-rwxr-xr-x | config/snort/snort.inc | 116 | ||||
-rwxr-xr-x | config/snort/snort_alerts.php | 112 | ||||
-rw-r--r-- | config/snort/snort_blocked.php | 21 | ||||
-rwxr-xr-x | config/snort/snort_check_for_rule_updates.php | 2 | ||||
-rw-r--r-- | config/snort/snort_migrate_config.php | 38 | ||||
-rw-r--r-- | config/snort/snort_post_install.php | 43 | ||||
-rwxr-xr-x | config/snort/snort_rules.php | 320 | ||||
-rwxr-xr-x | config/snort/snort_rules_edit.php | 7 |
8 files changed, 452 insertions, 207 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 52aaed2a..d983d995 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -5,7 +5,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009-2010 Robert Zelaya * Copyright (C) 2011-2012 Ermal Luci - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013,2014 Bill Meeks * part of pfSense * All rights reserved. * @@ -1739,34 +1739,32 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { } } -function snort_load_sid_mods($sids, $value) { +function snort_load_sid_mods($sids) { /*****************************************/ /* This function parses the string of */ - /* SID values in $sids and returns an */ - /* array with the SID as the key and */ - /* value. The SID values in $sids are */ + /* GID:SID values in $sids and returns */ + /* an array with the GID and SID as the */ + /* keys. The values in $sids are */ /* assumed to be delimited by "||". */ /* */ - /* $sids ==> string of SID values from */ - /* saved config file. */ + /* $sids ==> string of GID:SID values */ + /* from the config file. */ /* */ - /* $value ==> type of mod (enable or */ - /* disable). Not currently */ - /* utilized, but maintained */ - /* so as not to break legacy */ - /* code elsewhere. */ + /* Returns ==> a multidimensional array */ + /* with GID and SID as the */ + /* keys ($result[GID][SID]) */ /*****************************************/ $result = array(); - if (empty($sids) || empty($value)) + if (empty($sids)) return $result; $tmp = explode("||", $sids); foreach ($tmp as $v) { - if (preg_match('/\s\d+/', $v, $match)) { - if (!is_array($result[trim($match[0])])) - $result[trim($match[0])] = array(); - $result[trim($match[0])] = trim($match[0]); + if (preg_match('/(\d+)\s*:\s*(\d+)/', $v, $match)) { + if (!is_array($result[$match[1]])) + $result[$match[1]] = array(); + $result[$match[1]][$match[2]] = "{$match[1]}:{$match[2]}"; } } unset($tmp); 
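Review bot: `if (!is_array($result[$match[1]]))` reads `$result[$match[1]]` before it exists for each GID seen for the first time, which raises an undefined-index notice on every such token; `if (!isset($result[$match[1]])) $result[$match[1]] = array();` avoids the read and does the same job. The pattern `/(\d+)\s*:\s*(\d+)/` is unanchored, so a malformed token such as `1.5:2.5` still matches on its `5:2` fragment and is stored as GID 5 / SID 2 instead of being skipped; anchoring it as `/^\s*(\d+)\s*:\s*(\d+)\s*$/` would reject such tokens. The header comment could also state that tokens with no `digits:digits` pair are silently dropped from the result.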
@@ -1791,15 +1789,15 @@ function snort_modify_sids(&$rule_map, $snortcfg) { /* Load up our enablesid and disablesid */ /* arrays with lists of modified SIDs */ - $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on'], "enablesid"); - $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off'], "disablesid"); + $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on']); + $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off']); /* Turn on any rules that need to be */ /* forced "on" with enablesid mods. */ if (!empty($enablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $enablesid) && $v['disabled'] == 1) { + if (isset($enablesid[$k1][$k2]) && $v['disabled'] == 1) { $rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#"); $rule_map[$k1][$k2]['disabled'] = 0; } @@ -1812,7 +1810,7 @@ function snort_modify_sids(&$rule_map, $snortcfg) { if (!empty($disablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $disablesid) && $v['disabled'] == 0) { + if (isset($disablesid[$k1][$k2]) && $v['disabled'] == 0) { $rule_map[$k1][$k2]['rule'] = "# " . $v['rule']; $rule_map[$k1][$k2]['disabled'] = 1; } @@ -2209,12 +2207,13 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* to be written. */ /***********************************************************/ - global $rebuild_rules; + global $g, $rebuild_rules; $snortdir = SNORTDIR; $flowbit_rules_file = FLOWBITS_FILENAME; $snort_enforcing_rules_file = ENFORCING_RULES_FILENAME; $no_rules_defined = true; + $enabled_rules = array(); /* If there is no reason to rebuild the rules, exit to save time. */ if (!$rebuild_rules) 
@@ -2223,14 +2222,37 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Log a message for rules rebuild in progress */ log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + /* Enable all, some or none of the SDF rules depending on setting. */ + if ($snortcfg['sensitive_data'] == 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")) { + $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; + $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); + $sd_tmp_new_file=""; + foreach ($sd_tmp_file as $sd_tmp_line) + $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; + file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); + } + } + elseif ($snortcfg['sensitive_data'] != 'on' && $snortcfg['protect_preproc_rules'] != 'on') { + /* Setting is "off", so disable all SDF rules. */ + $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; + @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/sensitive-data.rules"); + @unlink("{$g['tmp_path']}/sedcmd"); + } + + /* Load the decoder, preprocessor and sensitive-data */ + /* rules from the interface's preproc_rule directory */ + /* into the $enabled_rules array. */ + $enabled_rules = snort_load_rules_map("{$snortcfgdir}/preproc_rules/"); + /* Only rebuild rules if some are selected or an IPS Policy is enabled */ if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { - $enabled_rules = array(); $enabled_files = array(); $all_rules = array(); $no_rules_defined = false; - /* Load up all the rules into a Rules Map array. */ + /* Load up all the text rules into a Rules Map array. 
*/ $all_rules = snort_load_rules_map("{$snortdir}/rules/"); /* Create an array with the filenames of the enabled */ @@ -2320,7 +2342,8 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); } else { - snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); + /* No regular rules or policy were selected, so just use the decoder and preproc rules */ + snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); } @@ -2333,7 +2356,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Log a warning if the interface has no rules defined or enabled */ if ($no_rules_defined) - log_error(gettext("[Snort] Warning - no text rules selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); /* Build a new sid-msg.map file from the enabled */ /* rules and copy it to the interface directory. */ 
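Review bot: `$sdf_alert_pattern` is built from `$snortcfg['sdf_alert_data_type']` by swapping commas for `|` with no `preg_quote()`, so an empty setting would yield `()` which matches every line (all SDF rules kept), and a value containing a regex metacharacter makes `preg_match()` return false, which the ternary treats as "drop", leaving the interface's sensitive-data.rules empty. Building the alternation from quoted, trimmed pieces (`implode('|', array_map(function ($t) { return preg_quote(trim($t), '/'); }, explode(',', $snortcfg['sdf_alert_data_type'])))`) and skipping the filter when that list is empty would cover both cases. The `elseif` branch also runs `sed` over `{$snortcfgdir}/preproc_rules/sensitive-data.rules` without the `file_exists()` guard the first branch has. snort_prepare_rule_files() starts before this hunk.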
@@ -3219,43 +3242,9 @@ EOD; $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { - $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; - if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; - #enable only selected sensitive data - if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ - $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; - $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); - $sd_tmp_new_file=""; - foreach ($sd_tmp_file as $sd_tmp_line) - $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; - file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); - } - } - } else - $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; - if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { - @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); - @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { - $snort_misc_include_rules .= "include 
\$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } - else { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); - } - } else { + if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); } /* generate rule sections to load */ @@ -3673,9 +3662,8 @@ EOD; ipvar HOME_NET [{$home_net}] ipvar EXTERNAL_NET [{$external_net}] -# Define Rule Paths # +# Define Rule Path # var RULE_PATH {$snortcfgdir}/rules -var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Servers # {$ipvardef} diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index f232f897..804c6e8a 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -7,6 +7,7 @@ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2012 Ermal Luci + * Copyright (C) 2013,2014 Bill Meeks * All rights reserved. * * Modified for the Pfsense snort package v. 1.8+ 
@@ -141,6 +142,14 @@ $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_uuid = $a_instance[$instanceid]['uuid']; $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); +// Load up the arrays of force-enabled and force-disabled SIDs +$enablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_on']); +$disablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_off']); + +// Grab pfSense version so we can refer to it later on this page +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); + +$pconfig = array(); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; 
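Review bot: `$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);` has no check on the `file_get_contents()` result, so an unreadable file makes `$pfs_version` the empty string and the later `$pfs_version > 2.0` test silently falls through to the plain-link path; `version_compare()` on the trimmed file content against `'2.1'` would also avoid depending on the first three characters of the string. The identical three lines are added to snort_blocked.php in this same commit, so a small helper in snort.inc (say `snort_get_pfsense_version()`) would keep the two pages in step. Spaces either side of `=` would match the rest of the file.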
@@ -215,6 +224,64 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } +if ($_GET['act'] == "togglesid" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + // Get the GID tag embedded in the clicked rule icon. + $gid = $_GET['gen_id']; + + // Get the SID tag embedded in the clicked rule icon. + $sid= $_GET['sidid']; + + // See if the target SID is in our list of modified SIDs, + // and toggle it if present. + if (isset($enablesid[$gid][$sid])) + unset($enablesid[$gid][$sid]); + if (isset($disablesid[$gid][$sid])) + unset($disablesid[$gid][$sid]); + elseif (!isset($disablesid[$gid][$sid])) + $disablesid[$gid][$sid] = "disablesid"; + + // Write the updated enablesid and disablesid values to the config file. + $tmp = ""; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_on'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_on']); + + $tmp = ""; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_off'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_off']); + + /* Update the config.xml file. */ + write_config(); + + /*************************************************/ + /* Update the snort.conf file and rebuild the */ + /* rules for this interface. 
*/ + /*************************************************/ + $rebuild_rules = true; + snort_generate_conf($a_instance[$instanceid]); + $rebuild_rules = false; + + /* Soft-restart Snort to live-load the new rules */ + snort_reload_config($a_instance[$instanceid]); + + $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Snort is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules."); +} + if ($_GET['action'] == "clear" || $_POST['delete']) { snort_post_delete_logs($snort_uuid); $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+"); @@ -264,16 +331,14 @@ include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - +<script src="/javascript/filter_log.js" type="text/javascript"></script> <?php include_once("fbegin.inc"); /* refresh every 60 secs */ if ($pconfig['arefresh'] == 'on') echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php?instance={$instanceid}\" />\n"; -?> - -<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} +if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} /* Display Alert message */ if ($input_errors) { print_input_errors($input_errors); // TODO: add checks 
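Review bot: `is_numeric()` on `sidid` and `gen_id` also accepts `"1.5"`, `"1e3"` and values with leading whitespace, and the accepted strings are written verbatim into `rule_sid_off` as `"{$k1}:{$k2}"`, where `snort_load_sid_mods()`'s unanchored `(\d+)\s*:\s*(\d+)` would later read a token like `1.5:2.5` as GID 5 / SID 2; `ctype_digit($_GET['sidid']) && ctype_digit($_GET['gen_id'])` restricts both to plain integers. The `elseif (!isset($disablesid[$gid][$sid]))` that follows `if (isset($disablesid[$gid][$sid]))` is always true when reached, so a plain `else` says the same thing. Like the existing `todelete` and `addsuppress_*` actions, this handler rewrites the config and reloads Snort from a GET link; if the page's CSRF protection only covers POST submissions, moving the toggle to a POST form would be the safer shape. `$savemsg` wraps an interpolated `{$gid}:{$sid}` inside `gettext()`, which defeats translation lookup; `sprintf(gettext("The state for rule %s:%s has been modified. ..."), $gid, $sid)` keeps the message key constant.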
@@ -403,10 +468,17 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); - /* Add Reverse DNS lookup icon */ - $alert_ip_src .= "<br/><a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>"; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_src .= "<br/>"; + if ($pfs_version > 2.0) { + $alert_ip_src .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[6]}&dialog_output=true', outputrule);\">"; + $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + } + $alert_ip_src .= "<a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>"; $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; + /* Add icons for auto-adding to Suppress List if appropriate */ if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && !isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { 
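Review bot: `$fields[6]` is placed unencoded into both the `href` and the single-quoted JavaScript string inside `onclick`, while the `todelete` link later in this hunk passes the same value through `trim(urlencode($fields[6]))`; a `$host = urlencode($fields[6]);` computed once and used in all three links would keep the page consistent and stop a stray quote or `&` in the parsed log field from breaking the markup. The same applies to `$fields[8]` in the @@ -430 hunk below and to `$blocked_ip` in snort_blocked.php's @@ -260 hunk. The `javascript:` prefix inside `onclick` is only a label in that position and can be dropped. The version-gated pop-up link and the plain link are repeated almost verbatim for source and destination; a small formatting helper taking the address and `$instanceid` would remove the duplication.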
@@ -421,7 +493,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[6]])) { $alert_ip_src .= " "; - $alert_ip_src .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> + $alert_ip_src .= "<a href='?instance={$instanceid}&todelete=" . trim(urlencode($fields[6])) . "'> <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; } /* IP SRC Port */ @@ -430,8 +502,14 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); - /* Add Reverse DNS lookup icon */ - $alert_ip_dst .= "<br/><a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>"; + /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */ + $alert_ip_dst .= "<br/>"; + if ($pfs_version > 2.0) { + $alert_ip_dst .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[8]}&dialog_output=true', outputrule);\">"; + $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + } + $alert_ip_dst .= "<a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>"; $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; /* Add icons for auto-adding to Suppress List if appropriate */ 
@@ -448,7 +526,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[8]])) { $alert_ip_dst .= " "; - $alert_ip_dst .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> + $alert_ip_dst .= "<a href='?instance={$instanceid}&todelete=" . trim(urlencode($fields[8])) . "'> <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; } /* IP DST Port */ @@ -464,6 +542,18 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; $sidsupplink .= "title='" . gettext("This alert is already in the Suppress List") . "'/>"; } + /* Add icon for toggling rule state */ + if (isset($disablesid[$fields[1]][$fields[2]])) { + $sid_dsbl_link = "<a href='?instance={$instanceid}&act=togglesid&sidid={$fields[2]}&gen_id={$fields[1]}'>"; + $sid_dsbl_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_block_d.gif' width='11' height='11' border='0' "; + $sid_dsbl_link .= "title='" . gettext("Rule is forced to a disabled state. Click to remove the force-disable action.") . "'></a>"; + } + else { + $sid_dsbl_link = "<a href='?instance={$instanceid}&act=togglesid&sidid={$fields[2]}&gen_id={$fields[1]}'>"; + $sid_dsbl_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_block.gif' width='11' height='11' border='0' "; + $sid_dsbl_link .= "title='" . gettext("Click to force-disable rule and remove from current rules set.") . "'></a>"; + } + /* DESCRIPTION */ $alert_class = $fields[11]; echo "<tr> 
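Review bot: Both branches of the new rule-state block emit the same `<a href='?instance={$instanceid}&act=togglesid&sidid={$fields[2]}&gen_id={$fields[1]}'>` line and differ only in the icon file and title; building the anchor once before the `if` and selecting `$icon`/`$title` via the condition removes the duplicated line. The `&` separators in that `href` are written raw inside an HTML attribute, as the surrounding links already do, so this is consistent, but `&amp;` would be the well-formed form.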
@@ -475,7 +565,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { <td class='listr' align='center'>{$alert_src_p}</td> <td class='listr' align='center'>{$alert_ip_dst}</td> <td class='listr' align='center'>{$alert_dst_p}</td> - <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink}</td> + <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink} {$sid_dsbl_link}</td> <td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td> </tr>\n"; diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 8d106a90..4fc470d3 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -7,6 +7,7 @@ * * Modified for the Pfsense snort package v. 1.8+ * Copyright (C) 2009 Robert Zelaya Sr. Developer + * Copyright (C) 2014 Bill Meeks * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: @@ -33,6 +34,9 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +// Grab pfSense version so we can refer to it later on this page +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); + if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $config['installedpackages']['snortglobal']['alertsblocks'] = array(); @@ -127,6 +131,7 @@ include_once("head.inc"); ?> <body link="#000000" vlink="#000000" alink="#000000"> +<script src="/javascript/filter_log.js" type="text/javascript"></script> <?php 
@@ -260,19 +265,25 @@ if ($pconfig['brefresh'] == 'on') /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $tmp_ip = str_replace(":", ":​", $blocked_ip); - + /* Add reverse DNS lookup icons (two different links if pfSense version supports them) */ + $rdns_link = ""; + if ($pfs_version > 2.0) { + $rdns_link .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$blocked_ip}&dialog_output=true', outputrule);\">"; + $rdns_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + $rdns_link .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + } + $rdns_link .= "<a href='/diag_dns.php?host={$blocked_ip}'>"; + $rdns_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; + $rdns_link .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; /* use one echo to do the magic*/ echo "<tr> <td align=\"center\" valign=\"middle\" class=\"listr\">{$counter}</td> - <td valign=\"middle\" class=\"listr\">{$tmp_ip} <a href='/diag_dns.php?host={$blocked_ip}'> - <img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' - title='" . gettext("Resolve host via reverse DNS lookup") . "'></a></td> + <td align=\"center\" valign=\"middle\" class=\"listr\">{$tmp_ip}<br/>{$rdns_link}</td> <td valign=\"middle\" class=\"listr\">{$blocked_desc}</td> <td align=\"center\" valign=\"middle\" class=\"listr\"><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> <img title=\"" . gettext("Delete host from Blocked Table") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete host from Blocked Table\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> </tr>\n"; } - } ?> </tbody> 
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 807b7844..0306c90d 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -34,7 +34,7 @@ require_once("functions.inc"); require_once("service-utils.inc"); require_once "/usr/local/pkg/snort/snort.inc"; -global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; +global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules; if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php index 61989e99..1a812b24 100644 --- a/config/snort/snort_migrate_config.php +++ b/config/snort/snort_migrate_config.php @@ -1,8 +1,8 @@ <?php /* - * snort_migrate_config.inc + * snort_migrate_config.php * - * Copyright (C) 2013 Bill Meeks + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -288,6 +288,40 @@ foreach ($rule as &$r) { } } + // Change any ENABLE_SID settings to new format of GID:SID + if (!empty($pconfig['rule_sid_on'])) { + $tmp = explode("||", $pconfig['rule_sid_on']); + $new_tmp = ""; + foreach ($tmp as $v) { + if (strpos($v, ":") === false) { + if (preg_match('/(\d+)/', $v, $match)) + $new_tmp .= "1:{$match[1]}||"; + } + } + $new_tmp = rtrim($new_tmp, " ||"); + if (!empty($new_tmp)) { + $pconfig['rule_sid_on'] = $new_tmp; + $updated_cfg = true; + } + } + + // Change any DISABLE_SID settings to new format of GID:SID + if (!empty($pconfig['rule_sid_off'])) { + $tmp = explode("||", $pconfig['rule_sid_off']); + $new_tmp = ""; + foreach ($tmp as $v) { + if (strpos($v, ":") === false) { + if (preg_match('/(\d+)/', $v, $match)) + $new_tmp .= "1:{$match[1]}||"; + } + } + $new_tmp = rtrim($new_tmp, " ||"); + if (!empty($new_tmp)) { + $pconfig['rule_sid_off'] = $new_tmp; + $updated_cfg = true; + } + } + // Save the new configuration data into the $config array pointer $r = $pconfig; } diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php index 003628be..a3c8eced 100644 --- a/config/snort/snort_post_install.php +++ b/config/snort/snort_post_install.php 
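Review bot: Inside both loops only tokens without a colon are appended to `$new_tmp`, so a list that already holds a migrated `GID:SID` token next to legacy ones loses the migrated token when `$new_tmp` is written back (a fully migrated list survives only because `$new_tmp` stays empty and the assignment is skipped). Adding `else $new_tmp .= "{$v}||";` after the `strpos()` check in both blocks keeps every entry. The two blocks are identical apart from the key name, so a small closure applied to `rule_sid_on` and `rule_sid_off` would halve the code, and the leading comment could note that the legacy format carried no GID and is assigned GID 1. The enclosing `foreach ($rule as &$r)` starts before this hunk.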
@@ -793,43 +793,9 @@ EOD; $snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n"; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; - if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { - $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; - if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){ - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; - #enable only selected sensitive data - if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){ - $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")"; - $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules"); - $sd_tmp_new_file=""; - foreach ($sd_tmp_file as $sd_tmp_line) - $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : ""; - file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX); - } - } - } else - $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; - if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { - @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); - mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); - @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { - $snort_misc_include_rules .= "include 
\$PREPROC_RULE_PATH/decoder.rules\n"; - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } - else { - $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); - } - } else { + if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; - log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); + log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file."); } /* generate rule sections to load */ @@ -1249,7 +1215,6 @@ ipvar EXTERNAL_NET [{$external_net}] # Define Rule Paths # var RULE_PATH {$snortcfgdir}/rules -var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules # Define Servers # {$ipvardef} 
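Review bot: The snort.conf template here keeps `# Define Rule Paths #` after dropping `var PREPROC_RULE_PATH`, while the same edit in snort.inc (@@ -3673) renames that comment to `# Define Rule Path #`; changing it to `# Define Rule Path #` keeps the two copies of the template identical. The preproc/decoder block in the @@ -793 hunk is likewise a verbatim copy of the one in snort.inc, and this commit had to remove the same block from each file; having snort_post_install.php call the generator in snort.inc rather than carrying its own copy would prevent the next divergence. The enclosing function starts before this hunk.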
@@ -1403,13 +1368,13 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); /* Do one-time settings migration for new multi-engine configurations */ update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration...")); - include "/usr/local/pkg/snort/snort_migrate_config.php"; + include('/usr/local/pkg/snort/snort_migrate_config.php'); update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); log_error(gettext("[Snort] Downloading and updating configured rule types...")); update_output_window(gettext("Please wait... downloading and updating configured rule types...")); if ($pkg_interface <> "console") $snort_gui_include = true; - include "/usr/local/pkg/snort/snort_check_for_rule_updates.php"; + include('/usr/local/pkg/snort/snort_check_for_rule_updates.php'); update_status(gettext("Generating snort.conf configuration file from saved settings...")); $rebuild_rules = true; diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index a82d81d2..71fdbd16 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -5,6 +5,7 @@ * Copyright (C) 2004, 2005 Scott Ullrich * Copyright (C) 2008, 2009 Robert Zelaya * Copyright (C) 2011 Ermal Luci + * Copyright (C) 2013, 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -29,7 +30,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); @@ -51,7 +51,6 @@ if (is_null($id)) { } if (isset($id) && $a_rule[$id]) { - $pconfig['enable'] = $a_rule[$id]['enable']; $pconfig['interface'] = $a_rule[$id]['interface']; $pconfig['rulesets'] = $a_rule[$id]['rulesets']; if (!empty($a_rule[$id]['customrules'])) 
@@ -109,8 +108,20 @@ $snort_uuid = $a_rule[$id]['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$etprodownload = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $categories = explode("||", $pconfig['rulesets']); +// add the standard rules files to the categories list +$categories[] = "custom.rules"; +$categories[] = "decoder.rules"; +$categories[] = "preprocessor.rules"; +$categories[] = "sensitive-data.rules"; +if (!empty($a_rule[$id]['ips_policy'])) + $categories[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); +if ($a_rule[$id]['autoflowbitrules'] == 'on') + $categories[] = "Auto-Flowbit Rules"; +natcasesort($categories); + if ($_GET['openruleset']) $currentruleset = $_GET['openruleset']; else if ($_POST['openruleset']) @@ -118,13 +129,6 @@ else if ($_POST['openruleset']) else $currentruleset = $categories[0]; -if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) { - if (!empty($a_rule[$id]['ips_policy'])) - $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); - else - $currentruleset = "custom.rules"; -} - /* One last sanity check -- if the rules directory is empty, default to loading custom rules */ $tmp = glob("{$snortdir}/rules/*.rules"); if (empty($tmp)) 
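Review bot: `natcasesort()` preserves keys and `explode("||", "")` returns a single empty string, so the `$categories[0]` used as the default `$currentruleset` below is still the first element of the unsorted explode — and is `""` when no rule sets are saved, the case the `empty($categories[0])` block removed in @@ -118 used to handle. Dropping empty entries before the standard files are appended (`$categories = array_filter($categories, 'strlen');`) and re-indexing after sorting (`natcasesort($categories); $categories = array_values($categories);`) makes `$categories[0]` the first name in sorted order. `$etprodownload` is assigned here but not used within this hunk; if nothing further down reads it, it is a dead assignment.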
@@ -136,58 +140,66 @@ if ($currentruleset != 'custom.rules') {
 // Read the current rules file into our rules map array.
 // If it is the auto-flowbits file, set the full path.
 if ($currentruleset == "Auto-Flowbit Rules")
- $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME;
+ $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME);
 // Test for the special case of an IPS Policy file.
- if (substr($currentruleset, 0, 10) == "IPS Policy")
+ elseif (substr($currentruleset, 0, 10) == "IPS Policy")
 $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']);
- elseif (!file_exists($rulefile))
- $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.");
- else
+ // Test for preproc_rules file and set the full path.
+ elseif (file_exists("{$snortdir}/preproc_rules/{$currentruleset}"))
+ $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$currentruleset}");
+ // Test for existence of regular text rules file and load it.
+ elseif (file_exists($rulefile))
 $rules_map = snort_load_rules_map($rulefile);
+ else
+ $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.");
 }
 /* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */
-$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on'], "enablesid");
-$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off'], "disablesid");
+$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on']);
+$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off']);
 if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) {
+ // Get the GID tag embedded in the clicked rule icon.
+ $gid = $_GET['gid'];
+ // Get the SID tag embedded in the clicked rule icon.
$sid= $_GET['ids'];
 // See if the target SID is in our list of modified SIDs,
- // and toggle it if present; otherwise, add it to the
- // appropriate list.
- if (isset($enablesid[$sid])) {
- unset($enablesid[$sid]);
- if (!isset($disablesid[$sid]))
- $disablesid[$sid] = "disablesid";
- }
- elseif (isset($disablesid[$sid])) {
- unset($disablesid[$sid]);
- if (!isset($enablesid[$sid]))
- $enablesid[$sid] = "enablesid";
- }
+ // and toggle it back to default if present; otherwise,
+ // add it to the appropriate modified SID list.
+ if (isset($enablesid[$gid][$sid]))
+ unset($enablesid[$gid][$sid]);
+ elseif (isset($disablesid[$gid][$sid]))
+ unset($disablesid[$gid][$sid]);
 else {
- if ($rules_map[1][$sid]['disabled'] == 1)
- $enablesid[$sid] = "enablesid";
+ if ($rules_map[$gid][$sid]['disabled'] == 1)
+ $enablesid[$gid][$sid] = "enablesid";
 else
- $disablesid[$sid] = "disablesid";
+ $disablesid[$gid][$sid] = "disablesid";
 }
 // Write the updated enablesid and disablesid values to the config file.
 $tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_on'] = $tmp;
 else
 unset($a_rule[$id]['rule_sid_on']);
+
 $tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_off'] = $tmp;
 else
@@ -197,7 +209,7 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) {
 write_config();
 $_GET['openruleset'] = $currentruleset;
- $anchor = "rule_{$sid}";
+ $anchor = "rule_{$gid}_{$sid}";
 }
 if ($_GET['act'] == "disable_all" && !empty($rules_map)) {
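Review bot: `$gid = $_GET['gid'];` in the toggle handler is used unchecked as an array key and then serialized as `"{$k1}:{$k2}||"`, so a request without `gid` (or with a non-numeric one) still stores an entry such as `:2001` in `rule_sid_on`/`rule_sid_off`; `snort_load_sid_mods` only matches `(\d+)\s*:\s*(\d+)` on reload, so that entry is silently dropped and the toggle appears to revert on the next page load. The same applies to `$sid`, and `$rules_map[$gid][$sid]['disabled']` is read before the pair is known to exist, so an unknown GID:SID is added to `$disablesid` instead of being rejected; I would tighten the guard to `if ($_GET['act'] == "toggle" && ctype_digit((string)$_GET['gid']) && ctype_digit((string)$_GET['ids']) && isset($rules_map[$_GET['gid']][$_GET['ids']])) {`. Separately, the two serialization loops ending in `rtrim($tmp, "||")` are now repeated verbatim here and in the `disable_all`, `enable_all` and `resetcategory` hunks that follow; a small helper that takes the `$enablesid`/`$disablesid` array and returns the joined string would keep the four copies from drifting. The toggle block starts in the previous hunk line and its tail is in the `@@ -197` hunk.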
@@ -205,28 +217,37 @@ if ($_GET['act'] == "disable_all" && !empty($rules_map)) {
 // Mark all rules in the currently selected category "disabled".
 foreach (array_keys($rules_map) as $k1) {
 foreach (array_keys($rules_map[$k1]) as $k2) {
- if (isset($enablesid[$k2]))
- unset($enablesid[$k2]);
- $disablesid[$k2] = "disablesid";
+ if (isset($enablesid[$k1][$k2]))
+ unset($enablesid[$k1][$k2]);
+ $disablesid[$k1][$k2] = "disablesid";
 }
 }
+ // Write the updated enablesid and disablesid values to the config file.
 $tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_on'] = $tmp;
 else
 unset($a_rule[$id]['rule_sid_on']);
+
 $tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_off'] = $tmp;
 else
 unset($a_rule[$id]['rule_sid_off']);
+
 write_config();
 $_GET['openruleset'] = $currentruleset;
@@ -239,28 +260,36 @@ if ($_GET['act'] == "enable_all" && !empty($rules_map)) {
 // Mark all rules in the currently selected category "enabled".
 foreach (array_keys($rules_map) as $k1) {
 foreach (array_keys($rules_map[$k1]) as $k2) {
- if (isset($disablesid[$k2]))
- unset($disablesid[$k2]);
- $enablesid[$k2] = "enablesid";
+ if (isset($disablesid[$k1][$k2]))
+ unset($disablesid[$k1][$k2]);
+ $enablesid[$k1][$k2] = "enablesid";
 }
 }
 // Write the updated enablesid and disablesid values to the config file.
 $tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_on'] = $tmp;
 else
 unset($a_rule[$id]['rule_sid_on']);
+
 $tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_off'] = $tmp;
 else
 unset($a_rule[$id]['rule_sid_off']);
+
 write_config();
 $_GET['openruleset'] = $currentruleset;
@@ -273,30 +302,38 @@ if ($_GET['act'] == "resetcategory" && !empty($rules_map)) {
 // Reset any modified SIDs in the current rule category to their defaults.
 foreach (array_keys($rules_map) as $k1) {
 foreach (array_keys($rules_map[$k1]) as $k2) {
- if (isset($enablesid[$k2]))
- unset($enablesid[$k2]);
- if (isset($disablesid[$k2]))
- unset($disablesid[$k2]);
+ if (isset($enablesid[$k1][$k2]))
+ unset($enablesid[$k1][$k2]);
+ if (isset($disablesid[$k1][$k2]))
+ unset($disablesid[$k1][$k2]);
 }
 }
 // Write the updated enablesid and disablesid values to the config file.
 $tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_on'] = $tmp;
 else
 unset($a_rule[$id]['rule_sid_on']);
+
 $tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
 }
+ $tmp = rtrim($tmp, "||");
+
 if (!empty($tmp))
 $a_rule[$id]['rule_sid_off'] = $tmp;
 else
 unset($a_rule[$id]['rule_sid_off']);
+
 write_config();
 $_GET['openruleset'] = $currentruleset;
@@ -416,15 +453,15 @@ if ($savemsg) { display_top_tabs($tab_array); echo '</td></tr>'; echo '<tr><td class="tabnavtbl">'; - $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");; - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?> </td></tr> <tr><td><div id="mainarea"> 
@@ -435,19 +472,14 @@ if ($savemsg) { <tr> <td class="vncell" height="30px"><strong><?php echo gettext("Category:"); ?></strong> <select id="selectbox" name="selectbox" class="formselect" onChange="go()"> - <option value='?id=<?=$id;?>&openruleset=custom.rules'>custom.rules</option> <?php - $files = explode("||", $pconfig['rulesets']); - if ($a_rule[$id]['ips_policy_enable'] == 'on') - $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); - if ($a_rule[$id]['autoflowbitrules'] == 'on') - $files[] = "Auto-Flowbit Rules"; - natcasesort($files); - foreach ($files as $value) { + foreach ($categories as $value) { if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") continue; if ($emergingdownload != 'on' && substr($value, 0, 8) == "emerging") continue; + if ($etprodownload != 'on' && substr($value, 0, 6) == "etpro-") + continue; if (empty($value)) continue; echo "<option value='?id={$id}&openruleset={$value}' "; @@ -491,7 +523,7 @@ if ($savemsg) { <input type='hidden' name='id' value='<?=$id;?>'/> <input type='hidden' name='openruleset' value='<?=$currentruleset;?>'/><br/><br/> <span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . - gettext("Snort must be restarted to activate any SID enable/disable changes made on this tab."); ?></span></td> + gettext("Snort must be restarted to activate any rule enable/disable changes made on this tab."); ?></span></td> <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetcategory'> <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' 
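Review bot: The `<select>` now offers an `IPS Policy - …` entry whenever `ips_policy` is non-empty (that is how `$categories` is built earlier in the file), whereas the removed loop added it only when `ips_policy_enable == 'on'`; if `ips_policy` can remain set in the config after the policy is switched off, the menu will list a policy that is not in effect and `snort_load_vrt_policy` will be called for it when selected. If that was not intended, the gate `if ($a_rule[$id]['ips_policy_enable'] == 'on' && !empty($a_rule[$id]['ips_policy']))` belongs where `$categories[]` is appended. The category name is also echoed into the option value unescaped; it comes from the saved config rather than the request, but `htmlspecialchars($value)` there costs nothing and matches how the rest of the page should treat config strings. The rest of the `<select>` markup lies outside the hunk.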
@@ -543,11 +575,14 @@ if ($savemsg) { </tr> <tr> <td> + + <?php if ($currentruleset != 'decoder.rules' && $currentruleset != 'preprocessor.rules'): ?> <table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0"> <colgroup> <col width="15" align="left" valign="middle"> - <col width="9%" align="center" axis="number"> - <col width="60" align="center" axis="string"> + <col width="6%" align="center" axis="number"> + <col width="8%" align="center" axis="number"> + <col width="54" align="center" axis="string"> <col width="14%" align="center" axis="string"> <col width="11%" align="center" axis="string"> <col width="14%" align="center" axis="string"> @@ -558,6 +593,7 @@ if ($savemsg) { <thead> <tr> <th class="list"> </th> + <th class="listhdrr"><?php echo gettext("GID"); ?></th> <th class="listhdrr"><?php echo gettext("SID"); ?></th> <th class="listhdrr"><?php echo gettext("Proto"); ?></th> <th class="listhdrr"><?php echo gettext("Source"); ?></th> @@ -579,24 +615,24 @@ if ($savemsg) { $counter = $enable_cnt = $disable_cnt = 0; foreach ($rules_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - $sid = snort_get_sid($v['rule']); - $gid = snort_get_gid($v['rule']); + $sid = $k2; + $gid = $k1; - if (isset($disablesid[$sid])) { + if (isset($disablesid[$gid][$sid])) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_reject_d.gif"; $disable_cnt++; $title = gettext("Disabled by user. Click to toggle to enabled state"); } - elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { + elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_block_d.gif"; $disable_cnt++; $title = gettext("Disabled by default. Click to toggle to enabled state"); } - elseif (isset($enablesid[$sid])) { + elseif (isset($enablesid[$gid][$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; 
@@ -630,13 +666,16 @@ if ($savemsg) { $message = snort_get_msg($v['rule']); echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\"> $textss - <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> + <a id=\"rule_{$gid}_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&gid={$gid}&ids={$sid}'> <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" title='{$title}'></a> $textse </td> <td class=\"listlr\" align=\"center\"> + {$textss}{$gid}{$textse} + </td> + <td class=\"listlr\" align=\"center\"> {$textss}{$sid}{$textse} </td> <td class=\"listlr\" align=\"center\"> 
@@ -673,6 +712,119 @@ if ($savemsg) { ?> </tbody> </table> + + <?php else: ?> + + <table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="15" align="left" valign="middle"> + <col width="6%" align="center" axis="number"> + <col width="6%" align="center" axis="number"> + <col width="22%" align="center" axis="string"> + <col width="15%" align="center" axis="string"> + <col align="left" axis="string"> + <col width="22" align="right" valign="middle"> + </colgroup> + <thead> + <tr> + <th class="list"> </th> + <th class="listhdrr"><?php echo gettext("GID"); ?></th> + <th class="listhdrr"><?php echo gettext("SID"); ?></th> + <th class="listhdrr"><?php echo gettext("Classification"); ?></th> + <th class="listhdrr"><?php echo gettext("IPS Policy"); ?></th> + <th class="listhdrr"><?php echo gettext("Message"); ?></th> + <th class="list"><a href="javascript: void(0)" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php + echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"' + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?> + title="<?php echo gettext("Click to view full text of all the category rules"); ?>" width="17" height="17" border="0"></a></th> + </tr> + </thead> + <tbody> + <?php + $counter = $enable_cnt = $disable_cnt = 0; + foreach ($rules_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + $sid = snort_get_sid($v['rule']); + $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$gid][$sid])) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_reject_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by user. 
Click to toggle to default state"); + } + elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { + $textss = "<span class=\"gray\">"; + $textse = "</span>"; + $iconb = "icon_block_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by default. Click to toggle to enabled state"); + } + elseif (isset($enablesid[$gid][$sid])) { + $textss = $textse = ""; + $iconb = "icon_reject.gif"; + $enable_cnt++; + $title = gettext("Enabled by user. Click to toggle to default state"); + } + else { + $textss = $textse = ""; + $iconb = "icon_block.gif"; + $enable_cnt++; + $title = gettext("Enabled by default. Click to toggle to disabled state"); + } + $message = snort_get_msg($v['rule']); + $matches = array(); + if (preg_match('/(?:classtype\b\s*:)\s*(\S*\s*;)/iU', $v['rule'], $matches)) + $classtype = trim($matches[1], " ;"); + else + $classtype = "No Classtype Defined"; + $matches = array(); + if (preg_match_all('/(\S*-ips)(?:\s*drop|alert)(?:,|\s*|;)/i', $v['rule'], $matches)) + $policy = implode("<br/>", $matches[1]); + else + $policy = "none"; + + echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\"> $textss + <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}&gid={$gid}'> + <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" + width=\"11\" height=\"11\" border=\"0\" + title='{$title}'></a> + $textse + </td> + <td class=\"listlr\" align=\"center\"> + {$textss}{$gid}{$textse} + </td> + <td class=\"listlr\" align=\"center\"> + {$textss}{$sid}{$textse} + </td> + <td class=\"listlr\" align=\"center\"> + {$textss}{$classtype}</span> + </td> + <td class=\"listlr\" align=\"center\"> + {$textss}{$policy}</span> + </td> + <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line;\"><font color=\"white\"> + {$textss}{$message}{$textse}</font> + </td>"; + ?> + <td align="right" valign="middle" nowrap class="listt"> + <a href="javascript: void(0)" + 
onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> + </td> + </tr> + <?php + $counter++; + } + } + unset($rulem, $v); + ?> + </tbody> + </table> + <?php endif;?> </td> </tr> <tr> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index c0087464..28deccd5 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -4,6 +4,7 @@ * * Copyright (C) 2004, 2005 Scott Ullrich * Copyright (C) 2011 Ermal Luci + * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Adapted for FreeNAS by Volker Theile (votdev@gmx.de) @@ -97,18 +98,22 @@ elseif (isset($_GET['ids'])) { // If flowbit rule, point to interface-specific file if ($file == "Auto-Flowbit Rules") $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); + elseif (file_exists("{$snortdir}/preproc_rules/{$file}")) + $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$file}"); else $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; $wrap_flag = "soft"; } - // Is it our special flowbit rules file? elseif ($file == "Auto-Flowbit Rules") $contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}"); // Is it a rules file in the ../rules/ directory? elseif (file_exists("{$snortdir}/rules/{$file}")) $contents = file_get_contents("{$snortdir}/rules/{$file}"); +// Is it a rules file in the ../preproc_rules/ directory? +elseif (file_exists("{$snortdir}/preproc_rules/{$file}")) + $contents = file_get_contents("{$snortdir}/preproc_rules/{$file}"); // Is it a fully qualified path and file? elseif (file_exists($file)) $contents = file_get_contents($file); |
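Review bot: In the new decoder/preprocessor table the toggle link is emitted as `<a id=\"rule_{$sid}\" …>` while the toggle handler sets `$anchor = "rule_{$gid}_{$sid}"` and the first table uses `rule_{$gid}_{$sid}`, so after a toggle in this view the page cannot scroll back to the clicked rule; it should be `id=\"rule_{$gid}_{$sid}\"`. The loop also recomputes `$sid = snort_get_sid($v['rule']); $gid = snort_get_gid($v['rule']);` even though the first table was just changed to take `$sid = $k2; $gid = $k1;` from the map keys, which is what `$enablesid`/`$disablesid` are indexed by; using the keys here keeps both tables consistent. The classification and policy cells end with a literal `</span>` that is only opened when `$textss` is non-empty, so enabled rules emit an unbalanced close tag; `{$textse}`, as the message cell uses, fixes that, and `whitespace:pre-line` looks like a typo for `white-space` (if the first table, outside this hunk, carries the same text, fix both).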
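Review bot: The two added `file_exists("{$snortdir}/preproc_rules/{$file}")` branches join `$file` into a path without checking that it is a bare file name, and the pre-existing final branch accepts any existing path as-is; `$file` is assigned outside the hunk, so if it comes from the request (the `openruleset` parameter this viewer is opened with), a `basename($file) === $file` check before the directory lookups would keep the viewer confined to the rules directories. The `$rules_map[$_GET['gid']][trim($_GET['ids'])]` lookup in the same block likewise reads `gid`/`ids` unvalidated; a `ctype_digit` check on both, mirroring the rules page, would avoid undefined-index notices on malformed links. The enclosing `if`/`elseif` chain begins before the hunk.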