache.acl'); + } + + return $conf; +} + +function squid_resync_upstream() { + global $config; + $settings = $config['installedpackages']['squidupstream']['config'][0]; + + $conf = ''; + if ($settings['proxy_forwarding'] == 'on') { + $conf .= "cache_peer {$settings['proxy_addr']} parent {$settings['proxy_port']} "; + if ($settings['icp_port'] == '7') + $conf .= "{$settings['icp_port']} no-query"; + else + $conf .= "{$settings['icp_port']}"; + + if (!empty($settings['username'])) + $conf .= " login={$settings['username']}"; + if (!empty($settings['password'])) + $conf .= ":{$settings['password']}"; + } + + return $conf; +} + +function squid_resync_redirector() { + global $config; + + $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); + if ($httpav_enabled) { + $conf = "url_rewrite_program /usr/local/bin/squirm\n"; + } else { + $conf = "# No redirector configured\n"; + } + return $conf; +} + +function squid_resync_nac() { + global $config, $valid_acls; + + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $settings = $config['installedpackages']['squidnac']['config'][0]; + $webgui_port = $config['system']['webgui']['port']; + + $conf = <<<EOD + +# Setup some default acls +acl all src 0.0.0.0/0.0.0.0 +acl localhost src 127.0.0.1/255.255.255.255 +acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port 1025-65535 +acl sslports port 443 563 $webgui_port +acl manager proto cache_object +acl purge method PURGE +acl connect method CONNECT +acl dynamic urlpath_regex cgi-bin \? + +EOD; + + $allowed_subnets = explode("\n", base64_decode($settings['allowed_subnets'])); + $allowed = ""; + foreach ($allowed_subnets as $subnet) { + if(!empty($subnet)) { + $subnet = trim($subnet); + $allowed .= "$subnet "; + } + } + if (!empty($allowed)) { + $conf .= "acl allowed_subnets src $allowed\n"; + $valid_acls[] = 'allowed_subnets'; + } + + $options = array( 'unrestricted_hosts' => 'src', + 'banned_hosts' => 'src', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', + ); + foreach ($options as $option => $directive) { + $contents = base64_decode($settings[$option]); + if (!empty($contents)) { + file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); + $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; + $valid_acls[] = $option; + } + elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { + unlink(SQUID_ACLDIR . "/$option.acl"); + } + } + + $conf .= <<<EOD +cache deny dynamic +http_access allow manager localhost + +EOD; + + if(!empty($settings['ext_cachemanager'])) { + $extmgr = explode(";", ($settings['ext_cachemanager'])); + $count = 1; + $conf .= "\n# Allow external cache managers\n"; +// $conf .= "acl ext_manager src ".$settings['ext_cachemanager']."\n"; + foreach ($extmgr as $mgr) { + $conf .= "acl ext_manager_".$count." src "; + $conf .= $mgr." "; + $conf .= "\n"; + $conf .= "http_access allow manager ext_manager_".$count."\n"; + $count += 1; + }} + + $conf .= <<<EOD + +http_access deny manager +http_access allow purge localhost +http_access deny purge +http_access deny !safeports +http_access deny CONNECT !sslports + +# Always allow localhost connections +http_access allow localhost + +EOD; + + return $conf; +} + +function squid_resync_traffic() { + global $config, $valid_acls; + if(!is_array($valid_acls)) + return; + $settings = $config['installedpackages']['squidtraffic']['config'][0]; + $conf = ''; + + if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n"; + if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n"; + if (!empty($settings['quick_abort_pct'])) $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n"; + + $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0); + $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0); + $conf .= "request_body_max_size $up_limit KB\n"; + $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " allow all\n"; + + // Only apply throttling past 10MB + // XXX: Should this really be hardcoded? + $threshold = 10 * 1024 * 1024; + $overall = $settings['overall_throttling']; + if (!isset($overall) || ($overall == 0)) + $overall = -1; + else + $overall *= 1024; + $perhost = $settings['perhost_throttling']; + if (!isset($perhost) || ($perhost == 0)) + $perhost = -1; + else + $perhost *= 1024; + $conf .= <<<EOD +delay_pools 1 +delay_class 1 2 +delay_parameters 1 $overall/$overall $perhost/$perhost +delay_initial_bucket_level 100 + +EOD; + + if(! empty($settings['unrestricted_hosts'])) { + foreach (array('unrestricted_hosts') as $item) { + if (in_array($item, $valid_acls)) + $conf .= "# Do not throttle unrestricted hosts\n"; + $conf .= "delay_access 1 deny $item\n"; + } + } + + if ($settings['throttle_specific'] == 'on') { + $exts = array(); + $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com'; + $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi'; + $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m'; + foreach (array( 'throttle_binaries' => $binaries, + 'throttle_cdimages' => $cdimages, + 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') + $exts = array_merge($exts, explode(",", $set)); + } + + foreach (explode(",", $settings['throttle_others']) as $ext) { + if (!empty($ext)) $exts[] = $ext; + } + + $contents = ''; + foreach ($exts as $ext) + $contents .= "\.$ext\$\n"; + file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); + + $conf .= "# Throttle extensions matched in the url\n"; + $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; + $conf .= "delay_access 1 allow throttle_exts\n"; + $conf .= "delay_access 1 deny all\n"; + } + else + $conf .= "delay_access 1 allow all\n"; + + return $conf; +} + +function squid_resync_auth() { + global $config, $valid_acls; + + $settings = $config['installedpackages']['squidauth']['config'][0]; + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + $settingsconfig = $config['installedpackages']['squid']['config'][0]; + $conf = ''; + + // Deny the banned guys before allowing the good guys + if(! empty($settingsnac['banned_hosts'])) { + if (squid_is_valid_acl('banned_hosts')) { + $conf .= "# These hosts are banned\n"; + $conf .= "http_access deny banned_hosts\n"; + } + } + if(! empty($settingsnac['banned_macs'])) { + if (squid_is_valid_acl('banned_macs')) { + $conf .= "# These macs are banned\n"; + $conf .= "http_access deny banned_macs\n"; + } + } + + // Unrestricted hosts take precendence over blacklist + if(! empty($settingsnac['unrestricted_hosts'])) { + if (squid_is_valid_acl('unrestricted_hosts')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_hosts\n"; + } + } + if(! empty($settingsnac['unrestricted_macs'])) { + if (squid_is_valid_acl('unrestricted_macs')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_macs\n"; + } + } + + // Whitelist and blacklist also take precendence over other allow rules + if(! empty($settingsnac['whitelist'])) { + if (squid_is_valid_acl('whitelist')) { + $conf .= "# Always allow access to whitelist domains\n"; + $conf .= "http_access allow whitelist\n"; + } + } + if(! empty($settingsnac['blacklist'])) { + if (squid_is_valid_acl('blacklist')) { + $conf .= "# Block access to blacklist domains\n"; + $conf .= "http_access deny blacklist\n"; + } + } + + $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); + $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + // Allow the remaining ACLs if no authentication is set + if ($auth_method == 'none') { + if ($settingsconfig['allow_interface'] == 'on') { + $conf .= "# Allow local network(s) on interface(s)\n"; + $allowed = array('localnet', 'allowed_subnets'); + $allowed = array_filter($allowed, 'squid_is_valid_acl'); + foreach ($allowed as $acl) + $conf .= "http_access allow $acl\n"; + } + } + else { + $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); + if (!empty($noauth)) { + $conf .= "acl noauth src $noauth\n"; + $valid_acls[] = 'noauth'; + } + + // Set up the external authentication programs + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); + $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); + switch ($auth_method) { + case 'local': + $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_port']) ? ":{$settings['auth_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u uid -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'msnt': + $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; + break; + } + $conf .= <<<EOD +auth_param basic children $processes +auth_param basic realm $prompt +auth_param basic credentialsttl $auth_ttl minutes +acl password proxy_auth REQUIRED + +EOD; + + // Onto the ACLs + $password = array('localnet', 'allowed_subnets'); + $passwordless = array('unrestricted_hosts'); + if ($settings['unrestricted_auth'] == 'on') { + // Even the unrestricted hosts should authenticate + $password = array_merge($password, $passwordless); + $passwordless = array(); + } + $passwordless[] = 'noauth'; + $password = array_filter($password, 'squid_is_valid_acl'); + $passwordless = array_filter($passwordless, 'squid_is_valid_acl'); + + // Allow the ACLs that don't need to authenticate + foreach ($passwordless as $acl) + $conf .= "http_access allow $acl\n"; + + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + } + + if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) { + $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options'])); + $conf .= "# Custom options\n"; + foreach ($custopts as $custopt) { + $conf .= $custopt."\n"; + } + } + + $conf .= "# Default block all to be sure\n"; + $conf .= "http_access deny all\n"; + + return $conf; +} + +function squid_resync_users() { + global $config; + + $users = $config['installedpackages']['squidusers']['config']; + $contents = ''; + if (is_array($users)) { + foreach ($users as $user) + $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n"; + } + file_put_contents(SQUID_PASSWD, $contents); + chown(SQUID_PASSWD, 'proxy'); + chmod(SQUID_PASSWD, 0600); +} + +function squid_resync() { + global $config; + conf_mount_rw(); + $conf = squid_resync_general() . "\n"; + $conf .= squid_resync_cache() . "\n"; + $conf .= squid_resync_redirector() . "\n"; + $conf .= squid_resync_upstream() . "\n"; + $conf .= squid_resync_nac() . "\n"; + $conf .= squid_resync_traffic() . "\n"; + $conf .= squid_resync_auth(); + squid_resync_users(); + + /* make sure pinger is executable */ + if(file_exists("/usr/local/libexec/squid/pinger")) + exec("chmod a+x /usr/local/libexec/squid/pinger"); + + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + ) as $dir) { + make_dirs($dir); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } + + file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf); + + $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; + + if(!is_dir($log_dir)) { + log_error("Creating squid log dir $log_dir"); + make_dirs($log_dir); + squid_chown_recursive($log_dir, 'proxy', 'proxy'); + } + + squid_dash_z(); + + if (!is_service_running('squid')) { + log_error("Starting Squid"); + mwexec_bg("/usr/local/sbin/squid -D"); + } else { + log_error("Reloading Squid for configuration sync"); + mwexec("/usr/local/sbin/squid -k reconfigure"); + } + + filter_configure(); + conf_mount_ro(); +} + +function squid_print_javascript_auth() { + global $config; + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + + // No authentication for transparent proxy + if ($transparent_proxy) { + $javascript = <<<EOD +<script language="JavaScript"> +<!-- +function on_auth_method_changed() { + document.iform.auth_method.disabled = 1; + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_password.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 1; + document.iform.auth_ttl.disabled = 1; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; +} +--> +</script> + +EOD; + } + else { + $javascript = <<<EOD +<script language="JavaScript"> +<!-- +function on_auth_method_changed() { + var field = document.iform.auth_method; + var auth_method = field.options[field.selectedIndex].value; + + if (auth_method == 'none') { + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_password.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 1; + document.iform.auth_ttl.disabled = 1; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + } + else { + document.iform.auth_prompt.disabled = 0; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 0; + document.iform.no_auth_hosts.disabled = 0; + } + + switch (auth_method) { + case 'local': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_password.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + break; + case 'ldap': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 0; + document.iform.ldap_password.disabled = 0; + document.iform.ldap_version.disabled = 0; + document.iform.ldap_filter.disabled = 0; + document.iform.ldap_basedomain.disabled = 0; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + break; + case 'radius': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_password.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 0; + document.iform.msnt_secondary.disabled = 1; + break; + case 'msnt': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_password.