-rw-r--r-- | config/snort/snort.inc | 13 | ||||
-rw-r--r-- | config/snort/snort_check_for_rule_updates.php | 142 | ||||
-rw-r--r-- | config/snort/snort_rules.php | 20 | ||||
-rw-r--r-- | config/snort/snort_rules_edit.php | 12 |
4 files changed, 94 insertions, 93 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index c83d1983..fe6ad11b 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -49,6 +49,19 @@ define("SNORTLOGDIR", "/var/log/snort");
 if (!is_array($config['installedpackages']['snortglobal']))
 $config['installedpackages']['snortglobal'] = array();
+function snort_get_rule_part($source, $beginning, $ending, $start_pos) {
+
+ $beginning_pos = strpos($source, $beginning, $start_pos);
+ if (!$beginning_pos)
+ return false;
+ $middle_pos = $beginning_pos + strlen($beginning);
+ $source = substr($source, $middle_pos);
+ $ending_pos = strpos($source, $ending, 0);
+ if (!$ending_pos)
+ return false;
+ return substr($source, 0, $ending_pos);
+}
+
 function snort_generate_id() {
 global $config;
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 6a6390cb..e1da6bf3 100644
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -157,10 +157,13 @@ if ($emergingthreats == "on") {
 /* Normalize rulesets */
 $sedcmd = "s/^#alert/# alert/g\n";
-$sedcmd = "s/^##alert/# alert/g\n";
-$sedcmd = "s/^# alert/# alert/g\n";
-$sedcmd = "s/^#\talert/# alert/g\n";
-$sedcmd = "s/^##\talert/# alert/g\n";
+$sedcmd .= "s/^##alert/# alert/g\n";
+$sedcmd .= "s/^# alert/# alert/g\n";
+$sedcmd .= "s/^#\talert/# alert/g\n";
+$sedcmd .= "s/^##\talert/# alert/g\n";
+$sedcmd .= "s/^\talert/alert/g\n";
+$sedcmd .= "s/^ alert/alert/g\n";
+$sedcmd .= "s/^ alert/alert/g\n";
 @file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd);
 /* Untar snort rules file individually to help people with low system specs */ 
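Review bot: `snort_get_rule_part` tests `if (!$beginning_pos)` and `if (!$ending_pos)` to detect a missing delimiter, but `strpos` returns `0` for a match at offset 0 and `false` only when nothing is found, so a `$beginning` located at the start of `$source`, or an `$ending` that immediately follows `$beginning` (an empty value), is reported as "not found". Now that this is the shared extractor in snort.inc and callers only check `is_numeric()` on the result, the guards should be strict: `if ($beginning_pos === false)` and `if ($ending_pos === false)`. A short PHPDoc saying it returns the text between the first `$beginning` at or after `$start_pos` and the next `$ending`, or `false` when either delimiter is absent, would make the contract clear to the three callers this commit switches over.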
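Review bot: As rendered here, `$sedcmd .= "s/^# alert/# alert/g\n";` replaces a string with itself and is a no-op; if the original pattern has several spaces after `#` the collapsed rendering hides it, otherwise the line can be dropped or written as `s/^# *alert/# alert/g` to cover any run of spaces. Likewise the last two added lines both read `s/^ alert/alert/g`; if the second was meant to match two leading spaces please confirm, otherwise it is a duplicate. The `\t` in these double-quoted PHP strings is expanded by PHP before the script reaches sed, so sed receives a literal tab rather than the two characters `\t`; a comment such as `/* PHP expands \t here, so sed sees a literal tab */` would stop someone "fixing" it later.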
@@ -264,79 +267,89 @@ if (is_dir($tmpfname)) {
 exec("/bin/rm -r {$tmpfname}");
 }
-//////////////////
-/* open oinkmaster_conf for writing" function */
-function oinkmaster_conf($snortcfg, $if_real) {
+function snort_apply_customizations($snortcfg, $if_real) {
 global $config, $g, $snortdir;
- $selected_sid_on_sections = "";
- $selected_sid_off_sections = "";
+ if (empty($snortcfg['rulesets']))
+ return;
+ else {
+ update_status(gettext("Your set of configured rules are being copied..."));
+ log_error(gettext("Your set of configured rules are being copied..."));
+ $files = explode("||", $snortcfg['rulesets']);
+ foreach ($files as $file)
+ @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}");
+
+ @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
+ @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
+ exec("/bin/cp -r {$snortdir}/generators {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}");
+ @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
+ @copy("{$snortdir}/sid", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid");
+ @copy("{$snortdir}/sid-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid-msg.map");
+ @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
+ }
 if (!empty($snortcfg['rule_sid_on']) || !empty($snortcfg['rule_sid_off'])) {
 if (!empty($snortcfg['rule_sid_on'])) {
 $enabled_sid_on_array = explode("||", trim($snortcfg['rule_sid_on']));
- foreach($enabled_sid_on_array as $enabled_item_on)
- $selected_sid_on_sections .= "$enabled_item_on\n";
+ $enabled_sids = array_flip($enabled_sid_on_array);
 }
 if (!empty($snortcfg['rule_sid_off'])) {
 $enabled_sid_off_array = explode("||", trim($snortcfg['rule_sid_off']));
- foreach($enabled_sid_off_array as $enabled_item_off)
- 
$selected_sid_off_sections .= "$enabled_item_off\n";
+ $disabled_sids = array_flip($enabled_sid_off_array);
 }
- $snort_sid_text = <<<EOD
-
-###########################################
-# #
-# this is auto generated on snort updates #
-# #
-###########################################
-
-path = /bin:/usr/bin:/usr/local/bin
-
-update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
-
-url = dir://{$snortdir}/rules
+ $files = glob("{$snortdir}/snort_{$snortcfg}_{$if_real}/rules");
+ foreach ($files as $file) {
+ $splitcontents = file($file);
+ $changed = false;
+ foreach ( $splitcontents as $counter => $value ) {
+ $disabled = "False";
+ $findme = "# alert"; //find string for disabled alerts
+ $counter2 = 1;
+ $sid = snort_get_rule_part($value, 'sid:', ';', 0);
+ if (!is_numeric($sid))
+ continue;
+ if (isset($enabled_sids[$sid])) {
+ if (substr($value, 0, 5) == "alert")
+ /* Rule is already enabled */
+ continue;
+ if (substr($value, 0, 7) == "# alert") {
+ /* Rule is disabled, change */
+ $splitcontents[$counter] = substr($value, 2);
+ $changed = true;
+ } else if (substr($splitcontents[$counter - 1], 0, 5) == "alert") {
+ /* Rule is already enabled */
+ continue;
+ } else if (substr($splitcontents[$counter - 1], 0, 7) == "# alert") {
+ /* Rule is disabled, change */
+ $splitcontents[$counter - 1] = substr($value, 2);
+ $changed = true;
+ }
+ } else if (isset($disabled_sids[$sid])) {
+ if (substr($value, 0, 7) == "# alert")
+ /* Rule is already disabled */
+ continue;
+ if (substr($value, 0, 5) == "alert") {
+ /* Rule is enabled, change */
+ $splitcontents[$counter] = "# {$value}";
+ $changed = true;
+ } else if (substr($splitcontents[$counter - 1], 0, 7) == "# alert") {
+ /* Rule is already disabled */
+ continue;
+ } else if (substr($splitcontents[$counter - 1], 0, 5) == "alert") {
+ /* Rule is enabled, change */
+ $splitcontents[$counter - 1] = "# {$value}";
+ $changed = true;
+ }
-{$selected_sid_on_sections}
-
-{$selected_sid_off_sections}
-
-EOD;
-
- /* open 
snort's oinkmaster.conf for writing */
- @file_put_contents("{$snortdir}/tmp/oinkmaster_{$snortcfg['uuid']}.conf", $snort_sid_text);
- }
-}
-
-function oinkmaster_run($snortcfg, $if_real) {
- global $config, $g, $snortdir;
-
-
- if (empty($snortcfg['rulesets']))
- return;
- else {
- update_status(gettext("Your set of configured rules are being copied..."));
- log_error(gettext("Your set of configured rules are being copied..."));
- $files = explode("||", $snortcfg['rulesets']);
- foreach ($files as $file)
- @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}");
- }
- if (!empty($snortcfg['rule_sid_on']) || !empty($snortcfg['rule_sid_off'])) {
- @unlink("{$snortdir}/oinkmaster.log");
- log_error(gettext("Your enable and disable changes are being applied to your fresh set of rules..."));
- exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C {$snortdir}/tmp/oinkmaster_{$snortcfg['uuid']}.conf -o {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules >> {$snortdir}/oinkmaster.log");
+ }
+ if ($changed == true)
+ @file_put_contents($file, implode("\n", $splitcontents));
+ }
+ }
 }
- @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
- @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
- exec("/bin/cp -r {$snortdir}/generators {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}");
- @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
- @copy("{$snortdir}/sid", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid");
- @copy("{$snortdir}/sid-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/sid-msg.map");
- @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
 }
-//////////////
 if ($snortdownload == 'on' || $emergingthreats == 'on') {
 /* You are Not Up to date, always stop snort when updating rules for 
low end machines */;
@@ -347,10 +360,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on') {
 $if_real = snort_get_real_interface($value['interface']);
 /* make oinkmaster.conf for each interface rule */
- oinkmaster_conf($value, $if_real);
-
- /* run oinkmaster for each interface rule */
- oinkmaster_run($value, $if_real);
+ snort_apply_customizations($value, $if_real);
 }
 }
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index a171dc06..79067c26 100644
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -55,18 +55,6 @@ if (isset($id) && $a_rule[$id]) {
 $pconfig['rulesets'] = $a_rule[$id]['rulesets'];
 }
-function get_middle($source, $beginning, $ending, $init_pos) {
- $beginning_pos = strpos($source, $beginning, $init_pos);
- if (!$beginning_pos)
- return false;
- $middle_pos = $beginning_pos + strlen($beginning);
- $source = substr($source, $middle_pos);
- $ending_pos = strpos($source, $ending, 0);
- if (!$ending_pos)
- return false;
- return substr($source, 0, $ending_pos);
-}
-
 function load_rule_file($incoming_file) {
 //read file into string, and get filesize
@@ -124,7 +112,7 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($splitcontents)) {
 @file_put_contents($rulefile, implode("\n", $splitcontents));
 //write disable/enable sid to config.xml
- $sid = get_middle($tempstring, 'sid:', ";", 0);
+ $sid = snort_get_rule_part($tempstring, 'sid:', ";", 0);
 if (is_numeric($sid)) {
 // rule_sid_on registers
 $sidon = explode("||", $a_rule[$id]['rule_sid_on']);
@@ -269,7 +257,7 @@ if (empty($pconfig['rulesets'])):
 $disabled_pos = strstr($value, $findme);
 $counter2 = 1;
- $sid = get_middle($value, 'sid:', ';', 0);
+ $sid = snort_get_rule_part($value, 'sid:', ';', 0);
 //check to see if the sid is numberical
 if (!is_numeric($sid))
 continue; 
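Review bot: The SID enable/disable pass in `snort_apply_customizations` never reaches a rules file: `glob("{$snortdir}/snort_{$snortcfg}_{$if_real}/rules")` interpolates the `$snortcfg` array (giving the literal text `Array`) instead of `$snortcfg['uuid']`, and the pattern names the `rules` directory itself rather than the files inside it, so `file($file)` is handed a directory path or nothing at all. In the branches for a wrapped rule whose `alert` keyword is on the preceding line, `$splitcontents[$counter - 1] = substr($value, 2)` and `$splitcontents[$counter - 1] = "# {$value}"` overwrite the previous line with the current line's text and so corrupt the rule; they should be derived from `$splitcontents[$counter - 1]`, and `$counter - 1` needs a guard for the first line. `file($file)` keeps each line's trailing newline while the write uses `implode("\n", ...)`, so every rewrite inserts a blank line between rules; `FILE_IGNORE_NEW_LINES` avoids that. Judging by the brace structure, `if ($changed == true) @file_put_contents(...)` also sits inside the per-line loop rather than after it, so the file is rewritten once per remaining line after the first change, and `$disabled`, `$findme` and `$counter2` are assigned but never read.
```php
		/* file pattern assumed from the .rules files copied above -- confirm */
		$files = glob("{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/*.rules");
		foreach ($files as $file) {
			$splitcontents = file($file, FILE_IGNORE_NEW_LINES);
			$changed = false;
			foreach ( $splitcontents as $counter => $value ) {
				$sid = snort_get_rule_part($value, 'sid:', ';', 0);
				if (!is_numeric($sid))
					continue;
				/* the line carrying the alert keyword when the rule wraps; never index -1 */
				$prev = ($counter > 0) ? $splitcontents[$counter - 1] : "";
				if (isset($enabled_sids[$sid])) {
					if (substr($value, 0, 5) == "alert")
						continue;
					if (substr($value, 0, 7) == "# alert") {
						$splitcontents[$counter] = substr($value, 2);
						$changed = true;
					} else if (substr($prev, 0, 7) == "# alert") {
						/* uncomment the previous line, not a copy of the current one */
						$splitcontents[$counter - 1] = substr($prev, 2);
						$changed = true;
					}
				} else if (isset($disabled_sids[$sid])) {
					if (substr($value, 0, 7) == "# alert")
						continue;
					if (substr($value, 0, 5) == "alert") {
						$splitcontents[$counter] = "# {$value}";
						$changed = true;
					} else if (substr($prev, 0, 5) == "alert") {
						$splitcontents[$counter - 1] = "# {$prev}";
						$changed = true;
					}
				}
			}
			/* one write per file, after the line loop */
			if ($changed == true)
				@file_put_contents($file, implode("\n", $splitcontents));
		}
```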
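Review bot: The context comment `/* make oinkmaster.conf for each interface rule */` directly above the new `snort_apply_customizations($value, $if_real);` call is now stale, since oinkmaster is no longer involved in applying the per-interface rule selection. Replace it with `/* copy the selected rulesets for this interface and apply its SID enable/disable overrides in place */`. The enclosing block (presumably the loop over configured interfaces that sets `$if_real`) starts outside the hunk.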
@@ -302,9 +290,9 @@ if (empty($pconfig['rulesets'])):
 $destination_port = $rule_content[$counter2];//destination port location
 if (strstr($value, 'msg: "'))
- $message = get_middle($value, 'msg: "', '";', 0);
+ $message = snort_get_rule_part($value, 'msg: "', '";', 0);
 else if (strstr($value, 'msg:"'))
- $message = get_middle($value, 'msg:"', '";', 0);
+ $message = snort_get_rule_part($value, 'msg:"', '";', 0);
 echo "<tr><td width='3%' class='listt'> $textss <a href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$counter}'>
diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php
index 454b250b..127bfe0c 100644
--- a/config/snort/snort_rules_edit.php
+++ b/config/snort/snort_rules_edit.php
@@ -82,16 +82,6 @@ if (strstr($splitcontents[$lineid], $findme))
 if ($highlight == "no")
 $splitcontents[$lineid] = substr($splitcontents[$lineid], 2);
-if (!function_exists('get_middle')) {
- function get_middle($source, $beginning, $ending, $init_pos) {
- $beginning_pos = strpos($source, $beginning, $init_pos);
- $middle_pos = $beginning_pos + strlen($beginning);
- $ending_pos = strpos($source, $ending, $beginning_pos);
- $middle = substr($source, $middle_pos, $ending_pos - $middle_pos);
- return $middle;
- }
-}
-
 if ($_POST) {
 if ($_POST['save']) {
@@ -102,7 +92,7 @@ if ($_POST) {
 $splitcontents[$lineid] = "# " . $_POST['code'];
 //write disable/enable sid to config.xml
- $sid = get_middle($splitcontents[$lineid], 'sid:', ';', 0);
+ $sid = snort_get_rule_part($splitcontents[$lineid], 'sid:', ';', 0);
 if (is_numeric($sid)) {
 // rule_sid_on registers
 if (!empty($a_nat[$id]['rule_sid_on'])) |