-rwxr-xr-x | config/snort/snort.inc | 37 | ||||
-rw-r--r-- | config/snort/snort_barnyard.php | 8 | ||||
-rwxr-xr-x | config/snort/snort_check_for_rule_updates.php | 5 | ||||
-rwxr-xr-x | config/snort/snort_preprocessors.php | 2 | ||||
-rwxr-xr-x | config/snort/snort_rules.php | 69 | ||||
-rwxr-xr-x | config/snort/snort_rulesets.php | 131 |
6 files changed, 142 insertions, 110 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index cf36ca86..44dd133e 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -39,6 +39,9 @@ require_once("pkg-utils.inc");
 // Needed on 2.0 because of filter_get_vpns_list()
 require_once("filter.inc");
 
+// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
+ini_set("memory_limit", "192M");
+
 // Explicitly declare these as global so they work through function call includes
 global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log;
 global $all_rules, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall;
@@ -1285,7 +1288,7 @@ function snort_get_flowbits($rule) {
 return $flowbits;
 }
 
-function snort_get_checked_flowbits(&$rules_map) {
+function snort_get_checked_flowbits($rules_map) {
 
 /*************************************************************/
 /* This function checks all the currently enabled rules to */
@@ -1328,7 +1331,7 @@ function snort_get_checked_flowbits(&$rules_map) {
 return $checked_flowbits;
 }
 
-function snort_get_set_flowbits(&$rules_map) {
+function snort_get_set_flowbits($rules_map) {
 
 /*********************************************************/
 /* This function checks all the currently enabled rules */
@@ -1369,7 +1372,7 @@ function snort_get_set_flowbits(&$rules_map) {
 return $set_flowbits;
 }
 
-function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) {
+function snort_find_flowbit_required_rules($all_rules, $unchecked_flowbits) {
 
 /********************************************************/
 /* This function finds all rules that must be enabled */
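Review bot: `ini_set("memory_limit", "192M")` in the first hunk replaces whatever limit is configured, so on a system whose php.ini already allows more (or `-1`, unlimited) this include lowers the limit for every page that loads snort.inc. Only raise it when the current value is smaller: read `ini_get("memory_limit")`, convert its K/M/G suffix to bytes treating `-1` as unlimited, and call `ini_set` only when that is below 192M, saying so in the comment. The later hunks drop the `&` from the flowbit helpers' parameters; that is safe only if those function bodies (outside the hunk) never modify `$rules_map`, `$all_rules` or `$unchecked_flowbits` expecting the caller to see the change, which is worth confirming, since PHP's copy-on-write makes the by-value form equally cheap for read-only use.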
@@ -1417,7 +1420,7 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) {
 return $required_flowbits_rules;
 }
 
-function snort_resolve_flowbits(&$active_rules) {
+function snort_resolve_flowbits($active_rules) {
 
 /******************************************************/
 /* This function auto-resolves flowbit requirements */
@@ -1529,20 +1532,21 @@ function snort_load_vrt_policy($policy, $load_rules_map=true) {
 $snortdir = SNORTDIR;
 $vrt_policy_rules = array();
 
- /* Create regular expression for searching. */
- $policy_pcre = "/policy\\s" . $policy . "/i";
-
 /* Refresh the map of all the rules if flag */
 /* is set. */
- if ($load_rules_map == true)
- $all_rules = snort_load_rules_map("{$snortdir}/rules/");
+ if ($load_rules_map) {
+ /* Since only Snort VRT rules have IPS Policy metadata, */
+ /* limit our search to just those files. */
+ $snort_vrt_files = glob("{$snortdir}/rules/snort_*.rules");
+ $all_rules = array();
+ $all_rules = snort_load_rules_map($snort_vrt_files);
+ }
 
- /* Now walk the rules list and find all those */
- /* that are defined as active for the chosen */
- /* security policy. */
+ /* Now walk the rules list and find all those that are defined */
+ /* defined as active for the chosen security policy. */
 foreach ($all_rules as $k1 => $arulem) {
 foreach ($arulem as $k2 => $arulem2) {
- if (preg_match($policy_pcre, $arulem2['rule'])) {
+ if (strripos($arulem2['rule'], "policy {$policy}-ips") !== false) {
 if (!preg_match('/flowbits\s*:\s*noalert/i', $arulem2['rule'])) {
 if (!is_array($vrt_policy_rules[$k1]))
 $vrt_policy_rules[$k1] = array();
@@ -1564,9 +1568,9 @@ function snort_load_vrt_policy($policy, $load_rules_map=true) {
 unset($arulem, $arulem2);
 
 /* If we loaded the ALL_RULES map, */
- /* then release the memory. */
+ /* then release the global memory. */
 if ($load_rules_map == true)
- unset($all_rules);
+ unset($GLOBALS['all_rules']);
 
 /* Return all the rules that match the policy. */
 return $vrt_policy_rules;
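Review bot: The rewritten comment in the snort_load_vrt_policy hunk reads `find all those that are defined */ /* defined as active`, repeating "defined"; drop one of them. `unset($GLOBALS['all_rules'])` at the end of that function only frees the map if `$all_rules` inside snort_load_vrt_policy is the global (a `global $all_rules;` declaration would sit before this hunk); if it is a local filled by `snort_load_rules_map()`, the old `unset($all_rules)` was the right call and the new line frees nothing — confirm which it is, and the same question applies to the two snort_prepare_rule_files hunks, where `unset($enabled_rules, $all_rules)` became `unset($GLOBALS['all_rules'])` and `$enabled_rules` is no longer released. The `$all_rules = array();` placed right before the reassignment looks deliberate (drop the previous map so both are not held at once) but reads as dead code; a comment such as `/* Drop the previous map first so two copies are never held at once */` would keep a later cleanup from removing it.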
@@ -2075,6 +2079,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
 $no_rules_defined = false;
 
 /* Load up all the rules into a Rules Map array. */
+ $all_rules = array();
 $all_rules = snort_load_rules_map("{$snortdir}/rules/");
 
 /* Create an array with the filenames of the enabled */
@@ -2160,7 +2165,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
 /* Just put an empty file to always have the file present */
 snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
 
- unset($enabled_rules, $all_rules);
+ unset($GLOBALS['all_rules']);
 } else {
 snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
 snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index a7f04e39..2773fe95 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -192,8 +192,8 @@ function enable_change(enable_change) {
 </tr>
 <tr>
 <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td>
- <td width="78%" class="vtable"><input name="barnyard_mysql"
- type="text" class="formfld" id="barnyard_mysql" size="100"
+ <td width="78%" class="vtable"><input name="barnyard_mysql"
+ type="text" class="formfld" id="barnyard_mysql" style="width:95%;" size="85"
 value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br>
 <span class="vexpl"><?php echo gettext("Example: output database: alert, mysql, " .
 "dbname=snort user=snort host=localhost password=xyz"); ?><br>
@@ -206,8 +206,8 @@ function enable_change(enable_change) {
 <tr>
 <td width="22%" valign="top" class="vncell"<?php echo gettext("Advanced configuration " .
 "pass through"); ?></td>
- <td width="78%" class="vtable"><textarea name="barnconfigpassthru"
- cols="60" rows="7" id="barnconfigpassthru" ><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea>
+ <td width="78%" class="vtable"><textarea name="barnconfigpassthru" style="width:95%;"
+ cols="65" rows="7" id="barnconfigpassthru" ><?=htmlspecialchars($pconfig['barnconfigpassthru']);?></textarea>
 <br>
 <?php echo gettext("Arguments here will be automatically inserted into the running " .
 "barnyard2 configuration."); ?></td>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index f08ebc18..2b60b6ce 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -41,6 +41,8 @@ $snortdir = SNORTDIR;
 $snortlibdir = SNORTLIBDIR;
 $snortlogdir = SNORTLOGDIR;
 
+/* Save the state of $pkg_interface so we can restore it */
+$pkg_interface_orig = $pkg_interface;
 if ($snort_gui_include)
 $pkg_interface = "";
 else
@@ -740,4 +742,7 @@ log_error(gettext("[Snort] The Rules update has finished."));
 error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log);
 conf_mount_ro();
 
+/* Restore the state of $pkg_interface */
+$pkg_interface = $pkg_interface_orig;
+
 ?>
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 4c921ca4..12981398 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
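Review bot: `$pkg_interface_orig = $pkg_interface;` in the snort_check_for_rule_updates.php hunk reads `$pkg_interface` before anything here guarantees it exists; when the script runs outside the GUI include path that variable may be unset and the save line raises an undefined-variable notice. Guard it, `$pkg_interface_orig = isset($pkg_interface) ? $pkg_interface : "";`, or record that it was unset and `unset()` it again on restore. The restore in the last hunk only runs when execution reaches the end of the file, so any early `exit` or `return` between the two hunks (not visible here) would leave `$pkg_interface` overridden for the including page; a comment on the save line saying the restore is at the end of the script would help the next reader spot that.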
@@ -1143,7 +1143,7 @@ include_once("head.inc");
 <td width="22%" valign="top"> </td>
 <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note: "); ?></strong></span>
 <?php echo gettext("Please save your settings before you exit. Preprocessor changes will rebuild the rules file. This "); ?>
- </br><?php echo gettext("may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td>
+ <?php echo gettext("may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td>
 </tr>
 </table>
 </div>
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 2ef529b9..ca63dae9 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -192,6 +192,7 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) {
 
 /* Update the config.xml file. */
 write_config();
+ $_GET['openruleset'] = $currentruleset;
 header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}");
 exit;
 }
@@ -227,6 +228,7 @@ if ($_GET['act'] == "resetcategory" && !empty($rules_map)) {
 unset($a_rule[$id]['rule_sid_off']);
 
 write_config();
+ $_GET['openruleset'] = $currentruleset;
 header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}");
 exit;
 }
@@ -240,6 +242,7 @@ if ($_GET['act'] == "resetall" && !empty($rules_map)) {
 
 /* Update the config.xml file. */
 write_config();
+ $_GET['openruleset'] = $currentruleset;
 header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}");
 exit;
 }
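Review bot: `$_GET['openruleset'] = $currentruleset;` in each of the three snort_rules.php hunks is immediately followed by `header(...)` and `exit`, so nothing can read the modified `$_GET` before the request ends and the assignment is dead; the redirect already carries `openruleset` in its query string. If it is meant for code that runs between those lines (not visible here), say so in a comment, otherwise drop it from all three places. While touching these lines, `$currentruleset` and `$id` go into the Location URL unencoded, so `"&openruleset=" . urlencode($currentruleset)` would keep a category name containing `&`, `#` or spaces from breaking the redirect target.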
@@ -324,32 +327,6 @@ if ($savemsg) { ?> -<script language="javascript" type="text/javascript"> -function go() -{ - var box = document.iform.selectbox; - destination = box.options[box.selectedIndex].value; - if (destination) - location.href = destination; -} - -function wopen(url, name, w, h) -{ -// Fudge factors for window decoration space. -// In my tests these work well on all platforms & browsers. -w += 32; -h += 96; - var win = window.open(url, - name, - 'width=' + w + ', height=' + h + ', ' + - 'location=no, menubar=no, ' + - 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); - win.resizeTo(w, h); - win.focus(); -} - -</script> - <form action="/snort/snort_rules.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> @@ -434,9 +411,10 @@ h += 96; <td class="vncell"> <table width="100%" align="center" border="0" cellpadding="0" cellspacing="0"> <tr> - <td width="55%" valign="middle" rowspan="2"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn" - title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/> - <input type='hidden' name='id' value='<?=$id;?>'/></td> + <td width="50%" valign="middle" rowspan="2"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn" + title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/> + <input type='hidden' name='id' value='<?=$id;?>'/> + <input type='hidden' name='openruleset' value='<?=$currentruleset;?>'/></td> <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetcategory'> <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' 
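Review bot: The new hidden field `<input type='hidden' name='openruleset' value='<?=$currentruleset;?>'/>` writes `$currentruleset` into an attribute without escaping; if that value comes from the request (the `openruleset` query parameter the redirects in this file pass around), a crafted value can close the attribute and inject markup into the page. Emit it as `value='<?=htmlspecialchars($currentruleset);?>'`, the way snort_barnyard.php in this same commit escapes its echoed values; the pre-existing `id` field on the line above has the same shape and could be fixed in passing. The enclosing form and table continue outside the hunk.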
@@ -496,6 +474,7 @@ h += 96; <tbody> <?php + $counter = 0; foreach ($rules_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { $sid = snort_get_sid($v['rule']); @@ -576,6 +555,7 @@ h += 96; </td> </tr> <?php + $counter++; } } unset($rulem, $v); @@ -586,7 +566,10 @@ h += 96; </tr> <tr> <td> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="1"> + <table width="100%" border="0" cellspacing="0" cellpadding="1"> + <tr> + <td class="vexpl" colspan="2" height="30" valign="middle"><?php echo gettext("Rule Count: {$counter}"); ?></td> + </tr> <tr> <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> @@ -618,5 +601,31 @@ h += 96; </table> </form> <?php include("fend.inc"); ?> + +<script language="javascript" type="text/javascript"> +function go() +{ + var box = document.iform.selectbox; + destination = box.options[box.selectedIndex].value; + if (destination) + location.href = destination; +} + +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + +</script> </body> </html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index fce1616b..fa3efc1b 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php 
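Review bot: `gettext("Rule Count: {$counter}")` interpolates the number into the msgid, so the lookup key changes with every count and no translation can ever match. Keep the number outside the translated text, e.g. `<?php printf(gettext("Rule Count: %d"), $counter); ?>`. `$counter` is initialised before the row loop and incremented once per rendered row, so the figure is the number of rows shown rather than a count taken from `$rules_map` itself; a one-line comment at `$counter = 0;` saying it counts rendered rows would make that explicit. The loop spans two hunks of this section, so its body is only partly visible here.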
@@ -112,12 +112,14 @@ else /* alert file */ if ($_POST["Submit"]) { - if ($_POST['ips_policy_enable'] == "on") + if ($_POST['ips_policy_enable'] == "on") { $a_nat[$id]['ips_policy_enable'] = 'on'; - else + $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + } + else { $a_nat[$id]['ips_policy_enable'] = 'off'; - - $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + unset($a_nat[$id]['ips_policy']); + } $enabled_items = ""; if (is_array($_POST['toenable'])) @@ -152,6 +154,15 @@ if ($_POST["Submit"]) { if ($_POST['unselectall']) { $a_nat[$id]['rulesets'] = ""; + if ($_POST['ips_policy_enable'] == "on") { + $a_nat[$id]['ips_policy_enable'] = 'on'; + $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + } + else { + $a_nat[$id]['ips_policy_enable'] = 'off'; + unset($a_nat[$id]['ips_policy']); + } + write_config(); sync_snort_package_config(); @@ -161,17 +172,29 @@ if ($_POST['unselectall']) { if ($_POST['selectall']) { $rulesets = array(); + + if ($_POST['ips_policy_enable'] == "on") { + $a_nat[$id]['ips_policy_enable'] = 'on'; + $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; + } + else { + $a_nat[$id]['ips_policy_enable'] = 'off'; + unset($a_nat[$id]['ips_policy']); + } + if ($emergingdownload == 'on') { $files = glob("{$snortdir}/rules/emerging*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } if ($snortcommunitydownload == 'on') { - $files = glob("{$snortdir}/rules/sc_*.rules"); + $files = glob("{$snortdir}/rules/*_community.rules"); foreach ($files as $file) $rulesets[] = basename($file); } - if ($snortdownload == 'on') { + + /* Include the Snort VRT rules only if enabled and no IPS policy is set */ + if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') { $files = glob("{$snortdir}/rules/snort*.rules"); foreach ($files as $file) $rulesets[] = basename($file); 
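Review bot: The eight-line block that copies `ips_policy_enable`/`ips_policy` from `$_POST` into `$a_nat[$id]` now appears three times in snort_rulesets.php (the Submit, unselectall and selectall hunks), so any later change must be made in three places; fold it into one helper and call it from each branch. `$_POST['ips_policy']` is stored in the interface config exactly as received and is later used to build the policy string searched for in the rule metadata; checking it against the values the policy select actually offers (not visible here) before storing would keep an arbitrary string out of config.xml. The end of the `$_POST['selectall']` block lies outside the hunk.

```php
/* Store the IPS policy selection from the submitted form in the interface config. */
function snort_save_ips_policy(&$cfg, $post) {
	if ($post['ips_policy_enable'] == "on") {
		$cfg['ips_policy_enable'] = 'on';
		$cfg['ips_policy'] = $post['ips_policy'];
	}
	else {
		$cfg['ips_policy_enable'] = 'off';
		unset($cfg['ips_policy']);
	}
}

if ($_POST["Submit"]) {
	snort_save_ips_policy($a_nat[$id], $_POST);
	// … unchanged: toenable/todisable handling …
```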
@@ -210,49 +233,6 @@ if ($savemsg) { ?> -<script language="javascript" type="text/javascript"> -function popup(url) -{ - params = 'width='+screen.width; - params += ', height='+screen.height; - params += ', top=0, left=0' - params += ', fullscreen=yes'; - - newwin=window.open(url,'windowname4', params); - if (window.focus) {newwin.focus()} - return false; -} - -function wopen(url, name, w, h) -{ -// Fudge factors for window decoration space. -// In my tests these work well on all platforms & browsers. -w += 32; -h += 96; - var win = window.open(url, - name, - 'width=' + w + ', height=' + h + ', ' + - 'location=no, menubar=no, ' + - 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); - win.resizeTo(w, h); - win.focus(); -} - -function enable_change() -{ - var endis = !(document.iform.ips_policy_enable.checked); - document.iform.ips_policy.disabled=endis; - - for (var i = 0; i < document.iform.elements.length; i++) { - if (document.iform.elements[i].type == 'checkbox') { - var str = document.iform.elements[i].value; - if (str.substr(0,6) == "snort_") - document.iform.elements[i].disabled = !(endis); - } - } -} -</script> - <form action="snort_rulesets.php" method="post" name="iform" id="iform"> <input type="hidden" name="id" id="id" value="<?=$id;?>" /> <table width="100%" border="0" cellpadding="0" cellspacing="0"> 
@@ -271,14 +251,14 @@ function enable_change() echo '</td></tr>'; echo '<tr><td class="tabnavtbl">'; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); - $tab_array = array(); - $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Categories"), true, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Rules"), false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?> </td></tr> <tr> @@ -348,7 +328,7 @@ function enable_change() </td> </tr> <tr> - <td colspan="6" class="listtopic"><?php echo gettext("Snort IPS Policy Selection"); ?><br/></td> + <td colspan="6" class="listtopic"><?php echo gettext("Snort IPS Policy selection"); ?><br/></td> </tr> <tr> <td colspan="6" valign="center" class="listn"> 
@@ -389,7 +369,7 @@ function enable_change() </td> </tr> <tr> - <td colspan="6" class="listtopic"><?php echo gettext("Select the rulesets you would like Snort to load at startup"); ?><br/></td> + <td colspan="6" class="listtopic"><?php echo gettext("Select the rulesets Snort will load at startup"); ?><br/></td> </tr> <tr> <td colspan="6"> @@ -570,5 +550,38 @@ function enable_change() <?php include("fend.inc"); ?> + +<script language="javascript" type="text/javascript"> + +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. +w += 32; +h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + +function enable_change() +{ + var endis = !(document.iform.ips_policy_enable.checked); + document.iform.ips_policy.disabled=endis; + + for (var i = 0; i < document.iform.elements.length; i++) { + if (document.iform.elements[i].type == 'checkbox') { + var str = document.iform.elements[i].value; + if (str.substr(0,6) == "snort_") + document.iform.elements[i].disabled = !(endis); + } + } +} +</script> + </body> </html> |
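Review bot: The script block re-added at the end of snort_rulesets.php brings back `wopen()` and `enable_change()` but not `popup()`, which the block removed in the earlier `-210,49` hunk also defined; if any handler in the page markup still calls `popup(`, it is now undefined at click time. Either restore it alongside the other two or confirm no caller remains and note that in the commit message. The `</body>`/`</html>` lines are inside the hunk, so the functions are defined after the markup; handlers bound in attributes resolve when they fire, so that ordering is fine on its own.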