diff options
27 files changed, 0 insertions, 10908 deletions
diff --git a/config/snort-old/bin/barnyard2 b/config/snort-old/bin/barnyard2 Binary files differdeleted file mode 100644 index b942e87f..00000000 --- a/config/snort-old/bin/barnyard2 +++ /dev/null diff --git a/config/snort-old/bin/oinkmaster_contrib/README.contrib b/config/snort-old/bin/oinkmaster_contrib/README.contrib deleted file mode 100644 index 6923fa26..00000000 --- a/config/snort-old/bin/oinkmaster_contrib/README.contrib +++ /dev/null @@ -1,84 +0,0 @@ -# $Id: README.contrib,v 1.21 2005/10/18 10:41:20 andreas_o Exp $ # - -------------------------------------------------------------------------------- -* oinkgui.pl by Andreas Östling <andreaso@it.su.se> - - A graphical front-end to Oinkmaster written in Perl/Tk. - See README.gui for complete documentation. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* addsid.pl by Andreas Östling <andreaso@it.su.se> - - A script that parses *.rules in all specified directories and adds a - SID to (active) rules that don't have any. (Actually, rev and classtype - are also added if missing, unless you edit addsid.pl and tune this.) The - script first looks for the current highest SID (even in inactive rules) - and starts at the next one, unless this value is below MIN_SID (defined - inside addsid.pl). By default, this value is set to 1000001 since this - is the lowest SID assigned for local usage. Handles multi-line rules. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* create-sidmap.pl by Andreas Östling <andreaso@it.su.se> - - A script that parses all active rules in *.rules in all specified - directories and creates a SID map. (Like Snort's regen-sidmap, but this - one handles multi-line rules.) Result goes to standard output which can - be redirected to a sid-msg.map file. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* makesidex.pl, originally by Jerry Applebaum but later rewritten by - Andreas Östling <andreaso@it.su.se> to handle multi-line rules and - multiple rules directories. - - It reads *.rules in all specified directories, looks for all disabled - rules and prints a "disablesid <sid> # <msg>" line for each disabled rule. - The output can be appended to oinkmaster.conf. - Useful to new Oinkmaster users. -------------------------------------------------------------------------------- - - - -------------------------------------------------------------------------------- -* addmsg.pl by Andreas Östling <andreaso@it.su.se>: - - A script that will parse your oinkmaster.conf for - localsid/enablesid/disablesid lines and add their rule message as a #comment. - If your oinkmaster.conf looks like this before addmsg.pl has been run: - - disablesid 286 - disablesid 287 - disablesid 288 - - It will look something like this afterward: - - disablesid 286 # POP3 EXPLOIT x86 bsd overflow - disablesid 287 # POP3 EXPLOIT x86 bsd overflow - disablesid 288 # POP3 EXPLOIT x86 linux overflow - - addmsg.pl will not touch lines that already has a comment in them. - It's not able to handle SID lists when written like this: - disablesid 1,2,3, ... - But it should handle them if written like this: - disablesid \ - 1, \ - 2, \ - 3 - - The new config file will be printed to standard output, so you - probably want to redirect the output to a file, for example: - - ./addmsg.pl oinkmaster.conf rules/ > oinkmaster.conf.new - - If oinkmaster.conf.new looks ok, simply rename it to oinkmaster.conf. - Do NOT redirect to the same file you read from, as this will destroy - that file. -------------------------------------------------------------------------------- diff --git a/config/snort-old/bin/oinkmaster_contrib/addmsg.pl b/config/snort-old/bin/oinkmaster_contrib/addmsg.pl deleted file mode 100644 index e5866d6f..00000000 --- a/config/snort-old/bin/oinkmaster_contrib/addmsg.pl +++ /dev/null @@ -1,299 +0,0 @@ -#!/usr/bin/perl -w - -# $Id: addmsg.pl,v 1.19 2005/12/31 13:42:46 andreas_o Exp $ # - -# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or -# without modification, are permitted provided that the following -# conditions are met: -# -# 1. Redistributions of source code must retain the above -# copyright notice, this list of conditions and the following -# disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials -# provided with the distribution. -# -# 3. Neither the name of the author nor the names of its -# contributors may be used to endorse or promote products -# derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -use strict; - -sub get_next_entry($ $ $ $ $ $); -sub parse_singleline_rule($ $ $); - - -my $USAGE = << "RTFM"; - -Parse Oinkmaster configuration file and add the rule's "msg" string as a -#comment for each disablesid/enablesid line. - -Usage: $0 <oinkmaster.conf> <rulesdir> [rulesdir2, ...] - -The new config file will be printed to standard output, so you -probably want to redirect the output to a new file (*NOT* the same -file you used as input, because that will destroy the file!). -For example: - -$0 /etc/oinkmaster.conf /etc/rules/ > oinkmaster.conf.new - -If oinkmaster.conf.new looks ok, simply rename it to /etc/oinkmaster.conf. - -RTFM - - -# Regexp to match the start of a multi-line rule. -# %ACTIONS% will be replaced with content of $config{actions} later. -my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.*\\\\\s*\n$'; # '; - -# Regexp to match a single-line rule. -my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.+;\s*\)\s*$'; # '; - - -my $config = shift || die($USAGE); - -my @rulesdirs = @ARGV; -die($USAGE) unless ($#rulesdirs > -1); - -my $verbose = 1; -my (%sidmsgmap, %config); - -$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; - -$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; -$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; - - - -# Read in oinkmaster.conf. -open(CONFIG, "<" , "$config") or die("could not open \"$config\" for reading: $!\n"); -my @config = <CONFIG>; -close(CONFIG); - - -# Read in *.rules in all rulesdirs and create %sidmsgmap ($sidmsgmap{sid} = msg). -foreach my $rulesdir (@rulesdirs) { - opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); - - while (my $file = readdir(RULESDIR)) { - next unless ($file =~ /\.rules$/); - - open(FILE, "<", "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); - my @file = <FILE>; - close(FILE); - - my ($single, $multi, $nonrule, $msg, $sid); - - while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - $sidmsgmap{$sid} = $msg - if (defined($single)); - } - } -} - - -# Print new oinkmaster.conf. -while ($_ = shift(@config)) { - if (/^\s*(?:disable|enable|local)sid\s+(\d+)\s*$/ || /^\s*(\d+)\s*,\s*\\$/ || /^\s*(\d+)\s*$/) { - my $sid = $1; - my $is_multiline = 0; - chomp; - - if (/\\$/) { - $is_multiline = 1; - s/\\$//; - } - - $_ = sprintf("%-25s", $_); - if (exists($sidmsgmap{$sid})) { - print "$_ # $sidmsgmap{$sid}"; - } else { - print "$_"; - } - print " \\" if ($is_multiline); - print "\n"; - } else { - print; - } -} - - - -# From oinkmaster.pl. -sub get_next_entry($ $ $ $ $ $) -{ - my $arr_ref = shift; - my $single_ref = shift; - my $multi_ref = shift; - my $nonrule_ref = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - undef($$single_ref); - undef($$multi_ref); - undef($$nonrule_ref); - undef($$msg_ref); - undef($$sid_ref); - - my $line = shift(@$arr_ref) || return(0); - my $disabled = 0; - my $broken = 0; - - # Possible beginning of multi-line rule? - if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { - $$single_ref = $line; - $$multi_ref = $line; - - $disabled = 1 if ($line =~ /^\s*#/); - - # Keep on reading as long as line ends with "\". - while (!$broken && $line =~ /\\\s*\n$/) { - - # Remove trailing "\" and newline for single-line version. - $$single_ref =~ s/\\\s*\n//; - - # If there are no more lines, this can not be a valid multi-line rule. - if (!($line = shift(@$arr_ref))) { - - warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") - if ($config{verbose}); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - - # Multi-line continuation. - $$multi_ref .= $line; - - # If there are non-comment lines in the middle of a disabled rule, - # mark the rule as broken to return as non-rule lines. - if ($line !~ /^\s*#/ && $disabled) { - $broken = 1; - } elsif ($line =~ /^\s*#/ && !$disabled) { - # comment line (with trailing slash) in the middle of an active rule - ignore it - } else { - $line =~ s/^\s*#*\s*//; # remove leading # in single-line version - $$single_ref .= $line; - } - - } # while line ends with "\" - - # Single-line version should now be a valid rule. - # If not, it wasn't a valid multi-line rule after all. - if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { - - $$single_ref =~ s/^\s*//; # remove leading whitespaces - $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # - $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - $$multi_ref =~ s/^\s*//; - $$multi_ref =~ s/\s*\n$/\n/; - $$multi_ref =~ s/^#+\s*/#/; - - return (1); # return multi - } else { - warn("\nWARNING: invalid multi-line rule: $$single_ref\n") - if ($config{verbose} && $$multi_ref !~ /^\s*#/); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { - $$single_ref = $line; - $$single_ref =~ s/^\s*//; - $$single_ref =~ s/^#+\s*/#/; - $$single_ref =~ s/\s*\n$/\n/; - - return (1); # return single - } else { # non-rule line - - # Do extra check and warn if it *might* be a rule anyway, - # but that we just couldn't parse for some reason. - warn("\nWARNING: line may be a rule but it could not be parsed ". - "(missing sid or msg?): $line\n") - if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); - - $$nonrule_ref = $line; - $$nonrule_ref =~ s/\s*\n$/\n/; - - return (1); # return non-rule - } -} - - - -# From oinkmaster.pl. -sub parse_singleline_rule($ $ $) -{ - my $line = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { - - if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { - $$msg_ref = $1; - } else { - return (0); - } - - if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { - $$sid_ref = $1; - } else { - return (0); - } - - return (1); - } - - return (0); -} diff --git a/config/snort-old/bin/oinkmaster_contrib/addsid.pl b/config/snort-old/bin/oinkmaster_contrib/addsid.pl deleted file mode 100644 index 64255d22..00000000 --- a/config/snort-old/bin/oinkmaster_contrib/addsid.pl +++ /dev/null @@ -1,382 +0,0 @@ -#!/usr/bin/perl -w - -# $Id: addsid.pl,v 1.30 2005/12/31 13:42:46 andreas_o Exp $ # - -# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or -# without modification, are permitted provided that the following -# conditions are met: -# -# 1. Redistributions of source code must retain the above -# copyright notice, this list of conditions and the following -# disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials -# provided with the distribution. -# -# 3. Neither the name of the author nor the names of its -# contributors may be used to endorse or promote products -# derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -use strict; - - -sub get_next_entry($ $ $ $ $ $); -sub parse_singleline_rule($ $ $); -sub get_next_available_sid(@); - - -# Set this to the default classtype you want to add, if missing. -# Set to 0 or "" if you don't want to add a classtype. -my $CLASSTYPE = "misc-attack"; - -# If ADD_REV is set to 1, "rev: 1;" will be added to rule if it has no rev. -# Set to 0 if you don't want to add it. -my $ADD_REV = 1; - -# Minimum SID to add. Normally, the next available SID will be used, -# unless it's below this value. Only SIDs >= 1000000 are reserved for -# personal use. -my $MIN_SID = 1000001; - -# Regexp to match the start of a multi-line rule. -# %ACTIONS% will be replaced with content of $config{actions} later. -my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.*\\\\\s*\n$'; # '; - -# Regexp to match a single-line rule. -my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.+;\s*\)\s*$'; # '; - - -my $USAGE = << "RTFM"; - -Parse *.rules in one or more directories and add "sid:<sid>;" to -active rules that don't have any "sid" entry, starting with the next -available SID after parsing all rules files (but $MIN_SID at minumum). -Also, "rev:1;" is added to rules without a "rev" entry, and -"classtype:misc-attack;" is added to rules without a "classtype" entry -(edit options at the top of $0 if you want to change this). - -Usage: $0 <rulesdir> [rulesdir2, ...] - -RTFM - - -# Start in verbose mode. -my $verbose = 1; - -my (%all_sids, %active_sids, %config); - -my @rulesdirs = @ARGV; - -die($USAGE) unless ($#rulesdirs > -1); - -$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; - -$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; -$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; - - -# Find out the next available SID. -my $next_sid = get_next_available_sid(@rulesdirs); - -# Avoid seeing possible warnings about broken rules twice. -$verbose = 0; - -# Add sid/rev/classtype to active rules that don't have any. -foreach my $dir (@rulesdirs) { - opendir(RULESDIR, "$dir") or die("could not open \"$dir\": $!\n"); - - while (my $file = readdir(RULESDIR)) { - next unless ($file =~ /\.rules$/); - - open(OLDFILE, "$dir/$file") - or die("could not open \"$dir/$file\": $!\n"); - my @file = <OLDFILE>; - close(OLDFILE); - - open(NEWFILE, ">", "$dir/$file") - or die("could not open \"$dir/$file\" for writing: $!\n"); - - my ($single, $multi, $nonrule, $msg, $sid); - while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - - if (defined($nonrule)) { - print NEWFILE "$nonrule"; - next; - } - - $multi = $single unless (defined($multi)); - - # Don't care about inactive rules. - if ($single =~ /^\s*#/) { - print NEWFILE "$multi"; - next; - } - - my $added; - - # Add SID. - if ($single !~ /sid\s*:\s*\d+\s*;/) { - $added .= "SID $next_sid,"; - $multi =~ s/\)\s*\n/sid:$next_sid;)\n/; - $next_sid++; - } - - # Add revision. - if ($ADD_REV && $single !~ /rev\s*:\s*\d+\s*;/) { - $added .= "rev,"; - $multi =~ s/\)\s*\n/rev:1;)\n/; - } - - # Add classtype. - if ($CLASSTYPE && $single !~ /classtype\s*:\s*.+\s*;/) { - $added .= "classtype $CLASSTYPE,"; - $multi =~ s/\)\s*\n/classtype:$CLASSTYPE;)\n/; - } - - if (defined($added)) { - $added =~ s/,$//; - print "Adding $added to rule \"$msg\"\n" - if (defined($added)); - } - - print NEWFILE "$multi"; - } - - close(NEWFILE); - } - - closedir(RULESDIR); -} - - - -# Read in *.rules in given directory and return highest SID. -sub get_next_available_sid(@) -{ - my @dirs = @_; - - foreach my $dir (@dirs) { - opendir(RULESDIR, "$dir") or die("could not open \"$dir\": $!\n"); - - # Only care about *.rules. - while (my $file = readdir(RULESDIR)) { - next unless ($file =~ /\.rules$/); - - open(OLDFILE, "<$dir/$file") or die("could not open \"$dir/$file\": $!\n"); - my @file = <OLDFILE>; - close(OLDFILE); - - my ($single, $multi, $nonrule, $msg, $sid); - - while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - if (defined($single) && defined($sid)) { - $all_sids{$sid}++; - - # If this is an active rule add to %active_sids and - # warn if it already exists. - if ($single =~ /^\s*alert/) { - print STDERR "WARNING: duplicate SID: $sid\n" - if (exists($active_sids{$sid})); - $active_sids{$sid}++ - } - } - } - } - } - - # Sort sids and use highest one + 1, unless it's below MIN_SID. - @_ = sort {$a <=> $b} keys(%all_sids); - my $sid = pop(@_); - - if (!defined($sid)) { - $sid = $MIN_SID - } else { - $sid++; - } - - # If it's below MIN_SID, use MIN_SID instead. - $sid = $MIN_SID if ($sid < $MIN_SID); - - return ($sid) -} - - - -sub get_next_entry($ $ $ $ $ $) -{ - my $arr_ref = shift; - my $single_ref = shift; - my $multi_ref = shift; - my $nonrule_ref = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - undef($$single_ref); - undef($$multi_ref); - undef($$nonrule_ref); - undef($$msg_ref); - undef($$sid_ref); - - my $line = shift(@$arr_ref) || return(0); - my $disabled = 0; - my $broken = 0; - - # Possible beginning of multi-line rule? - if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { - $$single_ref = $line; - $$multi_ref = $line; - - $disabled = 1 if ($line =~ /^\s*#/); - - # Keep on reading as long as line ends with "\". - while (!$broken && $line =~ /\\\s*\n$/) { - - # Remove trailing "\" and newline for single-line version. - $$single_ref =~ s/\\\s*\n//; - - # If there are no more lines, this can not be a valid multi-line rule. - if (!($line = shift(@$arr_ref))) { - - warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") - if ($config{verbose}); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - - # Multi-line continuation. - $$multi_ref .= $line; - - # If there are non-comment lines in the middle of a disabled rule, - # mark the rule as broken to return as non-rule lines. - if ($line !~ /^\s*#/ && $disabled) { - $broken = 1; - } elsif ($line =~ /^\s*#/ && !$disabled) { - # comment line (with trailing slash) in the middle of an active rule - ignore it - } else { - $line =~ s/^\s*#*\s*//; # remove leading # in single-line version - $$single_ref .= $line; - } - - } # while line ends with "\" - - # Single-line version should now be a valid rule. - # If not, it wasn't a valid multi-line rule after all. - if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { - - $$single_ref =~ s/^\s*//; # remove leading whitespaces - $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # - $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - $$multi_ref =~ s/^\s*//; - $$multi_ref =~ s/\s*\n$/\n/; - $$multi_ref =~ s/^#+\s*/#/; - - return (1); # return multi - } else { - warn("\nWARNING: invalid multi-line rule: $$single_ref\n") - if ($config{verbose} && $$multi_ref !~ /^\s*#/); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { - $$single_ref = $line; - $$single_ref =~ s/^\s*//; - $$single_ref =~ s/^#+\s*/#/; - $$single_ref =~ s/\s*\n$/\n/; - - return (1); # return single - } else { # non-rule line - - # Do extra check and warn if it *might* be a rule anyway, - # but that we just couldn't parse for some reason. - warn("\nWARNING: line may be a rule but it could not be parsed ". - "(missing sid or msg?): $line\n") - if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); - - $$nonrule_ref = $line; - $$nonrule_ref =~ s/\s*\n$/\n/; - - return (1); # return non-rule - } -} - - - -# From oinkmaster.pl except that this version -# has been modified so that the sid is *optional*. -sub parse_singleline_rule($ $ $) -{ - my $line = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { - - if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { - $$msg_ref = $1; - } else { - return (0); - } - - if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { - $$sid_ref = $1; -# } else { -# return (0); - } - - return (1); - } - - return (0); -} diff --git a/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl b/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl deleted file mode 100644 index 26a9040c..00000000 --- a/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl +++ /dev/null @@ -1,280 +0,0 @@ -#!/usr/local/bin/perl -w - -# $Id: create-sidmap.pl,v 1.21 2005/12/31 13:42:46 andreas_o Exp $ # - -# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or -# without modification, are permitted provided that the following -# conditions are met: -# -# 1. Redistributions of source code must retain the above -# copyright notice, this list of conditions and the following -# disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials -# provided with the distribution. -# -# 3. Neither the name of the author nor the names of its -# contributors may be used to endorse or promote products -# derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -use strict; - -sub get_next_entry($ $ $ $ $ $); -sub parse_singleline_rule($ $ $); - -# Files to ignore. -my %skipfiles = ( - 'deleted.rules' => 1, -); - -# Regexp to match the start of a multi-line rule. -# %ACTIONS% will be replaced with content of $config{actions} later. -my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.*\\\\\s*\n$'; # '; - -# Regexp to match a single-line rule. -my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.+;\s*\)\s*$'; # '; - -my $USAGE = << "RTFM"; - -Parse active rules in *.rules in one or more directories and create a SID -map. Result is sent to standard output, which can be redirected to a -sid-msg.map file. - -Usage: $0 <rulesdir> [rulesdir2, ...] - -RTFM - -my $verbose = 1; - -my (%sidmap, %config); - -my @rulesdirs = @ARGV; - -die($USAGE) unless ($#rulesdirs > -1); - -$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; - -$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; -$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; - - -# Read in all rules from each rules file (*.rules) in each rules dir. -# into %sidmap. -foreach my $rulesdir (@rulesdirs) { - opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); - - while (my $file = readdir(RULESDIR)) { - next unless ($file =~ /\.rules$/); - next if ($skipfiles{$file}); - - open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); - my @file = <FILE>; - close(FILE); - - my ($single, $multi, $nonrule, $msg, $sid); - - while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - if (defined($single)) { - - warn("WARNING: duplicate SID: $sid (discarding old)\n") - if (exists($sidmap{$sid})); - - $sidmap{$sid} = "$sid || $msg"; - - # Print all references. Borrowed from Brian Caswell's regen-sidmap script. - my $ref = $single; - while ($ref =~ s/(.*)reference\s*:\s*([^\;]+)(.*)$/$1 $3/) { - $sidmap{$sid} .= " || $2" - } - - $sidmap{$sid} .= "\n"; - } - } - } -} - -# Print results. -foreach my $sid (sort { $a <=> $b } keys(%sidmap)) { - print "$sidmap{$sid}"; -} - - - -# Same as in oinkmaster.pl. -sub get_next_entry($ $ $ $ $ $) -{ - my $arr_ref = shift; - my $single_ref = shift; - my $multi_ref = shift; - my $nonrule_ref = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - undef($$single_ref); - undef($$multi_ref); - undef($$nonrule_ref); - undef($$msg_ref); - undef($$sid_ref); - - my $line = shift(@$arr_ref) || return(0); - my $disabled = 0; - my $broken = 0; - - # Possible beginning of multi-line rule? - if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { - $$single_ref = $line; - $$multi_ref = $line; - - $disabled = 1 if ($line =~ /^\s*#/); - - # Keep on reading as long as line ends with "\". - while (!$broken && $line =~ /\\\s*\n$/) { - - # Remove trailing "\" and newline for single-line version. - $$single_ref =~ s/\\\s*\n//; - - # If there are no more lines, this can not be a valid multi-line rule. - if (!($line = shift(@$arr_ref))) { - - warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") - if ($config{verbose}); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - - # Multi-line continuation. - $$multi_ref .= $line; - - # If there are non-comment lines in the middle of a disabled rule, - # mark the rule as broken to return as non-rule lines. - if ($line !~ /^\s*#/ && $disabled) { - $broken = 1; - } elsif ($line =~ /^\s*#/ && !$disabled) { - # comment line (with trailing slash) in the middle of an active rule - ignore it - } else { - $line =~ s/^\s*#*\s*//; # remove leading # in single-line version - $$single_ref .= $line; - } - - } # while line ends with "\" - - # Single-line version should now be a valid rule. - # If not, it wasn't a valid multi-line rule after all. - if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { - - $$single_ref =~ s/^\s*//; # remove leading whitespaces - $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # - $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - $$multi_ref =~ s/^\s*//; - $$multi_ref =~ s/\s*\n$/\n/; - $$multi_ref =~ s/^#+\s*/#/; - - return (1); # return multi - } else { - warn("\nWARNING: invalid multi-line rule: $$single_ref\n") - if ($config{verbose} && $$multi_ref !~ /^\s*#/); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { - $$single_ref = $line; - $$single_ref =~ s/^\s*//; - $$single_ref =~ s/^#+\s*/#/; - $$single_ref =~ s/\s*\n$/\n/; - - return (1); # return single - } else { # non-rule line - - # Do extra check and warn if it *might* be a rule anyway, - # but that we just couldn't parse for some reason. - warn("\nWARNING: line may be a rule but it could not be parsed ". - "(missing sid or msg?): $line\n") - if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); - - $$nonrule_ref = $line; - $$nonrule_ref =~ s/\s*\n$/\n/; - - return (1); # return non-rule - } -} - - - -# Same as in oinkmaster.pl. -sub parse_singleline_rule($ $ $) -{ - my $line = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { - - if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { - $$msg_ref = $1; - } else { - return (0); - } - - if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { - $$sid_ref = $1; - } else { - return (0); - } - - return (1); - } - - return (0); -} diff --git a/config/snort-old/bin/oinkmaster_contrib/makesidex.pl b/config/snort-old/bin/oinkmaster_contrib/makesidex.pl deleted file mode 100644 index 80354735..00000000 --- a/config/snort-old/bin/oinkmaster_contrib/makesidex.pl +++ /dev/null @@ -1,261 +0,0 @@ -#!/usr/bin/perl -w - -# $Id: makesidex.pl,v 1.11 2005/12/31 13:42:46 andreas_o Exp $ # - -# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or -# without modification, are permitted provided that the following -# conditions are met: -# -# 1. Redistributions of source code must retain the above -# copyright notice, this list of conditions and the following -# disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials -# provided with the distribution. -# -# 3. Neither the name of the author nor the names of its -# contributors may be used to endorse or promote products -# derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -use strict; - -sub get_next_entry($ $ $ $ $ $); -sub parse_singleline_rule($ $ $); - - -# Regexp to match the start of a multi-line rule. -# %ACTIONS% will be replaced with content of $config{actions} later. -my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.*\\\\\s*\n$'; # '; - -# Regexp to match a single-line rule. -my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.+;\s*\)\s*$'; # '; - -my $USAGE = << "RTFM"; - -Parse *.rules in one or more directories and look for all rules that are -disabled (i.e. begin with "#") and print "disablesid <sid> # <msg>" to -standard output for all those rules. This output can be redirected to a -file, which will be understood by Oinkmaster. - -Usage: $0 <rulesdir> [rulesdir2, ...] - -RTFM - -my $verbose = 1; - -my (%disabled, %config); - -my @rulesdirs = @ARGV; - -die($USAGE) unless ($#rulesdirs > -1); - -$config{rule_actions} = "alert|drop|log|pass|reject|sdrop|activate|dynamic"; - -$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; -$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; - -foreach my $rulesdir (@rulesdirs) { - opendir(RULESDIR, "$rulesdir") or die("could not open \"$rulesdir\": $!\n"); - - while (my $file = readdir(RULESDIR)) { - next unless ($file =~ /\.rules$/); - - open(FILE, "$rulesdir/$file") or die("could not open \"$rulesdir/$file\": $!\n"); - my @file = <FILE>; - close(FILE); - - my ($single, $multi, $nonrule, $msg, $sid); - - while (get_next_entry(\@file, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - $single = $multi if (defined($multi)); - $disabled{$sid} = $msg - if (defined($single) && $single =~ /^\s*#/); - } - } -} - -# Print results. -foreach my $sid (sort { $a <=> $b } keys(%disabled)) { - printf("%-25s # %s\n", "disablesid $sid", $disabled{$sid}); -} - - - -# Same as in oinkmaster.pl. -sub get_next_entry($ $ $ $ $ $) -{ - my $arr_ref = shift; - my $single_ref = shift; - my $multi_ref = shift; - my $nonrule_ref = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - undef($$single_ref); - undef($$multi_ref); - undef($$nonrule_ref); - undef($$msg_ref); - undef($$sid_ref); - - my $line = shift(@$arr_ref) || return(0); - my $disabled = 0; - my $broken = 0; - - # Possible beginning of multi-line rule? - if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { - $$single_ref = $line; - $$multi_ref = $line; - - $disabled = 1 if ($line =~ /^\s*#/); - - # Keep on reading as long as line ends with "\". - while (!$broken && $line =~ /\\\s*\n$/) { - - # Remove trailing "\" and newline for single-line version. - $$single_ref =~ s/\\\s*\n//; - - # If there are no more lines, this can not be a valid multi-line rule. - if (!($line = shift(@$arr_ref))) { - - warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") - if ($config{verbose}); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - - # Multi-line continuation. - $$multi_ref .= $line; - - # If there are non-comment lines in the middle of a disabled rule, - # mark the rule as broken to return as non-rule lines. - if ($line !~ /^\s*#/ && $disabled) { - $broken = 1; - } elsif ($line =~ /^\s*#/ && !$disabled) { - # comment line (with trailing slash) in the middle of an active rule - ignore it - } else { - $line =~ s/^\s*#*\s*//; # remove leading # in single-line version - $$single_ref .= $line; - } - - } # while line ends with "\" - - # Single-line version should now be a valid rule. - # If not, it wasn't a valid multi-line rule after all. - if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { - - $$single_ref =~ s/^\s*//; # remove leading whitespaces - $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # - $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - $$multi_ref =~ s/^\s*//; - $$multi_ref =~ s/\s*\n$/\n/; - $$multi_ref =~ s/^#+\s*/#/; - - return (1); # return multi - } else { - warn("\nWARNING: invalid multi-line rule: $$single_ref\n") - if ($config{verbose} && $$multi_ref !~ /^\s*#/); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { - $$single_ref = $line; - $$single_ref =~ s/^\s*//; - $$single_ref =~ s/^#+\s*/#/; - $$single_ref =~ s/\s*\n$/\n/; - - return (1); # return single - } else { # non-rule line - - # Do extra check and warn if it *might* be a rule anyway, - # but that we just couldn't parse for some reason. - warn("\nWARNING: line may be a rule but it could not be parsed ". - "(missing sid or msg?): $line\n") - if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); - - $$nonrule_ref = $line; - $$nonrule_ref =~ s/\s*\n$/\n/; - - return (1); # return non-rule - } -} - - - -# Same as in oinkmaster.pl. -sub parse_singleline_rule($ $ $) -{ - my $line = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { - - if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { - $$msg_ref = $1; - } else { - return (0); - } - - if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { - $$sid_ref = $1; - } else { - return (0); - } - - return (1); - } - - return (0); -} diff --git a/config/snort-old/bin/oinkmaster_contrib/oinkgui.pl b/config/snort-old/bin/oinkmaster_contrib/oinkgui.pl deleted file mode 100644 index 4e96f7db..00000000 --- a/config/snort-old/bin/oinkmaster_contrib/oinkgui.pl +++ /dev/null @@ -1,1046 +0,0 @@ -#!