authorrobiscool <robrob2626@yahoo.com>2009-06-09 10:56:03 -0700
committerrobiscool <robrob2626@yahoo.com>2009-06-09 10:56:03 -0700
commit9897f8deb603c33a57014230825fabf509e4b229 (patch)
treeef0246aa643a55626d7af95b0b572c95a6c41d78 /config/snort
parent6aefeb8d9be1acd1e0cab8c3fde76f7a175740f1 (diff)
Major feature update: added Emergingthreats rules, Alerts Tab logging type full or fast, Send alerts to main OS System logs, Log to a Tcpdump, Log to a mysql database, Log Alerts to a snort unified
Diffstat (limited to 'config/snort')
-rwxr-xr-xconfig/snort/snort.inc39
-rw-r--r--config/snort/snort.xml8
-rw-r--r--config/snort/snort_advanced.xml48
-rw-r--r--config/snort/snort_download_rules.php173
4 files changed, 244 insertions, 24 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index a6cbc605..e7576ceb 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -50,7 +50,7 @@ function sync_package_snort_reinstall()
start_service("snort");
}
-function sync_package_snort()
+function sync_package_snort()
{
global $config, $g;
@@ -141,7 +141,7 @@ function sync_package_snort()
/* TODO; get snort to start under nologin shell */
foreach($snortInterfaces as $snortIf)
{
- $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -A fast -q";
+ $start .= ";sleep 8;snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q";
}
/* if block offenders is checked, start snort2c */
@@ -207,6 +207,7 @@ function snort_deinstall() {
}
function generate_snort_conf() {
+
global $config, $g;
conf_mount_rw();
/* obtain external interface */
@@ -214,7 +215,32 @@ function generate_snort_conf() {
$snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0];
$snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru'];
-
+
+/* define snortalertlogtype */
+$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype'];
+if ($snortalertlogtype == fast)
+ $snortalertlogtype_type = "output alert_fast: alert";
+else
+ $snortalertlogtype_type = "output alert_full: alert";
+
+/* define alertsystemlog */
+$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog'];
+if ($alertsystemlog_info_chk == on)
+ $alertsystemlog_type = "output alert_syslog: log_alert";
+
+/* define tcpdumplog */
+$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog'];
+if ($tcpdumplog_info_chk == on)
+ $tcpdumplog_type = "output log_tcpdump: snorttcpd.log";
+
+/* define snortmysqllog */
+$snortmysqllog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortmysqllog'];
+
+/* define snortunifiedlog */
+$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog'];
+if ($snortunifiedlog_info_chk == on)
+ $snortunifiedlog_type = "output alert_unified: snort.alert, limit 128\noutput log_unified: snort.log, limit 128";
+
/* add auto update scripts to /etc/crontab */
// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php";
// $filenamea = "/etc/crontab";
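Review bot: The comparisons `$snortalertlogtype == fast`, `$alertsystemlog_info_chk == on`, `$tcpdumplog_info_chk == on` and `$snortunifiedlog_info_chk == on` use unquoted barewords, which PHP treats as undefined constants that only fall back to the string value with a notice; write them as `'fast'` and `'on'`. The same bareword `on` appears in the new hunks of snort_download_rules.php (starting at the "download md5 sig from emergingthreats.net" block and the "Check if were up to date emergingthreats.net" block, including the assignment `$snort_md5_check_ok = on;`), so fix those together. `$alertsystemlog_type`, `$tcpdumplog_type` and `$snortunifiedlog_type` are only assigned when their checkbox is set, so they are undefined when it is not and the output block further down interpolates them; initialising each to `''` just before its `if` keeps the generated snort.conf free of undefined-variable notices. generate_snort_conf() starts before this hunk and continues past it.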
@@ -667,8 +693,11 @@ preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, n
#
#####################
-output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
-output alert_unified: filename snort.alert, limit 128
+$snortalertlogtype_type
+$alertsystemlog_type
+$tcpdumplog_type
+$snortmysqllog_info_chk
+$snortunifiedlog_type
#################
#
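Review bot: `$snortmysqllog_info_chk` is the raw text of the "Log to a mysql database" input written verbatim into snort.conf, so any line the administrator types becomes a configuration directive, and the database password in it lands in the file at whatever permissions snort.conf is written with. Accepting the value only when it begins with the documented prefix, e.g. `if (strpos($snortmysqllog_info_chk, 'output database:') !== 0) { $snortmysqllog_info_chk = ''; }` where it is read in generate_snort_conf(), keeps the field from becoming a second config pass-through. The variables interpolated here are assigned earlier in the same file; the string this hunk sits inside starts and ends outside it.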
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 9bccf830..e60a6328 100644
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -47,7 +47,7 @@
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
<version>2.8.4.1</version>
- <title>Services: Snort 2.8.4.1 pkg v. 1.1</title>
+ <title>Services: Snort 2.8.4.1 pkg v. 1.2</title>
<include_file>/usr/local/pkg/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -259,9 +259,9 @@
<type>checkbox</type>
</field>
<field>
- <fielddescr>Snort signature info files.</fielddescr>
- <fieldname>signatureinfo</fieldname>
- <description>15,000 snort alert info summary files. At leats a 1GHz system requierment</description>
+ <fielddescr>Install emergingthreats rules.</fielddescr>
+ <fieldname>emergingthreats</fieldname>
+ <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description>
<type>checkbox</type>
</field>
</fields>
diff --git a/config/snort/snort_advanced.xml b/config/snort/snort_advanced.xml
index 35db6945..227c0ce4 100644
--- a/config/snort/snort_advanced.xml
+++ b/config/snort/snort_advanced.xml
@@ -111,6 +111,54 @@
<cols>40</cols>
<rows>5</rows>
</field>
+ <field>
+ <fielddescr>Snort signature info files.</fielddescr>
+ <fieldname>signatureinfo</fieldname>
+ <description>Snort signature info files will be installed during updates. At leats 500 mb of memory is needed.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Alerts Tab logging type.</fielddescr>
+ <fieldname>snortalertlogtype</fieldname>
+ <description>Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions</description>
+ <type>select</type>
+ <options>
+ <option>
+ <name>fast</name>
+ <value>fast</value>
+ </option>
+ <option>
+ <name>full</name>
+ <value>full</value>
+ </option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Send alerts to main System logs.</fielddescr>
+ <fieldname>alertsystemlog</fieldname>
+ <description>Snort will send Alerts to the Pfsense system logs.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log to a Tcpdump file.</fielddescr>
+ <fieldname>tcpdumplog</fieldname>
+ <description>Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log to a mysql database.</fielddescr>
+ <fieldname>snortmysqllog</fieldname>
+ <description>Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz</description>
+ <type>input</type>
+ <size>101</size>
+ <value></value>
+ </field>
+ <field>
+ <fielddescr>Log Alerts to a snort unified file.</fielddescr>
+ <fieldname>snortunifiedlog</fieldname>
+ <description>Snort will log Alerts to a file in the UNIFIED format.</description>
+ <type>checkbox</type>
+ </field>
</fields>
<custom_php_deinstall_command>
snort_advanced();
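Review bot: The `signatureinfo` checkbox moves from snort.xml into this package, so its value will now be stored under `['installedpackages']['snortadvanced']`, yet snort_download_rules.php still reads `$config['installedpackages']['snort']['config'][0]['signatureinfo']` (context lines in the "Untar snort signatures" and "Copy signatures dir" blocks of this commit), so that read will come back empty after this change. Either read it from `['snortadvanced']` there or leave the field in snort.xml. In those same blocks the value is assigned to `$signature_info_chk` but the following `if` tests `$premium_url_chk`, which predates this commit and looks unintended. The new descriptions also carry typos ("At leats", "you will like see").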
diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php
index e82a0239..240f9ea6 100644
--- a/config/snort/snort_download_rules.php
+++ b/config/snort/snort_download_rules.php
@@ -32,6 +32,8 @@ $tmpfname = "/tmp/snort_rules_up";
$snortdir = "/usr/local/etc/snort";
$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5";
$snort_filename = "snortrules-snapshot-2.8.tar.gz";
+$emergingthreats_filename_md5 = "version.txt";
+$emergingthreats_filename = "emerging.rules.tar.gz";
require_once("guiconfig.inc");
require_once("functions.inc");
@@ -174,7 +176,7 @@ if (file_exists($tmpfname)) {
/* unhide progress bar and lets end this party */
unhide_progress_bar_status();
-/* download md5 sig */
+/* download md5 sig from snort.org */
if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
update_status(gettext("md5 temp file exists..."));
} else {
@@ -188,6 +190,19 @@ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
update_status(gettext("Done. downloading md5"));
}
+/* download md5 sig from emergingthreats.net */
+$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats'];
+if ($emergingthreats_url_chk == on) {
+ update_status(gettext("Downloading md5 file..."));
+ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
+ $image = @file_get_contents("http://www.emergingthreats.net/version.txt");
+// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt");
+ $f = fopen("{$tmpfname}/version.txt", 'w');
+ fwrite($f, $image);
+ fclose($f);
+ update_status(gettext("Done. downloading md5"));
+}
+
/* Time stamps define */
$last_md5_download = $config['installedpackages']['snort']['last_md5_download'];
$last_rules_install = $config['installedpackages']['snort']['last_rules_install'];
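Review bot: Neither the `@file_get_contents(...)` result nor the `fopen(...)` handle is checked in the new emergingthreats block: a failed fetch returns false and is written out as an empty file, which the later zero-size check catches, but a failed fopen leaves `$f` false and fwrite/fclose then operate on a non-resource. A guard such as `if ($image === false || ($f = fopen("{$tmpfname}/version.txt", 'w')) === false) { update_status(gettext("Error fetching emergingthreats version file.")); exit(0); }` covers both. Note also that version.txt is a version marker rather than an md5 of the archive, so the name `$emergingthreats_filename_md5` and the "Downloading md5 file..." messages are misleading.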
@@ -204,7 +219,22 @@ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){
exit(0);
}
-/* Check if were up to date */
+/* If emergingthreats md5 file is empty wait 15min exit */
+$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats'];
+if ($emergingthreats_url_chk == on) {
+if (0 == filesize("{$tmpfname}/version.txt")){
+ update_status(gettext("There was an error getting emergingthreats md5."));
+ update_output_window(gettext("There was an error getting emergingthreats md5."));
+ hide_progress_bar_status();
+ /* Display last time of sucsessful md5 check from cache */
+// echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n";
+// echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n";
+ echo "\n\n</body>\n</html>\n";
+ exit(0);
+ }
+}
+
+/* Check if were up to date snort.org */
if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){
$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`;
@@ -222,25 +252,92 @@ if ($md5_check_new == $md5_check_old) {
echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n";
// echo "P is this code {$premium_subscriber}";
echo "\n\n</body>\n</html>\n";
- exit(0);
+ $snort_md5_check_ok = on;
}
}
+/* Check if were up to date emergingthreats.net */
+$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats'];
+if ($emergingthreats_url_chk == on) {
+if (file_exists("{$snortdir}/version.txt")){
+$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt");
+$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`;
+$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt");
+$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`;
+/* Write out time of last sucsessful md5 to cache */
+$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A");
+write_config();
+if ($emerg_md5_check_new == $emerg_md5_check_old) {
+ update_status(gettext("Your emergingthreats rules are up to date..."));
+ update_output_window(gettext("You may start Snort now, check update."));
+ hide_progress_bar_status();
+ $emerg_md5_check_chk_ok = on;
+ /* Timestamps to html */
+// echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n";
+// echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n";
+ }
+ }
+}
+
+/* Make Clean Snort Directory emergingthreats not checked */
+if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) {
+ update_status(gettext("Cleaning the snort Directory..."));
+ update_output_window(gettext("removing..."));
+ exec("/bin/rm -r {$snortdir}/rules/emerging*");
+ exec("/bin/rm -r {$snortdir}/version.txt");
+ update_status(gettext("Done making snort direcory."));
+}
+
+/* Check if were up to date exits */
+if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on) {
+ update_status(gettext("Your rules are up to date..."));
+ update_output_window(gettext("You may start Snort now..."));
+ exit(0);
+}
+
+if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) {
+ update_status(gettext("Your rules are up to date..."));
+ update_output_window(gettext("You may start Snort now..."));
+ exit(0);
+}
+
/* "You are Not Up to date */;
update_status(gettext("You are NOT up to date..."));
+ update_output_window(gettext("Stoping Snort service..."));
+stop_service("snort");
+sleep(2);
+// start_service("snort");
/* download snortrules file */
+if ($snort_md5_check_ok != on) {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
update_status(gettext("Snortrule tar file exists..."));
} else {
+ unhide_progress_bar_status();
update_status(gettext("There is a new set of Snort rules posted. Downloading..."));
update_output_window(gettext("May take 4 to 10 min..."));
-// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware");
- download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware");
+// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware");
+ download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware");
update_all_status($static_output);
update_status(gettext("Done downloading rules file."));
+ }
}
+/* download emergingthreats rules file */
+if ($emergingthreats_url_chk == on) {
+if ($emerg_md5_check_chk_ok != on) {
+if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
+ update_status(gettext("Emergingthreats tar file exists..."));
+} else {
+ update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading..."));
+ update_output_window(gettext("May take 4 to 10 min..."));
+// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware");
+ download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware");
+ update_all_status($static_output);
+ update_status(gettext("Done downloading Emergingthreats rules file."));
+ }
+ }
+ }
/* Compair md5 sig to file sig */
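Review bot: The contents of the just-downloaded version.txt (`$emerg_md5_check_new_parse`) and of the cached copy (`$emerg_md5_check_old_parse`) are interpolated unescaped into a shell command via backticks, so whatever the remote server, or anyone able to alter the plain-http response, returns is handed to the shell; take the first whitespace-separated field in PHP instead, `$emerg_md5_check_new = strtok($emerg_md5_check_new_parse, " \t\r\n");` and likewise `$emerg_md5_check_old = strtok($emerg_md5_check_old_parse, " \t\r\n");`. The same pattern exists for the snort.org md5 file in the context lines above and predates this commit. Separately, emerging.rules.tar.gz is fetched over http and, unlike the snort.org archive that the "Compair md5 sig to file sig" section below checks, is never verified against any digest before it is extracted and copied into the rules directory; version.txt only signals that something changed. Also, `stop_service("snort")` now runs once an update is needed but the `start_service("snort")` that would follow it is left commented out, so snort stays stopped when the script finishes unless it is restarted elsewhere.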
@@ -271,7 +368,8 @@ if (file_exists("{$tmpfname}/{$snort_filename}")) {
//}
/* Untar snort rules file individually to help people with low system specs */
-if (file_exists("{$tmpfname}/$snort_filename")) {
+if ($snort_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/{$snort_filename}")) {
update_status(gettext("Extracting rules..."));
update_output_window(gettext("May take a while..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} rules/");
@@ -296,46 +394,70 @@ if (file_exists("{$tmpfname}/$snort_filename")) {
update_status(gettext("The Download rules file missing..."));
update_output_window(gettext("Error rules extracting failed..."));
exit(0);
+ }
+}
+
+/* Untar emergingthreats rules to tmp */
+if ($emergingthreats_url_chk == on) {
+if ($emerg_md5_check_chk_ok != on) {
+if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
+ update_status(gettext("Extracting rules..."));
+ update_output_window(gettext("May take a while..."));
+ exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname} rules/");
+ }
+ }
}
+/* Untar snort signatures */
+if ($snort_md5_check_ok != on) {
+if (file_exists("{$tmpfname}/{$snort_filename}")) {
$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo'];
if ($premium_url_chk == on) {
update_status(gettext("Extracting Signatures..."));
update_output_window(gettext("May take a while..."));
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} doc/signatures/");
update_status(gettext("Done extracting Signatures."));
+ }
+ }
}
-/* Making Cleaning Snort Directory */
-if (file_exists("{$snortdir}")) {
+/* Make Clean Snort Directory */
+if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on) {
+if (file_exists("{$snortdir}/rules")) {
update_status(gettext("Cleaning the snort Directory..."));
update_output_window(gettext("removing..."));
exec("/bin/rm -r {$snortdir}/*");
- exec("/bin/rm -r /usr/local/lib/snort/dynamicrules/*");
+ exec("/bin/rm -r {$snortdir}/rules/*");
+ exec("/bin/rm -r /usr/local/lib/snort/dynamicrules/*");
} else {
update_status(gettext("Making Snort Directory..."));
update_output_window(gettext("should be fast..."));
exec("/bin/mkdir {$snortdir}");
+ exec("/bin/mkdir {$snortdir}/rules");
exec("/bin/rm -r /usr/local/lib/snort/dynamicrules/*");
update_status(gettext("Done making snort direcory."));
+ }
}
-/* Copy rules dir to snort dir */
+/* Copy snort rules and emergingthreats dir to snort dir */
+if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on) {
if (file_exists("{$tmpfname}/rules")) {
update_status(gettext("Copying rules..."));
update_output_window(gettext("May take a while..."));
- exec("/bin/mv -f {$tmpfname}/rules {$snortdir}/rules");
+ exec("/bin/cp {$tmpfname}/rules/* {$snortdir}/rules");
update_status(gettext("Done copping rules."));
/* Write out time of last sucsessful rule install catch */
$config['installedpackages']['snort']['last_rules_install'] = date("Y-M-jS-h:i-A");
write_config();
} else {
update_status(gettext("Directory rules does not exists..."));
- update_output_window(gettext("Error copping rules direcory..."));
+ update_output_window(gettext("Error copying rules direcory..."));
exit(0);
+ }
}
/* Copy md5 sig to snort dir */
+if ($snort_md5_check_ok != on) {
if (file_exists("{$tmpfname}/$snort_filename_md5")) {
update_status(gettext("Copying md5 sig to snort directory..."));
exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5");
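Review bot: `exec("/bin/rm -r {$snortdir}/*")` already removes everything under the snort directory, so the added `exec("/bin/rm -r {$snortdir}/rules/*")` on the next line does nothing; drop one of them. Because the clean-up now runs only when both rule sources are stale (`&&`) while the copy runs when either is (`||`), a partial update copies new files over whatever the rules directory already holds, so rule files renamed or dropped upstream are left behind — presumably acceptable, but worth a comment at the copy block such as `/* partial update: stale files from the unchanged source are kept */`. The `if ($snort_md5_check_ok != on)` opened at the end of this hunk closes outside it.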
@@ -343,9 +465,25 @@ if (file_exists("{$tmpfname}/$snort_filename_md5")) {
update_status(gettext("The md5 file does not exist..."));
update_output_window(gettext("Error copping config..."));
exit(0);
+ }
+}
+
+/* Copy emergingthreats md5 sig to snort dir */
+if ($emergingthreats_url_chk == on) {
+if ($emerg_md5_check_chk_ok != on) {
+if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) {
+ update_status(gettext("Copying md5 sig to snort directory..."));
+ exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5");
+} else {
+ update_status(gettext("The emergingthreats md5 file does not exist..."));
+ update_output_window(gettext("Error copping config..."));
+ exit(0);
+ }
+ }
}
/* Copy configs to snort dir */
+if ($snort_md5_check_ok != on) {
if (file_exists("{$tmpfname}/etc/Makefile.am")) {
update_status(gettext("Copying configs to snort directory..."));
exec("/bin/cp {$tmpfname}/etc/* {$snortdir}");
@@ -353,9 +491,11 @@ if (file_exists("{$tmpfname}/etc/Makefile.am")) {
update_status(gettext("The snort configs does not exist..."));
update_output_window(gettext("Error copping config..."));
exit(0);
+ }
}
/* Copy signatures dir to snort dir */
+if ($snort_md5_check_ok != on) {
$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo'];
if ($premium_url_chk == on) {
if (file_exists("{$tmpfname}/doc/signatures")) {
@@ -368,9 +508,11 @@ if (file_exists("{$tmpfname}/doc/signatures")) {
update_output_window(gettext("Error copping signature..."));
exit(0);
}
+ }
}
-
+
/* Copy so_rules dir to snort lib dir */
+if ($snort_md5_check_ok != on) {
if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) {
update_status(gettext("Copying so_rules..."));
update_output_window(gettext("May take a while..."));
@@ -394,12 +536,13 @@ if (file_exists("{$tmpfname}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) {
update_status(gettext("Directory so_rules does not exist..."));
update_output_window(gettext("Error copping so_rules..."));
exit(0);
+ }
}
/* php code finish */
-update_status(gettext("Rules update finished..."));
-update_output_window(gettext("You may start Snort now finnal."));
+update_status(gettext("The Rules update finished..."));
+update_output_window(gettext("Please reboot Pfsense before starting Snort..."));
/* hide progress bar and lets end this party */
hide_progress_bar_status();