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 0; + break; + } +} +--> +</script> + +EOD; + } + + print($javascript); +} + +function squid_print_javascript_auth2() { + print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n"); +} + +function squid_generate_rules($type) { + global $config; + + $squid_conf = $config['installedpackages']['squid']['config'][0]; + if (!is_service_running('squid')) { + log_error("SQUID is installed but not started. Not installing redirect rules."); + return; + } + + if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { + return; + } + + $ifaces = explode(",", $squid_conf['active_interface']); + $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); + $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); + + $fw_aliases = filter_generate_aliases(); + if(strstr($fw_aliases, "pptp =")) + $PPTP_ALIAS = "\$pptp"; + else + $PPTP_ALIAS = "\$PPTP"; + if(strstr($fw_aliases, "PPPoE =")) + $PPPOE_ALIAS = "\$PPPoE"; + else + $PPPOE_ALIAS = "\$pppoe"; + + switch($type) { + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if(!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + $exempt_ip .= ", $ip_proxy_off"; + } + } + $exempt_ip = substr($exempt_ip,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n"; + } + } + foreach ($ifaces as $iface) { + $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n"; + } + /* Handle PPPOE case */ + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($ifaces as $iface) { + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n"; + $rules .= "\n"; + }; + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + break; + default: + break; + } + + return $rules; +} + +?> diff --git a/config/squid-8/squid.xml b/config/squid-8/squid.xml new file mode 100644 index 00000000..f79cc8d2 --- /dev/null +++ b/config/squid-8/squid.xml @@ -0,0 +1,334 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squid</name> + <version>2.6.STABLE18</version> + <title>Proxy server: General settings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <menu> + <name>Proxy server</name> + <tooltiptext>Modify the proxy server's settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </menu> + <service> + <name>squid</name> + <rcfile>squid.sh</rcfile> + <executable>squid</executable> + <description>Proxy server Service</description> + </service> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <!-- Installation --> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_cache.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_nac.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_ng.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_traffic.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_upstream.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_auth.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_users.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/etc/rc.d/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/proxy_monitor.sh</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-8/squid_cache.xml</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Proxy interface</fielddescr> + <fieldname>active_interface</fieldname> + <description>The interface(s) the proxy server will bind to.</description> + <type>interfaces_selection</type> + <required/> + <default_value>lan</default_value> + <multiple/> + </field> + <field> + <fielddescr>Allow users on interface</fielddescr> + <fieldname>allow_interface</fieldname> + <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description> + <type>checkbox</type> + <required/> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Transparent proxy</fielddescr> + <fieldname>transparent_proxy</fieldname> + <description>If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>Bypass proxy for Private Address Space (RFC 1918) destination</fielddescr> + <fieldname>private_subnet_proxy_off</fieldname> + <description>Do not forward traffic to Private Address Space (RFC 1918) <b>destination</b> through the proxy server but directly through the firewall.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Bypass proxy for these source IPs</fielddescr> + <fieldname>defined_ip_proxy_off</fieldname> + <description>Do not forward traffic from these <b>source</b> IPs through the proxy server but directly through the firewall. Separate by semi-colons (;).</description> + <type>input</type> + <size>80</size> + </field> + <field> + <fielddescr>Enabled logging</fielddescr> + <fieldname>log_enabled</fieldname> + <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description> + <type>checkbox</type> + <enablefields>log_query_terms,log_user_agents</enablefields> + </field> + <field> + <fielddescr>Log store directory</fielddescr> + <fieldname>log_dir</fieldname> + <description>The directory where the log will be stored (note: do not end with a / mark)</description> + <type>input</type> + <size>60</size> + <required/> + <default_value>/var/squid/log</default_value> + </field> + <field> + <fielddescr>Log rotate</fielddescr> + <fieldname>log_rotate</fieldname> + <description>Defines how many days of logfiles will be kept. Rotation is disabled if left empty.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Proxy port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the proxy server will listen on.</description> + <type>input</type> + <size>5</size> + <required/> + <default_value>3128</default_value> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Visible hostname</fielddescr> + <fieldname>visible_hostname</fieldname> + <description>This is the URL to be displayed in proxy server error messages.</description> + <type>input</type> + <size>60</size> + <default_value>localhost</default_value> + </field> + <field> + <fielddescr>Administrator email</fielddescr> + <fieldname>admin_email</fieldname> + <description>This is the email address displayed in error messages to the users.</description> + <type>input</type> + <size>60</size> + <default_value>admin@localhost</default_value> + </field> + <field> + <fielddescr>Language</fielddescr> + <fieldname>error_language</fieldname> + <description>Select the language in which the proxy server will display error messages to users.</description> + <type>select</type> + <default_value>English</default_value> + </field> + <field> + <fielddescr>Disable X-Forward</fielddescr> + <fieldname>disable_xforward</fieldname> + <description>If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable VIA</fielddescr> + <fieldname>disable_via</fieldname> + <description>If not set, Squid will include a Via header in requests and replies as required by RFC2616.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>What to do with requests that have whitespace characters in the URI</fielddescr> + <fieldname>uri_whitespace</fieldname> + <description><b> strip:</b> The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. <p> <b> deny:</b> The request is denied. The user receives an "Invalid Request" message.<p> <b> allow:</b> The request is allowed and the URI is not changed. The whitespace characters remain in the URI.<p> <b> encode:</b> The request is allowed and the whitespace characters are encoded according to RFC1738.<p> <b> chop:</b> The request is allowed and the URI is chopped at the first whitespace.</description> + <type>select</type> + <default_value>strip</default_value> + <options> + <option> + <name>strip</name> + <value>strip</value> + </option> + <option> + <name>deny</name> + <value>deny</value> + </option> + <option> + <name>allow</name> + <value>allow</value> + </option> + <option> + <name>encode</name> + <value>encode</value> + </option> + <option> + <name>chop</name> + <value>chop</value> + </option> + </options> + </field> + <field> + <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> + <fieldname>dns_nameservers</fieldname> + <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Suppress Squid Version</fielddescr> + <fieldname>disable_squidversion</fieldname> + <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom_options</fieldname> + <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the configuration. They need to be squid.conf native options, otherwise squid will NOT work.</description> + <type>textarea</type> + <cols>65</cols> + <rows>5</rows> + </field> + </fields> + <custom_php_command_before_form> + squid_before_form_general(&$pkg); + </custom_php_command_before_form> + <custom_add_php_command> + squid_resync(); + </custom_add_php_command> + <custom_php_validation_command> + squid_validate_general($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + </custom_php_resync_config_command> + <custom_php_install_command> + update_status("Checking Squid cache... One moment please..."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + squid_install_command(); + squid_resync(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + </custom_php_install_command> + <custom_php_deinstall_command> + squid_deinstall_command(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); + </custom_php_deinstall_command> + <filter_rules_needed>squid_generate_rules</filter_rules_needed> +</packagegui> diff --git a/config/squid-8/squid_auth.inc b/config/squid-8/squid_auth.inc new file mode 100644 index 00000000..7c99a01b --- /dev/null +++ b/config/squid-8/squid_auth.inc @@ -0,0 +1,446 @@ +<?php +/* $Id$ */ + +/* + squid_auth.inc + part of pfSense (www.pfSense.com) + + Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +function global_eval_auth_options() +{ + global $config; + conf_mount_rw(); + config_lock(); + + switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) { + case "none": + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + case "local_auth": + dynamic_auth_content("pkg"); + /* create empty passwd file to prevent stat error with squid reload */ + touch ("/usr/local/etc/squid/advanced/ncsa/passwd"); + dynamic_local_auth(); + break; + case "ldap_bind": + dynamic_auth_content("pkg_edit"); + dynamic_ldap_auth(); + break; + case "domain_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_domain_auth(); + break; + case "radius_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_radius_auth(); + break; + default: + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + } + + config_unlock(); + conf_mount_ro(); + +} /* end function global_eval_auth_options */ + +function dynamic_no_auth() { + global $config; + conf_mount_rw(); + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextnoauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n"); + fwrite($fout, " <fieldname>no_auth</fieldname>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_local_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextlocalauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); + fwrite($fout, " <version>2.5.10_4</version>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <files></files>\n"); + fwrite($fout, " <menu></menu>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <adddeleteeditpagefields>\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Description</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, " </adddeleteeditpagefields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>15</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Password</fielddescr>\n"); + fwrite($fout, " <fieldname>password</fieldname>\n"); + fwrite($fout, " <type>password</type>\n"); + fwrite($fout, " <size>8</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>30</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " <type>select</type>\n"); + fwrite($fout, " <options>\n"); + fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n"); + fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n"); + fwrite($fout, " </options>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_ldap_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); + fwrite($fout, "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextldapauth</name>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); + fwrite($fout, " <version>2.5.11</version>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <files></files>\n"); + fwrite($fout, " <menu></menu>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Base DN</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n"); + fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>50</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_server</fieldname>\n"); + fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>20</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_type</fieldname>\n"); + fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n"); + fwrite($fout, " <type>select</type>\n"); + fwrite($fout, " <options>\n"); + fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n"); + fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n"); + fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n"); + fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n"); + fwrite($fout, " </options>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n"); + fwrite($fout, " <fieldname>ldap_port</fieldname>\n"); + fwrite($fout, " <description>This is the port that LDAP bind will attempt on. The default is \"389\".</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>5</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n"); + fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n"); + fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>30</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n"); + fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n"); + fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n"); + fwrite($fout, " <type>password</type>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ +function dynamic_auth_content($pkgvar) { + + switch ($pkgvar) { + case "pkg": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file, "w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + + case "pkg_edit": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file,"w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + } + +} /* end function dynamic_auth_content */ +?>