/usr/bin/perl -w - -# $Id: oinkgui.pl,v 1.52 2005/12/31 13:42:46 andreas_o Exp $ # - -# Copyright (c) 2004-2006 Andreas Östling <andreaso@it.su.se> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or -# without modification, are permitted provided that the following -# conditions are met: -# -# 1. Redistributions of source code must retain the above -# copyright notice, this list of conditions and the following -# disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials -# provided with the distribution. -# -# 3. Neither the name of the author nor the names of its -# contributors may be used to endorse or promote products -# derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -use 5.006001; - -use strict; -use File::Spec; -use Tk; -use Tk::Balloon; -use Tk::BrowseEntry; -use Tk::FileSelect; -use Tk::NoteBook; -use Tk::ROText; - -use constant CSIDL_DRIVES => 17; - -sub update_rules(); -sub clear_messages(); -sub create_cmdline($); -sub fileDialog($ $ $ $); -sub load_config(); -sub save_config(); -sub save_messages(); -sub update_file_label_color($ $ $); -sub create_fileSelectFrame($ $ $ $ $ $); -sub create_checkbutton($ $ $); -sub create_radiobutton($ $ $); -sub create_actionbutton($ $ $); -sub execute_oinkmaster(@); -sub logmsg($ $); - - -my $version = 'Oinkmaster GUI v1.1'; - -my @oinkmaster_conf = qw( - /etc/oinkmaster.conf - /usr/local/etc/oinkmaster.conf -); - -# List of URLs that will show up in the URL BrowseEntry. -my @urls = qw( - http://www.bleedingsnort.com/bleeding.rules.tar.gz - http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz - http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz - http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.3.tar.gz -); - -my %color = ( - background => 'Bisque3', - button => 'Bisque2', - label => 'Bisque1', - notebook_bg => 'Bisque2', - notebook_inact => 'Bisque3', - file_label_ok => '#00e000', - file_label_not_ok => 'red', - out_frame_fg => 'white', - out_frame_bg => 'black', - entry_bg => 'white', - button_active => 'white', - button_bg => 'Bisque4', -); - -my %config = ( - animate => 1, - careful => 0, - enable_all => 0, - check_removed => 0, - output_mode => 'normal', - diff_mode => 'detailed', - perl => $^X, - oinkmaster => "", - oinkmaster_conf => "", - outdir => "", - url => "", - varfile => "", - backupdir => "", - editor => "", -); - -my %help = ( - - # File locations. - oinkscript => 'Location of the executable Oinkmaster script (oinkmaster.pl).', - oinkconf => 'The Oinkmaster configuration file to use.', - outdir => 'Where to put the new rules. This should be the directory where you '. - 'store your current rules.', - - url => 'Alternate location of rules archive to download/copy. '. - 'Leave empty to use the location set in oinkmaster.conf.', - varfile => 'Variables that exist in downloaded snort.conf but not in '. - 'this file will be added to it. Leave empty to skip.', - backupdir => 'Directory to put tarball of old rules before overwriting them. '. - 'Leave empty to skip backup.', - editor => 'Full path to editor to execute when pressing the "edit" button '. - '(wordpad is recommended on Windows). ', - - # Checkbuttons. - careful => 'In careful mode, Oinkmaster will just check for changes, '. - 'not update anything.', - enable => 'Some rules may be commented out by default (for a reason!). '. - 'This option will make Oinkmaster enable those.', - removed => 'Check for rules files that exist in the output directory but not '. - 'in the downloaded rules archive.', - - # Action buttons. - clear => 'Clear current output messages.', - save => 'Save current output messages to file.', - exit => 'Exit the GUI.', - update => 'Execute Oinkmaster to update the rules.', - test => 'Test current Oinkmaster configuration. ' . - 'If there are no fatal errors, you are ready to update the rules.', - version => 'Request version information from Oinkmaster.', -); - - -my $gui_config_file = ""; -my $use_fileop = 0; - - -#### MAIN #### - -select STDERR; -$| = 1; -select STDOUT; -$| = 1; - -# Find out if can use Win32::FileOp. -if ($^O eq 'MSWin32') { - BEGIN { $^W = 0 } - $use_fileop = 1 if (eval "require Win32::FileOp"); -} - -# Find out which oinkmaster.pl file to default to. -foreach my $dir (File::Spec->path()) { - my $file = "$dir/oinkmaster"; - if (-f "$file" && (-x "$file" || $^O eq 'MSWin32')) { - $config{oinkmaster} = $file; - last; - } elsif (-f "$file.pl" && (-x "$file" || $^O eq 'MSWin32')) { - $config{oinkmaster} = "$file.pl"; - last; - } -} - -# Find out which oinkmaster config file to default to. -foreach my $file (@oinkmaster_conf) { - if (-e "$file") { - $config{oinkmaster_conf} = $file; - last; - } -} - -# Find out where the GUI config file is (it's not required). -if ($ENV{HOME}) { - $gui_config_file = "$ENV{HOME}/.oinkguirc" -} elsif ($ENV{HOMEDRIVE} && $ENV{HOMEPATH}) { - $gui_config_file = "$ENV{HOMEDRIVE}$ENV{HOMEPATH}\\.oinkguirc"; -} - - -# Create main window. -my $main = MainWindow->new( - -background => "$color{background}", - -title => "$version", -); - - -# Create scrolled frame with output messages. -my $out_frame = $main->Scrolled('ROText', - -setgrid => 'true', - -scrollbars => 'e', - -background => $color{out_frame_bg}, - -foreground => $color{out_frame_fg}, -); - - -my $help_label = $main->Label( - -relief => 'groove', - -background => "$color{label}", -); - -my $balloon = $main->Balloon( - -statusbar => $help_label, -); - - -# Create notebook. -my $notebook = $main->NoteBook( - -ipadx => 6, - -ipady => 6, - -background => $color{notebook_bg}, - -inactivebackground => $color{notebook_inact}, - -backpagecolor => $color{background}, -); - - -# Create tab with required files/dirs. -my $req_tab = $notebook->add("required", - -label => "Required files and directories", - -underline => 0, -); - -$req_tab->configure(-bg => "$color{notebook_inact}"); - - -# Create frame with oinkmaster.pl location. -my $filetypes = [ - ['Oinkmaster script', 'oinkmaster.pl'], - ['All files', '*' ] -]; - -my $oinkscript_frame = - create_fileSelectFrame($req_tab, "oinkmaster.pl", 'EXECFILE', - \$config{oinkmaster}, 'NOEDIT', $filetypes); - -$balloon->attach($oinkscript_frame, -statusmsg => $help{oinkscript}); - - -# Create frame with oinkmaster.conf location. -$filetypes = [ - ['configuration files', '.conf'], - ['All files', '*' ] -]; - -my $oinkconf_frame = - create_fileSelectFrame($req_tab, "oinkmaster.conf", 'ROFILE', - \$config{oinkmaster_conf}, 'EDIT', $filetypes); - -$balloon->attach($oinkconf_frame, -statusmsg => $help{oinkconf}); - - -# Create frame with output directory. -my $outdir_frame = - create_fileSelectFrame($req_tab, "output directory", 'WRDIR', - \$config{outdir}, 'NOEDIT', undef); - -$balloon->attach($outdir_frame, -statusmsg => $help{outdir}); - - - -# Create tab with optional files/dirs. -my $opt_tab = $notebook->add("optional", - -label => "Optional files and directories", - -underline => 0, -); - -$opt_tab->configure(-bg => "$color{notebook_inact}"); - -# Create frame with alternate URL location. -$filetypes = [ - ['compressed tar files', '.tar.gz'] -]; - -my $url_frame = - create_fileSelectFrame($opt_tab, "Alternate URL", 'URL', - \$config{url}, 'NOEDIT', $filetypes); - -$balloon->attach($url_frame, -statusmsg => $help{url}); - - -# Create frame with variable file. -$filetypes = [ - ['Snort configuration files', ['.conf', '.config']], - ['All files', '*' ] -]; - -my $varfile_frame = - create_fileSelectFrame($opt_tab, "Variable file", 'WRFILE', - \$config{varfile}, 'EDIT', $filetypes); - -$balloon->attach($varfile_frame, -statusmsg => $help{varfile}); - - -# Create frame with backup dir location. -my $backupdir_frame = - create_fileSelectFrame($opt_tab, "Backup directory", 'WRDIR', - \$config{backupdir}, 'NOEDIT', undef); - -$balloon->attach($backupdir_frame, -statusmsg => $help{backupdir}); - - -# Create frame with editor location. -$filetypes = [ - ['executable files', ['.exe']], - ['All files', '*' ] -]; - -my $editor_frame = - create_fileSelectFrame($opt_tab, "Editor", 'EXECFILE', - \$config{editor}, 'NOEDIT', $filetypes); - -$balloon->attach($editor_frame, -statusmsg => $help{editor}); - - - -$notebook->pack( - -expand => 'no', - -fill => 'x', - -padx => '5', - -pady => '5', - -side => 'top' -); - - -# Create the frame to the left. -my $left_frame = $main->Frame( - -background => "$color{label}", - -border => '2', -)->pack( - -side => 'left', - -fill => 'y', -); - - -# Create "GUI settings" label. -$left_frame->Label( - -text => "GUI settings:", - -background => "$color{label}", -)->pack( - -side => 'top', - -fill => 'x', -); - - -create_actionbutton($left_frame, "Load saved settings", \&load_config); -create_actionbutton($left_frame, "Save current settings", \&save_config); - - -# Create "options" label at the top of the left frame. -$left_frame->Label( - -text => "Options:", - -background => "$color{label}", -)->pack(-side => 'top', - -fill => 'x', -); - - -# Create checkbuttons in the left frame. -$balloon->attach( - create_checkbutton($left_frame, "Careful mode", \$config{careful}), - -statusmsg => $help{careful} -); - -$balloon->attach( - create_checkbutton($left_frame, "Enable all", \$config{enable_all}), - -statusmsg => $help{enable} -); - -$balloon->attach( - create_checkbutton($left_frame, "Check for removed files", \$config{check_removed}), - -statusmsg => $help{removed} -); - - -# Create "mode" label. -$left_frame->Label( - -text => "Output mode:", - -background => "$color{label}", -)->pack( - -side => 'top', - -fill => 'x', -); - -# Create mode radiobuttons in the left frame. -create_radiobutton($left_frame, "super-quiet", \$config{output_mode}); -create_radiobutton($left_frame, "quiet", \$config{output_mode}); -create_radiobutton($left_frame, "normal", \$config{output_mode}); -create_radiobutton($left_frame, "verbose", \$config{output_mode}); - -# Create "Diff mode" label. -$left_frame->Label( - -text => "Diff mode:", - -background => "$color{label}", -)->pack( - -side => 'top', - -fill => 'x', -); - -create_radiobutton($left_frame, "detailed", \$config{diff_mode}); -create_radiobutton($left_frame, "summarized", \$config{diff_mode}); -create_radiobutton($left_frame, "remove common", \$config{diff_mode}); - - -# Create "activity messages" label. -$main->Label( - -text => "Output messages:", - -width => '130', - -background => "$color{label}", -)->pack( - -side => 'top', - -fill => 'x', -); - - - -# Pack output frame. -$out_frame->pack( - -expand => 'yes', - -fill => 'both', -); - - -# Pack help label below output window. -$help_label->pack( - -fill => 'x', -); - - -# Create "actions" label. -$left_frame->Label( - -text => "Actions:", - -background => "$color{label}", -)->pack( - -side => 'top', - -fill => 'x', -); - - -# Create action buttons. - -$balloon->attach( - create_actionbutton($left_frame, "Update rules!", \&update_rules), - -statusmsg => $help{update} -); - -$balloon->attach( - create_actionbutton($left_frame, "Clear output messages", \&clear_messages), - -statusmsg => $help{clear} -); - -$balloon->attach( - create_actionbutton($left_frame, "Save output messages", \&save_messages), - -statusmsg => $help{save} -); - -$balloon->attach( - create_actionbutton($left_frame, "Exit", \&exit), - -statusmsg => $help{exit} -); - - - -# Make the mousewheel scroll the output window. Taken from Mastering Perl/Tk. -if ($^O eq 'MSWin32') { - $out_frame->bind('<MouseWheel>' => - [ sub { $_[0]->yview('scroll', -($_[1] / 120) * 3, 'units')}, - Ev('D') ] - ); -} else { - $out_frame->bind('<4>' => sub { - $_[0]->yview('scroll', -3, 'units') unless $Tk::strictMotif; - }); - - $out_frame->bind('<5>' => sub { - $_[0]->yview('scroll', +3, 'units') unless $Tk::strictMotif; - }); -} - - - -# Now the fun begins. -if ($config{animate}) { - foreach (split(//, "Welcome to $version")) { - logmsg("$_", 'MISC'); - $out_frame->after(5); - } -} else { - logmsg("Welcome to $version", 'MISC'); -} - -logmsg("\n\n", 'MISC'); - -# Load gui settings into %config. -load_config(); - - -# Warn if any required file/directory is not set. -logmsg("No oinkmaster.pl set, please select one above!\n\n", 'ERROR') - if ($config{oinkmaster} !~ /\S/); - -logmsg("No oinkmaster configuration file set, please select one above!\n\n", 'ERROR') - if ($config{oinkmaster_conf} !~ /\S/); - -logmsg("Output directory is not set, please select one above!\n\n", 'ERROR') - if ($config{outdir} !~ /\S/); - - -MainLoop; - - - -#### END #### - - - -sub fileDialog($ $ $ $) -{ - my $var_ref = shift; - my $title = shift; - my $type = shift; - my $filetypes = shift; - my $dirname; - - if ($type eq 'WRDIR') { - if ($use_fileop) { - $dirname = Win32::FileOp::BrowseForFolder("title", CSIDL_DRIVES); - } else { - my $fs = $main->FileSelect(); - $fs->configure(-verify => ['-d', '-w'], -title => $title); - $dirname = $fs->Show; - } - $$var_ref = $dirname if ($dirname); - } elsif ($type eq 'EXECFILE' || $type eq 'ROFILE' || $type eq 'WRFILE' || $type eq 'URL') { - my $filename = $main->getOpenFile(-title => $title, -filetypes => $filetypes); - $$var_ref = $filename if ($filename); - } elsif ($type eq 'SAVEFILE') { - my $filename = $main->getSaveFile(-title => $title, -filetypes => $filetypes); - $$var_ref = $filename if ($filename); - } else { - logmsg("Unknown type ($type)\n", 'ERROR'); - } -} - - - -sub update_file_label_color($ $ $) -{ - my $label = shift; - my $filename = shift; - my $type = shift; - - $filename =~ s/^\s+//; - $filename =~ s/\s+$//; - - unless ($filename) { - $label->configure(-background => $color{file_label_not_ok}); - return (1); - } - - if ($type eq "URL") { - if ($filename =~ /^(?:http|ftp|scp):\/\/.+\.tar\.gz$/) { - $label->configure(-background => $color{file_label_ok}); - } elsif ($filename =~ /^(?:file:\/\/)*(.+\.tar\.gz)$/) { - my $file = $1; - if (-f "$file" && -r "$file") { - $label->configure(-background => $color{file_label_ok}); - } else { - $label->configure(-background => $color{file_label_not_ok}); - } - } else { - $label->configure(-background => $color{file_label_not_ok}); - } - } elsif ($type eq "ROFILE") { - if (-f "$filename" && -r "$filename") { - $label->configure(-background => $color{file_label_ok}); - } else { - $label->configure(-background => $color{file_label_not_ok}); - } - } elsif ($type eq "EXECFILE") { - if (-f "$filename" && (-x "$filename" || $^O eq 'MSWin32')) { - $label->configure(-background => $color{file_label_ok}); - } else { - $label->configure(-background => $color{file_label_not_ok}); - } - } elsif ($type eq "WRFILE") { - if (-f "$filename" && -w "$filename") { - $label->configure(-background => $color{file_label_ok}); - } else { - $label->configure(-background => $color{file_label_not_ok}); - } - } elsif ($type eq "WRDIR") { - if (-d "$filename" && -w "$filename") { - $label->configure(-background => $color{file_label_ok}); - } else { - $label->configure(-background => $color{file_label_not_ok}); - } - } else { - print STDERR "incorrect type ($type)\n"; - exit; - } - - return (1); -} - - - -sub create_checkbutton($ $ $) -{ - my $frame = shift; - my $name = shift; - my $var_ref = shift; - - my $button = $frame->Checkbutton( - -text => $name, - -background => $color{button}, - -activebackground => $color{button_active}, - -highlightbackground => $color{button_bg}, - -variable => $var_ref, - -relief => 'raise', - -anchor => 'w', - )->pack( - -fill => 'x', - -side => 'top', - -pady => '1', - ); - - return ($button); -} - - - -sub create_actionbutton($ $ $) -{ - my $frame = shift; - my $name = shift; - my $func_ref = shift; - - my $button = $frame->Button( - -text => $name, - -command => sub { - &$func_ref; - $out_frame->focus; - }, - -background => $color{button}, - -activebackground => $color{button_active}, - -highlightbackground => $color{button_bg}, - )->pack( - -fill => 'x', - ); - - return ($button); -} - - - -sub create_radiobutton($ $ $) -{ - my $frame = shift; - my $name = shift; - my $mode_ref = shift; - - my $button = $frame->Radiobutton( - -text => $name, - -highlightbackground => $color{button_bg}, - -background => $color{button}, - -activebackground => $color{button_active}, - -variable => $mode_ref, - -relief => 'raised', - -anchor => 'w', - -value => $name, - )->pack( - -side => 'top', - -pady => '1', - -fill => 'x', - ); - - return ($button); -} - - - -# Create <label><entry><browsebutton> in given frame. -sub create_fileSelectFrame($ $ $ $ $ $) -{ - my $win = shift; - my $name = shift; - my $type = shift; # FILE|DIR|URL - my $var_ref = shift; - my $edtype = shift; # EDIT|NOEDIT - my $filetypes = shift; - - # Create frame. - my $frame = $win->Frame( - -bg => $color{background}, - )->pack( - -padx => '2', - -pady => '2', - -fill => 'x' - ); - - # Create label. - my $label = $frame->Label( - -text => $name, - -width => '16', - -relief => 'raised', - -background => "$color{file_label_not_ok}", - )->pack( - -side => 'left' - ); - - my $entry; - - if ($type eq 'URL') { - $entry = $frame->BrowseEntry( - -textvariable => $var_ref, - -background => $color{entry_bg}, - -width => '80', - -choices => \@urls, - -validate => 'key', - -validatecommand => sub { update_file_label_color($label, $_[0], $type) }, - )->pack( - -side => 'left', - -expand => 'yes', - -fill => 'x' - ); - } else { - $entry = $frame->Entry( - -textvariable => $var_ref, - -background => $color{entry_bg}, - -width => '80', - -validate => 'key', - -validatecommand => sub { update_file_label_color($label, $_[0], $type) }, - )->pack( - -side => 'left', - -expand => 'yes', - -fill => 'x' - ); - } - - # Create edit-button if file is ediable. - if ($edtype eq 'EDIT') { - my $edit_but = $frame->Button( - -text => "Edit", - -background => "$color{button}", - -command => sub { - unless (-e "$$var_ref") { - logmsg("Select an existing file first!\n\n", 'ERROR'); - return; - } - - if ($config{editor}) { - $main->Busy(-recurse => 1); - logmsg("Launching " . $config{editor} . - ", close it to continue the GUI.\n\n", 'MISC'); - sleep(2); - system($config{editor}, $$var_ref); # MainLoop will be put on hold... - $main->Unbusy; - } else { - logmsg("No editor set\n\n", 'ERROR'); - } - } - )->pack( - -side => 'left', - ); - } - - # Create browse-button. - my $but = $frame->Button( - -text => "browse ...", - -background => $color{button}, - -command => sub { - fileDialog($var_ref, $name, $type, $filetypes); - } - )->pack( - -side => 'left', - ); - - return ($frame); -} - - - -sub logmsg($ $) -{ - my $text = shift; - my $type = shift; - - return unless (defined($text)); - - $out_frame->tag(qw(configure OUTPUT -foreground grey)); - $out_frame->tag(qw(configure ERROR -foreground red)); - $out_frame->tag(qw(configure MISC -foreground white)); - $out_frame->tag(qw(configure EXEC -foreground bisque2)); - - $out_frame->insert('end', "$text", "$type"); - $out_frame->see('end'); - $out_frame->update; -} - - - - -sub execute_oinkmaster(@) -{ - my @cmd = @_; - my @obfuscated_cmd; - - # Obfuscate possible password in url. - foreach my $line (@cmd) { - if ($line =~ /^(\S+:\/\/.+?):.+?@(.+)/) { - push(@obfuscated_cmd, "$1:*password*\@$2"); - } else { - push(@obfuscated_cmd, $line); - } - } - - logmsg("@obfuscated_cmd:\n", 'EXEC'); - - $main->Busy(-recurse => 1); - - if ($^O eq 'MSWin32') { - open(OINK, "@cmd 2>&1|"); - while (<OINK>) { - logmsg($_, 'OUTPUT'); - } - close(OINK); - } else { - if (open(OINK,"-|")) { - while (<OINK>) { - logmsg($_, 'OUTPUT'); - } - } else { - open(STDERR, '>&STDOUT'); - exec(@cmd); - } - close(OINK); - } - - $main->Unbusy; - logmsg("done.\n\n", 'EXEC'); -} - - - -sub clear_messages() -{ - $out_frame->delete('1.0','end'); - $out_frame->update; -} - - - -sub save_messages() -{ - my $text = $out_frame->get('1.0', 'end'); - my $title = 'Save output messages'; - my $filename; - - my $filetypes = [ - ['Log files', ['.log', '.txt']], - ['All files', '*' ] - ]; - - - if (length($text) > 1) { - fileDialog(\$filename, $title, 'SAVEFILE', $filetypes); - if (defined($filename)) { - - unless (open(LOG, ">", "$filename")) { - logmsg("Could not open $filename for writing: $!\n\n", 'ERROR'); - return; - } - - print LOG $text; - close(LOG); - logmsg("Successfully saved output messages to $filename\n\n", 'MISC'); - } - - } else { - logmsg("Nothing to save.\n\n", 'ERROR'); - } -} - - - -sub update_rules() -{ - my @cmd; - - create_cmdline(\@cmd) || return; - clear_messages(); - execute_oinkmaster(@cmd); -} - - - -sub create_cmdline($) -{ - my $cmd_ref = shift; - - my $oinkmaster = $config{oinkmaster}; - my $oinkmaster_conf = $config{oinkmaster_conf}; - my $outdir = $config{outdir}; - my $varfile = $config{varfile}; - my $url = $config{url}; - my $backupdir = $config{backupdir}; - - # Assume file:// if url prefix is missing. - if ($url) { - $url = "file://$url" unless ($url =~ /(?:http|ftp|file|scp):\/\//); - if ($url =~ /.+<oinkcode>.+/) { - logmsg("You must replace <oinkcode> with your real oinkcode, see the FAQ!\n\n", 'ERROR'); - return (0); - } - } - - $oinkmaster = File::Spec->rel2abs($oinkmaster) - if ($oinkmaster); - - $outdir = File::Spec->canonpath("$outdir"); - $backupdir = File::Spec->canonpath("$backupdir"); - - # Clean leading/trailing whitespaces. - foreach my $var_ref (\$oinkmaster, \$oinkmaster_conf, \$outdir, - \$varfile, \$url, \$backupdir) { - $$var_ref =~ s/^\s+//; - $$var_ref =~ s/\s+$//; - } - - unless ($config{oinkmaster} && -f "$config{oinkmaster}" && - (-x "$config{oinkmaster}" || $^O eq 'MSWin32')) { - logmsg("Location of oinkmaster.pl is not set correctly!\n\n", 'ERROR'); - return; - } - - unless ($oinkmaster_conf && -f "$oinkmaster_conf") { - logmsg("Location of configuration file is not set correctlyy!\n\n", 'ERROR'); - return (0); - } - - unless ($outdir && -d "$outdir") { - logmsg("Output directory is not set correctly!\n\n", 'ERROR'); - return (0); - } - - # Add leading/trailing "" if win32. - foreach my $var_ref (\$oinkmaster, \$oinkmaster_conf, \$outdir, - \$varfile, \$url, \$backupdir) { - if ($^O eq 'MSWin32' && $$var_ref) { - $$var_ref = "\"$$var_ref\""; - } - } - - push(@$cmd_ref, - "$config{perl}", "$oinkmaster", - "-C", "$oinkmaster_conf", - "-o", "$outdir"); - - push(@$cmd_ref, "-c") if ($config{careful}); - push(@$cmd_ref, "-e") if ($config{enable_all}); - push(@$cmd_ref, "-r") if ($config{check_removed}); - push(@$cmd_ref, "-q") if ($config{output_mode} eq "quiet"); - push(@$cmd_ref, "-Q") if ($config{output_mode} eq "super-quiet"); - push(@$cmd_ref, "-v") if ($config{output_mode} eq "verbose"); - push(@$cmd_ref, "-m") if ($config{diff_mode} eq "remove common"); - push(@$cmd_ref, "-s") if ($config{diff_mode} eq "summarized"); - push(@$cmd_ref, "-U", "$varfile") if ($varfile); - push(@$cmd_ref, "-b", "$backupdir") if ($backupdir); - - push(@$cmd_ref, "-u", "$url") - if ($url); - - return (1); -} - - - -# Load $config file into %config hash. -sub load_config() -{ - unless (defined($gui_config_file) && $gui_config_file) { - logmsg("Unable to determine config file location, is your \$HOME set?\n\n", 'ERROR'); - return; - } - - unless (-e "$gui_config_file") { - logmsg("$gui_config_file does not exist, keeping current/default settings\n\n", 'MISC'); - return; - } - - unless (open(RC, "<", "$gui_config_file")) { - logmsg("Could not open $gui_config_file for reading: $!\n\n", 'ERROR'); - return; - } - - while (<RC>) { - next unless (/^(\S+)=(.*)/); - $config{$1} = $2; - } - - close(RC); - logmsg("Successfully loaded GUI settings from $gui_config_file\n\n", 'MISC'); -} - - - -# Save %config into file $config. -sub save_config() -{ - unless (defined($gui_config_file) && $gui_config_file) { - logmsg("Unable to determine config file location, is your \$HOME set?\n\n", 'ERROR'); - return; - } - - unless (open(RC, ">", "$gui_config_file")) { - logmsg("Could not open $gui_config_file for writing: $!\n\n", 'ERROR'); - return; - } - - print RC "# Automatically created by Oinkgui. ". - "Do not edit directly unless you have to.\n"; - - foreach my $option (sort(keys(%config))) { - print RC "$option=$config{$option}\n"; - } - - close(RC); - logmsg("Successfully saved current GUI settings to $gui_config_file\n\n", 'MISC'); -} diff --git a/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl b/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl deleted file mode 100644 index f9c4d215..00000000 --- a/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl +++ /dev/null @@ -1,2754 +0,0 @@ -#!/usr/bin/perl -w - -# $Id: oinkmaster.pl,v 1.406 2006/02/10 13:02:44 andreas_o Exp $ # - -# Copyright (c) 2001-2006 Andreas Östling <andreaso@it.su.se> -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or -# without modification, are permitted provided that the following -# conditions are met: -# -# 1. Redistributions of source code must retain the above -# copyright notice, this list of conditions and the following -# disclaimer. -# -# 2. Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials -# provided with the distribution. -# -# 3. Neither the name of the author nor the names of its -# contributors may be used to endorse or promote products -# derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -# CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, -# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -use 5.006001; - -use strict; -use File::Basename; -use File::Copy; -use File::Path; -use File::Spec; -use Getopt::Long; -use File::Temp qw(tempdir); - -sub show_usage(); -sub parse_cmdline($); -sub read_config($ $); -sub sanity_check(); -sub download_file($ $); -sub unpack_rules_archive($ $ $); -sub join_tmp_rules_dirs($ $ @); -sub process_rules($ $ $ $ $ $); -sub process_rule($ $ $ $ $ $ $ $); -sub setup_rules_hash($ $); -sub get_first_only($ $ $); -sub print_changes($ $); -sub print_changetype($ $ $ $); -sub print_summary_change($ $); -sub make_backup($ $); -sub get_changes($ $ $); -sub update_rules($ @); -sub copy_rules($ $); -sub is_in_path($); -sub get_next_entry($ $ $ $ $ $); -sub get_new_vars($ $ $ $); -sub add_new_vars($ $); -sub write_new_vars($ $); -sub msdos_to_cygwin_path($); -sub parse_mod_expr($ $ $ $); -sub untaint_path($); -sub approve_changes(); -sub parse_singleline_rule($ $ $); -sub join_multilines($); -sub minimize_diff($ $); -sub catch_sigint(); -sub clean_exit($); - - -my $VERSION = 'Oinkmaster v2.0, Copyright (C) 2001-2006 '. - 'Andreas Östling <andreaso@it.su.se>'; -my $OUTFILE = 'snortrules.tar.gz'; -my $RULES_DIR = 'rules'; - -my $PRINT_NEW = 1; -my $PRINT_OLD = 2; -my $PRINT_BOTH = 3; - -my %config = ( - careful => 0, - check_removed => 0, - config_test_mode => 0, - enable_all => 0, - interactive => 0, - make_backup => 0, - minimize_diff => 0, - min_files => 1, - min_rules => 1, - quiet => 0, - summary_output => 0, - super_quiet => 0, - update_vars => 0, - use_external_bins => 1, - verbose => 0, - use_path_checks => 1, - rule_actions => "alert|drop|log|pass|reject|sdrop|activate|dynamic", - tmp_basedir => $ENV{TMP} || $ENV{TMPDIR} || $ENV{TEMPDIR} || '/tmp', -); - - -# Regexp to match the start of a multi-line rule. -# %ACTIONS% will be replaced with content of $config{actions} later. -# sid and msg will then be looked for in parse_singleline_rule(). -my $MULTILINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.*\\\\\s*\n$'; # '; - -# Regexp to match a single-line rule. -# sid and msg will then be looked for in parse_singleline_rule(). -my $SINGLELINE_RULE_REGEXP = '^\s*#*\s*(?:%ACTIONS%)'. - '\s.+;\s*\)\s*$'; # '; - -# Match var line where var name goes into $1. -my $VAR_REGEXP = '^\s*var\s+(\S+)\s+(\S+)'; - -# Allowed characters in misc paths/filenames, including the ones in the tarball. -my $OK_PATH_CHARS = 'a-zA-Z\d\ _\(\)\[\]\.\-+:\\\/~@,='; - -# Default locations for configuration file. -my @DEFAULT_CONFIG_FILES = qw( - /etc/oinkmaster.conf - /usr/local/etc/oinkmaster.conf -); - -my @DEFAULT_DIST_VAR_FILES = qw( - snort.conf -); - -my (%loaded, $tmpdir); - - - -#### MAIN #### - -# No buffering. -select(STDERR); -$| = 1; -select(STDOUT); -$| = 1; - - -my $start_date = scalar(localtime); - -# Assume the required Perl modules are available if we're on Windows. -$config{use_external_bins} = 0 if ($^O eq "MSWin32"); - -# Parse command line arguments and add at least %config{output_dir}. -parse_cmdline(\%config); - -# If no config was specified on command line, look for one in default locations. -if ($#{$config{config_files}} == -1) { - foreach my $config (@DEFAULT_CONFIG_FILES) { - if (-e "$config") { - push(@{${config{config_files}}}, $config); - last; - } - } -} - -# If no dist var file was specified on command line, set to default file(s). -if ($#{$config{dist_var_files}} == -1) { - foreach my $var_file (@DEFAULT_DIST_VAR_FILES) { - push(@{${config{dist_var_files}}}, $var_file); - } -} - -# If config is still not defined, we can't continue. -if ($#{$config{config_files}} == -1) { - clean_exit("configuration file not found in default locations\n". - "(@DEFAULT_CONFIG_FILES)\n". - "Put it there or use the \"-C <file>\" argument."); -} - -read_config($_, \%config) for @{$config{config_files}}; - -# Now substitute "%ACTIONS%" with $config{rule_actions}, which may have -# been modified after reading the config file. -$SINGLELINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; -$MULTILINE_RULE_REGEXP =~ s/%ACTIONS%/$config{rule_actions}/; - -# If we're told not to use external binaries, load the Perl modules now. -unless ($config{use_external_bins}) { - print STDERR "Loading Perl modules.\n" if ($config{verbose}); - - eval { - require IO::Zlib; - require Archive::Tar; - require LWP::UserAgent; - }; - - clean_exit("failed to load required Perl modules:\n\n$@\n". - "Install them or set use_external_bins to 1 ". - "if you want to use external binaries instead.") - if ($@); -} - - -# Do some basic sanity checking and exit if something fails. -# A new PATH will be set. -sanity_check(); - -$SIG{INT} = \&catch_sigint; - -# Create temporary dir. -$tmpdir = tempdir("oinkmaster.XXXXXXXXXX", DIR => File::Spec->rel2abs($config{tmp_basedir})) - or clean_exit("could not create temporary directory in $config{tmp_basedir}: $!"); - -# If we're in config test mode and have come this far, we're done. -if ($config{config_test_mode}) { - print "No fatal errors in configuration.\n"; - clean_exit(""); -} - -umask($config{umask}) if exists($config{umask}); - -# Download and unpack all the rules archives into separate tmp dirs. -my @url_tmpdirs; -foreach my $url (@{$config{url}}) { - my $url_tmpdir = tempdir("url.XXXXXXXXXX", DIR => $tmpdir) - or clean_exit("could not create temporary directory in $tmpdir: $!"); - push(@url_tmpdirs, "$url_tmpdir/$RULES_DIR"); - if ($url =~ /^dir:\/\/(.+)/) { - mkdir("$url_tmpdir/$RULES_DIR") - or clean_exit("Could not create $url_tmpdir/$RULES_DIR"); - copy_rules($1, "$url_tmpdir/$RULES_DIR"); - } else { - download_file($url, "$url_tmpdir/$OUTFILE"); - unpack_rules_archive("$url", "$url_tmpdir/$OUTFILE", $RULES_DIR); - } -} - -# Copy all rules files from the tmp dirs into $RULES_DIR in the tmp directory. -# File matching 'skipfile' a directive will not be copied. -# Filenames (with full path) will be stored as %new_files{filename}. -# Will exit in case of duplicate filenames. -my $num_files = join_tmp_rules_dirs("$tmpdir/$RULES_DIR", \my %new_files, @url_tmpdirs); - -# Make sure we have at least the minimum number of files. -clean_exit("not enough rules files in downloaded rules archive(s).\n". - "Number of rules files is $num_files but minimum is set to $config{min_files}.") - if ($num_files < $config{min_files}); - -# This is to read in possible 'localsid' rules. -my %rh_tmp = setup_rules_hash(\%new_files, $config{output_dir}); - -# Disable/modify/clean downloaded rules. -my $num_rules = process_rules(\@{$config{sid_modify_list}}, - \%{$config{sid_disable_list}}, - \%{$config{sid_enable_list}}, - \%{$config{sid_local_list}}, - \%rh_tmp, - \%new_files); - -# Make sure we have at least the minimum number of rules. -clean_exit("not enough rules in downloaded archive(s).\n". - "Number of rules is $num_rules but minimum is set to $config{min_rules}.") - if ($num_rules < $config{min_rules}); - -# Setup a hash containing the content of all processed rules files. -my %rh = setup_rules_hash(\%new_files, $config{output_dir}); - -# Compare the new rules to the old ones. -my %changes = get_changes(\%rh, \%new_files, $RULES_DIR); - -# Check for variables that exist in dist snort.conf(s) but not in local snort.conf. -get_new_vars(\%changes, \@{$config{dist_var_files}}, $config{varfile}, \@url_tmpdirs) - if ($config{update_vars}); - - -# Find out if something had changed. -my $something_changed = 0; - -$something_changed = 1 - if (keys(%{$changes{modified_files}}) || - keys(%{$changes{added_files}}) || - keys(%{$changes{removed_files}}) || - $#{$changes{new_vars}} > -1); - - -# Update files listed in %changes{modified_files} (copy the new files -# from the temporary directory into our output directory) and add new -# variables to the local snort.conf if requested, unless we're running in -# careful mode. Create backup first if running with -b. -my $printed = 0; -if ($something_changed) { - if ($config{careful}) { - print STDERR "Skipping backup since we are running in careful mode.\n" - if ($config{make_backup} && (!$config{quiet})); - } else { - if ($config{interactive}) { - print_changes(\%changes, \%rh); - $printed = 1; - } - - if (!$config{interactive} || ($config{interactive} && approve_changes)) { - make_backup($config{output_dir}, $config{backup_dir}) - if ($config{make_backup}); - - add_new_vars(\%changes, $config{varfile}) - if ($config{update_vars}); - - update_rules($config{output_dir}, keys(%{$changes{modified_files}})); - } - } -} else { - print STDERR "No files modified - no need to backup old files, skipping.\n" - if ($config{make_backup} && !$config{quiet}); -} - -print "\nOinkmaster is running in careful mode - not updating anything.\n" - if ($something_changed && $config{careful}); - -print_changes(\%changes, \%rh) - if (!$printed && ($something_changed || !$config{quiet})); - - -# Everything worked. Do a clean exit without any error message. -clean_exit(""); - - -# END OF MAIN # - - - -# Show usage information and exit. -sub show_usage() -{ - my $progname = basename($0); - - print STDERR << "RTFM"; - -$VERSION - -Usage: $progname -o <outdir> [options] - -<outdir> is where to put the new files. -This should be the directory where you store your Snort rules. - -Options: --b <dir> Backup your old rules into <dir> before overwriting them --c Careful mode (dry run) - check for changes but do not update anything --C <file> Use this configuration file instead of the default - May be specified multiple times to load multiple files --e Enable all rules that are disabled by default --h Show this usage information --i Interactive mode - you will be asked to approve the changes (if any) --m Minimize diff when printing result by removing common parts in rules --q Quiet mode - no output unless changes were found --Q Super-quiet mode - like -q but even more quiet --r Check for rules files that exist in the output directory - but not in the downloaded rules archive --s Leave out details in rules results, just print SID, msg and filename --S <file> Look for new variables in this file in the downloaded archive instead - of the default (@DEFAULT_DIST_VAR_FILES). Used in conjunction with -U. - May be specified multiple times to search multiple files. --T Config test - just check configuration file(s) for errors/warnings --u <url> Download from this URL instead of URL(s) in the configuration file - (http|https|ftp|file|scp:// ... .tar.gz|.gz, or dir://<dir>) - May be specified multiple times to grab multiple rules archives --U <file> Merge new variables from downloaded snort.conf(s) into <file> --v Verbose mode (debug) --V Show version and exit - -RTFM - exit; -} - - - -# Parse the command line arguments and exit if we don't like them. -sub parse_cmdline($) -{ - my $cfg_ref = shift; - - Getopt::Long::Configure("bundling"); - - my $cmdline_ok = GetOptions( - "b=s" => \$$cfg_ref{backup_dir}, - "c" => \$$cfg_ref{careful}, - "C=s" => \@{$$cfg_ref{config_files}}, - "e" => \$$cfg_ref{enable_all}, - "h" => \&show_usage, - "i" => \$$cfg_ref{interactive}, - "m" => \$$cfg_ref{minimize_diff}, - "o=s" => \$$cfg_ref{output_dir}, - "q" => \$$cfg_ref{quiet}, - "Q" => \$$cfg_ref{super_quiet}, - "r" => \$$cfg_ref{check_removed}, - "s" => \$$cfg_ref{summary_output}, - "S=s" => \@{$$cfg_ref{dist_var_files}}, - "T" => \$$cfg_ref{config_test_mode}, - "u=s" => \@{$$cfg_ref{url}}, - "U=s" => \$$cfg_ref{varfile}, - "v" => \$$cfg_ref{verbose}, - "V" => sub { - print "$VERSION\n"; - exit(0); - } - ); - - - show_usage unless ($cmdline_ok && $#ARGV == -1); - - $$cfg_ref{quiet} = 1 if ($$cfg_ref{super_quiet}); - $$cfg_ref{update_vars} = 1 if ($$cfg_ref{varfile}); - - if ($$cfg_ref{backup_dir}) { - $$cfg_ref{backup_dir} = File::Spec->canonpath($$cfg_ref{backup_dir}); - $$cfg_ref{make_backup} = 1; - } - - # Cannot specify dist var files without specifying var target file. - if (@{$$cfg_ref{dist_var_files}} && !$$cfg_ref{update_vars}) { - clean_exit("You can not specify distribution variable file(s) without ". - "also specifying local file to merge into"); - } - - # -o <dir> is the only required option in normal usage. - if ($$cfg_ref{output_dir}) { - $$cfg_ref{output_dir} = File::Spec->canonpath($$cfg_ref{output_dir}); - } else { - warn("Error: no output directory specified.\n"); - show_usage(); - } - - # Mark that url was set on command line (so we don't override it later). - $$cfg_ref{cmdline_url} = 1 if ($#{$config{url}} > -1); -} - - - -# Read in stuff from the configuration file. -sub read_config($ $) -{ - my $config_file = shift; - my $cfg_ref = shift; - my $linenum = 0; - my $multi; - my %templates; - - $config_file = File::Spec->canonpath(File::Spec->rel2abs($config_file)); - - clean_exit("configuration file \"$config_file\" does not exist.\n") - unless (-e "$config_file"); - - clean_exit("\"$config_file\" is not a file.\n") - unless (-f "$config_file"); - - print STDERR "Loading $config_file\n" - unless ($config{quiet}); - - # Avoid loading the same file multiple times to avoid infinite recursion etc. - if ($^O eq "MSWin32") { - clean_exit("attempt to load \"$config_file\" twice.") - if ($loaded{$config_file}++); - } else { - my ($dev, $ino) = (stat($config_file))[0,1] - or clean_exit("unable to stat $config_file: $!"); - clean_exit("attempt to load \"$config_file\" twice.") - if ($loaded{$dev, $ino}++); - } - - open(CONF, "<", "$config_file") - or clean_exit("could not open configuration file \"$config_file\": $!"); - my @conf = <CONF>; - close(CONF); - - LINE:while ($_ = shift(@conf)) { - $linenum++; - - unless ($multi) { - s/^\s*//; - s/^#.*//; - } - - # Multi-line start/continuation. - if (/\\\s*\n$/) { - s/\\\s*\n$//; - s/^\s*#.*//; - - # Be strict about removing #comments in modifysid/define_template statements, as - # they may contain other '#' chars. - if (defined($multi) && ($multi =~ /^modifysid/i || $multi =~ /^define_template/i)) { - s/#.*// if (/^\s*\d+[,\s\d]+#/); - } else { - s/\s*\#.*// unless (/^modifysid/i || /^define_template/i); - } - - $multi .= $_; - next LINE; - } - - # Last line of multi-line directive. - if (defined($multi)) { - $multi .= $_; - $_ = $multi; - undef($multi); - } - - # Remove traling whitespaces (*after* a possible multi-line is rebuilt). - s/\s*$//; - - # Remove comments unless it's a modifysid/define_template line - # (the "#" may be part of the modifysid expression). - s/\s*\#.*// unless (/^modifysid/i || /^define_template/i); - - # Skip blank lines. - next unless (/\S/); - - # Use a template and make $_ a "modifysid" line. - if (/^use_template\s+(\S+)\s+(\S+[^"]*)\s*(".*")*(?:#.*)*/i) { - my ($template_name, $sid, $args) = ($1, $2, $3); - - if (exists($templates{$template_name})) { - my $template = $templates{$template_name}; # so we don't substitute %ARGx% globally - - # Evaluate each "%ARGx%" in the template to the corresponding value. - if (defined($args)) { - my @args = split(/"\s+"/, $args); - foreach my $i (1 .. @args) { - $args[$i - 1] =~ s/^"//; - $args[$i - 1] =~ s/"$//; - $template =~ s/%ARG$i%/$args[$i - 1]/g; - } - } - - # There should be no %ARGx% stuff left now. - if ($template =~ /%ARG\d%/) { - warn("WARNING: too few arguments for template \"$template_name\"\n"); - $_ = "error"; # so it will be reported as an invalid line later - } - - unless ($_ eq "error") { - $_ = "modifysid $sid $template\n"; - print STDERR "Template \"$template_name\" expanded to: $_" - if ($config{verbose}); - } - - } else { - warn("WARNING: template \"$template_name\" has not been defined\n"); - } - } - - # new template definition. - if (/^define_template\s+(\S+)\s+(".+"\s+\|\s+".*")\s*(?:#.*)*$/i) { - my ($template_name, $template) = ($1, $2); - - if (exists($templates{$template_name})) { - warn("WARNING: line $linenum in $config_file: ". - "template \"$template_name\" already defined, keeping old\n"); - } else { - $templates{$template_name} = $template; - } - - # modifysid <SIDORFILE[,SIDORFILE, ...]> "substthis" | "withthis" - } elsif (/^modifysids*\s+(\S+.*)\s+"(.+)"\s+\|\s+"(.*)"\s*(?:#.*)*$/i) { - my ($sid_list, $subst, $repl) = ($1, $2, $3); - warn("WARNING: line $linenum in $config_file is invalid, ignoring\n") - unless(parse_mod_expr(\@{$$cfg_ref{sid_modify_list}}, - $sid_list, $subst, $repl)); - - # disablesid <SID[,SID, ...]> - } elsif (/^disablesids*\s+(\d.*)/i) { - my $sid_list = $1; - foreach my $sid (split(/\s*,\s*/, $sid_list)) { - if ($sid =~ /^\d+$/) { - $$cfg_ref{sid_disable_list}{$sid}++; - } else { - warn("WARNING: line $linenum in $config_file: ". - "\"$sid\" is not a valid SID, ignoring\n"); - } - } - - # localsid <SID[,SID, ...]> - } elsif (/^localsids*\s+(\d.*)/i) { - my $sid_list = $1; - foreach my $sid (split(/\s*,\s*/, $sid_list)) { - if ($sid =~ /^\d+$/) { - $$cfg_ref{sid_local_list}{$sid}++; - } else { - warn("WARNING: line $linenum in $config_file: ". - "\"$sid\" is not a valid SID, ignoring\n"); - } - } - - # enablesid <SID[,SID, ...]> - } elsif (/^enablesids*\s+(\d.*)/i) { - my $sid_list = $1; - foreach my $sid (split(/\s*,\s*/, $sid_list)) { - if ($sid =~ /^\d+$/) { - $$cfg_ref{sid_enable_list}{$sid}++; - } else { - warn("WARNING: line $linenum in $config_file: ". - "\"$sid\" is not a valid SID, ignoring\n"); - } - } - - # skipfile <file[,file, ...]> - } elsif (/^skipfiles*\s+(.*)/i) { - my $args = $1; - foreach my $file (split(/\s*,\s*/, $args)) { - if ($file =~ /^\S+$/) { - $config{verbose} && print STDERR "Adding file to ignore list: $file.\n"; - $$cfg_ref{file_ignore_list}{$file}++; - } else { - warn("WARNING: line $linenum in $config_file is invalid, ignoring\n"); - } - } - - } elsif (/^url\s*=\s*(.*)/i) { - push(@{$$cfg_ref{url}}, $1) - unless ($$cfg_ref{cmdline_url}); - - } elsif (/^path\s*=\s*(.+)/i) { - $$cfg_ref{path} = $1; - - } elsif (/^update_files\s*=\s*(.+)/i) { - $$cfg_ref{update_files} = $1; - - } elsif (/^rule_actions\s*=\s*(.+)/i) { - $$cfg_ref{rule_actions} = $1; - - } elsif (/^umask\s*=\s*([0-7]{4})$/i) { - $$cfg_ref{umask} = oct($1); - - } elsif (/^min_files\s*=\s*(\d+)/i) { - $$cfg_ref{min_files} = $1; - - } elsif (/^min_rules\s*=\s*(\d+)/i) { - $$cfg_ref{min_rules} = $1; - - } elsif (/^tmpdir\s*=\s*(.+)/i) { - $$cfg_ref{tmp_basedir} = $1; - - } elsif (/^use_external_bins\s*=\s*([01])/i) { - $$cfg_ref{use_external_bins} = $1; - - } elsif (/^scp_key\s*=\s*(.+)/i) { - $$cfg_ref{scp_key} = $1; - - } elsif (/^use_path_checks\s*=\s*([01])/i) { - $$cfg_ref{use_path_checks} = $1; - - } elsif (/^user_agent\s*=\s*(.+)/i) { - $$cfg_ref{user_agent} = $1; - - } elsif (/^include\s+(\S+.*)/i) { - my $include = $1; - read_config($include, $cfg_ref); - } else { - warn("WARNING: line $linenum in $config_file is invalid, ignoring\n"); - } - } -} - - - -# Make a few basic tests to make sure things look ok. -# Will also set a new PATH as defined in the config file. -sub sanity_check() -{ - my @req_params = qw(path update_files); # required parameters in conf - my @req_binaries = qw(gzip tar); # required binaries (unless we use modules) - - # Can't use both quiet mode and verbose mode. - clean_exit("quiet mode and verbose mode at the same time doesn't make sense.") - if ($config{quiet} && $config{verbose}); - - # Can't use multiple output modes. - clean_exit("can't use multiple output modes at the same time.") - if ($config{minimize_diff} && $config{summary_output}); - - # Make sure all required variables are defined in the config file. - foreach my $param (@req_params) { - clean_exit("the required parameter \"$param\" is not defined in the configuration file.") - unless (exists($config{$param})); - } - - # We now know a path was defined in the config, so set it. - # If we're under cygwin and path was specified as msdos style, convert - # it to cygwin style to avoid problems. - if ($^O eq "cygwin" && $config{path} =~ /^[a-zA-Z]:[\/\\]/) { - $ENV{PATH} = ""; - foreach my $path (split(/;/, $config{path})) { - $ENV{PATH} .= "$path:" if (msdos_to_cygwin_path(\$path)); - } - chop($ENV{PATH}); - } else { - $ENV{PATH} = $config{path}; - } - - # Reset environment variables that may cause trouble. - delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; - - # Make sure $config{update_files} is a valid regexp. - eval { - "foo" =~ /$config{update_files}/; - }; - - clean_exit("update_files (\"$config{update_files}\") is not a valid regexp: $@") - if ($@); - - # Make sure $config{rule_actions} is a valid regexp. - eval { - "foo" =~ /$config{rule_actions}/; - }; - - clean_exit("rule_actions (\"$config{rule_actions}\") is not a valid regexp: $@") - if ($@); - - # If a variable file (probably local snort.conf) has been specified, - # it must exist. It must also be writable unless we're in careful mode. - if ($config{update_vars}) { - $config{varfile} = untaint_path($config{varfile}); - - clean_exit("variable file \"$config{varfile}\" does not exist.") - unless (-e "$config{varfile}"); - - clean_exit("variable file \"$config{varfile}\" is not a file.") - unless (-f "$config{varfile}"); - - clean_exit("variable file \"$config{varfile}\" is not writable by you.") - if (!$config{careful} && !-w "$config{varfile}"); - - # Make sure dist var files don't contain [back]slashes - # (probably means user confused it with local var file). - my %dist_var_files; - foreach my $dist_var_file (@{${config{dist_var_files}}}) { - clean_exit("variable file \"$dist_var_file\" specified multiple times") - if (exists($dist_var_files{$dist_var_file})); - $dist_var_files{$dist_var_file} = 1; - clean_exit("variable file \"$dist_var_file\" contains slashes or backslashes ". - "but it must be specified as a filename (without path) ". - "that exists in the downloaded rules, e.g. \"snort.conf\"") - if ($dist_var_file =~ /\// || $dist_var_file =~ /\\/); - } - } - - # Make sure all required binaries can be found, unless - # we're used to use Perl modules instead. - # Wget is only required if url is http[s] or ftp. - if ($config{use_external_bins}) { - foreach my $binary (@req_binaries) { - clean_exit("$binary not found in PATH ($ENV{PATH}).") - unless (is_in_path($binary)); - } - } - - # Make sure $url is defined (either by -u <url> or url=... in the conf). - clean_exit("URL not specified. Specify at least one \"url=<url>\" in the \n". - "Oinkmaster configuration file or use the \"-u <url>\" argument") - if ($#{$config{url}} == -1); - - # Make sure all urls look ok, and untaint them. - my @urls = @{$config{url}}; - $#{$config{url}} = -1; - foreach my $url (@urls) { - clean_exit("incorrect URL: \"$url\"") - unless ($url =~ /^((?:https*|ftp|file|scp):\/\/.+\.(?:tar\.gz|tgz))$/ - || $url =~ /^(dir:\/\/.+)/); - my $ok_url = $1; - - if ($ok_url =~ /^dir:\/\/(.+)/) { - my $dir = untaint_path($1); - clean_exit("\"$dir\" does not exist or is not a directory") - unless (-d $dir); - - # Simple check if the output dir is specified as url (probably a mistake). - if (File::Spec->canonpath(File::Spec->rel2abs($dir)) - eq File::Spec->canonpath(File::Spec->rel2abs($config{output_dir}))) { - clean_exit("Download directory can not be same as output directory"); - } - } - push(@{$config{url}}, $ok_url); - } - - # Wget must be found if url is http[s]:// or ftp://. - if ($config{use_external_bins}) { - clean_exit("wget not found in PATH ($ENV{PATH}).") - if ($config{'url'} =~ /^(https*|ftp):/ && !is_in_path("wget")); - } - - # scp must be found if scp://... - clean_exit("scp not found in PATH ($ENV{PATH}).") - if ($config{'url'} =~ /^scp:/ && !is_in_path("scp")); - - # ssh key must exist if specified and url is scp://... - clean_exit("ssh key \"$config{scp_key}\" does not exist.") - if ($config{'url'} =~ /^scp:/ && exists($config{scp_key}) - && !-e $config{scp_key}); - - # Untaint output directory string. - $config{output_dir} = untaint_path($config{output_dir}); - - # Make sure the output directory exists and is readable. - clean_exit("the output directory \"$config{output_dir}\" doesn't exist ". - "or isn't readable by you.") - if (!-d "$config{output_dir}" || !-x "$config{output_dir}"); - - # Make sure the output directory is writable unless running in careful mode. - clean_exit("the output directory \"$config{output_dir}\" isn't writable by you.") - if (!$config{careful} && !-w "$config{output_dir}"); - - # Make sure we have read permission on all rules files in the output dir, - # and also write permission unless we're in careful mode. - # This is to avoid bailing out in the middle of an execution if a copy - # fails because of permission problem. - opendir(OUTDIR, "$config{output_dir}") - or clean_exit("could not open directory $config{output_dir}: $!"); - - while ($_ = readdir(OUTDIR)) { - next if (/^\.\.?$/ || exists($config{file_ignore_list}{$_})); - - if (/$config{update_files}/) { - unless (-r "$config{output_dir}/$_") { - closedir(OUTDIR); - clean_exit("no read permission on \"$config{output_dir}/$_\"\n". - "Read permission is required on all rules files ". - "inside the output directory.\n") - } - - if (!$config{careful} && !-w "$config{output_dir}/$_") { - closedir(OUTDIR); - clean_exit("no write permission on \"$config{output_dir}/$_\"\n". - "Write permission is required on all rules files ". - "inside the output directory.\n") - } - } - } - - closedir(OUTDIR); - - # Make sure the backup directory exists and is writable if running with -b. - if ($config{make_backup}) { - $config{backup_dir} = untaint_path($config{backup_dir}); - clean_exit("the backup directory \"$config{backup_dir}\" doesn't exist or ". - "isn't writable by you.") - if (!-d "$config{backup_dir}" || !-w "$config{backup_dir}"); - } - - # Convert tmp_basedir to cygwin style if running cygwin and msdos style was specified. - if ($^O eq "cygwin" && $config{tmp_basedir} =~ /^[a-zA-Z]:[\/\\]/) { - msdos_to_cygwin_path(\$config{tmp_basedir}) - or clean_exit("could not convert temporary dir to cygwin style"); - } - - # Make sure temporary directory exists. - clean_exit("the temporary directory \"$config{tmp_basedir}\" does not ". - "exist or isn't writable by you.") - if (!-d "$config{tmp_basedir}" || !-w "$config{tmp_basedir}"); - - # Also untaint it. - $config{tmp_basedir} = untaint_path($config{tmp_basedir}); - - # Make sure stdin and stdout are ttys if we're running in interactive mode. - clean_exit("you can not run in interactive mode when STDIN/STDOUT is not a TTY.") - if ($config{interactive} && !(-t STDIN && -t STDOUT)); -} - - - -# Download the rules archive. -sub download_file($ $) -{ - my $url = shift; - my $localfile = shift; - my $log = "$tmpdir/wget.log"; - my $ret; - - # If there seems to be a password in the url, replace it with "*password*" - # and use new string when printing the url to screen. - my $obfuscated_url = $url; - $obfuscated_url = "$1:*password*\@$2" - if ($obfuscated_url =~ /^(\S+:\/\/.+?):.+?@(.+)/); - - # Ofbuscate oinkcode as well. - $obfuscated_url = "$1*oinkcode*$2" - if ($obfuscated_url =~ /^(\S+:\/\/.+\.cgi\/)[0-9a-z]{32,64}(\/.+)/i); - - my @user_agent_opt; - @user_agent_opt = ("-U", $config{user_agent}) if (exists($config{user_agent})); - - # Use wget if URL starts with "http[s]" or "ftp" and we use external binaries. - if ($config{use_external_bins} && $url =~ /^(?:https*|ftp)/) { - print STDERR "Downloading file from $obfuscated_url... " - unless ($config{quiet}); - - if ($config{verbose}) { - print STDERR "\n"; - my @wget_cmd = ("wget", "-v", "-O", $localfile, $url, @user_agent_opt); - clean_exit("could not download from $obfuscated_url") - if (system(@wget_cmd)); - - } else { - my @wget_cmd = ("wget", "-v", "-o", $log, "-O", $localfile, $url, @user_agent_opt); - if (system(@wget_cmd)) { - my $log_output; - open(LOG, "<", "$log") - or clean_exit("could not open $log for reading: $!"); - # Sanitize oinkcode in wget's log (password is automatically sanitized). - while (<LOG>) { - $_ = "$1*oinkcode*$2" - if (/(\S+:\/\/.+\.cgi\/)[0-9a-z]{32,64}(\/.+)/i); - $log_output .= $_; - } - close(LOG); - clean_exit("could not download from $obfuscated_url. ". - "Output from wget follows:\n\n $log_output"); - } - print STDERR "done.\n" unless ($config{quiet}); - } - - # Use LWP if URL starts with "http[s]" or "ftp" and use_external_bins=0. - } elsif (!$config{use_external_bins} && $url =~ /^(?:https*|ftp)/) { - print STDERR "Downloading file from $obfuscated_url... " - unless ($config{quiet}); - - my %lwp_opt; - $lwp_opt{agent} = $config{user_agent} if (exists($config{user_agent})); - - my $ua = LWP::UserAgent->new(%lwp_opt); - $ua->env_proxy; - my $request = HTTP::Request->new(GET => $url); - my $response = $ua->request($request, $localfile); - - clean_exit("could not download from $obfuscated_url: " . $response->status_line) - unless $response->is_success; - - print "done.\n" unless ($config{quiet}); - - # Grab file from local filesystem if file://... - } elsif ($url =~ /^file/) { - $url =~ s/^file:\/\///; - - clean_exit("the file $url does not exist.") - unless (-e "$url"); - - clean_exit("the file $url is empty.") - unless (-s "$url"); - - print STDERR "Copying file from $url... " - unless ($config{quiet}); - - copy("$url", "$localfile") - or clean_exit("unable to copy $url to $localfile: $!"); - - print STDERR "done.\n" - unless ($config{quiet}); - - # Grab file using scp if scp://... - } elsif ($url =~ /^scp/) { - $url =~ s/^scp:\/\///; - - my @cmd; - push(@cmd, "scp"); - push(@cmd, "-i", "$config{scp_key}") if (exists($config{scp_key})); - push(@cmd, "-q") if ($config{quiet}); - push(@cmd, "-v") if ($config{verbose}); - push(@cmd, "$url", "$localfile"); - - print STDERR "Copying file from $url using scp:\n" - unless ($config{quiet}); - - clean_exit("scp returned error when trying to copy $url") - if (system(@cmd)); - - # Unknown download method. - } else { - clean_exit("unknown or unsupported download method\n"); - } - - # Make sure the downloaded file actually exists. - clean_exit("failed to download $url: ". - "local target file $localfile doesn't exist after download.") - unless (-e "$localfile"); - - # Also make sure it's at least non-empty. - clean_exit("failed to download $url: local target file $localfile is empty ". - "after download (perhaps you're out of diskspace or file in url is empty?)") - unless (-s "$localfile"); -} - - - -# Copy all rules files from the tmp dirs (one for each url) -# into a single directory inside the tmp dir, except for files -# matching a 'skipfile' directive'. -# Will exit in case of colliding filenames. -sub join_tmp_rules_dirs($ $ @) -{ - my $rules_dir = shift; - my $new_files_ref = shift; - my @url_tmpdirs = @_; - - my %rules_files; - - clean_exit("failed to create directory \"$rules_dir\": $!") - unless (mkdir($rules_dir)); - - foreach my $url_tmpdir (@url_tmpdirs) { - opendir(URL_TMPDIR, "$url_tmpdir") - or clean_exit("could not open directory \"$url_tmpdir\": $!"); - - while ($_ = readdir(URL_TMPDIR)) { - next if (/^\.\.?$/ || exists($config{file_ignore_list}{$_}) || !/$config{update_files}/); - - if (exists($rules_files{$_})) { - closedir(URL_TMPDIR); - clean_exit("a file called \"$_\" exists in multiple rules archives") - } - - # Make sure it's a regular file. - unless (-f "$url_tmpdir/$_" && !-l "$url_tmpdir/$_") { - closedir(URL_TMPDIR); - clean_exit("downloaded \"$_\" is not a regular file.") - } - - $rules_files{$_} = 1; - $$new_files_ref{"$rules_dir/$_"} = 1; - - my $src_file = untaint_path("$url_tmpdir/$_"); - unless (copy("$src_file", "$rules_dir")) { - closedir(URL_TMPDIR); - clean_exit("could not copy \"$src_file\" to \"$rules_dir\": $!"); - } - } - - closedir(URL_TMPDIR); - } - - return (keys(%$new_files_ref)); -} - - - -# Make a few basic sanity checks on the rules archive and then -# uncompress/untar it if everything looked ok. -sub unpack_rules_archive($ $ $) -{ - my $url = shift; # only used when printing warnings/errors - my $archive = shift; - my $rules_dir = shift; - - my ($tar, @tar_content); - - my $old_dir = untaint_path(File::Spec->rel2abs(File::Spec->curdir())); - - my $dir = dirname($archive); - chdir("$dir") or clean_exit("$url: could not change directory to \"$dir\": $!"); - - if ($config{use_external_bins}) { - - # Run integrity check on the gzip file. - clean_exit("$url: integrity check on gzip file failed (file transfer failed or ". - "file in URL not in gzip format?).") - if (system("gzip", "-t", "$archive")); - - # Decompress it. - system("gzip", "-d", "$archive") - and clean_exit("$url: unable to uncompress $archive."); - - # Suffix has now changed from .tar.gz|.tgz to .tar. - $archive =~ s/\.gz$//; - - # Make sure the .tar file now exists. - # (Gzip may not return an error if it was not a gzipped file...) - clean_exit("$url: failed to unpack gzip file (file transfer failed or ". - "file in URL not in tar'ed gzip format?).") - unless (-e "$archive"); - - my $stdout_file = "$tmpdir/tar_content.out"; - - open(OLDOUT, ">&STDOUT") or clean_exit("could not dup STDOUT: $!"); - open(STDOUT, ">$stdout_file") or clean_exit("could not redirect STDOUT: $!"); - - my $ret = system("tar", "tf", "$archive"); - - close(STDOUT); - open(STDOUT, ">&OLDOUT") or clean_exit("could not dup STDOUT: $!"); - close(OLDOUT); - - clean_exit("$url: could not list files in tar archive (is it broken?)") - if ($ret); - - open(TAR, "$stdout_file") or clean_exit("failed to open $stdout_file: $!"); - @tar_content = <TAR>; - close(TAR); - - # use_external_bins=0 - } else { - $tar = Archive::Tar->new($archive, 1); - clean_exit("$url: failed to read $archive (file transfer failed or ". - "file in URL not in tar'ed gzip format?).") - unless (defined($tar)); - @tar_content = $tar->list_files(); - } - - # Make sure we could grab some content from the tarball. - clean_exit("$url: could not list files in tar archive (is it broken?)") - if ($#tar_content < 0); - - # For each filename in the archive, do some basic sanity checks. - foreach my $filename (@tar_content) { - chomp($filename); - - # We don't want absolute filename. - clean_exit("$url: rules archive contains absolute filename. ". - "Offending file/line:\n$filename") - if ($filename =~ /^\//); - - # We don't want to have any weird characters anywhere in the filename. - clean_exit("$url: illegal character in filename in tar archive. Allowed are ". - "$OK_PATH_CHARS\nOffending file/line:\n$filename") - if ($config{use_path_checks} && $filename =~ /[^$OK_PATH_CHARS]/); - - # We don't want to unpack any "../../" junk (check is useless now though). - clean_exit("$url: filename in tar archive contains \"..\".\n". - "Offending file/line:\n$filename") - if ($filename =~ /\.\./); - } - - # Looks good. Now we can untar it. - print STDERR "Archive successfully downloaded, unpacking... " - unless ($config{quiet}); - - if ($config{use_external_bins}) { - clean_exit("failed to untar $archive.") - if system("tar", "xf", "$archive"); - } else { - mkdir("$rules_dir") or clean_exit("could not create \"$rules_dir\" directory: $!\n"); - foreach my $file ($tar->list_files) { - next unless ($file =~ /^$rules_dir\/[^\/]+$/); # only ^rules/<file>$ - - my $content = $tar->get_content($file); - - # Symlinks in the archive will make get_content return undef. - clean_exit("could not get content from file \"$file\" in downloaded archive, ". - "make sure it is a regular file\n") - unless (defined($content)); - - open(RULEFILE, ">", "$file") - or clean_exit("could not open \"$file\" for writing: $!\n"); - print RULEFILE $content; - close(RULEFILE); - } - } - - # Make sure that non-empty rules directory existed in archive. - # We permit empty rules directory if min_files is set to 0 though. - clean_exit("$url: no \"$rules_dir\" directory found in tar file.") - unless (-d "$dir/$rules_dir"); - - my $num_files = 0; - opendir(RULESDIR, "$dir/$rules_dir") - or clean_exit("could not open directory \"$dir/$rules_dir\": $!"); - - while ($_ = readdir(RULESDIR)) { - next if (/^\.\.?$/); - $num_files++; - } - - closedir(RULESDIR); - - clean_exit("$url: directory \"$rules_dir\" in unpacked archive is empty") - if ($num_files == 0 && $config{min_files} != 0); - - chdir($old_dir) - or clean_exit("could not change directory back to $old_dir: $!"); - - print STDERR "done.\n" - unless ($config{quiet}); -} - - - -# Open all rules files in the temporary directory and disable/modify all -# rules/lines as requested in oinkmaster.conf, and then write back to the -# same files. Also clean unwanted whitespaces and duplicate sids from them. -sub process_rules($ $ $ $ $ $) -{ - my $modify_sid_ref = shift; - my $disable_sid_ref = shift; - my $enable_sid_ref = shift; - my $local_sid_ref = shift; - my $rh_tmp_ref = shift; - my $newfiles_ref = shift; - my %sids; - - my %stats = ( - disabled => 0, - enabled => 0, - modified => 0, - total => 0, - ); - - warn("WARNING: all rules that are disabled by default will be enabled\n") - if ($config{enable_all} && !$config{quiet}); - - print STDERR "Processing downloaded rules... " - unless ($config{quiet}); - - print STDERR "\n" - if ($config{verbose}); - - # Phase #1 - process all active rules and store in temporary hash. - # In case of dups, we use the one with the highest rev. - foreach my $file (sort(keys(%$newfiles_ref))) { - - open(INFILE, "<", "$file") - or clean_exit("could not open $file for reading: $!"); - my @infile = <INFILE>; - close(INFILE); - - my ($single, $multi, $nonrule, $msg, $sid); - - RULELOOP:while (get_next_entry(\@infile, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - - # We don't care about non-rules in this phase. - next RULELOOP if (defined($nonrule)); - - # Even if it was a single-line rule, we want a copy in $multi. - $multi = $single unless (defined($multi)); - - my %rule = ( - single => $single, - multi => $multi, - ); - - # modify/disable/enable this rule as requested unless there is a matching - # localsid statement. Possible verbose messages and warnings will be printed. - unless (exists($$local_sid_ref{$sid})) { - process_rule($modify_sid_ref, $disable_sid_ref, $enable_sid_ref, - \%rule, $sid, \%stats, 1, basename($file)); - } - - $stats{total}++; - - $single = $rule{single}; - $multi = $rule{multi}; - - # Only care about active rules in this phase (the rule may have been - # disabled by a disablesid or a modifysid statement above, so we can't - # do this check earlier). - next RULELOOP if ($multi =~ /^#/); - - # Is it a dup? If so, see if this seems to be more recent (higher rev). - if (exists($sids{$sid})) { - warn("\nWARNING: duplicate SID in downloaded archive, SID=$sid, ". - "only keeping rule with highest 'rev'\n") - unless($config{super_quiet}); - - my ($old_rev) = ($sids{$sid}{single} =~ /\brev\s*:\s*(\d+)\s*;/); - my ($new_rev) = ($single =~ /\brev\s*:\s*(\d+)\s*;/); - - # This is so rules with a rev gets higher prio than - # rules without any rev. - $old_rev = -1 unless (defined($old_rev)); - $new_rev = -1 unless (defined($new_rev)); - - # If this rev is higher than the one in the last stored rule with - # this sid, replace rule with this one. This is also done if the - # revs are equal because we assume the rule appearing last in the - # rules file is the more recent rule. - if ($new_rev >= $old_rev) { - $sids{$sid}{single} = $single; - $sids{$sid}{multi} = $multi; - } - - # No dup. - } else { - $sids{$sid}{single} = $single; - $sids{$sid}{multi} = $multi; - } - } - } - - # Phase #2 - read all rules files again, but when writing active rules - # back to the files, use the one stored in the sid hash (which is free of dups). - foreach my $file (sort(keys(%$newfiles_ref))) { - - open(INFILE, "<", "$file") - or clean_exit("could not open $file for reading: $!"); - my @infile = <INFILE>; - close(INFILE); - - # Write back to the same file. - open(OUTFILE, ">", "$file") - or clean_exit("could not open $file for writing: $!"); - - my ($single, $multi, $nonrule, $msg, $sid); - - RULELOOP:while (get_next_entry(\@infile, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - if (defined($nonrule)) { - print OUTFILE "$nonrule"; - next RULELOOP; - } - - # Even if it was a single-line rule, we want a copy in $multi. - $multi = $single unless (defined($multi)); - - # If this rule is marked as localized and has not yet been written, - # write the old version to the new rules file. - if (exists($$local_sid_ref{$sid}) && !exists($sids{$sid}{printed})) { - - # Just ignore the rule in the downloaded file if it doesn't - # exist in the same local file. - unless(exists($$rh_tmp_ref{old}{rules}{basename($file)}{$sid})) { - warn("WARNING: SID $sid is marked as local and exists in ". - "downloaded " . basename($file) . " but the SID does not ". - "exist in the local file, ignoring rule\n") - if ($config{verbose}); - - next RULELOOP; - } - - print OUTFILE $$rh_tmp_ref{old}{rules}{basename($file)}{$sid}; - $sids{$sid}{printed} = 1; - - warn("SID $sid is marked as local, keeping your version from ". - basename($file) . ".