\ No newline at end of file diff --git a/config/squid-8/squid_auth.xml b/config/squid-8/squid_auth.xml new file mode 100644 index 00000000..33317d4a --- /dev/null +++ b/config/squid-8/squid_auth.xml @@ -0,0 +1,225 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidauth</name> + <version>none</version> + <title>Proxy server: Authentication</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Authentication method</fielddescr> + <fieldname>auth_method</fieldname> + <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description> + <type>select</type> + <required/> + <default_value>none</default_value> + <options> + <option><name>None</name><value>none</value></option> + <option><name>Local</name><value>local</value></option> + <option><name>LDAP</name><value>ldap</value></option> + <option><name>RADIUS</name><value>radius</value></option> + <option><name>NT domain</name><value>msnt</value></option> + </options> + <onchange>on_auth_method_changed()</onchange> + </field> + <field> + <fielddescr>LDAP version</fielddescr> + <fieldname>ldap_version</fieldname> + <description>Enter LDAP protocol version (2 or 3).</description> + <type>select</type> + <default_value>2</default_value> + <options> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> + </options> + </field> + <field> + <fielddescr>Authentication server</fielddescr> + <fieldname>auth_server</fieldname> + <description>Enter here the IP or hostname of the server that will perform the authentication.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Authentication server port</fielddescr> + <fieldname>auth_server_port</fieldname> + <description>Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP server user DN</fielddescr> + <fieldname>ldap_user</fieldname> + <description>Enter here the user DN to use to connect to the LDAP server.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP password</fielddescr> + <fieldname>ldap_pass</fieldname> + <description>Enter here the password to use to connect to the LDAP server.</description> + <type>password</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP base domain</fielddescr> + <fieldname>ldap_basedomain</fieldname> + <description>For LDAP authentication, enter here the base domain in the LDAP server.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP search filter</fielddescr> + <fieldname>ldap_filter</fieldname> + <description>Enter LDAP search filter.</description> + <type>input</type> + <size>60</size> + <default_value>(&(objectClass=person)(uid=%s))</default_value> + </field> + <field> + <fielddescr>RADIUS secret</fielddescr> + <fieldname>radius_secret</fieldname> + <description>The RADIUS secret for RADIUS authentication.</description> + <type>password</type> + <size>60</size> + </field> + <field> + <fielddescr>Secondary NT servers</fielddescr> + <fieldname>msnt_secondary</fieldname> + <description>Comma-separated list of secondary servers to be used for NT domain authentication.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Authentication prompt</fielddescr> + <fieldname>auth_prompt</fieldname> + <description>This string will be displayed at the top of the authentication request window.</description> + <type>input</type> + <default_value>Please enter your credentials to access the proxy</default_value> + </field> + <field> + <fielddescr>Authentication processes</fielddescr> + <fieldname>auth_processes</fieldname> + <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> + <type>input</type> + <size>60</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Authentication TTL</fielddescr> + <fieldname>auth_ttl</fieldname> + <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <type>input</type> + <size>60</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> + <fieldname>unrestricted_auth</fieldname> + <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Subnets that don't need authentication</fielddescr> + <fieldname>no_auth_hosts</fieldname> + <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_validation_command> + squid_validate_auth($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_after_form_command> + squid_print_javascript_auth2(); + </custom_php_after_form_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> + <custom_php_before_form_command> + squid_print_javascript_auth2(); + </custom_php_before_form_command> + <custom_php_after_head_command> + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + if($transparent_proxy) + $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; + squid_print_javascript_auth(); + </custom_php_after_head_command> +</packagegui> diff --git a/config/squid-8/squid_cache.xml b/config/squid-8/squid_cache.xml new file mode 100644 index 00000000..2a4b7e3d --- /dev/null +++ b/config/squid-8/squid_cache.xml @@ -0,0 +1,224 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidcache</name> + <version>none</version> + <title>Proxy server: Cache management</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Hard disk cache size</fielddescr> + <fieldname>harddisk_cache_size</fieldname> + <description>This is the amount of disk space (in megabytes) to use for cached objects.</description> + <type>input</type> + <required/> + <default_value>100</default_value> + </field> + <field> + <fielddescr>Hard disk cache system</fielddescr> + <fieldname>harddisk_cache_system</fieldname> + <description>This specifies the kind of storage system to use. <p> <b> ufs </b> is the old well-known Squid storage format that has always been there. <p> <b> aufs </b> uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.) <p> <b> diskd </b> uses a separate process to avoid blocking the main Squid process on disk-I/O. <p> <b> null </b> Does not use any storage.</description> + <type>select</type> + <default_value>aufs</default_value> + <options> + <option><name>ufs</name><value>ufs</value></option> + <option><name>aufs</name><value>aufs</value></option> + <option><name>diskd</name><value>diskd</value></option> + <option><name>null</name><value>null</value></option> + </options> + </field> + <field> + <fielddescr>Hard disk cache location</fielddescr> + <fieldname>harddisk_cache_location</fieldname> + <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description> + <type>input</type> + <size>60</size> + <required/> + <default_value>/var/squid/cache</default_value> + </field> + <field> + <fielddescr>Memory cache size</fielddescr> + <fieldname>memory_cache_size</fieldname> + <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> + <type>input</type> + <required/> + <default_value>8</default_value> + </field> + <field> + <fielddescr>Minimum object size</fielddescr> + <fieldname>minimum_object_size</fieldname> + <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description> + <type>input</type> + <required /> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Maximum object size</fielddescr> + <fieldname>maximum_object_size</fieldname> + <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description> + <type>input</type> + <required/> + <default_value>4</default_value> + </field> + <field> + <fielddescr>Level 1 subdirectories</fielddescr> + <fieldname>level1_subdirs</fieldname> + <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> + <type>select</type> + <default_value>16</default_value> + <options> + <option><name>4</name><value>4</value></option> + <option><name>8</name><value>8</value></option> + <option><name>16</name><value>16</value></option> + <option><name>32</name><value>32</value></option> + <option><name>64</name><value>64</value></option> + <option><name>128</name><value>128</value></option> + <option><name>256</name><value>256</value></option> + </options> + </field> + <field> + <fielddescr>Memory replacement policy</fielddescr> + <fieldname>memory_replacement_policy</fieldname> + <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. <p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description> + <type>select</type> + <default_value>heap GDSF</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <fielddescr>Cache replacement policy</fielddescr> + <fieldname>cache_replacement_policy</fieldname> + <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> + <type>select</type> + <default_value>heap LFUDA</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <fielddescr>Low-water-mark in %</fielddescr> + <fieldname>cache_swap_low</fieldname> + <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> + <type>input</type> + <default_value>90</default_value> + </field> + <field> + <fielddescr>High-water-mark in %</fielddescr> + <fieldname>cache_swap_high</fieldname> + <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> + <type>input</type> + <default_value>95</default_value> + </field> + <field> + <fielddescr>Do not cache</fielddescr> + <fieldname>donotcache</fieldname> + <description>Enter each domain or IP address on a new line that should never be cached.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Enable offline mode</fielddescr> + <fieldname>enable_offline</fieldname> + <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> + <type>checkbox</type> + <required/> + </field> + </fields> + <custom_php_command_before_form> + if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { + $needs_dash_z = true; + } + </custom_php_command_before_form> + <custom_php_validation_command> + squid_validate_cache($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + if($needs_dash_z) + squid_dash_z(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-8/squid_extauth.xml b/config/squid-8/squid_extauth.xml new file mode 100644 index 00000000..41d9f633 --- /dev/null +++ b/config/squid-8/squid_extauth.xml @@ -0,0 +1,106 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidextnoauth</name> + <version>none</version> + <title>Services: Proxy Server -> Extended Authentication Settings</title> + <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </tab> + + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + + <tab> + <text>Auth</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + + <tab> + <text>Extended Auth</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + <active/> + </tab> + + </tabs> + <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath> + <fields> + <field> + <fielddescr>No Authentication Defined</fielddescr> + <fieldname>no_auth</fieldname> + <type>text</type> + </field> + </fields> + + <custom_add_php_command_late> + require_once("/usr/local/pkg/squid_ng.inc"); + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + </custom_add_php_command_late> + +</packagegui> diff --git a/config/squid-8/squid_nac.xml b/config/squid-8/squid_nac.xml new file mode 100644 index 00000000..193a89c6 --- /dev/null +++ b/config/squid-8/squid_nac.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidnac</name> + <version>none</version> + <title>Proxy server: Access control</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Allowed subnets</fielddescr> + <fieldname>allowed_subnets</fieldname> + <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Unrestricted IPs</fielddescr> + <fieldname>unrestricted_hosts</fieldname> + <description>Enter each unrestricted IP address on a new line that is not to be filtered out by the other access control directives set in this page.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Banned host addresses</fielddescr> + <fieldname>banned_hosts</fieldname> + <description>Enter each IP address on a new line that is not to be allowed to use the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Whitelist</fielddescr> + <fieldname>whitelist</fieldname> + <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Blacklist</fielddescr> + <fieldname>blacklist</fieldname> + <description>Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>External Cache-Managers</fielddescr> + <fieldname>ext_cachemanager</fieldname> + <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> + <type>input</type> + <size>60</size> + </field> + </fields> + <custom_php_validation_command> + squid_validate_nac($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-8/squid_ng.inc b/config/squid-8/squid_ng.inc new file mode 100644 index 00000000..03f6d48c --- /dev/null +++ b/config/squid-8/squid_ng.inc @@ -0,0 +1,1070 @@ +<?php +/* $Id$ */ + +/* + squid_ng.inc + part of pfSense (www.pfSense.com) + + Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +function global_write_squid_config() +{ + global $config; + conf_mount_rw(); + config_lock(); + + /* define squid configuration file in variable for replace function */ + $squidconfig = "/usr/local/etc/squid/squid.conf"; + + /* squid.xml values */ + $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface']; + $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy']; + $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled']; + $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; + $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled']; + $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms']; + $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents']; + $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port']; + $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname']; + $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email']; + $error_language = $config['installedpackages']['squid']['config'][0]['error_language']; + $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled']; + + /* squid_upstream.xml values */ + $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding']; + $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding']; + $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding']; + $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy']; + $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port']; + $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username']; + $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword']; + + /* squid_cache.xml values */ + $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size']; + $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']; + $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size']; + $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size']; + $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs']; + $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement']; + $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement']; + $domain = $config['installedpackages']['squidcache']['config'][0]['domain']; + $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline']; + + /* squid_nac.xml values */ + $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets']; + $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address']; + $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses']; + $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses']; + $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses']; + $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts']; + + /* squid_traffic.xml values */ + $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size']; + $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size']; + $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall']; + $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host']; + $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files']; + $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images']; + $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia']; + + /* squid_auth.xml values */ + $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method']; + $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes']; + $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl']; + $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr']; + $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl']; + $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth']; + $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt']; + $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth']; + $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length']; + $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended']; + + /* squid_extauth.xml (ldap) values */ + $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn']; + $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server']; + $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type']; + $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port']; + $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username']; + $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password']; + + /* squid_extauth.xml (radius) values */ + $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server']; + $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port']; + $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier']; + $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret']; + + /* static variable assignments for directory mapping */ + $acldir = "/usr/local/etc/squid/advanced/acls"; + $ncsadir = "/usr/local/etc/squid/advanced/ncsa"; + $ntlmdir = "/usr/local/etc/squid/advanced/ntlm"; + $radiusdir = "/usr/local/etc/squid/advanced/radius"; + + $fout = fopen($squidconfig, "w"); + + $config_array = array('shutdown_lifetime 5 seconds' . "\n\n"); + + if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) { + mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi"); + mwexec("chmod a+rx /usr/local/www/cachemgr.cgi"); + } else { + mwexec("rm -f /usr/local/www/cachemgr.cgi"); + } + unset($cachemgr_enabled); + + if (!isset($icp_port) or ($icp_port == "")) { + $icp_port = "3130"; + } + $config_array[] = 'icp_port ' . $icp_port . "\n"; + unset($icp_port); + + if(!isset($proxy_port) or ($proxy_port == "")) { + $proxy_port = "3128"; + } + + if (isset($transparent_proxy) && ($transparent_proxy != "on")) { + $int = convert_friendly_interface_to_real_interface_name($active_interface); + $listen_ip = find_interface_ip($int); + + $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n"; + $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n"; + $config_array[] = 'no_cache deny QUERY' . "\n\n"; + } + $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . "\n\n"; + unset($proxy_port); + + if (isset($domain) && ($domain !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/dst_nocache.acl","w"); + + $domain_array = split("; ",$domain); + foreach ($domain_array as $no_cache_domain) { + fwrite($aclout, $no_cache_domain . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n"; + $config_array[] = 'no_cache deny no_cache_domains' . "\n\n"; + } + unset($no_cache_domain); + unset($domain_array); + unset($domain); + + $config_array[] = 'cache_effective_user squid' . "\n"; + $config_array[] = 'cache_effective_group squid' . "\n\n"; + $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n"; + + if (!isset($memory_cache_size) or ($memory_cache_size == "")) { + $memory_cache_size = "8"; + } + $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n"; + unset($memory_cache_size); + + if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) { + $harddisk_cache_size = "500"; + } + + if (!isset($level_subdirs) or ($level_subdirs == "")) { + $level_subdirs = "16"; + } + + $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n"; + unset($harddisk_cache_size); + unset($level_subdirs); + + if (!isset($error_language) or ($error_language == "")) { + $error_language = "English"; + } + $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n"; + unset($error_language); + + if (isset($offline_mode) && ($offline_mode == "on")) { + $config_array[] = 'offline_mode on' . "\n\n"; + } else { + $config_array[] = 'offline_mode off' . "\n\n"; + } + + if (!isset($memory_replacement) or ($memory_replacement == "")) { + $memory_replacement = "heap GDSF"; + } + $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n"; + unset($memory_replacement); + + if (!isset($cache_replacement) or ($cache_replacement == "")) { + $cache_replacement="heap GDSF"; + } + $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n"; + unset($cache_replacement); + + if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) { + $config_array[] = 'cache_access_log none' . "\n"; + } else { + $config_array[] = 'cache_access_log /var/log/access.log' . "\n"; + } + $config_array[] = 'cache_log /var/log/cache.log' . "\n"; + $config_array[] = 'cache_store_log none' . "\n"; + unset($accesslog_disabled); + unset($log_enabled); + + if (isset($log_query_terms) && ($log_query_terms == "on")) { + $config_array[] = 'strip_query_terms off' . "\n"; + } else { + $config_array[] = 'strip_query_terms on' . "\n"; + } + unset($log_query_terms); + + $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n"; + unset($log_user_agents); + + $config_array[] = 'log_mime_hdrs off' . "\n"; + $config_array[] = 'emulate_httpd_log on' . "\n"; + + switch ($user_forwarding) { + case "on": + $config_array[] = 'forwarded_for on' . "\n\n"; + break; + case "off": + $config_array[] = 'forwarded_for off' . "\n\n"; + break; + default: + $config_array[] = 'forwarded_for off' . "\n\n"; + break; + } + unset($user_forwarding); + + switch ($auth_method) { + case "none": + break; + case "local_auth": + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "radius_auth"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "ldap_bind"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth'; + $config_array[] = ' -b "' . $ldap_basedn . '"'; + $config_array[] = ' -D "' . $bind_dn_username . '"'; + $config_array[] = " -w " . $bind_dn_password; + $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"'; + $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n"; + + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "windows_auth"; + break; + } + + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w"); + fwrite($throttle_out, $binary_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl"); + } + unset($throttle_binary_files); + unset($throttle_out); + unset($binary_out); + + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w"); + fwrite($throttle_out, $cd_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_cd.acl")) { + unlink($acldir . "/dst_throttle_cd.acl"); + } + } + unset($throttle_cd_images); + unset($throttle_out); + unset($cd_out); + + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w"); + fwrite($throttle_out, $multimedia_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_multimedia.acl")) { + unlink($acldir . "/dst_throttle_multimedia.acl"); + } + } + unset($throttle_multimedia); + unset($multimedia_out); + unset($throttle_out); + + $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n"; + + /* obtain interface subnet and address for Squid rules */ + $lactive_interface = strtolower($active_interface); + + $lancfg = $config['interfaces'][$lactive_interface]; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n"; + $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n"; + $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n"; + $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 80 # http' . "\n"; + $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n"; + $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n"; + $config_array[] = 'acl Safe_ports port 210 # wais' . "\n"; + $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n"; + $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n"; + $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n"; + $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n"; + $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n"; + $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n"; + + /* allow access through proxy for custom admin port */ + $custom_port = $config['system']['webgui']['port']; + if (isset($custom_port) && ($custom_port !== "")) { + $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n"; + unset($custom_port); + } else { + $admin_protocol = $config['system']['webgui']['protocol']; + switch ($admin_protocol) { + case "http"; + $config_array[] = 'acl pf_admin_port port 80' ."\n"; + break; + case "https"; + $config_array[] = 'acl pf_admin_port port 443' . "\n"; + break; + default; + $config_array[] = 'acl pf_admin_port port 80' . "\n"; + break; + } + unset($admin_protocol); + } + + /* define override hosts as specified in squid_nac.xml */ + if (isset($override_hosts) && ($override_hosts !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_override_hosts.acl", "w"); + + $override_hosts_array = split("; ", $override_hosts); + foreach ($override_hosts_array as $ind_override_host) { + fwrite($aclout, $ind_override_host . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n"; + } + /* clear variables */ + unset($override_hosts_array); + unset($ind_override_host); + unset($override_hosts); + + /* define subnets allowed to utilize proxy service */ + if (isset($allowed_subnets) && ($allowed_subnets !