\n". - "Your version: $$rh_tmp_ref{old}{rules}{basename($file)}{$sid}". - "Downloaded version: $multi\n") - if ($config{verbose}); - - next RULELOOP; - } - - my %rule = ( - single => $single, - multi => $multi, - ); - - # modify/disable/enable this rule. Possible verbose messages and warnings - # will not be printed (again) as this was done in the first phase. - # We send the stats to a dummy var as this was collected on the - # first phase as well. - process_rule($modify_sid_ref, $disable_sid_ref, $enable_sid_ref, - \%rule, $sid, \my %unused_stats, 0, basename($file)); - - $single = $rule{single}; - $multi = $rule{multi}; - - # Disabled rules are printed right back to the file, unless - # there also is an active rule with the same sid. Als o make - # sure we only print the sid once, even though it's disabled. - if ($multi =~ /^#/ && !exists($sids{$sid}) && !exists($sids{$sid}{printed})) { - print OUTFILE $multi; - $sids{$sid}{printed} = 1; - next RULELOOP; - } - - # If this sid has not yet been printed and this is the place where - # the sid with the highest rev was, print the rule to the file. - # (There can be multiple totally different rules with the same sid - # and we don't want to put the wrong rule in the wrong place. - if (!exists($sids{$sid}{printed}) && $single eq $sids{$sid}{single}) { - print OUTFILE $multi; - $sids{$sid}{printed} = 1; - } - } - - close(OUTFILE); - } - - print STDERR "disabled $stats{disabled}, enabled $stats{enabled}, ". - "modified $stats{modified}, total=$stats{total}\n" - unless ($config{quiet}); - - # Print warnings on attempt at enablesid/disablesid/localsid on non-existent - # rule if we're in verbose mode. - if ($config{verbose}) { - foreach my $sid (keys(%$enable_sid_ref)) { - warn("WARNING: attempt to use \"enablesid\" on non-existent SID $sid\n") - unless (exists($sids{$sid})); - } - - foreach my $sid (keys(%$disable_sid_ref)) { - warn("WARNING: attempt to use \"disablesid\" on non-existent SID $sid\n") - unless (exists($sids{$sid})); - } - - foreach my $sid (keys(%$local_sid_ref)) { - warn("WARNING: attempt to use \"localsid\" on non-existent SID $sid\n") - unless (exists($sids{$sid})); - } - } - - # Print warnings on attempt at modifysid'ing non-existent stuff, unless quiet mode. - unless ($config{quiet}) { - my %new_files; - foreach my $file (sort(keys(%$newfiles_ref))) { - $new_files{basename($file)} = 1; - } - - my %mod_tmp; - foreach my $mod_expr (@$modify_sid_ref) { - my ($type, $arg) = ($mod_expr->[2], $mod_expr->[3]); - $mod_tmp{$type}{$arg} = 1; - } - - foreach my $sid (keys(%{$mod_tmp{sid}})) { - warn("WARNING: attempt to use \"modifysid\" on non-existent SID $sid\n") - unless (exists($sids{$sid})); - } - - foreach my $file (keys(%{$mod_tmp{file}})) { - warn("WARNING: attempt to use \"modifysid\" on non-existent file $file\n") - unless(exists($new_files{$file})); - } - } - - # Return total number of valid rules. - return ($stats{total}); -} - - - -# Process (modify/enable/disable) a rule as requested. -sub process_rule($ $ $ $ $ $ $ $) -{ - my $modify_sid_ref = shift; - my $disable_sid_ref = shift; - my $enable_sid_ref = shift; - my $rule_ref = shift; - my $sid = shift; - my $stats_ref = shift; - my $print_messages = shift; - my $filename = shift; - - # Just for easier access. - my $single = $$rule_ref{single}; - my $multi = $$rule_ref{multi}; - - # Some rules may be commented out by default. - # Enable them if -e is specified (both single-line and multi-line, - # version, because we don't know which version one we're going to - # use below. - # Enable them if -e is specified. - if ($multi =~ /^#/ && $config{enable_all}) { - $multi =~ s/^#*//; - $multi =~ s/\n#*/\n/g; - $single =~ s/^#*//; - $$stats_ref{enabled}++; - } - - # Modify rule if requested. For disablesid/enablesid we work - # on the multi-line version of the rule (if exists). For - # modifysid that's no good since we don't know where in the - # rule the trailing backslashes and newlines are going to be - # and we don't want them to affect the regexp. - MOD_EXP:foreach my $mod_expr (@$modify_sid_ref) { - my ($subst, $repl, $type, $arg) = - ($mod_expr->[0], $mod_expr->[1], $mod_expr->[2], $mod_expr->[3]); - - my $print_modify_warnings = 0; - $print_modify_warnings = 1 if (!$config{super_quiet} && $print_messages && $type eq "sid"); - - if ($type eq "wildcard" || ($type eq "sid" && $sid eq $arg) || - ($type eq "file" && $filename eq $arg)) { - - if ($single =~ /$subst/si) { - print STDERR "Modifying rule, SID=$sid, filename=$filename, ". - "match type=$type, subst=$subst, ". - "repl=$repl\nBefore: $single" - if ($print_messages && $config{verbose}); - - - # If user specified a backreference but the regexp did not set $1 - don't modify rule. - if (!defined($1) && ($repl =~ /[^\\]\$\d+/ || $repl =~ /[^\\]\$\{\d+\}/ - || $repl =~ /^qq\/\$\d+/ || $repl =~ /^qq\/\$\{\d+\}/)) { - warn("WARNING: SID $sid matches modifysid expression \"$subst\" but ". - "backreference variable \$1 is undefined after match, ". - "keeping original rule\n") - if ($print_modify_warnings); - next MOD_EXP; - } - - # Do the substitution on the single-line version and put it - # back in $multi. - $single =~ s/$subst/$repl/eei; - $multi = $single; - - print STDERR "After: $single\n" - if ($print_messages && $config{verbose}); - - $$stats_ref{modified}++; - } else { - if ($print_modify_warnings) { - warn("WARNING: SID $sid does not match modifysid ". - "expression \"$subst\", keeping original rule\n"); - } - } - } - } - - # Disable rule if requested and it's not already disabled. - if (exists($$disable_sid_ref{$sid}) && $multi !~ /^\s*#/) { - $multi = "#$multi"; - $multi =~ s/\n([^#].+)/\n#$1/g; - $$stats_ref{disabled}++; - } - - # Enable rule if requested and it's not already enabled. - if (exists($$enable_sid_ref{$sid}) && $multi =~ /^\s*#/) { - $multi =~ s/^#+//; - $multi =~ s/\n#+(.+)/\n$1/g; - $$stats_ref{enabled}++; - } - - $$rule_ref{single} = $single; - $$rule_ref{multi} = $multi; -} - - - -# Setup rules hash. -# Format for rules will be: rh{old|new}{rules{filename}{sid} = single-line rule -# Format for non-rules will be: rh{old|new}{other}{filename} = array of lines -# List of added files will be stored as rh{added_files}{filename} -sub setup_rules_hash($ $) -{ - my $new_files_ref = shift; - my $output_dir = shift; - - my (%rh, %old_sids); - - print STDERR "Setting up rules structures... " - unless ($config{quiet}); - - foreach my $file (sort(keys(%$new_files_ref))) { - warn("\nWARNING: downloaded rules file $file is empty\n") - if (!-s "$file" && $config{verbose}); - - open(NEWFILE, "<", "$file") - or clean_exit("could not open $file for reading: $!"); - my @newfile = <NEWFILE>; - close(NEWFILE); - - # From now on we don't care about the path, so remove it. - $file = basename($file); - - my ($single, $multi, $nonrule, $msg, $sid); - - while (get_next_entry(\@newfile, \$single, \$multi, \$nonrule, \$msg, \$sid)) { - if (defined($single)) { - $rh{new}{rules}{"$file"}{"$sid"} = $single; - } else { - push(@{$rh{new}{other}{"$file"}}, $nonrule); - } - } - - # Also read in old (aka local) file if it exists. - # We do a sid dup check in these files. - if (-f "$output_dir/$file") { - open(OLDFILE, "<", "$output_dir/$file") - or clean_exit("could not open $output_dir/$file for reading: $!"); - my @oldfile = <OLDFILE>; - close(OLDFILE); - - while (get_next_entry(\@oldfile, \$single, \$multi, \$nonrule, undef, \$sid)) { - if (defined($single)) { - warn("\nWARNING: duplicate SID in your local rules, SID ". - "$sid exists multiple times, you may need to fix this manually!\n") - if (exists($old_sids{$sid})); - - $rh{old}{rules}{"$file"}{"$sid"} = $single; - $old_sids{$sid}++; - } else { - push(@{$rh{old}{other}{"$file"}}, $nonrule); - } - } - } else { - $rh{added_files}{"$file"}++; - } - } - - print STDERR "done.\n" - unless ($config{quiet}); - - return (%rh); -} - - - -# Return lines that exist only in first array but not in second one. -sub get_first_only($ $ $) -{ - my $first_only_ref = shift; - my $first_arr_ref = shift; - my $second_arr_ref = shift; - my %arr_hash; - - @arr_hash{@$second_arr_ref} = (); - - foreach my $line (@$first_arr_ref) { - - # Skip blank lines and CVS Id tags. - next unless ($line =~ /\S/); - next if ($line =~ /^\s*#+\s*\$I\S:.+Exp\s*\$/); - - push(@$first_only_ref, $line) - unless(exists($arr_hash{$line})); - } -} - - - -# Backup files in output dir matching $config{update_files} into the backup dir. -sub make_backup($ $) -{ - my $src_dir = shift; # dir with the rules to be backed up - my $dest_dir = shift; # where to put the backup tarball - - my ($sec, $min, $hour, $mday, $mon, $year) = (localtime)[0 .. 5]; - - my $date = sprintf("%4d%02d%02d-%02d%02d%02d", - $year + 1900, $mon + 1, $mday, $hour, $min, $sec); - - my $backup_tarball = "rules-backup-$date.tar"; - my $backup_tmp_dir = File::Spec->catdir("$tmpdir", "rules-backup-$date"); - my $dest_file = File::Spec->catfile("$dest_dir", "$backup_tarball.gz"); - - print STDERR "Creating backup of old rules..." - unless ($config{quiet}); - - mkdir("$backup_tmp_dir", 0700) - or clean_exit("could not create temporary backup directory $backup_tmp_dir: $!"); - - # Copy all rules files from the rules dir to the temporary backup dir. - opendir(OLDRULES, "$src_dir") - or clean_exit("could not open directory $src_dir: $!"); - - while ($_ = readdir(OLDRULES)) { - next if (/^\.\.?$/); - if (/$config{update_files}/) { - my $src_file = untaint_path("$src_dir/$_"); - copy("$src_file", "$backup_tmp_dir/") - or warn("WARNING: could not copy $src_file to $backup_tmp_dir/: $!"); - } - } - - closedir(OLDRULES); - - # Also backup the -U <file> (as "variable-file.conf") if specified. - if ($config{update_vars}) { - copy("$config{varfile}", "$backup_tmp_dir/variable-file.conf") - or warn("WARNING: could not copy $config{varfile} to $backup_tmp_dir: $!") - } - - my $old_dir = untaint_path(File::Spec->rel2abs(File::Spec->curdir())); - - # Change directory to $tmpdir (so we'll be right below the directory where - # we have our rules to be backed up). - chdir("$tmpdir") or clean_exit("could not change directory to $tmpdir: $!"); - - if ($config{use_external_bins}) { - clean_exit("tar command returned error when archiving backup files.\n") - if (system("tar","cf","$backup_tarball","rules-backup-$date")); - - clean_exit("gzip command returned error when compressing backup file.\n") - if (system("gzip","$backup_tarball")); - - $backup_tarball .= ".gz"; - - } else { - my $tar = Archive::Tar->new; - opendir(RULES, "rules-backup-$date") - or clean_exit("unable to open directory \"rules-backup-$date\": $!"); - - while ($_ = readdir(RULES)) { - next if (/^\.\.?$/); - $tar->add_files("rules-backup-$date/$_"); - } - - closedir(RULES); - - $backup_tarball .= ".gz"; - - # Write tarball. Print stupid error message if it fails as - # we can't use $tar->error or Tar::error on all platforms. - $tar->write("$backup_tarball", 1); - - clean_exit("could not create backup archive: tarball empty after creation\n") - unless (-s "$backup_tarball"); - } - - # Change back to old directory (so it will work with -b <directory> as either - # an absolute or a relative path. - chdir("$old_dir") - or clean_exit("could not change directory back to $old_dir: $!"); - - copy("$tmpdir/$backup_tarball", "$dest_file") - or clean_exit("unable to copy $tmpdir/$backup_tarball to $dest_file/: $!\n"); - - print STDERR " saved as $dest_file.\n" - unless ($config{quiet}); -} - - - -# Print the results. -sub print_changes($ $) -{ - my $ch_ref = shift; - my $rh_ref = shift; - - my ($sec, $min, $hour, $mday, $mon, $year) = (localtime)[0 .. 5]; - - my $date = sprintf("%4d%02d%02d %02d:%02d:%02d", - $year + 1900, $mon + 1, $mday, $hour, $min, $sec); - - print "\n[***] Results from Oinkmaster started $date [***]\n"; - - # Print new variables. - if ($config{update_vars}) { - if ($#{$$ch_ref{new_vars}} > -1) { - print "\n[*] New variables: [*]\n"; - foreach my $var (@{$$ch_ref{new_vars}}) { - print " $var"; - } - } else { - print "\n[*] New variables: [*]\n None.\n" - unless ($config{super_quiet}); - } - } - - - # Print rules modifications. - print "\n[*] Rules modifications: [*]\n None.\n" - if (!keys(%{$$ch_ref{rules}}) && !$config{super_quiet}); - - # Print added rules. - if (exists($$ch_ref{rules}{added})) { - print "\n[+++] Added rules: [+++]\n"; - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{added}}, $rh_ref); - } else { - print_changetype($PRINT_NEW, "Added to", - \%{$$ch_ref{rules}{added}}, $rh_ref); - } - } - - # Print enabled rules. - if (exists($$ch_ref{rules}{ena})) { - print "\n[+++] Enabled rules: [+++]\n"; - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{ena}}, $rh_ref); - } else { - print_changetype($PRINT_NEW, "Enabled in", - \%{$$ch_ref{rules}{ena}}, $rh_ref); - } - } - - # Print enabled + modified rules. - if (exists($$ch_ref{rules}{ena_mod})) { - print "\n[+++] Enabled and modified rules: [+++]\n"; - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{ena_mod}}, $rh_ref); - } else { - print_changetype($PRINT_BOTH, "Enabled and modified in", - \%{$$ch_ref{rules}{ena_mod}}, $rh_ref); - } - } - - # Print modified active rules. - if (exists($$ch_ref{rules}{mod_act})) { - print "\n[///] Modified active rules: [///]\n"; - - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{mod_act}}, $rh_ref); - } else { - print_changetype($PRINT_BOTH, "Modified active in", - \%{$$ch_ref{rules}{mod_act}}, $rh_ref); - } - } - - # Print modified inactive rules. - if (exists($$ch_ref{rules}{mod_ina})) { - print "\n[///] Modified inactive rules: [///]\n"; - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{mod_ina}}, $rh_ref); - } else { - print_changetype($PRINT_BOTH, "Modified inactive in", - \%{$$ch_ref{rules}{mod_ina}}, $rh_ref); - } - } - - # Print disabled + modified rules. - if (exists($$ch_ref{rules}{dis_mod})) { - print "\n[---] Disabled and modified rules: [---]\n"; - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{dis_mod}}, $rh_ref); - } else { - print_changetype($PRINT_BOTH, "Disabled and modified in", - \%{$$ch_ref{rules}{dis_mod}}, $rh_ref); - } - } - - # Print disabled rules. - if (exists($$ch_ref{rules}{dis})) { - print "\n[---] Disabled rules: [---]\n"; - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{dis}}, $rh_ref); - } else { - print_changetype($PRINT_NEW, "Disabled in", - \%{$$ch_ref{rules}{dis}}, $rh_ref); - } - } - - # Print removed rules. - if (exists($$ch_ref{rules}{removed})) { - print "\n[---] Removed rules: [---]\n"; - if ($config{summary_output}) { - print_summary_change(\%{$$ch_ref{rules}{removed}}, $rh_ref); - } else { - print_changetype($PRINT_OLD, "Removed from", - \%{$$ch_ref{rules}{removed}}, $rh_ref); - } - } - - - # Print non-rule modifications. - print "\n[*] Non-rule line modifications: [*]\n None.\n" - if (!keys(%{$$ch_ref{other}}) && !$config{super_quiet}); - - # Print added non-rule lines. - if (exists($$ch_ref{other}{added})) { - print "\n[+++] Added non-rule lines: [+++]\n"; - foreach my $file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{other}{added}}))) { - my $num = $#{$$ch_ref{other}{added}{$file}} + 1; - print "\n -> Added to $file ($num):\n"; - foreach my $line (@{$$ch_ref{other}{added}{$file}}) { - print " $line"; - } - } - } - - # Print removed non-rule lines. - if (keys(%{$$ch_ref{other}{removed}}) > 0) { - print "\n[---] Removed non-rule lines: [---]\n"; - foreach my $file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{other}{removed}}))) { - my $num = $#{$$ch_ref{other}{removed}{$file}} + 1; - print "\n -> Removed from $file ($num):\n"; - foreach my $other (@{$$ch_ref{other}{removed}{$file}}) { - print " $other"; - } - } - } - - - # Print list of added files. - if (keys(%{$$ch_ref{added_files}})) { - print "\n[+] Added files (consider updating your snort.conf to include them if needed): [+]\n\n"; - foreach my $added_file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{added_files}}))) { - print " -> $added_file\n"; - } - } else { - print "\n[*] Added files: [*]\n None.\n" - unless ($config{super_quiet} || $config{summary_output}); - } - - # Print list of possibly removed files if requested. - if ($config{check_removed}) { - if (keys(%{$$ch_ref{removed_files}})) { - print "\n[-] Files possibly removed from the archive ". - "(consider removing them from your snort.conf if needed): [-]\n\n"; - foreach my $removed_file (sort({uc($a) cmp uc($b)} keys(%{$$ch_ref{removed_files}}))) { - print " -> $removed_file\n"; - } - } else { - print "\n[*] Files possibly removed from the archive: [*]\n None.\n" - unless ($config{super_quiet} || $config{summary_output}); - } - } - - print "\n"; -} - - - -# Helper for print_changes(). -sub print_changetype($ $ $ $) -{ - my $type = shift; # $PRINT_OLD|$PRINT_NEW|$PRINT_BOTH - my $string = shift; # string to print before filename - my $ch_ref = shift; # reference to an entry in the rules changes hash - my $rh_ref = shift; # reference to rules hash - - foreach my $file (sort({uc($a) cmp uc($b)} keys(%$ch_ref))) { - my $num = keys(%{$$ch_ref{$file}}); - print "\n -> $string $file ($num):\n"; - foreach my $sid (keys(%{$$ch_ref{$file}})) { - if ($type == $PRINT_OLD) { - print " $$rh_ref{old}{rules}{$file}{$sid}" - } elsif ($type == $PRINT_NEW) { - print " $$rh_ref{new}{rules}{$file}{$sid}" - } elsif ($type == $PRINT_BOTH) { - - my $old = $$rh_ref{old}{rules}{$file}{$sid}; - my $new = $$rh_ref{new}{rules}{$file}{$sid}; - - if ($config{minimize_diff}) { - my ($old, $new) = minimize_diff($old, $new); - print "\n old SID $sid: $old"; - print " new SID $sid: $new"; - } else { - print "\n old: $old"; - print " new: $new"; - } - } - } - } -} - - - -# Print changes in bmc style, i.e. only sid and msg, no full details. -sub print_summary_change($ $) -{ - my $ch_ref = shift; # reference to an entry in the rules changes hash - my $rh_ref = shift; # reference to rules hash - - my (@sids, %sidmap); - - print "\n"; - - # First get all the sids (may be spread across multiple files. - foreach my $file (keys(%$ch_ref)) { - foreach my $sid (keys(%{$$ch_ref{$file}})) { - push(@sids, $sid); - if (exists($$rh_ref{new}{rules}{$file}{$sid})) { - $sidmap{$sid}{rule} = $$rh_ref{new}{rules}{$file}{$sid}; - } else { - $sidmap{$sid}{rule} = $$rh_ref{old}{rules}{$file}{$sid}; - } - $sidmap{$sid}{file} = $file; - } - } - - # Print rules, sorted by sid. - foreach my $sid (sort {$a <=> $b} (@sids)) { - my @rule = $sidmap{$sid}{rule}; - my $file = $sidmap{$sid}{file}; - get_next_entry(\@rule, undef, undef, undef, \(my $msg), undef); - printf("%8d - %s (%s)\n", $sid, $msg, $file); - } - - print "\n"; -} - - - -# Compare the new rules to the old ones. -sub get_changes($ $ $) -{ - my $rh_ref = shift; - my $new_files_ref = shift; - my $rules_dir = shift; - my %changes; - - print STDERR "Comparing new files to the old ones... " - unless ($config{quiet}); - - # We have the list of added files (without full path) in $rh_ref{added_files} - # but we'd rather want to have it in $changes{added_files} now. - $changes{added_files} = $$rh_ref{added_files}; - - # New files are also regarded as modified since we want to update - # (i.e. add) those as well. Here we want them with full path. - foreach my $file (keys(%{$changes{added_files}})) { - $changes{modified_files}{"$tmpdir/$rules_dir/$file"}++; - } - - # Add list of possibly removed files if requested. - if ($config{check_removed}) { - opendir(OLDRULES, "$config{output_dir}") - or clean_exit("could not open directory $config{output_dir}: $!"); - - while ($_ = readdir(OLDRULES)) { - next if (/^\.\.?$/); - $changes{removed_files}{"$_"} = 1 - if (/$config{update_files}/ && - !exists($config{file_ignore_list}{$_}) && - !-e "$tmpdir/$rules_dir/$_"); - } - - closedir(OLDRULES); - } - - # For each new rules file... - FILELOOP:foreach my $file_w_path (sort(keys(%$new_files_ref))) { - my $file = basename($file_w_path); - - # Skip comparison if it's an added file. - next FILELOOP if (exists($$rh_ref{added_files}{$file})); - - # For each sid in the new file... - foreach my $sid (keys(%{$$rh_ref{new}{rules}{$file}})) { - my $new_rule = $$rh_ref{new}{rules}{$file}{$sid}; - - # Sid also exists in the old file? - if (exists($$rh_ref{old}{rules}{$file}{$sid})) { - my $old_rule = $$rh_ref{old}{rules}{$file}{$sid}; - - # Are they identical? - unless ($new_rule eq $old_rule) { - $changes{modified_files}{$file_w_path}++; - - # Find out in which way the rules are different. - if ("#$old_rule" eq $new_rule) { - $changes{rules}{dis}{$file}{$sid}++; - } elsif ($old_rule eq "#$new_rule") { - $changes{rules}{ena}{$file}{$sid}++; - } elsif ($old_rule =~ /^\s*#/ && $new_rule !~ /^\s*#/) { - $changes{rules}{ena_mod}{$file}{$sid}++; - } elsif ($old_rule !~ /^\s*#/ && $new_rule =~ /^\s*#/) { - $changes{rules}{dis_mod}{$file}{$sid}++; - } elsif ($old_rule =~ /^\s*#/ && $new_rule =~ /^\s*#/) { - $changes{rules}{mod_ina}{$file}{$sid}++; - } else { - $changes{rules}{mod_act}{$file}{$sid}++; - } - - } - } else { # sid not found in old file, i.e. it's added - $changes{modified_files}{$file_w_path}++; - $changes{rules}{added}{$file}{$sid}++; - } - } # foreach sid - - # Check for removed rules, i.e. sids that exist in the old file but - # not in the new one. - foreach my $sid (keys(%{$$rh_ref{old}{rules}{$file}})) { - unless (exists($$rh_ref{new}{rules}{$file}{$sid})) { - $changes{modified_files}{$file_w_path}++; - $changes{rules}{removed}{$file}{$sid}++; - } - } - - # Check for added non-rule lines. - get_first_only(\my @added, - \@{$$rh_ref{new}{other}{$file}}, - \@{$$rh_ref{old}{other}{$file}}); - - if (scalar(@added)) { - @{$changes{other}{added}{$file}} = @added; - $changes{modified_files}{$file_w_path}++; - } - - # Check for removed non-rule lines. - get_first_only(\my @removed, - \@{$$rh_ref{old}{other}{$file}}, - \@{$$rh_ref{new}{other}{$file}}); - - if (scalar(@removed)) { - @{$changes{other}{removed}{$file}} = @removed; - $changes{modified_files}{$file_w_path}++; - } - - } # foreach new file - - print STDERR "done.\n" unless ($config{quiet}); - - return (%changes); -} - - - -# Simply copy the modified rules files to the output directory. -sub update_rules($ @) -{ - my $dst_dir = shift; - my @modified_files = @_; - - print STDERR "Updating local rules files... " - if (!$config{quiet} || $config{interactive}); - - foreach my $file_w_path (@modified_files) { - copy("$file_w_path", "$dst_dir") - or clean_exit("could not copy $file_w_path to $dst_dir: $!"); - } - - print STDERR "done.\n" - if (!$config{quiet} || $config{interactive}); -} - - -# Simply copy rules files from one dir to another. -# Links are not allowed. -sub copy_rules($ $) -{ - my $src_dir = shift; - my $dst_dir = shift; - - print STDERR "Copying rules from $src_dir... " - if (!$config{quiet} || $config{interactive}); - - opendir(SRC_DIR, $src_dir) - or clean_exit("could not open directory $src_dir: $!"); - - my $num_files = 0; - while ($_ = readdir(SRC_DIR)) { - next if (/^\.\.?$/ || exists($config{file_ignore_list}{$_}) - || !/$config{update_files}/); - - my $src_file = untaint_path("$src_dir/$_"); - - # Make sure it's a regular file. - unless (-f "$src_file" && !-l "$src_file") { - closedir(SRC_DIR); - clean_exit("\"$src_file\" is not a regular file.") - } - - unless (copy($src_file, $dst_dir)) { - closedir(SRC_DIR); - clean_exit("could not copy \"$src_file\" to \"$dst_dir\"/: $!"); - } - $num_files++; - } - - closedir(SRC_DIR); - - print STDERR "$num_files files copied.\n" - if (!$config{quiet} || $config{interactive}); -} - - - -# Return true if file is in PATH and is executable. -sub is_in_path($) -{ - my $file = shift; - - foreach my $dir (File::Spec->path()) { - if ((-f "$dir/$file" && -x "$dir/$file") - || (-f "$dir/$file.exe" && -x "$dir/$file.exe")) { - print STDERR "Found $file binary in $dir\n" - if ($config{verbose}); - return (1); - } - } - - return (0); -} - - - -# get_next_entry() will parse the array referenced in the first arg -# and return the next entry. The array should contain a rules file, -# and the returned entry will be removed from the array. -# An entry is one of: -# - single-line rule (put in 2nd ref) -# - multi-line rule (put in 3rd ref) -# - non-rule line (put in 4th ref) -# If the entry is a multi-line rule, its single-line version is also -# returned (put in the 2nd ref). -# If it's a rule, the msg string will be put in 4th ref and sid in 5th. -sub get_next_entry($ $ $ $ $ $) -{ - my $arr_ref = shift; - my $single_ref = shift; - my $multi_ref = shift; - my $nonrule_ref = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - undef($$single_ref); - undef($$multi_ref); - undef($$nonrule_ref); - undef($$msg_ref); - undef($$sid_ref); - - my $line = shift(@$arr_ref) || return(0); - my $disabled = 0; - my $broken = 0; - - chomp($line); - $line .= "\n"; - - # Possible beginning of multi-line rule? - if ($line =~ /$MULTILINE_RULE_REGEXP/oi) { - $$single_ref = $line; - $$multi_ref = $line; - - $disabled = 1 if ($line =~ /^\s*#/); - - # Keep on reading as long as line ends with "\". - while (!$broken && $line =~ /\\\s*\n$/) { - - # Remove trailing "\" and newline for single-line version. - $$single_ref =~ s/\\\s*\n//; - - # If there are no more lines, this can not be a valid multi-line rule. - if (!($line = shift(@$arr_ref))) { - - warn("\nWARNING: got EOF while parsing multi-line rule: $$multi_ref\n") - if ($config{verbose}); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - - # Multi-line continuation. - $$multi_ref .= $line; - - # If there are non-comment lines in the middle of a disabled rule, - # mark the rule as broken to return as non-rule lines. - if ($line !~ /^\s*#/ && $disabled) { - $broken = 1; - } elsif ($line =~ /^\s*#/ && !$disabled) { - # comment line (with trailing slash) in the middle of an active rule - ignore it - } else { - $line =~ s/^\s*#*\s*//; # remove leading # in single-line version - $$single_ref .= $line; - } - - } # while line ends with "\" - - # Single-line version should now be a valid rule. - # If not, it wasn't a valid multi-line rule after all. - if (!$broken && parse_singleline_rule($$single_ref, $msg_ref, $sid_ref)) { - - $$single_ref =~ s/^\s*//; # remove leading whitespaces - $$single_ref =~ s/^#+\s*/#/; # remove whitespaces next to leading # - $$single_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - $$multi_ref =~ s/^\s*//; - $$multi_ref =~ s/\s*\n$/\n/; - $$multi_ref =~ s/^#+\s*/#/; - - return (1); # return multi - - # Invalid multi-line rule. - } else { - warn("\nWARNING: invalid multi-line rule: $$single_ref\n") - if ($config{verbose} && $$multi_ref !~ /^\s*#/); - - @_ = split(/\n/, $$multi_ref); - - undef($$multi_ref); - undef($$single_ref); - - # First line of broken multi-line rule will be returned as a non-rule line. - $$nonrule_ref = shift(@_) . "\n"; - $$nonrule_ref =~ s/\s*\n$/\n/; # remove trailing whitespaces - - # The rest is put back to the array again. - foreach $_ (reverse((@_))) { - unshift(@$arr_ref, "$_\n"); - } - - return (1); # return non-rule - } - - # Check if it's a regular single-line rule. - } elsif (parse_singleline_rule($line, $msg_ref, $sid_ref)) { - $$single_ref = $line; - $$single_ref =~ s/^\s*//; - $$single_ref =~ s/^#+\s*/#/; - $$single_ref =~ s/\s*\n$/\n/; - - return (1); # return single - - # Non-rule line. - } else { - - # Do extra check and warn if it *might* be a rule anyway, - # but that we just couldn't parse for some reason. - warn("\nWARNING: line may be a rule but it could not be parsed ". - "(missing sid?): $line\n") - if ($config{verbose} && $line =~ /^\s*alert .+msg\s*:\s*".+"\s*;/); - - $$nonrule_ref = $line; - $$nonrule_ref =~ s/\s*\n$/\n/; - - return (1); # return non-rule - } -} - - - -# Look for variables that exist in dist var files but not in local var file. -sub get_new_vars($ $ $ $) -{ - my $ch_ref = shift; - my $dist_var_files_ref = shift; - my $local_var_file = shift; - my $url_tmpdirs_ref = shift; - - my %new_vars; - my (%old_vars, %dist_var_files, %found_dist_var_files); - my $confs_found = 0; - - - # Warn in case we can't find a specified dist file. - foreach my $dir (@$url_tmpdirs_ref) { - foreach my $dist_var_file (@$dist_var_files_ref) { - if (-e "$dir/$dist_var_file") { - $found_dist_var_files{$dist_var_file} = 1; - $confs_found++; - } - } - } - - foreach my $dist_var_file (@$dist_var_files_ref) { - unless (exists($found_dist_var_files{$dist_var_file})) { - warn("WARNING: did not find variable file \"$dist_var_file\" in ". - "downloaded archive(s)\n") - unless($config{quiet}); - } - } - - unless ($confs_found) { - unless ($config{quiet}) { - warn("WARNING: no variable files found in downloaded archive(s), ". - "aborting check for new variables\n"); - return; - } - } - - # Read in variable names from old (target) var file. - open(LOCAL_VAR_FILE, "<", "$local_var_file") - or clean_exit("could not open $local_var_file for reading: $!"); - - my @local_var_conf = <LOCAL_VAR_FILE>; - - foreach $_ (join_multilines(\@local_var_conf)) { - $old_vars{lc($1)}++ if (/$VAR_REGEXP/i); - } - - close(LOCAL_VAR_FILE); - - # Read in variables from new file(s). - foreach my $dir (@$url_tmpdirs_ref) { - foreach my $dist_var_file (@$dist_var_files_ref) { - my $conf = "$dir/$dist_var_file"; - if (-e "$conf") { - my $num_new = 0; - print STDERR "Checking downloaded $dist_var_file for new variables... " - unless ($config{quiet}); - - open(DIST_CONF, "<", "$conf") - or clean_exit("could not open $conf for reading: $!"); - my @dist_var_conf = <DIST_CONF>; - close(DIST_CONF); - - foreach $_ (join_multilines(\@dist_var_conf)) { - if (/$VAR_REGEXP/i && !exists($old_vars{lc($1)})) { - my ($varname, $varval) = (lc($1), $2); - if (exists($new_vars{$varname})) { - warn("\nWARNING: new variable \"$varname\" is defined multiple ". - "times in downloaded files\n"); - } - s/^\s*//; - push(@{$$ch_ref{new_vars}}, "$_\n"); - $new_vars{$varname} = $varval; - $num_new++; - } - } - - close(DIST_CONF); - print STDERR "$num_new new found.\n" - unless ($config{quiet}); - } - } - } -} - - - -# Add new variables to local snort.conf. -sub add_new_vars($ $) -{ - my $ch_ref = shift; - my $varfile = shift; - my $tmp_varfile = "$tmpdir/tmp_varfile.conf"; - my $new_content; - - return unless ($#{$changes{new_vars}} > -1); - - print STDERR "Adding new variables to $varfile... " - unless ($config{quiet}); - - open(OLD_LOCAL_CONF, "<", "$varfile") - or clean_exit("could not open $varfile for reading: $!"); - my @old_content = <OLD_LOCAL_CONF>; - close(OLD_LOCAL_CONF); - - open(NEW_LOCAL_CONF, ">", "$tmp_varfile") - or clean_exit("could not open $tmp_varfile for writing: $!"); - - my @old_vars = grep(/$VAR_REGEXP/i, @old_content); - - - # If any vars exist in old file, put new vars right after them. - if ($#old_vars > -1) { - while ($_ = shift(@old_content)) { - print NEW_LOCAL_CONF $_; - last if ($_ eq $old_vars[$#old_vars]); - } - } - - print NEW_LOCAL_CONF @{$changes{new_vars}}; - print NEW_LOCAL_CONF @old_content; - - close(NEW_LOCAL_CONF); - - clean_exit("could not copy $tmp_varfile to $varfile: $!") - unless (copy("$tmp_varfile", "$varfile")); - - print STDERR "done.