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + mwexec("touch {$acldir}/src_subnets.acl"); + } + + $aclout = fopen($acldir . "/src_subnets.acl","w"); + + $allowed_subnets_array = split("; ",$allowed_subnets); + foreach ($allowed_subnets_array as $ind_allowed_subnets) { + fwrite($aclout, $ind_allowed_subnets . "\n"); + } + + fclose($aclout); + } else { + + $aclout = fopen($acldir . "/src_subnets.acl","w"); + fwrite($aclout, $lansa . "/" . $lansn . "\n"); + fclose($aclout); + } + + $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"; + + unset($allowed_subnets_array); + unset($ind_allowed_subnets); + unset($allowed_subnets); + + /* define ip addresses that have 'unrestricted' access */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w"); + + $unrestricted_ip_array = split("; ",$unrestricted_ip_addr); + foreach ($unrestricted_ip_array as $ind_unrestricted_ip) { + fwrite($aclout, $ind_unrestricted_ip . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n"; + } + unset($unrestricted_ip_array); + unset($unrestricted_ip_addr); + unset($ind_unrestricted_ip); + + /* define mac addresses that have 'unrestricted' access */ + if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w"); + + $unrestricted_mac_array = split("; ",$unrestricted_mac_addr); + foreach ($unrestricted_mac_array as $ind_unrestricted_mac) { + fwrite($aclout, $ind_unrestricted_mac . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n"; + } + unset($unrestricted_mac_array); + unset($unrestricted_mac_addr); + unset($ind_unrestricted_mac); + + /* define ip addresses that are banned from using the proxy service */ + if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_banned_ip.acl","w"); + + $banned_ip_array = split("; ",$banned_ip_addr); + foreach ($banned_ip_array as $ind_banned_ip) { + fwrite($aclout, $ind_banned_ip . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"; + } + unset($banned_ip_addr); + unset($banned_ip_addr); + unset($ind_banned_ip); + + /* define mac addresses that are banned from using the proxy service */ + if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_banned_mac.acl","w"); + + $banned_mac_array = split("; ",$banned_mac_addr); + foreach ($banned_mac_array as $ind_banned_mac) { + fwrite($aclout, $ind_banned_mac . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n"; + } + unset($banned_mac_array); + unset($banned_mac_addr); + unset($ind_banned_mac); + + $config_array[] = 'acl pf_ips dst ' . $lanip . "\n"; + $config_array[] = 'acl CONNECT method CONNECT' . "\n\n"; + + if (isset($auth_method) && ($auth_method == "none")) { + $config_array[] = 'http_access allow localnet' . "\n"; + } + $config_array[] = 'http_access allow localhost' . "\n"; + + if (isset($override_hosts) && ($override_hosts !== "")) { + $config_array[] = 'http_access allow override_hosts' . "\n"; + } + $config_array[] = "\n"; + + switch ($config['system']['webgui']['protocol']) { + case "http": + $config_array[] = 'http_access allow pf_ips' . "\n"; + $config_array[] = 'http_access allow pf_admin_port' . "\n"; + $config_array[] = 'http_access deny !pf_networks' . "\n\n"; + break; + case "https": + $config_array[] = 'http_access allow CONNECT pf_ips' . "\n"; + $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n"; + $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n"; + break; + } + + $config_array[] = 'http_access deny !Safe_ports' . "\n"; + $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n"; + + if (isset($auth_method) && ($auth_method != "none")) { + $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n"; + } + + $config_array[] = 'http_access deny all' . "\n\n"; + + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + + if ($dl_overall == "unlimited") { + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n"; + } else { + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; + } + + if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + + if ($dl_per_host == "unlimited") { + $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n"; + } else { + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n"; + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if ($throttle_cd_images == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if ($throttle_multimedia == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n"; + } + + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) { + /* if no bandwidth restrictions are specified, then these parameters are not necessary */ + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + + if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n"; + } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; + } + } + + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if ($throttle_cd_images == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if ($throttle_multimedia == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; + } + } + + $config_array[] = 'header_access X-Forwarded-For deny all' . "\n"; + $config_array[] = 'header_access Via deny all' . "\n\n"; + + /* TODO: acl customization for snmp support */ + /* fwrite($fout, "\n"); */ + + if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) { + $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n"; + $config_array[] = 'redirect_children 5' . "\n\n"; + } + + if (isset($max_upload_size) && ($max_upload_size != "")) { + $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n"; + } + + if (isset($max_download_size) && ($max_download_size != "")) { + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n"; + /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */ + $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n"; + } + + /* set default value for maximum_object_size */ + if (!isset($maximum_object_size) or ($maximum_object_size == "")) { + $maximum_object_size = "4096"; + } + + /* set default value for minimum_object_size */ + if (!isset($minimum_object_size) or ($minimum_object_size == "")) { + $minimum_object_size = "0"; + } + $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n"; + $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n"; + + if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) { + $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n"; + $config_array[] = 'never_direct allow all' . "\n"; + } + unset($proxy_forwarding); + + + /* define default ruleset for transparent proxy operation */ + if (isset($transparent_proxy) && ($transparent_proxy == "on")) { + $config_array[] = 'httpd_accel_host virtual' . "\n"; + $config_array[] = 'httpd_accel_port 80' . "\n"; + $config_array[] = 'httpd_accel_with_proxy on' . "\n"; + $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n"; + } + unset($transparent_proxy); + + + /* define visible hostname */ + if (isset($visible_hostname) && ($visible_hostname !== "")) { + $config_array[] = 'visible_hostname ' . $visible_hostname . "\n"; + } + unset($visible_hostname); + + /* define cache administrators email address within error messages */ + if (isset($cache_admin_email) && ($cache_admin_email !== "")) { + $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n"; + } + unset($cache_admin_email); + + /* write configuration file */ + foreach ($config_array as $config_item) + { + fwrite($fout, trim($config_item)); + + if (stristr($config_item, "\n")) + { + for ($i = 1; $i < count(explode("\n", $config_item)); $i++) + { + fwrite($fout, "\n"); + } + } + + } + fclose($fout); + + conf_mount_ro(); + config_unlock(); + + touch($squidconfig); +} /* end function write_squid_config */ + +function custom_php_install_command() { + /* write initial static config for transparent proxy */ + write_static_squid_config(); + + touch("/tmp/custom_php_install_command"); + + /* make sure this all exists, see: + * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 + */ + update_output_window("Setting up Squid environment..."); + mwexec("mkdir -p /var/squid"); + mwexec("chown squid:squid /var/squid"); + mwexec("mkdir -p /var/squid/logs"); + mwexec("chown squid:squid /var/squid/logs"); + mwexec("mkdir -p /var/squid/cache"); + mwexec("chown squid:squid /var/squid/cache"); + mwexec("mkdir -p /usr/local/etc/squid/advanced"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced"); + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf"); + + + /* set a few extra items noted by regan */ + update_output_window("Creating logs and setting user information..."); + $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w"); + fwrite($fdsquid, "#/bin/sh\n"); + fwrite($fdsquid, "# \n"); + fwrite($fdsquid, "# This file was created by the pfSense package system\n"); + fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n"); + fwrite($fdsquid, "# \n\n"); + fwrite($fdsquid, "chown squid:wheel /dev/pf\n"); + fwrite($fdsquid, "chmod ug+rw /dev/pf\n"); + fwrite($fdsquid, "touch /var/log/useragent.log\n"); + fwrite($fdsquid, "touch /var/log/access.log\n"); + fwrite($fdsquid, "touch /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n"); + fwrite($fdsquid, "\n"); + fclose($fdsquid); + mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh"); + mwexec("/usr/local/etc/rc.d/aSquid.sh"); + + update_output_window("Creating Proxy Server initialization scripts..."); + $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty"; + $stop = "/usr/local/sbin/squid -k shutdown"; + write_rcfile(array( + "file" => "squid.sh", + "start" => $start, + "stop" => $stop + ) + ); + + mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh"); + + /* create log directory hierarchies if they don't exist */ + update_output_window("Creating required directory hierarchies..."); + + if (!file_exists("/var/squid/logs")) { + mwexec("mkdir -p /var/squid/logs"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/logs"); + + + if (!file_exists("/var/squid/cache")) { + mwexec("mkdir -p /var/squid/cache"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/cache"); + + if (!file_exists("/usr/local/etc/squid/advanced/acls")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls"); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa"); + + if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm"); + + if (!file_exists("/usr/local/etc/squid/advanced/radius")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius"); + + $devfs_file = fopen("/etc/devfs.conf", "a"); + fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. "); + fwrite($devfs_file, "own pf root:squid"); + fwrite($devfs_file, "perm pf 0640"); + fclose($devfs_file); + + update_output_window("Initializing Cache... This may take a moment..."); + mwexec("/usr/local/sbin/squid -z"); + + update_output_window("Starting Proxy Server..."); + start_service("squid"); +} + +function custom_php_deinstall_command() { + update_output_window("Stopping proxy service..."); + stop_service("squid"); + sleep(1); + /* brute force any remaining squid processes out */ + mwexec("/usr/bin/killall squid"); + mwexec("/usr/bin/killall pinger"); + update_output_window("Recursively removing directories hierarchies. If existant, log files in /var/squid/logs will remain..."); + mwexec("rm -rf /var/squid/cache"); + update_output_window("Removing configuration files..."); + unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); + unlink_if_exists("/usr/local/libexec/squid"); + unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh"); + mwexec("rm -f /usr/local/etc/rc.d/squid*"); + mwexec("rm -f /usr/local/www/cachemgr.cgi"); + filter_configure(); +} + +function write_static_squid_config() { + touch("/tmp/write_static_squid_config"); + global $config; + $lancfg = $config['interfaces']['lan']; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $fout = fopen("/usr/local/etc/squid/squid.conf","w"); + fwrite($fout, "#\n"); + fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); + fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); + fwrite($fout, "#\n"); + + /* set # of dns children */ + fwrite($fout, "dns_children 15\n"); + + fwrite($fout, "shutdown_lifetime 5 seconds\n"); + fwrite($fout, "icp_port 0\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); + fwrite($fout, "no_cache deny QUERY\n"); + fwrite($fout, "\n"); + + fwrite($fout, "pid_filename /var/run/squid.pid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_mem 24 MB\n"); + fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); + fwrite($fout, "\n"); + + fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); + fwrite($fout, "\n"); + + fwrite($fout, "memory_replacement_policy heap GDSF\n"); + fwrite($fout, "cache_replacement_policy heap GDSF\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_access_log none\n"); + fwrite($fout, "cache_log none\n"); + fwrite($fout, "cache_store_log none\n"); + fwrite($fout, "\n"); + + fwrite($fout, "log_mime_hdrs off\n"); + fwrite($fout, "emulate_httpd_log on\n"); + fwrite($fout, "forwarded_for off\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n"); + fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 80 # http\n"); + fwrite($fout, "acl Safe_ports port 21 # ftp\n"); + fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 70 # gopher\n"); + fwrite($fout, "acl Safe_ports port 210 # wais\n"); + fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); + fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); + fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); + fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); + fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); + fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl CONNECT method CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#access to squid; local machine; no restrictions\n"); + fwrite($fout, "http_access allow localnet\n"); + fwrite($fout, "http_access allow localhost\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Deny non web services\n"); + fwrite($fout, "http_access deny !Safe_ports\n"); + fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Set custom configured ACLs\n"); + fwrite($fout, "http_access deny all\n"); + fwrite($fout, "visible_hostname pfSense\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_effective_user squid\n"); + fwrite($fout, "cache_effective_group squid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "maximum_object_size 4096 KB\n"); + fwrite($fout, "minimum_object_size 0 KB\n"); + fwrite($fout, "\n"); + + fwrite($fout, "request_body_max_size 0 KB\n"); + fwrite($fout, "reply_body_max_size 0 allow all\n"); + fwrite($fout, "\n"); + + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + + fclose($fout); +} + +function mod_htpasswd() { + global $config; + conf_mount_rw(); + config_lock(); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + + $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); + + if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") { + foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { + $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); + fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); + } + } + + fclose($passfile); + + conf_mount_ro(); + config_unlock(); +} + +function generate_htpasswd($username, $password) { + $all = explode( " ", + "a b c d e f g h i j k l m n o p q r s t u v w x y z " + . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z " + . "0 1 2 3 4 5 6 7 8 9"); + + for ($i = 0; $i < 9; $i++) { + srand((double)microtime()*1000000); + $randy = rand(0,61); + $seed .= $all[$randy]; + } + + $crypt = crypt($password, "$1$$seed"); + return $crypt; +} + +?> diff --git a/config/squid-8/squid_ng.xml b/config/squid-8/squid_ng.xml new file mode 100644 index 00000000..5d956387 --- /dev/null +++ b/config/squid-8/squid_ng.xml @@ -0,0 +1,267 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squid</name> + <version>2.5.12_4</version> + <title>Services: Proxy Server</title> + <category>Security</category> + <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&id=0</aftersaveredirect> + <include_file>/usr/local/pkg/squid_ng.inc</include_file> + <menu> + <name>Squid</name> + <tooltiptext>Modify settings for Proxy Server</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </menu> + <menu> + <name>Squid stats</name> + <tooltiptext>Show Squid statistics</tooltiptext> + <section>Services</section> + <url>/cachemgr.cgi</url> + </menu> + <service> + <name>squid</name> + <rcfile>squid.sh</rcfile> + </service> + <tabs> + <tab> + <text>General Settings</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Network Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Extended Auth</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + </tab> + </tabs> + <configpath>installedpackages->package->squidng->configuration->settings</configpath> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_cache.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_nac.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_ng.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_traffic.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_upstream.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_auth.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_auth.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid/squid_extauth.xml</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Proxy Listening Interface</fielddescr> + <fieldname>active_interface</fieldname> + <description>This defines the active listening interface to which the proxy server will listen for its requests.</description> + <type>interfaces_selection</type> + </field> + <field> + <fielddescr>Transparent Proxy</fielddescr> + <fieldname>transparent_proxy</fieldname> + <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>URL Filtering Enabled</fielddescr> + <fieldname>urlfilter_enable</fieldname> + <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Disable Access Log</fielddescr> + <fieldname>accesslog_disabled</fieldname> + <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log Query Terms</fielddescr> + <fieldname>log_query_terms</fieldname> + <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Log User Agents</fielddescr> + <fieldname>log_user_agents</fieldname> + <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Proxy Port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description> + <type>input</type> + <size>4</size> + <combinefieldsend>true</combinefieldsend> + </field> + <field> + <fielddescr>ICP Port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.</description> + <type>input</type> + <size>4</size> + </field> + <field> + <fielddescr>Visible Hostname</fielddescr> + <fieldname>visible_hostname</fieldname> + <description>This URL is displayed on the Proxy Server error messages.</description> + <type>input</type> + <size>35</size> + </field> + <field> + <fielddescr>Cache Administrator E-Mail</fielddescr> + <fieldname>cache_admin_email</fieldname> + <description>This E-Mail address is displayed on the Proxy Server error messages.</description> + <type>input</type> + <size>35</size> + </field> + <field> + <fielddescr>Error Messages Language</fielddescr> + <fieldname>error_language</fieldname> + <description>Select the language in which the Proxy Server shall display error messages to users.</description> + <type>select</type> + <options> + <option><name>Bulgarian</name><value>Bulgarian</value></option> + <option><name>Catalan</name><value>Catalan</value></option> + <option><name>Czech</name><value>Czech</value></option> + <option><name>Danish</name><value>Danish</value></option> + <option><name>Dutch</name><value>Dutch</value></option> + <option><name>English</name><value>English</value></option> + <option><name>Estonian</name><value>Estonian</value></option> + <option><name>Finnish</name><value>Finnish</value></option> + <option><name>French</name><value>French</value></option> + <option><name>German</name><value>German</value></option> + <option><name>Hebrew</name><value>Hebrew</value></option> + <option><name>Hungarian</name><value>Hungarian</value></option> + <option><name>Italian</name><value>Italian</value></option> + <option><name>Japanese</name><value>Japanese</value></option> + <option><name>Korean</name><value>Korean</value></option> + <option><name>Lithuanian</name><value>Lithuanian</value></option> + <option><name>Polish</name><value>Polish</value></option> + <option><name>Portuguese</name><value>Portuguese</value></option> + <option><name>Romanian</name><value>Romanian</value></option> + <option><name>Russian-1251</name><value>Russian-1251</value></option> + <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option> + <option><name>Serbian</name><value>Serbian</value></option> + <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option> + <option><name>Slovak</name><value>Slovak</value></option> + <option><name>Spanish</name><value>Spanish</value></option> + <option><name>Swedish</name><value>Swedish</value></option> + <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option> + <option><name>Turkish</name><value>Turkish</value></option> + </options> + </field> + <field> + <fielddescr>Enable cachemgr</fielddescr> + <fieldname>cachemgr_enabled</fieldname> + <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. <b>Note:</b> This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description> + <type>checkbox</type> + </field> + + </fields> + <custom_add_php_command_late> + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + </custom_add_php_command_late> + <custom_php_install_command> + custom_php_install_command(); + write_static_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + </custom_php_install_command> + <custom_php_deinstall_command> + custom_php_deinstall_command(); + stop_service("squid"); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/squid-8/squid_traffic.xml b/config/squid-8/squid_traffic.xml new file mode 100644 index 00000000..d560a7ad --- /dev/null +++ b/config/squid-8/squid_traffic.xml @@ -0,0 +1,177 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidtraffic</name> + <version>none</version> + <title>Proxy server: Traffic management</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Maximum download size</fielddescr> + <fieldname>max_download_size</fieldname> + <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Maximum upload size</fielddescr> + <fieldname>max_upload_size</fieldname> + <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Overall bandwidth throttling</fielddescr> + <fieldname>overall_throttling</fieldname> + <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Per-host throttling</fielddescr> + <fieldname>perhost_throttling</fieldname> + <description>This value specifies the download throttling per host. Set to 0 to disable this.</description> + <type>input</type> + <required/> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Throttle only specific extensions</fielddescr> + <fieldname>throttle_specific</fieldname> + <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description> + <type>checkbox</type> + <enablefields>throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others</enablefields> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Throttle binary files</fielddescr> + <fieldname>throttle_binaries</fieldname> + <description>Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle CD images</fielddescr> + <fieldname>throttle_cdimages</fieldname> + <description>Check this to apply bandwidth throttle to CD image files.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle multimedia files</fielddescr> + <fieldname>throttle_multimedia</fieldname> + <description>Check this to apply bandwidth throttle to multimedia files, such as movies or songs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Throttle other extensions</fielddescr> + <fieldname>throttle_others</fieldname> + <description>Comma-separated list of extensions to apply bandwidth throttle to.</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Finish transfer if less than x KB remaining</fielddescr> + <fieldname>quick_abort_min</fieldname> + <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Abort transfer if more than x KB remaining</fielddescr> + <fieldname>quick_abort_max</fieldname> + <description>If the transfer has more than x KB remaining, it will abort the retrieval. Set to 0 to abort the transfer immediately.</description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Finish transfer if more than x % finished</fielddescr> + <fieldname>quick_abort_pct</fieldname> + <description>If more than x % of the transfer has completed, it will finish the retrieval.</description> + <type>input</type> + <default_value>0</default_value> + </field> + </fields> + <custom_php_validation_command> + squid_validate_traffic($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-8/squid_upstream.xml b/config/squid-8/squid_upstream.xml new file mode 100644 index 00000000..ad494524 --- /dev/null +++ b/config/squid-8/squid_upstream.xml @@ -0,0 +1,133 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidupstream</name> + <version>none</version> + <title>Proxy server: Upstream proxy settings</title> + <include_file>squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Enable forwarding</fielddescr> + <fieldname>proxy_forwarding</fieldname> + <description>This option enables the proxy server to forward requests to an upstream server.</description> + <type>checkbox</type> + <enablefields>proxy_addr,proxy_port,icp_port,username,password</enablefields> + <required/> + </field> + <field> + <fielddescr>Hostname</fielddescr> + <fieldname>proxy_addr</fieldname> + <description>Enter here the IP address or host name of the upstream proxy.</description> + <type>input</type> + </field> + <field> + <fielddescr>TCP port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>Enter the port to use to connect to the upstream proxy.</description> + <type>input</type> + <size>5</size> + <default_value>3128</default_value> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icp_port</fieldname> + <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description> + <type>input</type> + <size>5</size> + <default_value>7</default_value> + </field> + <field> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>If the upstream proxy requires a username, specify it here.</description> + <type>input</type> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>If the upstream proxy requires a password, specify it here.</description> + <type>password</type> + </field> + </fields> + <custom_php_validation_command> + squid_validate_upstream($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-8/squid_users.xml b/config/squid-8/squid_users.xml new file mode 100644 index 00000000..eef6389f --- /dev/null +++ b/config/squid-8/squid_users.xml @@ -0,0 +1,120 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidusers</name> + <version>none</version> + <title>Proxy server: Local users</title> + <include_file>squid.inc</include_file> + <delete_string>A proxy server user has been deleted.</delete_string> + <addedit_string>A proxy server user has been created/modified.</addedit_string> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Local Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + <active/> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Username</fielddescr> + <fieldname>username</fieldname> + <description>Enter the username here.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Enter the password here.</description> + <type>password</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>You may enter a description here for your reference (not parsed).</description> + <type>input</type> + </field> + </fields> + <custom_php_resync_config_command> + squid_resync_users(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/tinydns/tinydns.inc b/config/tinydns/tinydns.inc index 9d0cf2d3..5e730156 100644 --- a/config/tinydns/tinydns.inc +++ b/config/tinydns/tinydns.inc @@ -33,6 +33,15 @@ if(!function_exists("filter_configure")) require_once("filter.inc"); +function tinydns_validate() { + global $input_errors, $config; + + if ($config['installedpackages']['tinydns']['config'][0]['enableforwarding']) { + if (isset($config['dnsmasq']['enable'])) + $input_errors[] = "You have system dns-forwarder active. Disable it before enabling DNS-Cache Forwarders."; + } +} + function tinydns_custom_php_install_command() { global $g, $config; conf_mount_rw(); @@ -80,7 +89,7 @@ name="svscan" rcvar=`set_rcvar` command="/usr/local/bin/svscan" svscan_enable=\${svscan_enable-"YES"} -svscan_servicedir=\${svscan_servicedir-"/service"} +svscan_servicedir=\${svscan_servicedir-"{$g['varrun_path']}/service"} start_cmd="svscan_start" stop_postcmd="svscan_stop_post" @@ -90,18 +99,18 @@ load_rc_config \$name required_dirs="\${svscan_servicedir}" svscan_start () { + global $g; + echo "Starting svscan." /usr/bin/env \ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ /usr/sbin/daemon -f /bin/sh -c "\$command \$svscan_servicedir 2>&1 | /usr/local/bin/readproctitle service errors: ................................................................................................................................................................................................................................................................................................................................................................................................................ &" > /dev/null - minicron {$refreshinterval} /var/run/ping_hosts.pid "/etc/ping_hosts.sh; cd /etc/tinydns/root && /usr/local/bin/tinydns-data" + minicron {$refreshinterval} {$g['varrun_path']}/ping_hosts.pid "/etc/ping_hosts.sh; cd {$g['varetc_path']}/etc/tinydns/root && /usr/local/bin/tinydns-data" } svscan_stop_post () { echo "Stopping svscan." find -L "\$svscan_servicedir" -mindepth 1 -maxdepth 2 -type d \( \! -path "\$svscan_servicedir/*/*" -or -name 'log' \) -print0 | xargs -0 /usr/local/bin/svc -dx - PIDTOKILL=`cat /var/run/ping_hosts.pid` - kill $PIDTOKILL } run_rc_command "\$1" @@ -110,18 +119,48 @@ EOD; fwrite($fd, $svscan); fclose($fd); - conf_mount_ro(); - filter_configure(); + $filename = "tinydns.sh"; + $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP +<?php + require_once(\"/usr/local/pkg/tinydns.inc\"); tinydns_custom_php_changeip_command(); + tinydns_create_zone_file(); + tinydns_setup_ping_items(); +?> +ENDPHP\n"; + + $stop = ""; + $interfaces = explode(",", $config['installedpackages']['tinydns']['config'][0]['interface']); + foreach ($interfaces as $dnsidx => $dnsif) + $stop .= "\t/usr/local/bin/svc -dx {$g['varrun_path']}/service/dnscache{$dnsidx}\n"; + - exec("/usr/local/etc/rc.d/svscan.sh start"); + $stop .= <<<ENDSH + /usr/local/bin/svc -dx {$g['varrun_path']}/service/tinydns + /usr/local/bin/svc -dx {$g['varrun_path']}/service/axfrdns + /bin/rm -rf {$g['varrun_path']}/service/tinydns {$g['varetc_path']}/tinydns {$g['varrun_path']}/dnscache* {$g['varetc_path']}/dnscache* {$g['varetc_path']}/axfrdns {$g['varrun_path']}/axfrdns + /bin/pkill -F /var/run/ping_hosts.pid +ENDSH; + + write_rcfile(array( + "file" => $filename, + "start" => $start, + "stop" => $stop + ) + ); + + conf_mount_ro(); + filter_configure(); } function tinydns_custom_php_deinstall_command() { global $g, $config; + conf_mount_rw(); /* destroy all daemontools items */ + exec("/usr/local/etc/rc.d/tinydns.sh stop"); + exec("/usr/local/etc/rc.d/svscan.sh stop"); exec("/usr/bin/killall supervise"); exec("/usr/bin/killall tinydns"); exec("/usr/sbin/pw groupdel Gtinydns"); @@ -134,7 +173,8 @@ function tinydns_custom_php_deinstall_command() { exec("rm /usr/local/www/*tinydns*"); exec("rm /usr/local/pkg/*tinydns*"); exec("rm /usr/local/pkg/pf/*tinydns*"); - exec("rm -rf /etc/tinydns"); + exec("rm -rf {$g['varetc_path']}/etc/tinydns {$g['varrun_path']}/service/tinydns {$g['varetc_path']}/axfrdns"); + exec("rm -rf {$g['varetc_path']}/etc/dnscache* {$g['varrun_path']}/service/dnscache*"); filter_configure(); conf_mount_ro(); } @@ -143,12 +183,6 @@ function tinydns_custom_php_changeip_command() { global $g, $config; conf_mount_rw(); - $ip = $config['interfaces']['lan']['ipaddr']; - $ipmask = $config['interfaces']['lan']['subnet']; - $arr = tinydns_get_ip_subnet_arpa($ip, $ipmask); - $dnscacheip = $ip; - $dnsuserip = $arr[0]; - /* For now force $dnsserverip to to 127.0.0.1 unless a separate IP is specified */ $localhost = "127.0.0.1"; $dnsserverip = $localhost; @@ -156,6 +190,8 @@ function tinydns_custom_php_changeip_command() { $dnsserverip = $config['installedpackages']['tinydns']['config'][0]['ipaddress']; if($config['installedpackages']['tinydns']['config'][0]['regdhcpstatic'] OR $config['installedpackages']['tinydns']['config'][0]['regdhcp']) $dnsserverip = $localhost; + if (!is_ipaddr($dnsserverip)) + $dnsserverip = $localhost; $config['installedpackages']['tinydns']['config'][0]['ipaddress'] = $dnsserverip; $updatecron = $config['installedpackages']['tinydns']['config'][0]['updatecron']; @@ -164,48 +200,66 @@ function tinydns_custom_php_changeip_command() { $ztipaddress = populate_zt_array(); /* setup daemon tools service area */ - if(!is_dir("/service")) - exec("/bin/mkdir /service"); + if(!is_dir("{$g['varrun_path']}/service")) + exec("/bin/mkdir -p {$g['varrun_path']}/service"); exec("/usr/sbin/pw useradd Gtinydns"); exec("/usr/sbin/pw useradd Gdnslog"); exec("/usr/sbin/pw useradd Gdnscache"); exec("/usr/sbin/pw useradd Gaxfrdns"); + exec("/bin/rm -r {$g['varetc_path']}/etc/dnscache*"); + exec("/bin/rm -r {$g['varrun_path']}/service/dnscache*"); /* TinyDNS Server */ - exec("/usr/local/bin/tinydns-conf Gtinydns Gdnslog /etc/tinydns {$dnsserverip}"); - exec("/bin/ln -s /etc/tinydns /service/"); + exec("/usr/local/bin/tinydns-conf Gtinydns Gdnslog {$g['varetc_path']}/etc/tinydns {$dnsserverip}"); + exec("/bin/ln -s {$g['varetc_path']}/etc/tinydns {$g['varrun_path']}/service/"); /* AXFRDNS - Zone transfers */ if(is_array($ztipaddress)) - exec("/usr/local/bin/axfrdns-conf Gaxfrdns Gdnslog /etc/axfrdns /etc/tinydns {$dnsserverip}"); - exec("/bin/ln -s /etc/axfrdns /service/"); + exec("/usr/local/bin/axfrdns-conf Gaxfrdns Gdnslog {$g['varetc_path']}/etc/axfrdns {$g['varetc_path']}/etc/tinydns {$dnsserverip}"); + exec("/bin/ln -s {$g['varetc_path']}/etc/axfrdns {$g['varrun_path']}/service/"); - exec("echo {$dnsserverip} > /etc/tinydns/env/IP"); + exec("echo {$dnsserverip} > {$g['varetc_path']}/etc/tinydns/env/IP"); exec("/usr/bin/killall -9 tinydns"); if($config['installedpackages']['tinydns']['config'][0]['enableforwarding']) { - if(!is_dir("/service/dnscache")) { - exec("/usr/sbin/pw useradd Gdnscache"); - exec("/usr/local/bin/dnscache-conf Gdnscache Gdnslog /etc/dnscache {$dnscacheip}"); - exec("/bin/ln -s /etc/dnscache /service/"); - exec("/bin/cp /var/etc/resolv.conf /var/etc/resolv.conf.original"); - exec("/bin/cp /var/etc/resolv.conf /var/etc/resolv.conf.dnscache"); + $interfaces = explode(",", $config['installedpackages']['tinydns']['config'][0]['interface']); + exec("/bin/cp {$g['varetc_path']}/resolv.conf {$g['varetc_path']}/resolv.conf.original"); + exec("/bin/cp {$g['varetc_path']}/resolv.conf {$g['varetc_path']}/resolv.conf.dnscache"); + exec("echo domain {$config['system']['domain']} > {$g['varetc_path']}/resolv.conf"); + exec("rm -rf {$g['varetc_path']}/etc/dnscache* {$g['varrun_path']}/service/dnscache*"); + foreach ($interfaces as $dnsidx => $dnsif) { + $dnscacheif = convert_friendly_interface_to_real_interface_name($dnsif); + $dnscacheip = find_interface_ip($dnscacheif); + if (intval($config['version']) >= 6) + $ipmask = find_interface_subnet($dnscacheif); + else + $ipmask = $config['interfaces'][$dnsif]['subnet']; + $arr = tinydns_get_ip_subnet_arpa($dnscacheip, $ipmask); + $dnsuserip = $arr[0]; + exec("/bin/mkdir -p {$g['varetc_path']}/etc/dnscache{$dnsidx}"); + exec("/usr/local/bin/dnscache-conf Gdnscache Gdnslog {$g['varetc_path']}/etc/dnscache{$dnsidx} {$dnscacheip}"); + exec("/bin/ln -s {$g['varetc_path']}/etc/dnscache{$dnsidx} {$g['varrun_path']}/service/"); + if (!is_dir("{$g['varetc_path']}/etc/dnscache{$dnsidx}/env/IP")) + exec("/bin/mkdir -p {$g['varetc_path']}/etc/dnscache{$dnsidx}/env"); + exec("echo {$dnscacheip} > {$g['varetc_path']}/etc/dnscache{$dnsidx}/env/IP"); + tinydns_dnscache_forwarding_servers($dnsidx); + if (!is_dir("{$g['varetc_path']}/etc/dnscache{$dnsidx}/root/ip")) + exec("/bin/mkdir -p {$g['varetc_path']}/etc/dnscache{$dnsidx}/root/ip"); + exec("/usr/bin/touch {$g['varetc_path']}/etc/dnscache{$dnsidx}/root/ip/{$dnsuserip}"); + tinydns_create_soa_domain_list($dnsserverip, $dnsidx); + exec("echo nameserver {$dnscacheip} >> {$g['varetc_path']}/resolv.conf"); } - exec("echo {$dnscacheip} > /etc/dnscache/env/IP"); - tinydns_dnscache_forwarding_servers(); - exec("touch /etc/dnscache/root/ip/{$dnsuserip}"); - tinydns_create_soa_domain_list($dnsserverip); - exec("echo domain {$config['system']['domain']} > /var/etc/resolv.conf"); - exec("echo nameserver {$dnscacheip} >> /var/etc/resolv.conf"); exec("/usr/bin/killall -9 dnscache"); } else { if(file_exists("/var/etc/resolv.conf.original")) - exec("/bin/cp /var/etc/resolv.conf.original /var/etc/resolv.conf"); - if(is_dir("/etc/dnscache")) { - dnscache_use_root_servers(); - exec("/usr/bin/killall -9 dnscache"); + exec("/bin/cp {$g['varetc_path']}/resolv.conf.original {$g['varetc_path']}/resolv.conf"); + $interfaces = explode(",", $$config['installedpackages']['tinydns']['config'][0]['interface']); + foreach ($interfaces as $dnsidx => $dnsif) { + if(is_dir("{$g['varetc_path']}/etc/dnscache{$dnsidx}")) + dnscache_use_root_servers($dnsidx); } + exec("/usr/bin/killall -9 dnscache"); } conf_mount_ro(); filter_configure(); @@ -228,13 +282,14 @@ function populate_zt_array() { function tinydns_setup_axfrdns() { global $g, $config; + /* Populate Zone Transfer array */ $ztipaddress = populate_zt_array(); if(!is_array($ztipaddress)) return; - $fd = fopen("/etc/axfrdns/tcp","w"); + $fd = fopen("{$g['varetc_path']}/etc/axfrdns/tcp","w"); if(!$fd) { - log_error("Could not open /etc/axfrdns/tcp for writing"); + log_error("Could not open {$g['varetc_path']}/etc/axfrdns/tcp for writing"); return; } foreach($ztipaddress as $zt) { @@ -246,7 +301,7 @@ function tinydns_setup_axfrdns() { } fclose($fd); // Recompile database - exec("cd /service/axfrdns && /usr/local/bin/tinydns-data"); + exec("cd {$g['varrun_path']}/service/axfrdns && /usr/local/bin/tinydns-data"); } function tinydns_get_record_status($record, $pingthreshold = "", $wanpingthreshold = "") { @@ -295,16 +350,17 @@ function tinydns_get_backup_record($record) { function tinydns_setup_ping_items() { global $g, $config; + if(!$config['installedpackages']['tinydnsdomains']) return; $wanif = get_real_wan_interface(); $ip = find_interface_ip($wanif); - conf_mount_rw(); + $processed = array(); /* XXX: make this work with other packages */ - $fd = fopen("/var/db/pkgpinghosts", "w"); + $fd = fopen("{$g['vardb_path']}/pkgpinghosts", "w"); if(!