\n" - unless ($config{quiet}); -} - - - -# Convert msdos style path to cygwin style, e.g. -# c:\foo => /cygdrive/c/foo -sub msdos_to_cygwin_path($) -{ - my $path_ref = shift; - - if ($$path_ref =~ /^([a-zA-Z]):[\/\\](.*)/) { - my ($drive, $dir) = ($1, $2); - $dir =~ s/\\/\//g; - $$path_ref = "/cygdrive/$drive/$dir"; - return (1); - } - - return (0); -} - - - -# Parse and process a modifysid expression. -# Return 1 if valid, or otherwise 0. -sub parse_mod_expr($ $ $ $) -{ - my $mod_list_ref = shift; # where to store valid entries - my $sid_arg_list = shift; # comma-separated list of SIDs/files or wildcard - my $subst = shift; # regexp to look for - my $repl = shift; # regexp to replace it with - - my @tmp_mod_list; - - $sid_arg_list =~ s/\s+$//; - - foreach my $sid_arg (split(/\s*,\s*/, $sid_arg_list)) { - my $type = ""; - - $type = "sid" if ($sid_arg =~ /^\d+$/); - $type = "file" if ($sid_arg =~ /^\S+.*\.\S+$/); - $type = "wildcard" if ($sid_arg eq "*"); - - return (0) unless ($type); - - # Sanity check to make sure user escaped at least all the "$" in $subst. - if ($subst =~ /[^\\]\$./ || $subst =~ /^\$/) { - warn("WARNING: unescaped \$ in expression \"$subst\", all special ". - "characters must be escaped\n"); - return (0); - } - - # Only allow backreference variables. The check should at least catch some user typos. - if (($repl =~ /[^\\]\$(\D.)/ && $1 !~ /{\d/) || $repl =~ /[^\\]\$$/ - || ($repl =~ /^\$(\D.)/ && $1 !~ /{\d/)) { - warn("WARNING: illegal replacement expression \"$repl\": unescaped \$ ". - "that isn't a backreference\n"); - return (0); - } - - # Don't permit unescaped @. - if ($repl =~ /[^\\]\@/ || $repl =~ /^\@/) { - warn("WARNING: illegal replacement expression \"$repl\": unescaped \@\n"); - return (0); - } - - # Make sure the regexp is valid. - my $repl_qq = "qq/$repl/"; - my $dummy = "foo"; - - eval { - $dummy =~ s/$subst/$repl_qq/ee; - }; - - # We should probably check for warnings as well as errors... - if ($@) { - warn("Invalid regexp: $@"); - return (0); - } - - push(@tmp_mod_list, [$subst, $repl_qq, $type, $sid_arg]); - } - - # If we come this far, all sids and the regexp were parsed successfully, so - # append them to real mod list array. - foreach my $mod_entry (@tmp_mod_list) { - push(@$mod_list_ref, $mod_entry); - } - - return (1); -} - - - -# Untaint a path. Die if it contains illegal chars. -sub untaint_path($) -{ - my $path = shift; - my $orig_path = $path; - - return $path unless ($config{use_path_checks}); - - (($path) = $path =~ /^([$OK_PATH_CHARS]+)$/) - or clean_exit("illegal character in path/filename ". - "\"$orig_path\", allowed are $OK_PATH_CHARS\n". - "Fix this or set use_path_checks=0 in oinkmaster.conf ". - "to disable this check completely if it is too strict.\n"); - - return ($path); -} - - - -# Ask user to approve changes. Return 1 for yes, 0 for no. -sub approve_changes() -{ - my $answer = ""; - - while ($answer !~ /^[yn]/i) { - print "Do you approve these changes? [Yn] "; - $answer = <STDIN>; - $answer = "y" unless ($answer =~ /\S/); - } - - return ($answer =~ /^y/i); -} - - - -# Remove common leading and trailing stuff from two rules. -sub minimize_diff($ $) -{ - my $old_rule = shift; - my $new_rule = shift; - - my $original_old = $old_rule; - my $original_new = $new_rule; - - # Additional chars to print next to the diffing part. - my $additional_chars = 20; - - # Remove the rev keyword from the rules, as it often - # makes the whole diff minimizing useless. - $old_rule =~ s/\s*\b(rev\s*:\s*\d+\s*;)\s*//; - my $old_rev = $1; - - $new_rule =~ s/\s*\b(rev\s*:\s*\d+\s*;)\s*//; - my $new_rev = $1; - - # If rev was the only thing that changed, we want to restore the rev - # before continuing so we don't remove common stuff from rules that - # are identical. - if ($old_rule eq $new_rule) { - $old_rule = $original_old; - $new_rule = $original_new; - } - - # Temporarily remove possible leading # so it works nicely - # with modified rules that are also being either enabled or disabled. - my $old_is_disabled = 0; - my $new_is_disabled = 0; - - $old_is_disabled = 1 if ($old_rule =~ s/^#//); - $new_is_disabled = 1 if ($new_rule =~ s/^#//); - - # Go forward char by char until they aren't equeal. - # $i will bet set to the index where they diff. - my @old = split(//, $old_rule); - my @new = split(//, $new_rule); - - my $i = 0; - while ($i <= $#old && $i <= $#new && $old[$i] eq $new[$i]) { - $i++; - } - - # Now same thing but backwards. - # $j will bet set to the index where they diff. - @old = reverse(split(//, $old_rule)); - @new = reverse(split(//, $new_rule)); - - my $j = 0; - while ($j <= $#old && $j <= $#new && $old[$j] eq $new[$j]) { - $j++; - } - - # Print some additional chars on either side, if there is room for it. - $i -= $additional_chars; - $i = 0 if ($i < 0); - - $j = -$j + $additional_chars; - $j = 0 if ($j > -1); - - my ($old, $new); - - # Print entire rules (i.e. they can not be shortened). - if (!$i && !$j) { - $old = $old_rule; - $new = $new_rule; - - # Leading and trailing stuff can be removed. - } elsif ($i && $j) { - $old = "..." . substr($old_rule, $i, $j) . "..."; - $new = "..." . substr($new_rule, $i, $j) . "..."; - - # Trailing stuff can be removed. - } elsif (!$i && $j) { - $old = substr($old_rule, $i, $j) . "..."; - $new = substr($new_rule, $i, $j) . "..."; - - # Leading stuff can be removed. - } elsif ($i && !$j) { - $old = "..." . substr($old_rule, $i); - $new = "..." . substr($new_rule, $i); - } - - chomp($old, $new); - $old .= "\n"; - $new .= "\n"; - - # Restore possible leading # now. - $old = "#$old" if ($old_is_disabled); - $new = "#$new" if ($new_is_disabled); - - return ($old, $new); -} - - - -# Check a string and return 1 if it's a valid single-line snort rule. -# Msg string is put in second arg, sid in third (those are the only -# required keywords, besides the leading rule actions). -sub parse_singleline_rule($ $ $) -{ - my $line = shift; - my $msg_ref = shift; - my $sid_ref = shift; - - undef($$msg_ref); - undef($$sid_ref); - - if ($line =~ /$SINGLELINE_RULE_REGEXP/oi) { - - if ($line =~ /\bmsg\s*:\s*"(.+?)"\s*;/i) { - $$msg_ref = $1; - } else { - return (0); - } - - if ($line =~ /\bsid\s*:\s*(\d+)\s*;/i) { - $$sid_ref = $1; - } else { - return (0); - } - - return (1); - } - - return (0); -} - - - -# Merge multiline directives in an array by simply removing traling backslashes. -sub join_multilines($) -{ - my $multiline_conf_ref = shift; - my $joined_conf = ""; - - foreach $_ (@$multiline_conf_ref) { - s/\\\s*\n$//; - $joined_conf .= $_; - } - - return (split/\n/, $joined_conf); -} - - - -# Catch SIGINT. -sub catch_sigint() -{ - $SIG{INT} = 'IGNORE'; - print STDERR "\nInterrupted, cleaning up.\n"; - sleep(1); - clean_exit("interrupted by signal"); -} - - - -# Remove temporary directory and exit. -# If a non-empty string is given as argument, it will be regarded -# as an error message and we will use die() with the message instead -# of just exit(0). -sub clean_exit($) -{ - my $err_msg = shift; - - $SIG{INT} = 'DEFAULT'; - - if (defined($tmpdir) && -d "$tmpdir") { - chdir(File::Spec->rootdir()); - rmtree("$tmpdir", 0, 1); - undef($tmpdir); - } - - if (!defined($err_msg) || $err_msg eq "") { - exit(0); - } else { - chomp($err_msg); - die("\n$0: Error: $err_msg\n\nOink, oink. Exiting...\n"); - } -} - - - -#### EOF #### diff --git a/config/snort-old/bin/snort2c b/config/snort-old/bin/snort2c Binary files differdeleted file mode 100755 index fdc91ac8..00000000 --- a/config/snort-old/bin/snort2c +++ /dev/null diff --git a/config/snort-old/pfsense_rules/local.rules b/config/snort-old/pfsense_rules/local.rules deleted file mode 100644 index 83a05f1b..00000000 --- a/config/snort-old/pfsense_rules/local.rules +++ /dev/null @@ -1,7 +0,0 @@ -# ---------------- -# LOCAL RULES -# ---------------- -# This file intentionally does not come with signatures. Put your local -# additions here. Pfsense first install rule. Rule edit tabe fails with out this file. -# -#
\ No newline at end of file diff --git a/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 deleted file mode 100644 index 83d5bdae..00000000 --- a/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 +++ /dev/null @@ -1 +0,0 @@ -10002
\ No newline at end of file diff --git a/config/snort-old/pfsense_rules/rules/pfsense-voip.rules b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules deleted file mode 100644 index 12f2fdf2..00000000 --- a/config/snort-old/pfsense_rules/rules/pfsense-voip.rules +++ /dev/null @@ -1,10 +0,0 @@ -alert ip any any -> $HOME_NET $SIP_PROXY_PORTS (msg:"OPTIONS SIP scan"; content:"OPTIONS"; depth:7; threshold: type both , track by_src, count 30, seconds 3; sid:5000001; rev:1;) -# Excessive number of SIP 4xx Responses Does not work -#### alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Excessive number of SIP 4xx Responses - possible user or password guessing attack"; pcre:"/^SIP\/2.0 4\d{2}"; threshold: type both, track by_src, count 100, seconds 60; sid:5000002; rev:1;) -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"Ghost call attack"; content:"SIP/2.0 180"; depth:11; threshold: type both, track by_src, count 100, seconds 60; sid:5000003; rev:1;) -# Rule for alerting of INVITE flood attack: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; sid:5000004; rev:1;) -# Rule for alerting of REGISTER flood attack: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; sid:5000005; rev:1;) -# Threshold rule for unauthorized responses: -alert ip any any -> $SIP_PROXY_IP $SIP_PROXY_PORTS (msg:"INVITE message flooding"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; sid:5000006; rev:1;) diff --git a/config/snort-old/snort.inc b/config/snort-old/snort.inc deleted file mode 100755 index 0ed53feb..00000000 --- a/config/snort-old/snort.inc +++ /dev/null @@ -1,1640 +0,0 @@ -<?php -/* $Id$ */ -/* - snort.inc - Copyright (C) 2006 Scott Ullrich - part of pfSense - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require_once("pfsense-utils.inc"); - -// Needed on 2.0 because of get_vpns_list() -require_once("filter.inc"); - -/* Allow additional execution time 0 = no limit. */ -ini_set('max_execution_time', '9999'); -ini_set('max_input_time', '9999'); - -/* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - -function sync_package_snort_reinstall() -{ - global $config; - if(!$config['installedpackages']['snort']) - return; - - /* create snort configuration file */ - create_snort_conf(); - - /* start snort service */ - start_service("snort"); -} -function sync_package_snort() -{ - global $config, $g; - conf_mount_rw(); - - mwexec("mkdir -p /var/log/snort/"); - - if(!file_exists("/var/log/snort/alert")) - touch("/var/log/snort/alert"); - - /* snort -> advanced features */ - $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; - $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; - $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; - - /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; - else - $snort_performance = "ac-bnfa"; - - /* create a few directories and ensure the sample files are in place */ - exec("/bin/mkdir -p /usr/local/etc/snort"); - exec("/bin/mkdir -p /var/log/snort"); - exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); - exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); - exec("/bin/rm /usr/local/etc/snort/generators-sample"); - exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); - exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/sid"); - exec("/bin/rm -f /usr/local/etc/rc.d/snort"); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; - } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; - } - } - //print_r($snortInterfaces); - - /* create log directory */ - $start = "/bin/mkdir -p /var/log/snort\n"; - - /* snort advanced features - bpf tuning */ - if($bpfbufsize) - $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; - if($bpfmaxbufsize) - $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; - if($bpfmaxinsns) - $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; - - /* go ahead and issue bpf changes */ - if($bpfbufsize) - mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); - if($bpfmaxbufsize) - mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); - if($bpfmaxinsns) - mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); - - /* always stop barnyard2 before starting snort -gtm */ - $start .= "/usr/bin/killall barnyard2\n"; - - /* start a snort process for each interface -gtm */ - /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ - /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ - /* TODO; get snort to start under nologin shell */ - foreach($snortInterfaces as $snortIf) - { - $start .= "sleep 4\n"; - $start .= "/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; - if ($snortbarnyardlog_info_chk == on) - $start .= "\nsleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; - } - $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php &\n\texit 1\n\tfi\n\n"; - $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; - $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; - $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; - $del_old_pids = "\nrm -f /var/run/snort_*\n"; - $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - if ($snort_performance == "ac-bnfa") - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; - else - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; - $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; - $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; - $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; - - /* write out rc.d start/stop file */ - write_rcfile(array( - "file" => "snort.sh", - "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", - "stop" => "/usr/bin/killall snort; killall barnyard2" - ) - ); - - /* create snort configuration file */ - create_snort_conf(); - -/* create barnyard2 configuration file */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); - - /* snort will not start on install untill setting are set */ -if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { - /* start snort service */ - conf_mount_ro(); - start_service("snort"); - } -} - -/* open barnyard2.conf for writing */ -function create_barnyard2_conf() { - global $bconfig, $bg; - /* write out barnyard2_conf */ - conf_mount_rw(); - $barnyard2_conf_text = generate_barnyard2_conf(); - $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); - if(!$bconf) { - log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); - exit; - } - fwrite($bconf, $barnyard2_conf_text); - fclose($bconf); - conf_mount_ro(); -} -/* open barnyard2.conf for writing" */ -function generate_barnyard2_conf() { - - global $config, $g; - conf_mount_rw(); - -/* define snortbarnyardlog */ -/* TODO add support for the other 5 output plugins */ - -$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; -$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; -$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; - -$barnyard2_conf_text = <<<EOD - -# barnyard2.conf -# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php - -# Copyright (C) 2006 Robert Zelaya -# part of pfSense -# All rights reserved. - -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: - -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. - -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. - -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. - -# set the appropriate paths to the file(s) your Snort process is using -config reference-map: /usr/local/etc/snort/reference.config -config class-map: /usr/local/etc/snort/classification.config -config gen-msg-map: /usr/local/etc/snort/gen-msg.map -config sid-msg-map: /usr/local/etc/snort/sid-msg.map - -config hostname: $snortbarnyardlog_hostname_info_chk -config interface: $snortbarnyardlog_interface_info_chk - -# Step 2: setup the input plugins -input unified2 - -# database: log to a variety of databases -# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx - -$snortbarnyardlog_database_info_chk - -EOD; - conf_mount_rw(); - return $barnyard2_conf_text; - -} - -function create_snort_conf() { - global $config, $g; - /* write out snort.conf */ - $snort_conf_text = generate_snort_conf(); - conf_mount_rw(); - $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); - if(!$conf) { - log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); - exit; - } - fwrite($conf, $snort_conf_text); - fclose($conf); - conf_mount_ro(); -} - -function snort_deinstall() { - - global $config, $g; - conf_mount_rw(); - - - /* remove custom sysctl */ - remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); - /* decrease bpf buffers back to 4096, from 20480 */ - exec("/sbin/sysctl net.bpf.bufsize=4096"); - exec("/usr/bin/killall snort"); - sleep(5); - exec("/usr/bin/killall -9 snort"); - exec("rm -f /usr/local/etc/rc.d/snort*"); - exec("rm -rf /usr/local/etc/snort*"); - exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); - exec("/usr/bin/killall -9 snort"); - exec("/usr/bin/killall snort"); - - /* Remove snort cron entries Ugly code needs smoothness*/ - - function snort_rm_blocked_deinstall_cron($should_install) { - global $config, $g; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - } - - function snort_rules_up_deinstall_cron($should_install) { - global $config, $g; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - } - -snort_rm_blocked_deinstall_cron(""); -snort_rules_up_deinstall_cron(""); - -/* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ -/* Keep this as a last step */ - -unset($config['installedpackages']['snort']); -unset($config['installedpackages']['snortdefservers']); -unset($config['installedpackages']['snortwhitelist']); -unset($config['installedpackages']['snortthreshold']); -unset($config['installedpackages']['snortadvanced']); - - -write_config(); -conf_mount_ro(); - -} - -function generate_snort_conf() { - - global $config, $g; - conf_mount_rw(); - /* obtain external interface */ - /* XXX: make multi wan friendly */ - $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; - - $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; - -/* define snortalertlogtype */ -$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; -if ($snortalertlogtype == fast) - $snortalertlogtype_type = "output alert_fast: alert"; -else - $snortalertlogtype_type = "output alert_full: alert"; - -/* define alertsystemlog */ -$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; -if ($alertsystemlog_info_chk == on) - $alertsystemlog_type = "output alert_syslog: log_alert"; - -/* define tcpdumplog */ -$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; -if ($tcpdumplog_info_chk == on) - $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; - -/* define snortbarnyardlog_chk */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; - -/* define snortunifiedlog */ -$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; -if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; - -/* define spoink */ -$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; -if ($spoink_info_chk == on) - $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; - - /* define servers and ports snortdefservers */ - -/* def DNS_SERVSERS */ -$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; -if ($def_dns_servers_info_chk == "") - $def_dns_servers_type = "\$HOME_NET"; -else - $def_dns_servers_type = "$def_dns_servers_info_chk"; - -/* def DNS_PORTS */ -$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; -if ($def_dns_ports_info_chk == "") - $def_dns_ports_type = "53"; -else - $def_dns_ports_type = "$def_dns_ports_info_chk"; - -/* def SMTP_SERVSERS */ -$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; -if ($def_smtp_servers_info_chk == "") - $def_smtp_servers_type = "\$HOME_NET"; -else - $def_smtp_servers_type = "$def_smtp_servers_info_chk"; - -/* def SMTP_PORTS */ -$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; -if ($def_smtp_ports_info_chk == "") - $def_smtp_ports_type = "25"; -else - $def_smtp_ports_type = "$def_smtp_ports_info_chk"; - -/* def MAIL_PORTS */ -$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; -if ($def_mail_ports_info_chk == "") - $def_mail_ports_type = "25,143,465,691"; -else - $def_mail_ports_type = "$def_mail_ports_info_chk"; - -/* def HTTP_SERVSERS */ -$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; -if ($def_http_servers_info_chk == "") - $def_http_servers_type = "\$HOME_NET"; -else - $def_http_servers_type = "$def_http_servers_info_chk"; - -/* def WWW_SERVSERS */ -$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; -if ($def_www_servers_info_chk == "") - $def_www_servers_type = "\$HOME_NET"; -else - $def_www_servers_type = "$def_www_servers_info_chk"; - -/* def HTTP_PORTS */ -$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; -if ($def_http_ports_info_chk == "") - $def_http_ports_type = "80"; -else - $def_http_ports_type = "$def_http_ports_info_chk"; - -/* def SQL_SERVSERS */ -$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; -if ($def_sql_servers_info_chk == "") - $def_sql_servers_type = "\$HOME_NET"; -else - $def_sql_servers_type = "$def_sql_servers_info_chk"; - -/* def ORACLE_PORTS */ -$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; -if ($def_oracle_ports_info_chk == "") - $def_oracle_ports_type = "1521"; -else - $def_oracle_ports_type = "$def_oracle_ports_info_chk"; - -/* def MSSQL_PORTS */ -$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; -if ($def_mssql_ports_info_chk == "") - $def_mssql_ports_type = "1433"; -else - $def_mssql_ports_type = "$def_mssql_ports_info_chk"; - -/* def TELNET_SERVSERS */ -$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; -if ($def_telnet_servers_info_chk == "") - $def_telnet_servers_type = "\$HOME_NET"; -else - $def_telnet_servers_type = "$def_telnet_servers_info_chk"; - -/* def TELNET_PORTS */ -$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; -if ($def_telnet_ports_info_chk == "") - $def_telnet_ports_type = "23"; -else - $def_telnet_ports_type = "$def_telnet_ports_info_chk"; - -/* def SNMP_SERVSERS */ -$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; -if ($def_snmp_servers_info_chk == "") - $def_snmp_servers_type = "\$HOME_NET"; -else - $def_snmp_servers_type = "$def_snmp_servers_info_chk"; - -/* def SNMP_PORTS */ -$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; -if ($def_snmp_ports_info_chk == "") - $def_snmp_ports_type = "161"; -else - $def_snmp_ports_type = "$def_snmp_ports_info_chk"; - -/* def FTP_SERVSERS */ -$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; -if ($def_ftp_servers_info_chk == "") - $def_ftp_servers_type = "\$HOME_NET"; -else - $def_ftp_servers_type = "$def_ftp_servers_info_chk"; - -/* def FTP_PORTS */ -$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; -if ($def_ftp_ports_info_chk == "") - $def_ftp_ports_type = "21"; -else - $def_ftp_ports_type = "$def_ftp_ports_info_chk"; - -/* def SSH_SERVSERS */ -$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; -if ($def_ssh_servers_info_chk == "") - $def_ssh_servers_type = "\$HOME_NET"; -else - $def_ssh_servers_type = "$def_ssh_servers_info_chk"; - -/* if user has defined a custom ssh port, use it */ -if($config['system']['ssh']['port']) - $ssh_port = $config['system']['ssh']['port']; -else - $ssh_port = "22"; - -/* def SSH_PORTS */ -$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; -if ($def_ssh_ports_info_chk == "") - $def_ssh_ports_type = "{$ssh_port}"; -else - $def_ssh_ports_type = "$def_ssh_ports_info_chk"; - -/* def POP_SERVSERS */ -$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; -if ($def_pop_servers_info_chk == "") - $def_pop_servers_type = "\$HOME_NET"; -else - $def_pop_servers_type = "$def_pop_servers_info_chk"; - -/* def POP2_PORTS */ -$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; -if ($def_pop2_ports_info_chk == "") - $def_pop2_ports_type = "109"; -else - $def_pop2_ports_type = "$def_pop2_ports_info_chk"; - -/* def POP3_PORTS */ -$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; -if ($def_pop3_ports_info_chk == "") - $def_pop3_ports_type = "110"; -else - $def_pop3_ports_type = "$def_pop3_ports_info_chk"; - -/* def IMAP_SERVSERS */ -$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; -if ($def_imap_servers_info_chk == "") - $def_imap_servers_type = "\$HOME_NET"; -else - $def_imap_servers_type = "$def_imap_servers_info_chk"; - -/* def IMAP_PORTS */ -$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; -if ($def_imap_ports_info_chk == "") - $def_imap_ports_type = "143"; -else - $def_imap_ports_type = "$def_imap_ports_info_chk"; - -/* def SIP_PROXY_IP */ -$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; -if ($def_sip_proxy_ip_info_chk == "") - $def_sip_proxy_ip_type = "\$HOME_NET"; -else - $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; - -/* def SIP_PROXY_PORTS */ -$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; -if ($def_sip_proxy_ports_info_chk == "") - $def_sip_proxy_ports_type = "5060:5090,16384:32768"; -else - $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; - -/* def AUTH_PORTS */ -$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; -if ($def_auth_ports_info_chk == "") - $def_auth_ports_type = "113"; -else - $def_auth_ports_type = "$def_auth_ports_info_chk"; - -/* def FINGER_PORTS */ -$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; -if ($def_finger_ports_info_chk == "") - $def_finger_ports_type = "79"; -else - $def_finger_ports_type = "$def_finger_ports_info_chk"; - -/* def IRC_PORTS */ -$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; -if ($def_irc_ports_info_chk == "") - $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; -else - $def_irc_ports_type = "$def_irc_ports_info_chk"; - -/* def NNTP_PORTS */ -$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; -if ($def_nntp_ports_info_chk == "") - $def_nntp_ports_type = "119"; -else - $def_nntp_ports_type = "$def_nntp_ports_info_chk"; - -/* def RLOGIN_PORTS */ -$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; -if ($def_rlogin_ports_info_chk == "") - $def_rlogin_ports_type = "513"; -else - $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; - -/* def RSH_PORTS */ -$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; -if ($def_rsh_ports_info_chk == "") - $def_rsh_ports_type = "514"; -else - $def_rsh_ports_type = "$def_rsh_ports_info_chk"; - -/* def SSL_PORTS */ -$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; -if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "25,443,465,636,993,995"; -else - $def_ssl_ports_type = "$def_ssl_ports_info_chk"; - - /* add auto update scripts to /etc/crontab */ -// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; -// $filenamea = "/etc/crontab"; -// remove_text_from_file($filenamea, $text_ww); -// add_text_to_file($filenamea, $text_ww); -// exec("killall -HUP cron"); */ - - /* should we install a automatic update crontab entry? */ - $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; - - /* if user is on pppoe, we really want to use ng0 interface */ - if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") - $snort_ext_int = "ng0"; - - /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; - else - $snort_performance = "ac-bnfa"; - - /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "never_b") - $snort_rm_blocked_false = ""; - else - $snort_rm_blocked_false = "true"; - -if ($snort_rm_blocked_info_ck != "") { -function snort_rm_blocked_install_cron($should_install) { - global $config, $g; - conf_mount_rw(); - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") { - $snort_rm_blocked_min = "*/5"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "3600"; - } - if ($snort_rm_blocked_info_ck == "3h_b") { - $snort_rm_blocked_min = "*/15"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "10800"; - } - if ($snort_rm_blocked_info_ck == "6h_b") { - $snort_rm_blocked_min = "*/30"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "21600"; - } - if ($snort_rm_blocked_info_ck == "12h_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/1"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "43200"; - } - if ($snort_rm_blocked_info_ck == "1d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/2"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "86400"; - } - if ($snort_rm_blocked_info_ck == "4d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/8"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "345600"; - } - if ($snort_rm_blocked_info_ck == "7d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/14"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "604800"; - } - if ($snort_rm_blocked_info_ck == "28d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "0"; - $snort_rm_blocked_mday = "*/2"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "2419200"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - conf_mount_rw(); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } - } - snort_rm_blocked_install_cron(""); - snort_rm_blocked_install_cron($snort_rm_blocked_false); -} - - /* set the snort rules update time */ - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "never_up") - $snort_rules_up_false = ""; - else - $snort_rules_up_false = "true"; - -if ($snort_rules_up_info_ck != "") { -function snort_rules_up_install_cron($should_install) { - global $config, $g; - conf_mount_rw(); - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/1"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/4"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/7"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/28"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - conf_mount_rw(); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } - } - snort_rules_up_install_cron(""); - snort_rules_up_install_cron($snort_rules_up_false); -} - /* Be sure we're really rw before writing */ - conf_mount_rw(); - /* open snort2c's whitelist for writing */ - $whitelist = fopen("/var/db/whitelist", "w"); - if(!$whitelist) { - log_error("Could not open /var/db/whitelist for writing."); - return; - } - - /* build an interface array list */ - $int_array = array('lan'); - for ($j = 1; isset ($config['interfaces']['opt' . $j]); $j++) - if(isset($config['interfaces']['opt' . $j]['enable'])) - if(!$config['interfaces']['opt' . $j]['gateway']) - $int_array[] = "opt{$j}"; - - /* iterate through interface list and write out whitelist items - * and also compile a home_net list for snort. - */ - foreach($int_array as $int) { - /* calculate interface subnet information */ - $ifcfg = $config['interfaces'][$int]; - $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); - $subnetmask = gen_subnet_mask($ifcfg['subnet']); - if($subnet == "pppoe" or $subnet == "dhcp") { - $subnet = find_interface_ip("ng0"); - if($subnet) - $home_net .= "{$subnet} "; - } else { - if ($subnet) - if($ifcfg['subnet']) - $home_net .= "{$subnet}/{$ifcfg['subnet']} "; - } - } - - /* add all WAN ips to the whitelist */ - $wan_if = get_real_wan_interface(); - $ip = find_interface_ip($wan_if); - if($ip) - $home_net .= "{$ip} "; - - /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ - $int = convert_friendly_interface_to_real_interface_name("WAN"); - $gw = get_interface_gateway($int); - if($gw) - $home_net .= "{$gw} "; - - /* Add DNS server for WAN interface to whitelist */ - $dns_servers = get_dns_servers(); - foreach($dns_servers as $dns) { - if($dns) - $home_net .= "{$dns} "; - } - - /* Add loopback to whitelist (ftphelper) */ - $home_net .= "127.0.0.1 "; - - /* iterate all vips and add to whitelist */ - if($config['virtualip']) - foreach($config['virtualip']['vip'] as $vip) - if($vip['subnet']) - $home_net .= $vip['subnet'] . " "; - - if($config['installedpackages']['snortwhitelist']) - foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) - if($snort['ip']) - $home_net .= $snort['ip'] . " "; - - /* write out whitelist, convert spaces to carriage returns */ - $whitelist_home_net = str_replace(" ", " ", $home_net); - $whitelist_home_net = str_replace(" ", "\n", $home_net); - - /* make $home_net presentable to snort */ - $home_net = trim($home_net); - $home_net = str_replace(" ", ",", $home_net); - $home_net = "[{$home_net}]"; - - /* foreach through whitelist, writing out to file */ - $whitelist_split = split("\n", $whitelist_home_net); - foreach($whitelist_split as $wl) - if(trim($wl)) - fwrite($whitelist, trim($wl) . "\n"); - - /* should we whitelist vpns? */ - $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; - - /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ - if($whitelistvpns) { - $vpns_list = get_vpns_list(); - $whitelist_vpns = split(" ", $vpns_list); - foreach($whitelist_vpns as $wl) - if(trim($wl)) - fwrite($whitelist, trim($wl) . "\n"); - } - - /* close file */ - fclose($whitelist); - - /* Be sure we're really rw before writing */ - conf_mount_rw(); - /* open snort's threshold.conf for writing */ - $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); - if(!$threshlist) { - log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); - return; - } - - /* list all entries to new lines */ - if($config['installedpackages']['snortthreshold']) - foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) - if($snortthreshlist['threshrule']) - $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; - - - /* foreach through threshlist, writing out to file */ - $threshlist_split = split("\n", $snortthreshlist_r); - foreach($threshlist_split as $wl) - if(trim($wl)) - fwrite($threshlist, trim($wl) . "\n"); - - /* close snort's threshold.conf file */ - fclose($threshlist); - - /* generate rule sections to load */ - $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; - if($enabled_rulesets) { - $selected_rules_sections = ""; - $enabled_rulesets_array = split("\|\|", $enabled_rulesets); - foreach($enabled_rulesets_array as $enabled_item) - $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; - } - - conf_mount_ro(); - - /* build snort configuration file */ - /* TODO; feed back from pfsense users to reduce false positives */ - $snort_conf_text = <<<EOD - -# snort configuration file -# generated by the pfSense -# package manager system -# see /usr/local/pkg/snort.inc -# for more information -# snort.conf -# Snort can be found at http://www.snort.org/ - -# Copyright (C) 2006 Robert Zelaya -# part of pfSense -# All rights reserved. - -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: - -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. - -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. - -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. - -######################### - # -# Define Local Network # - # -######################### - -var HOME_NET {$home_net} -var EXTERNAL_NET !\$HOME_NET - -################### - # -# Define Servers # - # -################### - -var DNS_SERVERS [{$def_dns_servers_type}] -var SMTP_SERVERS [{$def_smtp_servers_type}] -var HTTP_SERVERS [{$def_http_servers_type}] -var SQL_SERVERS [{$def_sql_servers_type}] -var TELNET_SERVERS [{$def_telnet_servers_type}] -var SNMP_SERVERS [{$def_snmp_servers_type}] -var FTP_SERVERS [{$def_ftp_servers_type}] -var SSH_SERVERS [{$def_ssh_servers_type}] -var POP_SERVERS [{$def_pop_servers_type}] -var IMAP_SERVERS [{$def_imap_servers_type}] -var RPC_SERVERS \$HOME_NET -var WWW_SERVERS [{$def_www_servers_type}] -var SIP_PROXY_IP [{$def_sip_proxy_ip_type}] -var AIM_SERVERS \ -[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] - -######################## - # -# Define Server Ports # - # -######################## - -portvar HTTP_PORTS [{$def_http_ports_type}] -portvar SHELLCODE_PORTS !80 -portvar ORACLE_PORTS [{$def_oracle_ports_type}] -portvar AUTH_PORTS [{$def_auth_ports_type}] -portvar DNS_PORTS [{$def_dns_ports_type}] -portvar FINGER_PORTS [{$def_finger_ports_type}] -portvar FTP_PORTS [{$def_ftp_ports_type}] -portvar IMAP_PORTS [{$def_imap_ports_type}] -portvar IRC_PORTS [{$def_irc_ports_type}] -portvar MSSQL_PORTS [{$def_mssql_ports_type}] -portvar NNTP_PORTS [{$def_nntp_ports_type}] -portvar POP2_PORTS [{$def_pop2_ports_type}] -portvar POP3_PORTS [{$def_pop3_ports_type}] -portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779] -portvar RLOGIN_PORTS [{$def_rlogin_ports_type}] -portvar RSH_PORTS [{$def_rsh_ports_type}] -portvar SMB_PORTS [139,445] -portvar SMTP_PORTS [{$def_smtp_ports_type}] -portvar SNMP_PORTS [{$def_snmp_ports_type}] -portvar SSH_PORTS [{$def_ssh_ports_type}] -portvar TELNET_PORTS [{$def_telnet_ports_type}] -portvar MAIL_PORTS [{$def_mail_ports_type}] -portvar SSL_PORTS [{$def_ssl_ports_type}] -portvar SIP_PROXY_PORTS [{$def_sip_proxy_ports_type}] - -# DCERPC NCACN-IP-TCP -portvar DCERPC_NCACN_IP_TCP [139,445] -portvar DCERPC_NCADG_IP_UDP [138,1024:] -portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:] -portvar DCERPC_NCACN_UDP_LONG [135,1024:] -portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:] -portvar DCERPC_NCACN_TCP [2103,2105,2107] -portvar DCERPC_BRIGHTSTORE [6503,6504] - -##################### - # -# Define Rule Paths # - # -##################### - -var RULE_PATH /usr/local/etc/snort/rules -# var PREPROC_RULE_PATH ./preproc_rules - -################################ - # -# Configure the snort decoder # - # -################################ - -config checksum_mode: all -config disable_decode_alerts -config disable_tcpopt_experimental_alerts -config disable_tcpopt_obsolete_alerts -config disable_ttcp_alerts -config disable_tcpopt_alerts -config disable_ipopt_alerts -config disable_decode_drops - -################################### - # -# Configure the detection engine # -# Use lower memory models # - # -################################### - -config detection: search-method {$snort_performance} -config detection: max_queue_events 5 -config event_queue: max_queue 8 log 3 order_events content_length - -#Configure dynamic loaded libraries -dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor/ -dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so -dynamicdetection directory /usr/local/lib/snort/dynamicrules/ - -################### - # -# Flow and stream # - # -################### - -preprocessor frag3_global: max_frags 8192 -preprocessor frag3_engine: policy windows -preprocessor frag3_engine: policy linux -preprocessor frag3_engine: policy first -preprocessor frag3_engine: policy bsd detect_anomalies - -preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ -track_udp yes, track_icmp yes -preprocessor stream5_tcp: bind_to any, policy windows -preprocessor stream5_tcp: bind_to any, policy linux -preprocessor stream5_tcp: bind_to any, policy vista -preprocessor stream5_tcp: bind_to any, policy macos -preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes -preprocessor stream5_udp -preprocessor stream5_icmp - -########################## - # -# NEW # -# Performance Statistics # - # -########################## - -preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000 - -################# - # -# HTTP Inspect # - # -################# - -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 - -preprocessor http_inspect_server: server default \ - ports { 80 8080 } \ - no_alerts \ - non_strict \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - flow_depth 0 \ - apache_whitespace yes \ - directory no \ - iis_backslash no \ - u_encode yes \ - ascii yes \ - chunk_length 500000 \ - bare_byte yes \ - double_decode yes \ - iis_unicode yes \ - iis_delimiter yes \ - multi_slash no - -################## - # -# Other preprocs # - # -################## - -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 -preprocessor bo - -##################### - # -# ftp preprocessor # - # -##################### - -preprocessor ftp_telnet: global \ -inspection_type stateless - -preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 - -preprocessor ftp_telnet_protocol: \ - ftp server default \ - def_max_param_len 100 \ - ports { 21 } \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -##################### - # -# SMTP preprocessor # - # -##################### - -preprocessor SMTP: \ - ports { 25 465 691 } \ - inspection_type stateful \ - normalize cmds \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - -################ - # -# sf Portscan # - # -################ - -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } - -############################ - # -# OLD # -# preprocessor dcerpc: \ # -# autodetect \ # -# max_frag_size 3000 \ # -# memcap 100000 # - # -############################ - -############### - # -# NEW # -# DCE/RPC 2 # - # -############### - -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 - -#################### - # -# DNS preprocessor # - # -#################### - -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow - -############################## - # -# NEW # -# Ignore SSL and Encryption # - # -############################## - -preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted - -##################### - # -# Snort Output Logs # - # -##################### - -$snortalertlogtype_type -$alertsystemlog_type -$tcpdumplog_type -$snortmysqllog_info_chk -$snortunifiedlog_type -$spoink_type - -################# - # -# Misc Includes # - # -################# - -include /usr/local/etc/snort/reference.config -include /usr/local/etc/snort/classification.config -include /usr/local/etc/snort/threshold.conf - -# Snort user pass through configuration -{$snort_config_pass_thru} - -################### - # -# Rules Selection # - # -################### - -{$selected_rules_sections} - -EOD; - conf_mount_ro(); - return $snort_conf_text; -} - -/* check downloaded text from snort.org to make sure that an error did not occur - * for example, if you are not a premium subscriber you can only download rules - * so often, etc. - */ -function check_for_common_errors($filename) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - $contents = file_get_contents($filename); - if(stristr($contents, "You don't have permission")) { - if(!$console_mode) { - update_all_status("An error occured while downloading {$filename}."); - hide_progress_bar_status(); - } else { - log_error("An error occured. Scroll down to inspect it's contents."); - echo "An error occured. Scroll down to inspect it's contents."; - } - if(!$console_mode) { - update_output_window(strip_tags("$contents")); - } else { - $contents = strip_tags($contents); - log_error("Error downloading snort rules: {$contents}"); - echo "Error downloading snort rules: {$contents}"; - } - scroll_down_to_bottom_of_page(); - exit; - } -} - -/* force browser to scroll all the way down */ -function scroll_down_to_bottom_of_page() { - global $snort_filename, $console_mode; - ob_flush(); - if(!$console_mode) - echo "\n<script type=\"text/javascript\">parent.scrollTo(0,1500);\n</script>"; -} - -/* ensure downloaded file looks sane */ -function verify_downloaded_file($filename) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(filesize($filename)<9500) { - if(!$console_mode) { - update_all_status("Checking {$filename}..."); - check_for_common_errors($filename); - } - } - update_all_status("Verifying {$filename}..."); - if(!file_exists($filename)) { - if(!$console_mode) { - update_all_status("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); - hide_progress_bar_status(); - } else { - log_error("Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."); - echo "Could not fetch snort rules ({$filename}). Check oinkid key and dns and try again."; - } - exit; - } - update_all_status("Verifyied {$filename}."); -} - -/* extract rules */ -function extract_snort_rules_md5($tmpfname) { - global $snort_filename, $snort_filename_md5, $console_mode; - ini_set("memory_limit","64M"); - conf_mount_rw(); - ob_flush(); - if(!$console_mode) { - $static_output = gettext("Extracting snort rules..."); - update_all_status($static_output); - } - if(!is_dir("/usr/local/etc/snort/rules/")) - mkdir("/usr/local/etc/snort/rules/"); - $cmd = "/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C /usr/local/etc/snort/ rules/"; - $handle = popen("{$cmd} 2>&1", 'r'); - while(!feof($handle)) { - $buffer = fgets($handle); - update_output_window($buffer); - } - pclose($handle); - - if(!$console_mode) { - $static_output = gettext("Snort rules extracted."); - update_all_status($static_output); - } else { - log_error("Snort rules extracted."); - echo "Snort rules extracted."; - } - conf_mount_ro(); -} - -/* verify MD5 against downloaded item */ -function verify_snort_rules_md5($tmpfname) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) { - $static_output = gettext("Verifying md5 signature..."); - update_all_status($static_output); - } - - $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; - $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; - if($md5 == $file_md5_ondisk) { - if(!$console_mode) { - $static_output = gettext("snort rules: md5 signature of rules mismatch."); - update_all_status($static_output); - hide_progress_bar_status(); - } else { - log_error("snort rules: md5 signature of rules mismatch."); - echo "snort rules: md5 signature of rules mismatch."; - } - exit; - } -} - -/* hide progress bar */ -function hide_progress_bar_status() { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) - echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>"; -} - -/* unhide progress bar */ -function unhide_progress_bar_status() { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) - echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>"; -} - -/* update both top and bottom text box during an operation */ -function update_all_status($status) { - global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); - if(!$console_mode) { - update_status($status); - update_output_window($status); - } -} - -/* obtain alert description for an ip address */ -function get_snort_alert($ip) { - global $snort_alert_file_split, $snort_config; - if(!file_exists("/var/log/snort/alert")) - return; - if(!$snort_config) - $snort_config = read_snort_config_cache(); - if($snort_config[$ip]) - return $snort_config[$ip]; - if(!$snort_alert_file_split) - $snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert")); - foreach($snort_alert_file_split as $fileline) { - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_title = $matches[2]; - if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[0]; - if($alert_ip == $ip) { - if(!$snort_config[$ip]) - $snort_config[$ip] = $alert_title; - return $alert_title; - } - } - return "n/a"; -} - -function make_clickable($buffer) { - global $config, $g; - /* if clickable urls is disabled, simply return buffer back to caller */ - $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - if(!$clickablalerteurls) - return $buffer; - $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])((ftp://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); - $buffer = eregi_replace("([a-z_-][a-z0-9\._-]*@[a-z0-9_-]+(\.[a-z0-9_-]+)+)","<a href=\"mailto:\\1\">\\1</a>", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])(www\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $buffer); - $buffer = eregi_replace("(^|[ \n\r\t])(ftp\.([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"ftp://\\2\" target=\"_blank\">\\2</a>", $buffer); - - return $buffer; -} - -function read_snort_config_cache() { - global $g, $config, $snort_config; - if($snort_config) - return $snort_config; - if(file_exists($g['tmp_path'] . '/snort_config.cache')) { - $snort_config = unserialize(file_get_contents($g['tmp_path'] . '/snort_config.cache')); - return $snort_config; - } - return; -} - -function write_snort_config_cache($snort_config) { - global $g, $config; - conf_mount_rw(); - $configcache = fopen($g['tmp_path'] . '/snort_config.cache', "w"); - if(!$configcache) { - log_error("Could not open {$g['tmp_path']}/snort_config.cache for writing."); - return false; - } - fwrite($configcache, serialize($snort_config)); - fclose($configcache); - conf_mount_ro(); - return true; -} - -function snort_advanced() { - global $g, $config; - sync_package_snort(); -} - -function snort_define_servers() { - global $g, $config; - sync_package_snort(); -} - -?> diff --git a/config/snort-old/snort.xml b/config/snort-old/snort.xml deleted file mode 100644 index 06cd521e..00000000 --- a/config/snort-old/snort.xml +++ /dev/null @@ -1,378 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (https://www.pfsense.org) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>Snort</name> - <version>2.8.4.1_5</version> - <title>Services: Snort 2.8.4.1_5 pkg v. 1.8</title> - <include_file>/usr/local/pkg/snort.inc</include_file> - <menu> - <name>Snort</name> - <tooltiptext>Setup snort specific settings</tooltiptext> - <section>Services</section> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - </menu> - <service> - <name>snort</name> - <rcfile>snort.sh</rcfile> - <executable>snort</executable> - <description>Snort is the most widely deployed IDS/IPS technology worldwide..</description> - </service> - <tabs> - <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - <active/> - </tab> - <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> - </tab> - <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> - </tab> - <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> - </tab> - <tab> - <text>Blocked</text> - <url>/snort_blocked.php</url> - </tab> - <tab> - <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> - </tab> - <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> - </tab> - </tabs> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/bin/barnyard2</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_download_rules.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_rules.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_rules_edit.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_rulesets.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_whitelist.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_blocked.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_check_for_rule_updates.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_alerts.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/pf/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_dynamic_ip_reload.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_advanced.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_define_servers.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/snort_threshold.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>https://packages.pfsense.org/packages/config/snort-old/pfsense_rules/local.rules</item> - </additional_files_needed> - <fields> - <field> - <fielddescr>Interface</fielddescr> - <fieldname>iface_array</fieldname> - <description>Select the interface(s) Snort will listen on.</description> - <type>interfaces_selection</type> - <size>3</size> - <value>lan</value> - <multiple>true</multiple> - </field> - <field> - <fielddescr>Memory Performance</fielddescr> - <fieldname>performance</fieldname> - <description>Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance.</description> - <type>select</type> - <options> - <option> - <name>ac-bnfa</name> - <value>ac-bnfa</value> - </option> - <option> - <name>lowmem</name> - <value>lowmem</value> - </option> - <option> - <name>ac-std</name> - <value>ac-std</value> - </option> - <option> - <name>ac</name> - <value>ac</value> - </option> - <option> - <name>ac-banded</name> - <value>ac-banded</value> - </option> - <option> - <name>ac-sparsebands</name> - <value>ac-sparsebands</value> - </option> - <option> - <name>acs</name> - <value>acs</value> - </option> - </options> - </field> - <field> - <fielddescr>Oinkmaster code</fielddescr> - <fieldname>oinkmastercode</fieldname> - <description>Obtain a snort.org Oinkmaster code and paste here.</description> - <type>input</type> - <size>60</size> - <value></value> - </field> - <field> - <fielddescr>Snort.org subscriber</fielddescr> - <fieldname>subscriber</fieldname> - <description>Check this box if you are a Snort.org subscriber (premium rules).</description> - <type>checkbox</type> - <size>60</size> - </field> - <field> - <fielddescr>Block offenders</fielddescr> - <fieldname>blockoffenders7</fieldname> - <description>Checking this option will automatically block hosts that generate a snort alert.</description> - <type>checkbox</type> - <size>60</size> - </field> - <field> - <fielddescr>Remove blocked hosts every</fielddescr> - <fieldname>rm_blocked</fieldname> - <description>Please select the amount of time hosts are blocked</description> - <type>select</type> - <options> - <option> - <name>never</name> - <value>never_b</value> - </option> - <option> - <name>1 hour</name> - <value>1h_b</value> - </option> - <option> - <name>3 hours</name> - <value>3h_b</value> - </option> - <option> - <name>6 hours</name> - <value>6h_b</value> - </option> - <option> - <name>12 hours</name> - <value>12h_b</value> - </option> - <option> - <name>1 day</name> - <value>1d_b</value> - </option> - <option> - <name>4 days</name> - <value>4d_b</value> - </option> - <option> - <name>7 days</name> - <value>7d_b</value> - </option> - <option> - <name>28 days</name> - <value>28d_b</value> - </option> - </options> - </field> - <field> - </field> - <field> - <fielddescr>Update rules automatically</fielddescr> - <fieldname>autorulesupdate7</fieldname> - <description>Please select the update times for rules.</description> - <type>select</type> - <options> - <option> - <name>never</name> - <value>never_up</value> - </option> - <option> - <name>6 hours</name> - <value>6h_up</value> - </option> - <option> - <name>12 hours</name> - <value>12h_up</value> - </option> - <option> - <name>1 day</name> - <value>1d_up</value> - </option> - <option> - <name>4 days</name> - <value>4d_up</value> - </option> - <option> - <name>7 days</name> - <value>7d_up</value> - </option> - <option> - <name>28 days</name> - <value>28d_up</value> - </option> - </options> - </field> - <field> - <fielddescr>Whitelist VPNs automatically</fielddescr> - <fieldname>whitelistvpns</fieldname> - <description>Checking this option will install whitelists for all VPNs.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Convert Snort alerts urls to clickable links</fielddescr> - <fieldname>clickablalerteurls</fieldname> - <description>Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Associate events on Blocked tab</fielddescr> - <fieldname>associatealertip</fieldname> - <description>Checking this option will automatically associate the blocked reason from the snort alerts file.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Install emergingthreats rules.</fielddescr> - <fieldname>emergingthreats</fieldname> - <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description> - <type>checkbox</type> - </field> - </fields> - <custom_php_resync_config_command> - sync_package_snort(); - </custom_php_resync_config_command> - <custom_add_php_command> - </custom_add_php_command> - <custom_php_install_command> - sync_package_snort_reinstall(); - </custom_php_install_command> - <custom_php_deinstall_command> - snort_deinstall(); - </custom_php_deinstall_command> -</packagegui> diff --git a/config/snort-old/snort_advanced.xml b/config/snort-old/snort_advanced.xml deleted file mode 100644 index 1fdddda2..00000000 --- a/config/snort-old/snort_advanced.xml +++ /dev/null @@ -1,196 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>SnortAdvanced</name> - <version>none</version> - <title>Services: Snort Advanced</title> - <include_file>/usr/local/pkg/snort.inc</include_file> - <tabs> - <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - </tab> - <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> - </tab> - <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> - </tab> - <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> - </tab> - <tab> - <text>Blocked</text> - <url>/snort_blocked.php</url> - </tab> - <tab> - <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> - </tab> - <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> - <active/> - </tab> - </tabs> - <fields> - <field> - <fielddescr>BPF Buffer size</fielddescr> - <fieldname>bpfbufsize</fieldname> - <description>Changing this option adjusts the system BPF buffer size. Leave blank if you do not know what this does. Default is 1024.</description> - <type>input</type> - </field> - <field> - <fielddescr>Maximum BPF buffer size</fielddescr> - <fieldname>bpfmaxbufsize</fieldname> - <description>Changing this option adjusts the system maximum BPF buffer size. Leave blank if you do not know what this does. Default is 524288. This value should never be set above hardware cache size. The best (optimal size) is 50% - 80% of the hardware cache size.</description> - <type>input</type> - </field> - <field> - <fielddescr>Maximum BPF inserts</fielddescr> - <fieldname>bpfmaxinsns</fieldname> - <description>Changing this option adjusts the system maximum BPF insert size. Leave blank if you do not know what this does. Default is 512.</description> - <type>input</type> - </field> - <field> - <fielddescr>Advanced configuration pass through</fielddescr> - <fieldname>configpassthru</fieldname> - <description>Add items to here will be automatically inserted into the running snort configuration</description> - <type>textarea</type> - <cols>40</cols> - <rows>5</rows> - </field> - <field> - <fielddescr>Snort signature info files.</fielddescr> - <fieldname>signatureinfo</fieldname> - <description>Snort signature info files will be installed during updates. At leats 500 mb of memory is needed.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Alerts Tab logging type.</fielddescr> - <fieldname>snortalertlogtype</fieldname> - <description>Please choose the type of Alert logging you will like see in the Alerts Tab. The options are Full descriptions or Fast short descriptions</description> - <type>select</type> - <options> - <option> - <name>fast</name> - <value>fast</value> - </option> - <option> - <name>full</name> - <value>full</value> - </option> - </options> - </field> - <field> - <fielddescr>Send alerts to main System logs.</fielddescr> - <fieldname>alertsystemlog</fieldname> - <description>Snort will send Alerts to the Pfsense system logs.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Log to a Tcpdump file.</fielddescr> - <fieldname>tcpdumplog</fieldname> - <description>Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by a wireshark type of application. WARNING: File may become large.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Enable Barnyard2.</fielddescr> - <fieldname>snortbarnyardlog</fieldname> - <description>This will enable barnyard2 in the snort package. You will also have to set the database credentials.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Barnyard2 Log Mysql Database.</fielddescr> - <fieldname>snortbarnyardlog_database</fieldname> - <description>Example: output database: log, mysql, dbname=snort user=snort host=localhost password=xyz</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Barnyard2 Configure Hostname ID.</fielddescr> - <fieldname>snortbarnyardlog_hostname</fieldname> - <description>Example: pfsense.local</description> - <type>input</type> - <size>25</size> - <value></value> - </field> - <field> - <fielddescr>Barnyard2 Configure Interface ID</fielddescr> - <fieldname>snortbarnyardlog_interface</fieldname> - <description>Example: vr0</description> - <type>input</type> - <size>25</size> - <value></value> - </field> - <field> - <fielddescr>Log Alerts to a snort unified2 file.</fielddescr> - <fieldname>snortunifiedlog</fieldname> - <description>Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2.</description> - <type>checkbox</type> - </field> - </fields> - <custom_php_deinstall_command> - snort_advanced(); - </custom_php_deinstall_command> -</packagegui> diff --git a/config/snort-old/snort_alerts.php b/config/snort-old/snort_alerts.php deleted file mode 100644 index e67b9b5f..00000000 --- a/config/snort-old/snort_alerts.php +++ /dev/null @@ -1,124 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_alerts.php - part of pfSense - - Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. - Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("globals.inc"); -require("guiconfig.inc"); -require("/usr/local/pkg/snort.inc"); - -$snort_logfile = "{$g['varlog_path']}/snort/alert"; - -$nentries = $config['syslog']['nentries']; -if (!$nentries) - $nentries = 50; - -if ($_POST['clear']) { - exec("killall syslogd"); - conf_mount_rw(); - exec("rm {$snort_logfile}; touch {$snort_logfile}"); - conf_mount_ro(); - system_syslogd_start(); - exec("/usr/bin/killall -HUP snort"); - exec("/usr/bin/killall snort2c"); - if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') - exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); -} - -$pgtitle = "Services: Snort: Snort Alerts"; -include("head.inc"); - -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td></tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td colspan="2" class="listtopic"> - Last <?=$nentries;?> Snort Alert entries</td> - </tr> - <?php dump_log_file($snort_logfile, $nentries); ?> - <tr><td><br><form action="snort_alerts.php" method="post"> - <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr> - </table> - </div> - </form> - </td> - </tr> -</table> -<?php include("fend.inc"); ?> -<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>"> -</body> -</html> -<!-- <?php echo $snort_logfile; ?> --> - -<?php - -function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") { - global $g, $config; - $logarr = ""; - exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr); - foreach ($logarr as $logent) { - if(!logent) - continue; - $ww_logent = $logent; - $ww_logent = str_replace("[", " [ ", $ww_logent); - $ww_logent = str_replace("]", " ] ", $ww_logent); - echo "<tr valign=\"top\">\n"; - echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . " </td>\n"; - echo "</tr>\n"; - } -} - -?>
\ No newline at end of file diff --git a/config/snort-old/snort_blocked.php b/config/snort-old/snort_blocked.php deleted file mode 100644 index ff158853..00000000 --- a/config/snort-old/snort_blocked.php +++ /dev/null @@ -1,174 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_blocked.php - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("guiconfig.inc"); -require("/usr/local/pkg/snort.inc"); - -if($_POST['todelete'] or $_GET['todelete']) { - if($_POST['todelete']) - $ip = $_POST['todelete']; - if($_GET['todelete']) - $ip = $_GET['todelete']; - exec("/sbin/pfctl -t snort2c -T delete {$ip}"); -} - -$pgtitle = "Snort: Snort Blocked"; -include("head.inc"); - -?> - -<body link="#000000" vlink="#000000" alink="#000000"> -<?php include("fbegin.inc"); ?> - -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> - -<form action="snort_rulesets.php" method="post" name="iform" id="iform"> -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">Remove</td> - <td class="listhdrr">IP</td> - <td class="listhdrr">Alert Description</td> - </tr> -<?php - - $associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip']; - $ips = `/sbin/pfctl -t snort2c -T show`; - $ips_array = split("\n", $ips); - $counter = 0; - foreach($ips_array as $ip) { - if(!$ip) - continue; - $ww_ip = str_replace(" ", "", $ip); - $counter++; - if($associatealertip) - $alert_description = get_snort_alert($ww_ip); - else - $alert_description = ""; - echo "\n<tr>"; - echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>"; - echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>"; - echo "\n<td> {$ww_ip}</td>"; - echo "\n<td> {$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>"; - echo "\n</tr>"; - } - echo "\n<tr><td colspan='3'> </td></tr>"; - if($counter < 1) - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>"; - else - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; - -?> - - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> - -</form> - -<p> - -<?php - -$blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($blockedtab_msg_chk == "1h_b") { - $blocked_msg = "hour"; - } - if ($blockedtab_msg_chk == "3h_b") { - $blocked_msg = "3 hours"; - } - if ($blockedtab_msg_chk == "6h_b") { - $blocked_msg = "6 hours"; - } - if ($blockedtab_msg_chk == "12h_b") { - $blocked_msg = "12 hours"; - } - if ($blockedtab_msg_chk == "1d_b") { - $blocked_msg = "day"; - } - if ($blockedtab_msg_chk == "4d_b") { - $blocked_msg = "4 days"; - } - if ($blockedtab_msg_chk == "7d_b") { - $blocked_msg = "7 days"; - } - if ($blockedtab_msg_chk == "28d_b") { - $blocked_msg = "28 days"; - } - -echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every $blocked_msg."; - -?> - -<?php include("fend.inc"); ?> - -</body> -</html> - -<?php - -/* write out snort cache */ -write_snort_config_cache($snort_config); - -?>