$fd) { - log_error("Could not open /var/db/pkgpinghosts for writing."); + log_error("Could not open {$g['vardb_path']}/pkgpinghosts for writing."); return; } config_lock(); @@ -351,7 +407,6 @@ function tinydns_setup_ping_items() { } fclose($fd); config_unlock(); - conf_mount_ro(); } function tinydns_create_zone_file() { @@ -359,15 +414,14 @@ function tinydns_create_zone_file() { conf_mount_rw(); if(file_exists("/tmp/config.cache")) unlink("/tmp/config.cache"); - parse_config(true); config_lock(); - if(file_exists("/service/tinydns/root/data")) - exec("rm -f /service/tinydns/root/data"); - if(!is_dir("/service/tinydns/root")) + if(file_exists("{$g['varrun_path']}/service/tinydns/root/data")) + exec("rm -f {$g['varrun_path']}/service/tinydns/root/data"); + if(!is_dir("{$g['varrun_path']}/service/tinydns/root")) return; - $fd = fopen("/service/tinydns/root/data", "w"); + $fd = fopen("{$g['varrun_path']}/service/tinydns/root/data", "w"); if(!$fd) { - log_error("Could not open /service/tinydns/root/data for writing."); + log_error("Could not open {$g['varrun_path']}/service/tinydns/root/data for writing."); return; } @@ -381,27 +435,45 @@ function tinydns_create_zone_file() { fwrite($fd, $forwardingservers); if($config['system']['hostname']['domain']) { $dhcpdhostname = $config['system']['hostname']; - if($config['dhcpd']['lan']) + if($config['system']['domain']) $dhcpddomain = $config['system']['domain']; - $dhcpdlanip = $config['interfaces']['lan']['ipaddr']; - $dhcpdipmask = $config['interfaces']['lan']['subnet']; - $dhcpdfqdn = "{$dhcpdhostname}.{$dhcpddomain}"; - tinydns_complete_soa_record($fd, $dhcpdlanip, $dhcpdipmask, $dhcpdhostname, $dhcpddomain); + $interfaces = explode(",", $config['installedpackages']['tinydns']['config'][0]['interface']); + foreach ($interfaces as $dnsif) { + $dnsrif = convert_friendly_interface_to_real_interface_name($dnsif); + $dnsrip = find_interface_ip($dnsrif); + if (intval($config['version']) >= 6) + $ipmask = find_interface_subnet($dnsrif); + else + $ipmask = $config['interfaces'][$dnsif]['subnet']; + $dhcpdfqdn = "{$dhcpdhostname}.{$dhcpddomain}"; + tinydns_complete_soa_record($fd, $dnsrip, $ipmask, $dhcpdhostname, $dhcpddomain); + } } } /* Register Static IPs */ if($config['installedpackages']['tinydns']['config'][0]['regdhcpstatic']) { - foreach($config['dhcpd'] as $zone_key => $zone ) { + $interfaces = explode(",", $config['installedpackages']['tinydns']['config'][0]['interface']); + foreach ($interfaces as $dnsif) { + if (is_array($config['dhcpd'][$dnsif])) + continue; + $zone =& $config['dhcpd'][$dnsif]; + if (!isset($dhcpifconf['enable'])) + continue; $dhcpdhostname = $config['system']['hostname']; if ($zone['ddnsdomain']) $dhcpddomain = $zone['ddnsdomain']; else $dhcpddomain = $config['system']['domain']; - $dhcpdlanip = $config['interfaces'][$zone_key]['ipaddr']; - $dhcpdipmask = $config['interfaces'][$zone_key]['subnet']; + + $dnsrif = convert_friendly_interface_to_real_interface_name($dnsif); + $dnsrip = find_interface_ip($dnsrif); + if (intval($config['version']) >= 6) + $ipmask = find_interface_subnet($dnsrif); + else + $ipmask = $config['interfaces'][$dnsif]['subnet']; $dhcpdfqdn = "{$dhcpdhostname}.{$dhcpddomain}"; - tinydns_complete_soa_record($fd, $dhcpdlanip, $dhcpdipmask, $dhcpdhostname, $dhcpddomain); + tinydns_complete_soa_record($fd, $dnsrip, $ipmask, $dhcpdhostname, $dhcpddomain); if(is_array($zone['staticmap'])) { foreach($zone['staticmap'] as $dhcpdstatic) { @@ -478,7 +550,7 @@ function tinydns_create_zone_file() { } fclose($fd); /* tell tinydns to reload zone file */ - exec("cd /service/tinydns/root && /usr/local/bin/tinydns-data"); + exec("cd {$g['varrun_path']}/service/tinydns/root && /usr/local/bin/tinydns-data"); config_unlock(); conf_mount_ro(); } @@ -850,48 +922,55 @@ function tinydns_get_dns_record_type($tinydnsrecord) { /* This function will be replaced by an auto detect DNS cache servers routine */ /* At the moment there is no tagging of DNSroute to a WAN port. It needs to be added */ -function tinydns_dnscache_forwarding_servers() { - $fr = fopen("/var/etc/resolv.conf.dnscache", "r"); - if (! $fr) { - printf("Error: cannot open resolv.conf.dnscache in tinydns_register_forwarding_servers().\n"); - return 1; - } - $lip = strlen("nameserver") + 1; - $j = 0; - $iprecords = ""; - while (!feof($fr)) { - $routers = fgets($fr, 4096); - $discard = ($routers[0] == "\n"); - if(!$discard) { - if ($routerip = strstr($routers,"nameserver")) { - $routerip = substr($routerip,$lip); - if($routerip) { - $j += 1; - $routera = "{$routerip}"; - $iprecords .= $routera; - } - } - } - } - fclose($fr); - exec("echo 1 > /etc/dnscache/env/FORWARDONLY"); - if(is_dir("/etc/dnscache/root/servers/")) - exec("rm -R /etc/dnscache/root/servers/"); - exec("mkdir /etc/dnscache/root/servers/"); - $fr = fopen("/etc/dnscache/root/servers/@", "w"); - if (! $fr) { - printf("Error: cannot write to /etc/dnscache/root/servers/@ in tinydns_dnscache_forwarding_servers().\n"); - return 1; +function tinydns_dnscache_forwarding_servers($index) { + global $g, $config; + + exec("echo 1 > {$g['varetc_path']}/etc/dnscache{$index}/env/FORWARDONLY"); + if(is_dir("{$g['varetc_path']}/etc/dnscache{$index}/root/servers/")) + exec("rm -R {$g['varetc_path']}/etc/dnscache/root/servers/"); + exec("/bin/mkdir -p {$g['varetc_path']}/etc/dnscache{$index}/root/servers/"); + if (intval($config['version']) >= 6) + exec("/bin/cat {$g['varetc_path']}/nameserver_* > {$g['varetc_path']}/etc/dnscache{$index}/root/servers/@"); + else { + $fr = fopen("{$g['varetc_path']}/resolv.conf.dnscache", "r"); + if (! $fr) { + printf("Error: cannot open resolv.conf.dnscache in tinydns_register_forwarding_servers().\n"); + return 1; + } + $lip = strlen("nameserver") + 1; + $j = 0; + $iprecords = ""; + while (!feof($fr)) { + $routers = fgets($fr, 4096); + $discard = ($routers[0] == "\n"); + if(!$discard) { + if ($routerip = strstr($routers,"nameserver")) { + $routerip = substr($routerip,$lip); + if($routerip) { + $j += 1; + $routera = "{$routerip}"; + $iprecords .= $routera; + } + } + } + } + fclose($fr); + $fr = fopen("{$g['varetc_path']}/etc/dnscache{$index}/root/servers/@", "w"); + if (! $fr) { + printf("Error: cannot write to {$g['varetc_path']}/etc/dnscache{$index}/root/servers/@ in tinydns_dnscache_forwarding_servers().\n"); + return 1; + } + if($iprecords) + fwrite($fr, $iprecords); + fclose($fr); } - if($iprecords) - fwrite($fr, $iprecords); - fclose($fr); } -/* This routine adds filenames to /etc/dnscache/root/servers/ with the contents pointing to the tinyDNS server */ -function tinydns_create_soa_domain_list($dnsserverip) { - if(file_exists("/service/tinydns/root/data")) - $tinydns_data = file_get_contents("/service/tinydns/root/data"); +/* This routine adds filenames to {$g['varetc_path']}/etc/dnscache/root/servers/ with the contents pointing to the tinyDNS server */ +function tinydns_create_soa_domain_list($dnsserverip, $index = 0) { + global $g; + if(file_exists("{$g['varrun_path']}/service/tinydns/root/data")) + $tinydns_data = file_get_contents("{$g['varrun_path']}/service/tinydns/root/data"); else $tinydns_data = ""; $datalen = strlen($tinydns_data); @@ -906,9 +985,9 @@ function tinydns_create_soa_domain_list($dnsserverip) { if($fqdn) { $rtypes = tinydns_get_dns_record_type($dnsrecord); if($rtypes[0] == "SOA") { - $fr = fopen("/etc/dnscache/root/servers/{$fqdn}", "w"); + $fr = fopen("{$g['varetc_path']}/etc/dnscache{$index}/root/servers/{$fqdn}", "w"); if (! $fr) { - printf("Error: cannot open /etc/dnscache/root/servers/{$fqdn} in tinydns_create_soa_domain_list().\n"); + printf("Error: cannot open {$g['varetc_path']}/etc/dnscache{$index}/root/servers/{$fqdn} in tinydns_create_soa_domain_list().\n"); return 1; } if($fqdn)fwrite($fr, $dnsserverip); @@ -921,7 +1000,9 @@ function tinydns_create_soa_domain_list($dnsserverip) { /* This function is not called */ /* At the moment there is no tagging of DNSroute to a WAN port. It needs to be added */ function tinydns_register_forwarding_servers() { - $fr = fopen("/var/etc/resolv.conf", "r"); + global $g; + + $fr = fopen("{$g['varetc_path']}/resolv.conf", "r"); if (! $fr) { printf("Error: cannot open resolv.conf in tinydns_register_forwarding_servers().\n"); return 1; @@ -985,7 +1066,9 @@ EOD; return $rootservers; } -function dnscache_use_root_servers() { +function dnscache_use_root_servers($index = 0) { + global $g; + $rootservers =<<<EOD 198.41.0.4 192.228.79.201 @@ -1003,13 +1086,13 @@ function dnscache_use_root_servers() { EOD; - exec("echo 0 > /etc/dnscache/env/FORWARDONLY"); - if(is_dir("/etc/dnscache/root/servers/")) - exec("rm -R /etc/dnscache/root/servers/"); - exec("mkdir /etc/dnscache/root/servers/"); - $fr = fopen("/etc/dnscache/root/servers/@", "w"); + exec("echo 0 > {$g['varetc_path']}/etc/dnscache{$index}/env/FORWARDONLY"); + if(is_dir("{$g['varetc_path']}/etc/dnscache{$index}/root/servers/")) + exec("/bin/rm -R {$g['varetc_path']}/etc/dnscache{$index}/root/servers/"); + exec("/bin/mkdir -p {$g['varetc_path']}/etc/dnscache{$index}/root/servers/"); + $fr = fopen("{$g['varetc_path']}/etc/dnscache{$index}/root/servers/@", "w"); if (! $fr) { - printf("Error: cannot write to /etc/dnscache/root/servers/@ in dnscache_use_root_servers().\n"); + printf("Error: cannot write to {$g['varetc_path']}/etc/dnscache{$index}/root/servers/@ in dnscache_use_root_servers().\n"); return 1; } fwrite($fr, $rootservers); @@ -1032,4 +1115,4 @@ function tinydns_cleanup_addedit_form_record() { } } -?>
\ No newline at end of file +?> diff --git a/config/tinydns/tinydns.xml b/config/tinydns/tinydns.xml index fc1c3482..1eb5b1eb 100644 --- a/config/tinydns/tinydns.xml +++ b/config/tinydns/tinydns.xml @@ -57,8 +57,14 @@ <url>/tinydns_status.php</url> </menu> <service> - <name>DNS Server</name> + <name>svscan</name> <rcfile>svscan.sh</rcfile> + <executable>svscan</executable> + <description>Daemontools service directory watcher</description> + </service> + <service> + <name>DNS Server</name> + <rcfile>tinydns.sh</rcfile> <executable>tinydns</executable> <description>TinyDNS DNS Server</description> </service> @@ -174,6 +180,14 @@ <type>checkbox</type> </field> <field> + <fielddescr>Interface to listen</fielddescr> + <fieldname>interface</fieldname> + <type>interfaces_selection</type> + <multiple>on</multiple> + <size>4</size> + <required>on</required> + </field> + <field> <fielddescr>Register DHCP static mappings with server</fielddescr> <fieldname>regdhcpstatic</fieldname> <description>Register static DHCP leases with TinyDNS server using the Fully Qualified Domain Name specified in System: General.</description> @@ -281,6 +295,9 @@ tinydns_setup_ping_items(); tinydns_sync_on_changes(); </custom_delete_php_command> + <custom_php_validation_command> + tinydns_validate(); + </custom_php_validation_command> <custom_add_php_command> tinydns_custom_php_changeip_command(); tinydns_custom_php_install_command(); @@ -306,4 +323,4 @@ <custom_php_command_before_form> unset($_POST['temp']); </custom_php_command_before_form> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/tinydns/tinydns_domains.xml b/config/tinydns/tinydns_domains.xml index 33647bac..247227d8 100644 --- a/config/tinydns/tinydns_domains.xml +++ b/config/tinydns/tinydns_domains.xml @@ -232,28 +232,15 @@ } </custom_php_validation_command> <custom_add_php_command> - $dnssync = true; - log_error("Begin tinydns add"); + </custom_add_php_command> + <custom_php_resync_config_command> + log_error("Begin tinydns resync"); tinydns_create_zone_file(); log_error("Zone file done."); tinydns_setup_ping_items(); log_error("Ping items done."); tinydns_sync_on_changes(); log_error("Sync items done."); - </custom_add_php_command> - <custom_php_resync_config_command> - if(!$dnssync) { - log_error("Begin tinydns resync"); - tinydns_create_zone_file(); - log_error("Zone file done."); - tinydns_setup_ping_items(); - log_error("Ping items done."); - tinydns_sync_on_changes(); - log_error("Sync items done."); - } else { - tinydns_create_zone_file(); - tinydns_setup_ping_items(); - } </custom_php_resync_config_command> <custom_php_command_before_form> unset($_POST['temp']); diff --git a/config/vhosts/vhosts.inc b/config/vhosts/vhosts.inc index 3602b40a..9f394fb0 100644 --- a/config/vhosts/vhosts.inc +++ b/config/vhosts/vhosts.inc @@ -136,6 +136,7 @@ function vhosts_sync_package_php() $vhostarray_http[$x]['privatekey'] = ''; $vhostarray_http[$x]['enabled'] = $rowhelper['enabled']; $vhostarray_http[$x]['description'] = $rowhelper['description']; + $server_port = $rowhelper['port']; } $x++; } @@ -267,7 +268,7 @@ function vhosts_sync_package_php() $tmp .= "######### Options that are good to be but not neccesary to be changed #######\n"; $tmp .= "\n"; $tmp .= "## bind to port (default: 80)\n"; - $tmp .= "#server.port = 8001\n"; + $tmp .= "server.port = $server_port\n"; $tmp .= "\n"; $tmp .= "#the regex method isn't working\n"; $tmp .= "#\$HTTP[\"host\"] =~ \"(^|\\.)host01\\.com\$\" {\n"; @@ -321,9 +322,6 @@ function vhosts_sync_package_php() $tmp .= "\$SERVER[\"socket\"] == \"".$ipaddress.":".$port."\" {\n"; } - if (strlen($rowhelper['description']) > 0) { - $tmp .= "# ".$rowhelper['description']." \n\n"; - } $tmp .= " \$HTTP[\"host\"] == \"".$host."\" {\n"; $tmp .= " server.document-root = \"/usr/local/vhosts/".$directory."\"\n"; |