\ No newline at end of file diff --git a/config/snort-old/snort_check_for_rule_updates.php b/config/snort-old/snort_check_for_rule_updates.php deleted file mode 100644 index f6ebfd3a..00000000 --- a/config/snort-old/snort_check_for_rule_updates.php +++ /dev/null @@ -1,634 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_rulesets.php - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -/* Setup enviroment */ -$tmpfname = "/root/snort_rules_up"; -$snortdir = "/usr/local/etc/snort_bkup"; -$snortdir_wan = "/usr/local/etc/snort"; -$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; -$snort_filename = "snortrules-snapshot-2.8.tar.gz"; -$emergingthreats_filename_md5 = "version.txt"; -$emergingthreats_filename = "emerging.rules.tar.gz"; -$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; -$pfsense_rules_filename = "pfsense_rules.tar.gz"; - -require("/usr/local/pkg/snort.inc"); -require_once("config.inc"); - -?> - - -<?php - -$up_date_time = date('l jS \of F Y h:i:s A'); -echo ""; -echo "#########################"; -echo "$up_date_time"; -echo "#########################"; -echo ""; - -/* Begin main code */ -/* Set user agent to Mozilla */ -ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); -ini_set("memory_limit","125M"); - -/* send current buffer */ -ob_flush(); - -/* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - -/* if missing oinkid exit */ -if(!$oinkid) { - echo "Please add you oink code\n"; - exit; -} - -/* premium_subscriber check */ -//unset($config['installedpackages']['snort']['config'][0]['subscriber']); -//write_config(); // Will cause switch back to read-only on nanobsd -//conf_mount_rw(); // Uncomment this if the previous line is uncommented -$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; - -if ($premium_subscriber_chk === on) { - $premium_subscriber = "_s"; -}else{ - $premium_subscriber = ""; -} - -$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_url_chk === on) { - $premium_url = "sub-rules"; -}else{ - $premium_url = "reg-rules"; -} - -/* send current buffer */ -ob_flush(); - -conf_mount_rw(); -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - exec("/bin/rm -r {$tmpfname}"); - apc_clear_cache(); -} - -/* send current buffer */ -ob_flush(); - -/* If tmp dir does not exist create it */ -if (file_exists($tmpfname)) { - echo "The directory tmp exists...\n"; -} else { - mkdir("{$tmpfname}", 700); -} - -/* download md5 sig from snort.org */ -if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - echo "md5 temp file exists...\n"; -} else { - echo "Downloading md5 file...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); - $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done. downloading md5\n"; -} - -/* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { - echo "Downloading md5 file...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $f = fopen("{$tmpfname}/version.txt", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done. downloading md5\n"; -} - -/* download md5 sig from pfsense.org */ -if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - echo "md5 temp file exists...\n"; -} else { - echo "Downloading pfsense md5 file...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("https://packages.pfsense.org/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); - $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done. downloading md5\n"; -} - -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; - -/* If md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ - echo "Please wait... You may only check for New Rules every 15 minutes...\n"; - echo "Rules are released every month from snort.org. You may download the Rules at any time.\n"; - exit(0); -} - -/* If emergingthreats md5 file is empty wait 15min exit not needed */ - -/* If pfsense md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ - echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n"; - echo "Rules are released to support Pfsense packages.\n"; - exit(0); -} - -/* Check if were up to date snort.org */ -if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ -$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($md5_check_new == $md5_check_old) { - echo "Your rules are up to date...\n"; - echo "You may start Snort now, check update.\n"; - $snort_md5_check_ok = on; - } -} - -/* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { -if (file_exists("{$snortdir}/version.txt")){ -$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); -$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); -$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($emerg_md5_check_new == $emerg_md5_check_old) { - echo "Your emergingthreats rules are up to date...\n"; - echo "You may start Snort now, check update.\n"; - $emerg_md5_check_chk_ok = on; - } - } -} - -/* Check if were up to date pfsense.org */ -if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ -$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -if ($pfsense_md5_check_new == $pfsense_md5_check_old) { - $pfsense_md5_check_ok = on; - } -} - -/* Make Clean Snort Directory emergingthreats not checked */ -if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Cleaning the snort Directory...\n"; - echo "removing...\n"; - exec("/bin/rm {$snortdir}/rules/emerging*\n"); - exec("/bin/rm {$snortdir}/version.txt"); - echo "Done making cleaning emrg direcory.\n"; -} - -/* Check if were up to date exits */ -if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - echo "Your rules are up to date...\n"; - echo "You may start Snort now...\n"; - exit(0); -} - -if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Your rules are up to date...\n"; - echo "You may start Snort now...\n"; - exit(0); -} - -/* You are Not Up to date, always stop snort when updating rules for low end machines */; -echo "You are NOT up to date...\n"; -echo "Stopping Snort service...\n"; -$chk_if_snort_up = exec("pgrep -x snort"); -if ($chk_if_snort_up != "") { - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - stop_service("snort"); - sleep(2); -} - -/* download snortrules file */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - echo "Snortrule tar file exists...\n"; -} else { - - echo "There is a new set of Snort rules posted. Downloading...\n"; - echo "May take 4 to 10 min...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz"); - $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done downloading rules file.\n"; - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - echo "Error with the snort rules download...\n"; - echo "Snort rules file downloaded failed...\n"; - exit(0); - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - echo "Emergingthreats tar file exists...\n"; -} else { - echo "There is a new set of Emergingthreats rules posted. Downloading...\n"; - echo "May take 4 to 10 min...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); -// $image = @file_get_contents("http://www.emergingthreats.net/rules/emerging.rules.tar.gz"); - $f = fopen("{$tmpfname}/emerging.rules.tar.gz", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done downloading Emergingthreats rules file.\n"; - } - } - } - -/* download pfsense rules file */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - echo "Snortrule tar file exists...\n"; -} else { - - echo "There is a new set of Pfsense rules posted. Downloading...\n"; - echo "May take 4 to 10 min...\n"; - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("https://packages.pfsense.org/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz"); - $f = fopen("{$tmpfname}/pfsense_rules.tar.gz", 'w'); - fwrite($f, $image); - fclose($f); - echo "Done downloading rules file.\n"; - } -} - -/* Untar snort rules file individually to help people with low system specs */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - echo "Extracting rules...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); - echo "Done extracting Rules.\n"; -} else { - echo "The Download rules file missing...\n"; - echo "Error rules extracting failed...\n"; - exit(0); - } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - echo "Extracting rules...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - echo "Extracting Pfsense rules...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { - echo "Extracting Signatures...\n"; - echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - echo "Done extracting Signatures.\n"; - } - } -} - -/* Make Clean Snort Directory */ -//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { -//if (file_exists("{$snortdir}/rules")) { -// echo "Cleaning the snort Directory...\n"; -// echo "removing...\n"; -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/mkdir -p {$snortdir}/signatures"); -// exec("/bin/rm {$snortdir}/*"); -// exec("/bin/rm {$snortdir}/rules/*"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); -//} else { -// echo "Making Snort Directory...\n"; -// echo "should be fast...\n"; -// exec("/bin/mkdir {$snortdir}"); -// exec("/bin/mkdir {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/\*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// echo "Done making snort direcory.\n"; -// } -//} - -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - echo "Copying so_rules...\n"; - echo "May take a while...\n"; - sleep(2); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - echo "Done copying so_rules.\n"; -} else { - echo "Directory so_rules does not exist...\n"; - echo "Error copping so_rules...\n"; - exit(0); - } -} - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort_bkup/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's threshold.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's threshold.conf file */ - fclose($oinkmasterlist); - -} - -/* Copy configs to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/etc/Makefile.am")) { - echo "Copying configs to snort directory...\n"; - exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); - exec("/bin/rm -r {$snortdir}/etc"); -} else { - echo "The snort configs does not exist...\n"; - echo "Error copping config...\n"; - exit(0); - } -} - -/* Copy md5 sig to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$snort_filename_md5")) { - echo "Copying md5 sig to snort directory...\n"; - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); -} else { - echo "The md5 file does not exist...\n"; - echo "Error copping config...\n"; - exit(0); - } -} - -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - echo "Copying md5 sig to snort directory...\n"; - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); -} else { - echo "The emergingthreats md5 file does not exist...\n"; - echo "Error copping config...\n"; - exit(0); - } - } -} - -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - echo "Copying Pfsense md5 sig to snort directory...\n"; - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); -} else { - echo "The Pfsense md5 file does not exist...\n"; - echo "Error copping config...\n"; - exit(0); - } -} - -/* Copy signatures dir to snort dir */ -if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { -if (file_exists("{$snortdir}/doc/signatures")) { - echo "Copying signatures...\n"; - echo "May take a while...\n"; - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - echo "Done copying signatures.\n"; -} else { - echo "Directory signatures exist...\n"; - echo "Error copping signature...\n"; - exit(0); - } - } -} - -/* double make shure clean up emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); -} - -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} - -echo "Updating Alert Messages...\n"; -echo "Please Wait...\n"; -sleep(2); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); - -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { -echo "Your first set of rules are being copied...\n"; -echo "May take a while...\n"; - - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - -} else { - echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; - echo "May take a while...\n"; - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - - /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - - } -} - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - echo "Cleaning up...\n"; - exec("/bin/rm -r /root/snort_rules_up"); -} - -/* php code to flush out cache some people are reportting missing files this might help */ -sleep(5); -apc_clear_cache(); -exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - -/* if snort is running hardrestart, if snort is not running do nothing */ -if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); - echo "The Rules update finished...\n"; - echo "Snort has restarted with your new set of rules...\n"; - exec("/bin/rm /tmp/snort_download_halt.pid"); -} else { - echo "The Rules update finished...\n"; - echo "You may start snort now...\n"; -} -conf_mount_ro(); - -?> diff --git a/config/snort-old/snort_define_servers.xml b/config/snort-old/snort_define_servers.xml deleted file mode 100644 index 7df880d0..00000000 --- a/config/snort-old/snort_define_servers.xml +++ /dev/null @@ -1,364 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>SnortDefServers</name> - <version>none</version> - <title>Services: Snort Define Servers</title> - <include_file>/usr/local/pkg/snort.inc</include_file> - <tabs> - <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - </tab> - <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> - </tab> - <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> - </tab> - <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> - <active/> - </tab> - <tab> - <text>Blocked</text> - <url>/snort_blocked.php</url> - </tab> - <tab> - <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> - </tab> - <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> - </tab> - </tabs> - <fields> - <field> - <fielddescr>Define DNS_SERVERS</fielddescr> - <fieldname>def_dns_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define DNS_PORTS</fielddescr> - <fieldname>def_dns_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 53.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define SMTP_SERVERS</fielddescr> - <fieldname>def_smtp_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define SMTP_PORTS</fielddescr> - <fieldname>def_smtp_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define Mail_Ports</fielddescr> - <fieldname>def_mail_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,143,465,691.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define HTTP_SERVERS</fielddescr> - <fieldname>def_http_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define WWW_SERVERS</fielddescr> - <fieldname>def_www_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define HTTP_PORTS</fielddescr> - <fieldname>def_http_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 80.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define SQL_SERVERS</fielddescr> - <fieldname>def_sql_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define ORACLE_PORTS</fielddescr> - <fieldname>def_oracle_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1521.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define MSSQL_PORTS</fielddescr> - <fieldname>def_mssql_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 1433.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define TELNET_SERVERS</fielddescr> - <fieldname>def_telnet_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define TELNET_PORTS</fielddescr> - <fieldname>def_telnet_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 23.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define SNMP_SERVERS</fielddescr> - <fieldname>def_snmp_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define SNMP_PORTS</fielddescr> - <fieldname>def_snmp_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 161.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define FTP_SERVERS</fielddescr> - <fieldname>def_ftp_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define FTP_PORTS</fielddescr> - <fieldname>def_ftp_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 21.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define SSH_SERVERS</fielddescr> - <fieldname>def_ssh_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define SSH_PORTS</fielddescr> - <fieldname>def_ssh_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is Pfsense SSH port.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define POP_SERVERS</fielddescr> - <fieldname>def_pop_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define POP2_PORTS</fielddescr> - <fieldname>def_pop2_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 109.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define POP3_PORTS</fielddescr> - <fieldname>def_pop3_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 110.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define IMAP_SERVERS</fielddescr> - <fieldname>def_imap_servers</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define IMAP_PORTS</fielddescr> - <fieldname>def_imap_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 143.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define SIP_PROXY_IP</fielddescr> - <fieldname>def_sip_proxy_ip</fieldname> - <description>Example: "192.168.1.3/24,192.168.1.4/24". Leave blank to scan all networks.</description> - <type>input</type> - <size>101</size> - <value></value> - </field> - <field> - <fielddescr>Define SIP_PROXY_PORTS</fielddescr> - <fieldname>def_sip_proxy_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 5060:5090,16384:32768.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define AUTH_PORTS</fielddescr> - <fieldname>def_auth_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 113.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define FINGER_PORTS</fielddescr> - <fieldname>def_finger_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 79.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define IRC_PORTS</fielddescr> - <fieldname>def_irc_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 6665,6666,6667,6668,6669,7000.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define NNTP_PORTS</fielddescr> - <fieldname>def_nntp_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 119.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define RLOGIN_PORTS</fielddescr> - <fieldname>def_rlogin_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 513.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define RSH_PORTS</fielddescr> - <fieldname>def_rsh_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 514.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - <field> - <fielddescr>Define SSL_PORTS</fielddescr> - <fieldname>def_ssl_ports</fieldname> - <description>Example: Specific ports "25,443" or All ports betwen "5060:5090 . Default is 25,443,465,636,993,995.</description> - <type>input</type> - <size>43</size> - <value></value> - </field> - </fields> - <custom_php_deinstall_command> - snort_define_servers(); - </custom_php_deinstall_command> -</packagegui> diff --git a/config/snort-old/snort_download_rules.php b/config/snort-old/snort_download_rules.php deleted file mode 100644 index a559bad2..00000000 --- a/config/snort-old/snort_download_rules.php +++ /dev/null @@ -1,790 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_rulesets.php - Copyright (C) 2006 Scott Ullrich and Robert Zelaya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -/* Setup enviroment */ -$tmpfname = "/root/snort_rules_up"; -$snortdir = "/usr/local/etc/snort_bkup"; -$snortdir_wan = "/usr/local/etc/snort"; -$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; -$snort_filename = "snortrules-snapshot-2.8.tar.gz"; -$emergingthreats_filename_md5 = "version.txt"; -$emergingthreats_filename = "emerging.rules.tar.gz"; -$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; -$pfsense_rules_filename = "pfsense_rules.tar.gz"; - -require_once("guiconfig.inc"); -require_once("functions.inc"); -require_once("service-utils.inc"); -require("/usr/local/pkg/snort.inc"); - -$pgtitle = "Services: Snort: Update Rules"; - -include("/usr/local/www/head.inc"); - -?> - -<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php include("/usr/local/www/fbegin.inc"); ?> - -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> - -<form action="snort_download_rules.php" method="post"> -<div id="inputerrors"></div> - -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), true, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td align="center" valign="top"> - <!-- progress bar --> - <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> - <tr> - <td> - <img border='0' src='./themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> - </td> - </tr> - </table> - <br /> - <!-- status box --> - <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> - <?=gettext("Initializing...");?> - </textarea> - <!-- command output box --> - <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> - </textarea> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> - -<?php include("fend.inc");?> - -<?php - - -/* Begin main code */ -/* Set user agent to Mozilla */ -ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); -ini_set("memory_limit","125M"); - -/* send current buffer */ -ob_flush(); - -/* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - -/* if missing oinkid exit */ -if(!$oinkid) { - $static_output = gettext("You must obtain an oinkid from snort.org and set its value in the Snort settings tab."); - update_all_status($static_output); - hide_progress_bar_status(); - exit; -} - -/* premium_subscriber check */ -//unset($config['installedpackages']['snort']['config'][0]['subscriber']); -//write_config(); // Will cause switch back to read-only on nanobsd -//conf_mount_rw(); // Uncomment this if the previous line is uncommented - -$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; - -if ($premium_subscriber_chk === on) { - $premium_subscriber = "_s"; -}else{ - $premium_subscriber = ""; -} - -$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_url_chk === on) { - $premium_url = "sub-rules"; -}else{ - $premium_url = "reg-rules"; -} - -/* hide progress bar */ -hide_progress_bar_status(); - -/* send current buffer */ -ob_flush(); - -conf_mount_rw(); - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - update_status(gettext("Removing old tmp files...")); - exec("/bin/rm -r {$tmpfname}"); - apc_clear_cache(); -} - -/* Make shure snortdir exits */ -exec("/bin/mkdir -p {$snortdir}"); -exec("/bin/mkdir -p {$snortdir}/rules"); -exec("/bin/mkdir -p {$snortdir}/signatures"); - -/* send current buffer */ -ob_flush(); - -/* If tmp dir does not exist create it */ -if (file_exists($tmpfname)) { - update_status(gettext("The directory tmp exists...")); -} else { - mkdir("{$tmpfname}", 700); -} - -/* unhide progress bar and lets end this party */ -unhide_progress_bar_status(); - -/* download md5 sig from snort.org */ -if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("md5 temp file exists...")); -} else { - update_status(gettext("Downloading md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); - $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done. downloading md5")); -} - -/* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { - update_status(gettext("Downloading md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $f = fopen("{$tmpfname}/version.txt", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done. downloading md5")); -} - -/* download md5 sig from pfsense.org */ -if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - update_status(gettext("md5 temp file exists...")); -} else { - update_status(gettext("Downloading pfsense md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("https://packages.pfsense.org/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); - $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done. downloading md5")); -} - -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; - -/* If md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; - echo "\n\n</body>\n</html>\n"; - exit(0); -} - -/* If emergingthreats md5 file is empty wait 15min exit not needed */ - -/* If pfsense md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ - update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); - update_output_window(gettext("Rules are released to support Pfsense packages.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; - echo "\n\n</body>\n</html>\n"; - exit(0); -} - -/* Check if were up to date snort.org */ -if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ -$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($md5_check_new == $md5_check_old) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - /* Timestamps to html */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; -// echo "P is this code {$premium_subscriber}"; - echo "\n\n</body>\n</html>\n"; - $snort_md5_check_ok = on; - } -} - -/* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { -if (file_exists("{$snortdir}/version.txt")){ -$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); -$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); -$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Your emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - $emerg_md5_check_chk_ok = on; - } - } -} - -/* Check if were up to date pfsense.org */ -if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ -$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -if ($pfsense_md5_check_new == $pfsense_md5_check_old) { - $pfsense_md5_check_ok = on; - } -} - -/* Make Clean Snort Directory emergingthreats not checked */ -if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Cleaning the snort Directory...")); - update_output_window(gettext("removing...")); - exec("/bin/rm {$snortdir}/rules/emerging*"); - exec("/bin/rm {$snortdir}/version.txt"); - exec("/bin/rm {$snortdir_wan}/rules/emerging*"); - exec("/bin/rm {$snortdir_wan}/version.txt"); - update_status(gettext("Done making cleaning emrg direcory.")); -} - -/* Check if were up to date exits */ -if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); -} - -if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); -} - -/* You are Not Up to date, always stop snort when updating rules for low end machines */; -update_status(gettext("You are NOT up to date...")); -update_output_window(gettext("Stopping Snort service...")); -$chk_if_snort_up = exec("pgrep -x snort"); -if ($chk_if_snort_up != "") { - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - stop_service("snort"); - sleep(2); -} - -/* download snortrules file */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Snort rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - update_output_window(gettext("Snort rules file downloaded failed...")); - exit(0); - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Emergingthreats tar file exists...")); -} else { - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading Emergingthreats rules file.")); - } - } - } - -/* download pfsense rules file */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - download_file_with_progress_bar("https://packages.pfsense.org/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - } -} - -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -/* Untar snort rules file individually to help people with low system specs */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); - update_status(gettext("Done extracting Rules.")); -} else { - update_status(gettext("The Download rules file missing...")); - update_output_window(gettext("Error rules extracting failed...")); - exit(0); - } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Extracting Pfsense rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { - update_status(gettext("Extracting Signatures...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - } - } -} - -/* Make Clean Snort Directory */ -//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { -//if (file_exists("{$snortdir}/rules")) { -// update_status(gettext("Cleaning the snort Directory...")); -// update_output_window(gettext("removing...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/mkdir -p {$snortdir}/signatures"); -// exec("/bin/rm {$snortdir}/*"); -// exec("/bin/rm {$snortdir}/rules/*"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); - -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); -//} else { -// update_status(gettext("Making Snort Directory...")); -// update_output_window(gettext("should be fast...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// update_status(gettext("Done making snort direcory.")); -// } -//} - -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - update_status(gettext("Copying so_rules...")); - update_output_window(gettext("May take a while...")); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - update_status(gettext("Done copying so_rules.")); -} else { - update_status(gettext("Directory so_rules does not exist...")); - update_output_window(gettext("Error copying so_rules...")); - exit(0); - } -} - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort_bkup/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's threshold.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's threshold.conf file */ - fclose($oinkmasterlist); - -} - -/* Copy configs to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/etc/Makefile.am")) { - update_status(gettext("Copying configs to snort directory...")); - exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); - exec("/bin/rm -r {$snortdir}/etc"); - -} else { - update_status(gettext("The snort config does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} - -/* Copy md5 sig to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$snort_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); -} else { - update_status(gettext("The md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} - -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); -} else { - update_status(gettext("The emergingthreats md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } - } -} - -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - update_status(gettext("Copying Pfsense md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); -} else { - update_status(gettext("The Pfsense md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} - -/* Copy signatures dir to snort dir */ -if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { -if (file_exists("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - update_status(gettext("Done copying signatures.")); -} else { - update_status(gettext("Directory signatures exist...")); - update_output_window(gettext("Error copying signature...")); - exit(0); - } - } -} - -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); -} - -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} - -/* create a msg-map for snort */ -update_status(gettext("Updating Alert Messages...")); -update_output_window(gettext("Please Wait...")); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); - -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { - update_status(gettext("Your first set of rules are being copied...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - -} else { - update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - - /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - - - } -} - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /root/snort_rules_up"); -// apc_clear_cache(); -} - -/* php code to flush out cache some people are reportting missing files this might help */ -sleep(2); -apc_clear_cache(); -exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - -/* if snort is running hardrestart, if snort is not running do nothing */ -if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - exec("/bin/rm /tmp/snort_download_halt.pid"); -} else { - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("You may start snort now...")); -} - -/* hide progress bar and lets end this party */ -hide_progress_bar_status(); -conf_mount_ro(); -?> - -<?php - -function read_body_firmware($ch, $string) { - global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; - $length = strlen($string); - $downloaded += intval($length); - $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); - $downloadProgress = 100 - $downloadProgress; - $a = $file_size; - $b = $downloaded; - $c = $downloadProgress; - $text = " Snort download in progress\\n"; - $text .= "----------------------------------------------------\\n"; - $text .= " Downloaded : {$b}\\n"; - $text .= "----------------------------------------------------\\n"; - $counter++; - if($counter > 150) { - update_output_window($text); - update_progress_bar($downloadProgress); - flush(); - $counter = 0; - } - conf_mount_rw(); - fwrite($fout, $string); - conf_mount_ro(); - return $length; -} - -?> - -</body> -</html> diff --git a/config/snort-old/snort_dynamic_ip_reload.php b/config/snort-old/snort_dynamic_ip_reload.php deleted file mode 100644 index 0fad085b..00000000 --- a/config/snort-old/snort_dynamic_ip_reload.php +++ /dev/null @@ -1,49 +0,0 @@ -<?php - -/* $Id$ */ -/* - snort_dynamic_ip_reload.php - Copyright (C) 2006 Scott Ullrich and Robert Zeleya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -/* NOTE: this file gets included from the pfSense filter.inc plugin process */ -/* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ - -require_once("/usr/local/pkg/snort.inc"); -require_once("service-utils.inc"); -require_once("config.inc"); - - -if($config['interfaces']['wan']['ipaddr'] == "pppoe" or - $config['interfaces']['wan']['ipaddr'] == "dhcp") { - create_snort_conf(); - exec("killall -HUP snort"); - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; - if ($snortbarnyardlog_info_chk == on) - exec("killall -HUP barnyard2"); -} - -?>
\ No newline at end of file diff --git a/config/snort-old/snort_rules.php b/config/snort-old/snort_rules.php deleted file mode 100644 index 94c99f0e..00000000 --- a/config/snort-old/snort_rules.php +++ /dev/null @@ -1,626 +0,0 @@ -<?php -/* $Id$ */ -/* - edit_snortrule.php - Copyright (C) 2004, 2005 Scott Ullrich and Rober Zelaya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ -require("guiconfig.inc"); -require("config.inc"); - -if(!is_dir("/usr/local/etc/snort/rules")) { - conf_mount_rw(); - exec('mkdir /usr/local/etc/snort/rules/'); - conf_mount_ro(); -} - -/* Check if the rules dir is empy if so warn the user */ -/* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); -if ($isrulesfolderempty == "") { - -include("head.inc"); -include("fbegin.inc"); - -echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; - -echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n -<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n -<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n"; - - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); - -echo "</td>\n - </tr>\n - <tr>\n - <td>\n - <div id=\"mainarea\">\n - <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n -# The rules directory is empty.\n - </td>\n - </tr>\n - </table>\n - </div>\n - </td>\n - </tr>\n -</table>\n -\n -</form>\n -\n -<p>\n\n"; - -echo "Please click on the Update Rules tab to install your selected rule sets."; -include("fend.inc"); - -echo "</body>"; -echo "</html>"; - -exit(0); - -} - -function get_middle($source, $beginning, $ending, $init_pos) { - $beginning_pos = strpos($source, $beginning, $init_pos); - $middle_pos = $beginning_pos + strlen($beginning); - $ending_pos = strpos($source, $ending, $beginning_pos); - $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); - return $middle; -} - -function write_rule_file($content_changed, $received_file) -{ - conf_mount_rw(); - - //read snort file with writing enabled - $filehandle = fopen($received_file, "w"); - - //delimiter for each new rule is a new line - $delimiter = "\n"; - - //implode the array back into a string for writing purposes - $fullfile = implode($delimiter, $content_changed); - - //write data to file - fwrite($filehandle, $fullfile); - - //close file handle - fclose($filehandle); - - conf_mount_rw(); -} - -function load_rule_file($incoming_file) -{ - - //read snort file - $filehandle = fopen($incoming_file, "r"); - - //read file into string, and get filesize - $contents = fread($filehandle, filesize($incoming_file)); - - //close handler - fclose ($filehandle); - - //string for populating category select - $currentruleset = substr($file, 27); - - //delimiter for each new rule is a new line - $delimiter = "\n"; - - //split the contents of the string file into an array using the delimiter - $splitcontents = explode($delimiter, $contents); - - return $splitcontents; - -} - -$ruledir = "/usr/local/etc/snort/rules/"; -$dh = opendir($ruledir); - -$message_reload = "The Snort rule configuration has been changed.<br>You must apply the changes in order for them to take effect."; - -while (false !== ($filename = readdir($dh))) -{ - //only populate this array if its a rule file - $isrulefile = strstr($filename, ".rules"); - if ($isrulefile !== false) - { - $files[] = $filename; - } -} - -sort($files); - -if ($_GET['openruleset']) -{ - $file = $_GET['openruleset']; -} -else -{ - $file = $ruledir.$files[0]; - -} - -//Load the rule file -$splitcontents = load_rule_file($file); - -if ($_POST) -{ - if (!$_POST['apply']) { - //retrieve POST data - $post_lineid = $_POST['lineid']; - $post_enabled = $_POST['enabled']; - $post_src = $_POST['src']; - $post_srcport = $_POST['srcport']; - $post_dest = $_POST['dest']; - $post_destport = $_POST['destport']; - - //clean up any white spaces insert by accident - $post_src = str_replace(" ", "", $post_src); - $post_srcport = str_replace(" ", "", $post_srcport); - $post_dest = str_replace(" ", "", $post_dest); - $post_destport = str_replace(" ", "", $post_destport); - - //copy rule contents from array into string - $tempstring = $splitcontents[$post_lineid]; - - //search string - $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) - { - //has rule been enabled - if ($post_enabled == "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - $counter2 = 1; - } - else - { - //rule is staying disabled - $counter2 = 2; - } - } - else - { - //has rule been disabled - if ($post_enabled != "yes") - { - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - $counter2 = 2; - } - else - { - //rule is staying enabled - $counter2 = 1; - } - } - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - //insert new values - $counter2++; - $rule_content[$counter2] = $post_src;//source location - $counter2++; - $rule_content[$counter2] = $post_srcport;//source port location - $counter2 = $counter2+2; - $rule_content[$counter2] = $post_dest;//destination location - $counter2++; - $rule_content[$counter2] = $post_destport;//destination port location - - //implode the array back into string - $tempstring = implode(' ', $rule_content); - - //copy string into file array for writing - $splitcontents[$post_lineid] = $tempstring; - - //write the new .rules file - write_rule_file($splitcontents, $file); - - //once file has been written, reload file - $splitcontents = load_rule_file($file); - - $stopMsg = true; - } - - if ($_POST['apply']) { -// stop_service("snort"); -// sleep(2); -// start_service("snort"); - $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; - $stopMsg = false; - } - -} -else if ($_GET['act'] == "toggle") -{ - $toggleid = $_GET['id']; - - //copy rule contents from array into string - $tempstring = $splitcontents[$toggleid]; - - //explode rule contents into an array, (delimiter is space) - $rule_content = explode(' ', $tempstring); - - //search string - $findme = "# alert"; //find string for disabled alerts - - //find if alert is disabled - $disabled = strstr($tempstring, $findme); - - //if find alert is false, then rule is disabled - if ($disabled !== false) - { - //rule has been enabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("# alert", "alert", $tempstring); - - } - else - { - //has rule been disabled - //move counter up 1, so we do not retrieve the # in the rule_content array - $tempstring = str_replace("alert", "# alert", $tempstring); - - } - - //copy string into array for writing - $splitcontents[$toggleid] = $tempstring; - - //write the new .rules file - write_rule_file($splitcontents, $file); - - //once file has been written, reload file - $splitcontents = load_rule_file($file); - - $stopMsg = true; - - //write disable/enable sid to config.xml - if ($disabled == false) { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_off_cut = $sid_pieces[0]; - // sid being turned off - $sid_off = str_replace("sid:", "", $sid_off_cut); - // rule_sid_on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; - // if off sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; - // rule sid off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; - // if off sid is the same as off sid remove it - $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; - // add sid off registers to new off sid - $config['installedpackages']['snort']['rule_sid_off'] = "||disablesid $sid_off" . $config['installedpackages']['snort']['rule_sid_off']; - write_config(); - } - else - { - $string_sid = strstr($tempstring, 'sid:'); - $sid_pieces = explode(";", $string_sid); - $sid_on_cut = $sid_pieces[0]; - // sid being turned off - $sid_on = str_replace("sid:", "", $sid_on_cut); - // rule_sid_off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; - // if off sid is the same as on sid remove it - $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; - // rule sid on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; - // if on sid is the same as on sid remove it - $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); - // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; - // add sid on registers to new on sid - $config['installedpackages']['snort']['rule_sid_on'] = "||enablesid $sid_on" . $config['installedpackages']['snort']['rule_sid_on']; - write_config(); - } - -} - - -$pgtitle = "Snort: Rules"; -require("guiconfig.inc"); -include("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> -<form action="snort_rules.php" method="post" name="iform" id="iform"> -<?php if ($savemsg){print_info_box($savemsg);} else if ($stopMsg){print_info_box_np($message_reload);}?> -<br> -</form> -<script type="text/javascript" language="javascript" src="row_toggle.js"> - <script src="/javascript/sorttable.js" type="text/javascript"> -</script> - -<script language="javascript" type="text/javascript"> -<!-- -function go() -{ - var agt=navigator.userAgent.toLowerCase(); - if (agt.indexOf("msie") != -1) { - box = document.forms.selectbox; - } else { - box = document.forms[1].selectbox; - } - destination = box.options[box.selectedIndex].value; - if (destination) - location.href = destination; -} -// --> -</script> - -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="ruletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="3%" class="list"> </td> - <td width="5%" class="listhdr">SID</td> - <td width="6%" class="listhdrr">Proto</td> - <td width="15%" class="listhdrr">Source</td> - <td width="10%" class="listhdrr">Port</td> - <td width="15%" class="listhdrr">Destination</td> - <td width="10%" class="listhdrr">Port</td> - <td width="32%" class="listhdrr">Message</td> - - </tr> - <tr> - <?php - - echo "<br>Category: "; - - //string for populating category select - $currentruleset = substr($file, 27); - ?> - <form name="forms"> - <select name="selectbox" class="formfld" onChange="go()"> - <?php - $i=0; - foreach ($files as $value) - { - $selectedruleset = ""; - if ($files[$i] === $currentruleset) - $selectedruleset = "selected"; - ?> - <option value="?&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" - <?php - $i++; - - } - ?> - </select> - </form> - </tr> - <?php - - $counter = 0; - $printcounter = 0; - - foreach ( $splitcontents as $value ) - { - - $counter++; - $disabled = "False"; - $comments = "False"; - - $tempstring = $splitcontents[$counter]; - $findme = "# alert"; //find string for disabled alerts - - //find alert - $disabled_pos = strstr($tempstring, $findme); - - - //do soemthing, this rule is enabled - $counter2 = 1; - - //retrieve sid value - $sid = get_middle($tempstring, 'sid:', ';', 0); - - //check to see if the sid is numberical - $is_sid_num = is_numeric($sid); - - //if SID is numerical, proceed - if ($is_sid_num) - { - - //if find alert is false, then rule is disabled - if ($disabled_pos !== false){ - $counter2 = $counter2+1; - $textss = "<span class=\"gray\">"; - $textse = "</span>"; - $iconb = "icon_block_d.gif"; - } - else - { - $textss = $textse = ""; - $iconb = "icon_block.gif"; - } - - $rule_content = explode(' ', $tempstring); - - $protocol = $rule_content[$counter2];//protocol location - $counter2++; - $source = $rule_content[$counter2];//source location - $counter2++; - $source_port = $rule_content[$counter2];//source port location - $counter2 = $counter2+2; - $destination = $rule_content[$counter2];//destination location - $counter2++; - $destination_port = $rule_content[$counter2];//destination port location - - $message = get_middle($tempstring, 'msg:"', '";', 0); - - echo "<tr>"; - echo "<td class=\"listt\">"; - echo $textss; - ?> - <a href="?&openruleset=<?=$file;?>&act=toggle&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a> - <?php - echo $textse; - echo "</td>"; - - - echo "<td class=\"listlr\">"; - echo $textss; - echo $sid; - echo $textse; - echo "</td>"; - - echo "<td class=\"listlr\">"; - echo $textss; - echo $protocol; - $printcounter++; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $source; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $source_port; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $destination; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $destination_port; - echo $textse; - echo "</td>"; - ?> - <td class="listbg"><font color="white"> - <?php - echo $textss; - echo $message; - echo $textse; - echo "</td>"; - ?> - <td valign="middle" nowrap class="list"> - <table border="0" cellspacing="0" cellpadding="1"> - <tr> - <td><a href="snort_rules_edit.php?openruleset=<?=$file;?>&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> - </tr> - </table> - </td> - <?php - } - } - echo " "; - echo "There are "; - echo $printcounter; - echo " rules in this category. <br><br>"; - ?> - </table> - </td> - </tr> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> - <td>Rule Enabled</td> - </tr> - <tr> - <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> - <td nowrap>Rule Disabled</td> - - - </tr> - <tr> - <td colspan="10"> - <p> - <!--<strong><span class="red">Warning:<br> - </span></strong>Editing these r</p>--> - </td> - </tr> - </table> - </table> - - </td> - </tr> -</table> - - -<?php include("fend.inc"); ?> -</div></body> -</html>
\ No newline at end of file diff --git a/config/snort-old/snort_rules_edit.php b/config/snort-old/snort_rules_edit.php deleted file mode 100644 index cbabce73..00000000 --- a/config/snort-old/snort_rules_edit.php +++ /dev/null @@ -1,207 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_rules_edit.php - Copyright (C) 2004, 2005 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -function get_middle($source, $beginning, $ending, $init_pos) { - $beginning_pos = strpos($source, $beginning, $init_pos); - $middle_pos = $beginning_pos + strlen($beginning); - $ending_pos = strpos($source, $ending, $beginning_pos); - $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); - return $middle; -} - - -$file = $_GET['openruleset']; - -//read snort file -$filehandle = fopen($file, "r"); - -//get rule id -$lineid = $_GET['id']; - -//read file into string, and get filesize -$contents = fread($filehandle, filesize($file)); - -//close handler -fclose ($filehandle); - -//delimiter for each new rule is a new line -$delimiter = "\n"; - -//split the contents of the string file into an array using the delimiter -$splitcontents = explode($delimiter, $contents); - -//copy rule contents from array into string -$tempstring = $splitcontents[$lineid]; - -//explode rule contents into an array, (delimiter is space) -$rule_content = explode(' ', $tempstring); - -//search string -$findme = "# alert"; //find string for disabled alerts - -//find if alert is disabled -$disabled = strstr($tempstring, $findme); - -//get sid -$sid = get_middle($tempstring, 'sid:', ';', 0); - - -//if find alert is false, then rule is disabled -if ($disabled !== false) -{ - //move counter up 1, so we do not retrieve the # in the rule_content array - $counter2 = 2; -} -else -{ - $counter2 = 1; -} - - -$protocol = $rule_content[$counter2];//protocol location -$counter2++; -$source = $rule_content[$counter2];//source location -$counter2++; -$source_port = $rule_content[$counter2];//source port location -$counter2++; -$direction = $rule_content[$counter2]; -$counter2++; -$destination = $rule_content[$counter2];//destination location -$counter2++; -$destination_port = $rule_content[$counter2];//destination port location -$message = get_middle($tempstring, 'msg:"', '";', 0); - -$content = get_middle($tempstring, 'content:"', '";', 0); -$classtype = get_middle($tempstring, 'classtype:', ';', 0); -$revision = get_middle($tempstring, 'rev:', ';',0); - -$pgtitle = "Snort: Edit Rule"; -require("guiconfig.inc"); -include("head.inc"); -?> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php include("fbegin.inc"); ?> -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php?openruleset=/usr/local/etc/snort/rules/attack-responses.rules"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <form action="snort_rules.php?openruleset=<?=$file;?>&id=<?=$lineid;?>" target="" method="post" name="editform" id="editform"> - <table id="edittable" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="listhdr" width="10%">Enabled: </td> - <td class="listlr" width="30%"><input name="enabled" type="checkbox" id="enabled" value="yes" <?php if ($disabled === false) echo "checked";?>></td> - </tr> - <tr> - <td class="listhdr" width="10%">SID: </td> - <td class="listlr" width="30%"><?php echo $sid; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Protocol: </td> - <td class="listlr" width="30%"><?php echo $protocol; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Source: </td> - <td class="listlr" width="30%"><input name="src" type="text" id="src" size="20" value="<?php echo $source;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Source Port: </td> - <td class="listlr" width="30%"><input name="srcport" type="text" id="srcport" size="20" value="<?php echo $source_port;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Direction:</td> - <td class="listlr" width="30%"><?php echo $direction;?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Destination:</td> - <td class="listlr" width="30%"><input name="dest" type="text" id="dest" size="20" value="<?php echo $destination;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Destination Port: </td> - <td class="listlr" width="30%"><input name="destport" type="text" id="destport" size="20" value="<?php echo $destination_port;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Message: </td> - <td class="listlr" width="30%"><?php echo $message; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Content: </td> - <td class="listlr" width="30%"><?php echo $content; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Classtype: </td> - <td class="listlr" width="30%"><?php echo $classtype; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Revision: </td> - <td class="listlr" width="30%"><?php echo $revision; ?></td> - </tr> - <tr><td> </td></tr> - <tr> - <td><input name="lineid" type="hidden" value="<?=$lineid;?>"></td> - <td><input class="formbtn" value="Save" type="submit" name="editsave" id="editsave">   <input type="button" class="formbtn" value="Cancel" onclick="history.back()"></td> - </tr> - </table> - </form> - </td> - </tr> - </table> - </td> -</tr> -</table> - -<?php include("fend.inc"); ?> -</div></body> -</html>
\ No newline at end of file diff --git a/config/snort-old/snort_rulesets.php b/config/snort-old/snort_rulesets.php deleted file mode 100644 index d839ae7a..00000000 --- a/config/snort-old/snort_rulesets.php +++ /dev/null @@ -1,230 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_rulesets.php - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("guiconfig.inc"); -require_once("service-utils.inc"); -require("/usr/local/pkg/snort.inc"); - -if(!is_dir("/usr/local/etc/snort/rules")) { - conf_mount_rw(); - exec('mkdir /usr/local/etc/snort/rules/'); - conf_mount_ro(); -} - -/* Check if the rules dir is empy if so warn the user */ -/* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); -if ($isrulesfolderempty == "") { - -include("head.inc"); -include("fbegin.inc"); - -echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; - -echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n -<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n -<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n"; - - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); - -echo "</td>\n - </tr>\n - <tr>\n - <td>\n - <div id=\"mainarea\">\n - <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n -# The rules directory is empty.\n - </td>\n - </tr>\n - </table>\n - </div>\n - </td>\n - </tr>\n -</table>\n -\n -</form>\n -\n -<p>\n\n"; - -echo "Please click on the Update Rules tab to install your selected rule sets."; -include("fend.inc"); - -echo "</body>"; -echo "</html>"; - -exit(0); - -} - -if($_POST) { - $enabled_items = ""; - $isfirst = true; - foreach($_POST['toenable'] as $toenable) { - if(!$isfirst) - $enabled_items .= "||"; - $enabled_items .= "{$toenable}"; - $isfirst = false; - } - $config['installedpackages']['snort']['rulesets'] = $enabled_items; - write_config(); - stop_service("snort"); - create_snort_conf(); - sleep(2); - start_service("snort"); - $savemsg = "The snort ruleset selections have been saved."; -} - -$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; -if($enabled_rulesets) - $enabled_rulesets_array = split("\|\|", $enabled_rulesets); - -$pgtitle = "Snort: Categories"; -include("head.inc"); - -?> - -<body link="#000000" vlink="#000000" alink="#000000"> -<?php include("fbegin.inc"); ?> - -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> - -<form action="snort_rulesets.php" method="post" name="iform" id="iform"> -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">Enabled</td> - <td class="listhdrr">Ruleset: Rules that end with "so.rules" are shared object rules.</td> - <!-- <td class="listhdrr">Description</td> --> - </tr> -<?php - $dir = "/usr/local/etc/snort/rules/"; - $dh = opendir($dir); - while (false !== ($filename = readdir($dh))) { - $files[] = $filename; - } - sort($files); - foreach($files as $file) { - if(!stristr($file, ".rules")) - continue; - echo "<tr>"; - echo "<td align=\"center\" valign=\"top\">"; - if(is_array($enabled_rulesets_array)) - if(in_array($file, $enabled_rulesets_array)) { - $CHECKED = " checked=\"checked\""; - } else { - $CHECKED = ""; - } - else - $CHECKED = ""; - echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />"; - echo "</td>"; - echo "<td>"; - echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/rules/" . urlencode($file) . "'>{$file}</a>"; - echo "</td>"; - //echo "<td>"; - //echo "description"; - //echo "</td>"; - } - -?> - </table> - </td> - </tr> - <tr><td> </td></tr> - <tr><td>Check the rulesets that you would like Snort to load at startup.</td></tr> - <tr><td> </td></tr> - <tr><td><input value="Save" type="submit" name="save" id="save" /></td></tr> - </table> - </div> - </td> - </tr> -</table> - -</form> - -<p><b>NOTE:</b> You can click on a ruleset name to edit the ruleset. - -<?php include("fend.inc"); ?> - -</body> -</html> - -<?php - - function get_snort_rule_file_description($filename) { - $filetext = file_get_contents($filename); - - } - -?>
\ No newline at end of file diff --git a/config/snort-old/snort_threshold.xml b/config/snort-old/snort_threshold.xml deleted file mode 100644 index f9075d3d..00000000 --- a/config/snort-old/snort_threshold.xml +++ /dev/null @@ -1,129 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>snort-threshold</name> - <version>0.1.0</version> - <title>Snort: Alert Thresholding and Suppression</title> - <include_file>/usr/local/pkg/snort.inc</include_file> - <!-- Menu is where this packages menu will appear --> - <tabs> - <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - </tab> - <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> - </tab> - <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> - </tab> - <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> - </tab> - <tab> - <text>Blocked</text> - <url>/snort_blocked.php</url> - </tab> - <tab> - <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> - </tab> - <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - <active/> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> - </tab> - </tabs> - <adddeleteeditpagefields> - <columnitem> - <fielddescr>Thresholding or Suppression Rule</fielddescr> - <fieldname>threshrule</fieldname> - </columnitem> - <columnitem> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - </columnitem> - </adddeleteeditpagefields> - <fields> - <field> - <fielddescr>Thresholding or Suppression Rule</fielddescr> - <fieldname>threshrule</fieldname> - <description>Enter the Rule. Example; "suppress gen_id 125, sig_id 4" or "threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60"</description> - <type>input</type> - <size>40</size> - </field> - <field> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - <description>Enter the description for this item</description> - <type>input</type> - <size>60</size> - </field> - </fields> - <custom_php_command_before_form> - </custom_php_command_before_form> - <custom_delete_php_command> - </custom_delete_php_command> - <custom_php_resync_config_command> - create_snort_conf(); - </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file diff --git a/config/snort-old/snort_whitelist.xml b/config/snort-old/snort_whitelist.xml deleted file mode 100644 index 42769e4e..00000000 --- a/config/snort-old/snort_whitelist.xml +++ /dev/null @@ -1,129 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>snort-whitelist</name> - <version>0.1.0</version> - <title>Snort: Whitelist</title> - <include_file>/usr/local/pkg/snort.inc</include_file> - <!-- Menu is where this packages menu will appear --> - <tabs> - <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - </tab> - <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> - </tab> - <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> - </tab> - <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> - </tab> - <tab> - <text>Blocked</text> - <url>/snort_blocked.php</url> - </tab> - <tab> - <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> - <active/> - </tab> - <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> - </tab> - </tabs> - <adddeleteeditpagefields> - <columnitem> - <fielddescr>Whitelisted IP</fielddescr> - <fieldname>ip</fieldname> - </columnitem> - <columnitem> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - </columnitem> - </adddeleteeditpagefields> - <fields> - <field> - <fielddescr>Whitelisted IP</fielddescr> - <fieldname>ip</fieldname> - <description>Enter the IP or network to whitelist from snort blocking. Network items should be expressed in CIDR notation. Example: 0.0.0.0/24 or 0.0.0.0/32</description> - <type>input</type> - <size>40</size> - </field> - <field> - <fielddescr>Description</fielddescr> - <fieldname>description</fieldname> - <description>Enter the description for this item</description> - <type>input</type> - <size>60</size> - </field> - </fields> - <custom_php_command_before_form> - </custom_php_command_before_form> - <custom_delete_php_command> - </custom_delete_php_command> - <custom_php_resync_config_command> - create_snort_conf(); - </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file diff --git a/config/snort-old/snort_xmlrpc_sync.php b/config/snort-old/snort_xmlrpc_sync.php deleted file mode 100644 index db8b3f3e..00000000 --- a/config/snort-old/snort_xmlrpc_sync.php +++ /dev/null @@ -1,114 +0,0 @@ -<?php - -/* $Id$ */ -/* - snort_xmlrpc_sync.php - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -/* NOTE: this file gets included from the pfSense filter.inc plugin process */ - -require_once("/usr/local/pkg/snort.inc"); -require_once("service-utils.inc"); - -if(!$config) { - log_error("\$config is not enabled!!"); -} else { - if(!$g['booting']) - snort_do_xmlrpc_sync(); -} - -function snort_do_xmlrpc_sync() { - - return; /* need to fix the bug which whipes out carp sync settings, etc */ - - global $config, $g; - $syncxmlrpc = $config['installedpackages']['snort']['config'][0]['syncxmlrpc']; - /* option enabled? */ - if(!$syncxmlrpc) - return; - - $carp = &$config['installedpackages']['carpsettings']['config'][0]; - $password = $carp['password']; - - if(!$carp['synchronizetoip']) - return; - - log_error("[SNORT] snort_xmlrpc_sync.php is starting."); - $xmlrpc_sync_neighbor = $carp['synchronizetoip']; - if($config['system']['webgui']['protocol'] != "") { - $synchronizetoip = $config['system']['webgui']['protocol']; - $synchronizetoip .= "://"; - } - $port = $config['system']['webgui']['port']; - /* if port is empty lets rely on the protocol selection */ - if($port == "") { - if($config['system']['webgui']['protocol'] == "http") { - $port = "80"; - } else { - $port = "443"; - } - } - $synchronizetoip .= $carp['synchronizetoip']; - - /* xml will hold the sections to sync */ - $xml = array(); - $xml['installedpackages']['snort'] = &$config['installedpackages']['snort']; - $xml['installedpackages']['snortwhitelist'] = &$config['installedpackages']['snortwhitelist']; - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); - - /* set a few variables needed for sync code borrowed from filter.inc */ - $url = $synchronizetoip; - $method = 'pfsense.restore_config_section'; - - /* Sync! */ - log_error("Beginning Snort XMLRPC sync to {$url}:{$port}."); - $msg = new XML_RPC_Message($method, $params); - $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - if($g['debug']) - $cli->setDebug(1); - /* send our XMLRPC message and timeout after 240 seconds */ - $resp = $cli->send($msg, "999"); - if(!$resp) { - $error = "A communications error occured while attempting Snort XMLRPC sync with {$url}:{$port}."; - log_error($error); - file_notice("sync_settings", $error, "Snort Settings Sync", ""); - } elseif($resp->faultCode()) { - $error = "An error code was received while attempting Snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); - file_notice("sync_settings", $error, "Snort Settings Sync", ""); - } else { - log_error("Snort XMLRPC sync successfully completed with {$url}:{$port}."); - } - log_error("[SNORT] snort_xmlrpc_sync.php is ending."); -} - -?>
\ No newline at end of file |