-rwxr-xr-xconfig/snort/snort.inc201
-rw-r--r--config/snort/snort_post_install.php14
2 files changed, 6 insertions, 209 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index e9feec1a..53ae4a9d 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1109,9 +1109,6 @@ function sync_snort_package_config() {
if ($is_dirty)
write_config("Snort pkg: updated snort service entry configuration.");
- /* create snort bootup file snort.sh only create once */
-// snort_create_rc();
-
$snortglob = $config['installedpackages']['snortglobal'];
snort_snortloglimit_install_cron(true);
@@ -2833,204 +2830,6 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
unset($enablesid, $disablesid);
}
-function snort_create_rc() {
-
-/*********************************************************/
-/* This function builds the /usr/local/etc/rc.d/snort.sh */
-/* shell script for starting and stopping Snort. The */
-/* script is rebuilt on each package sync operation and */
-/* after any changes to snort.conf saved in the GUI. */
-/*********************************************************/
-
- global $config, $g, $pfs_version;
-
- $snortdir = SNORTDIR;
- $snortlogdir = SNORTLOGDIR;
- $rcdir = RCFILEPREFIX;
-
- // If no interfaces are configured for Snort, exit
- if (!is_array($config['installedpackages']['snortglobal']['rule']))
- return;
- $snortconf = $config['installedpackages']['snortglobal']['rule'];
- if (empty($snortconf))
- return;
-
- // At least one interface is configured, so OK
- $start_snort_iface_start = array();
- $start_snort_iface_stop = array();
-
- // If not using PBI package, then make sure Barnyard2 can
- // find the latest MySQL shared libs in /usr/local/lib/mysql
- if ($pfs_version < 2.1) {
- $sql_lib_path = "\n# Ensure MySQL shared libs are in ldconfig search path\n";
- $sql_lib_path .= "/sbin/ldconfig -m /usr/local/lib/mysql";
- $start_snort_iface_start[] = $sql_lib_path;
- }
-
- // Loop thru each configured interface and build
- // the shell script.
- foreach ($snortconf as $value) {
- // Skip disabled Snort interfaces
- if ($value['enable'] <> 'on')
- continue;
- $snort_uuid = $value['uuid'];
- $if_real = get_real_interface($value['interface']);
-
- $start_barnyard = <<<EOE
-
- if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
- pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "`
- else
- pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid`
- fi
- if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -HUP \$pid
- else
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q
- fi
-
-EOE;
- $stop_barnyard2 = <<<EOE
-
- if [ -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid`
- /bin/pkill -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid -a
- time=0 timeout=30
- while kill -0 \$pid 2>/dev/null; do
- sleep 1
- time=\$((time+1))
- if [ \$time -gt \$timeout ]; then
- break
- fi
- done
- if [ -f /var/run/barnyard2_{$if_real}{$snort_uuid}.pid ]; then
- /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid
- fi
- else
- pid=`/bin/pgrep -fn "barnyard2 -r {$snort_uuid} "`
- if [ ! -z \$pid ]; then
- /bin/pkill -f "barnyard2 -r {$snort_uuid} "
- time=0 timeout=30
- while kill -0 \$pid 2>/dev/null; do
- sleep 1
- time=\$((time+1))
- if [ \$time -gt \$timeout ]; then
- break
- fi
- done
- fi
- fi
-
-EOE;
- if ($value['barnyard_enable'] == 'on')
- $start_barnyard2 = $start_barnyard;
- else
- $start_barnyard2 = $stop_barnyard2;
-
- $start_snort_iface_start[] = <<<EOE
-
-###### For Each Iface
- # Start snort and barnyard2
- if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
- pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "`
- else
- pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
- fi
-
- if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -HUP \$pid
- else
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}
- fi
-
- sleep 2
- {$start_barnyard2}
-
-EOE;
-
- $start_snort_iface_stop[] = <<<EOE
-
- if [ -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then
- pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid`
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a
- time=0 timeout=30
- while kill -0 \$pid 2>/dev/null; do
- sleep 1
- time=\$((time+1))
- if [ \$time -gt \$timeout ]; then
- break
- fi
- done
- if [ -f /var/run/snort_{$if_real}{$snort_uuid}.pid ]; then
- /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid
- fi
- else
- pid=`/bin/pgrep -fn "snort -R {$snort_uuid} "`
- if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /bin/pkill -fn "snort -R {$snort_uuid} "
- time=0 timeout=30
- while kill -0 \$pid 2>/dev/null; do
- sleep 1
- time=\$((time+1))
- if [ \$time -gt \$timeout ]; then
- break
- fi
- done
- fi
- fi
-
- sleep 2
- {$stop_barnyard2}
-
-EOE;
- }
-
- $rc_start = implode("\n", $start_snort_iface_start);
- $rc_stop = implode("\n", $start_snort_iface_stop);
-
- $snort_sh_text = <<<EOD
-#!/bin/sh
-########
-# This file was automatically generated
-# by the pfSense service handler.
-# Code added to protect from double starts on pfSense bootup
-######## Start of main snort.sh
-
-rc_start() {
- {$rc_start}
-}
-
-rc_stop() {
- {$rc_stop}
-}
-
-case $1 in
- start)
- rc_start
- ;;
- stop)
- rc_stop
- ;;
- restart)
- rc_stop
- rc_start
- ;;
-esac
-
-EOD;
-
- /* write out snort.sh */
- @file_put_contents("{$rcdir}snort.sh", $snort_sh_text);
- @chmod("{$rcdir}snort.sh", 0755);
-}
-
function snort_generate_barnyard2_conf($snortcfg, $if_real) {
/****************************************************/
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index ece75f2b..f84cfc55 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -112,9 +112,9 @@ foreach ($preproc_rules as $file) {
}
/* Remove any previously installed scripts since we rebuild them */
-@unlink("{$snortdir}/sid");
-@unlink("{$rcdir}snort.sh");
-@unlink("{$rcdir}barnyard2");
+unlink_if_exists("{$snortdir}/sid");
+unlink_if_exists("{$rcdir}snort.sh");
+unlink_if_exists("{$rcdir}barnyard2");
/* Create required log and db directories in /var */
safe_mkdir(SNORTLOGDIR);
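Review bot: The three `unlink_if_exists` calls at the top of the hunk discard their result, so a stale `{$rcdir}snort.sh` that cannot be removed (permissions, immutable flag) goes unreported and the install proceeds as if it were gone. Because this commit also drops the `snort_create_rc()` generator in snort.inc, a leftover script would no longer be overwritten and could still be run from the rc.d directory at boot with its old contents. Consider verifying after the calls, e.g. `if (file_exists("{$rcdir}snort.sh")) log_error(gettext("[Snort] Could not remove stale {$rcdir}snort.sh"));`, unless `unlink_if_exists` already reports failure (its implementation is not visible here). `$snortdir` and `$rcdir` are assigned outside the hunk, in the surrounding top-level script.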
@@ -217,10 +217,12 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
unset($snort_conf_text, $selected_rules_sections, $suppress_file_name, $snort_misc_include_rules, $spoink_type, $snortunifiedlog_type, $alertsystemlog_type);
unset($home_net, $external_net, $ipvardef, $portvardef);
- // create barnyard2.conf file for interface
+ // Create barnyard2.conf file for interface
if ($snortcfg['barnyard_enable'] == 'on')
snort_generate_barnyard2_conf($snortcfg, $if_real);
+ // If this interface is not enabled, we're done with it so
+ // loop to the next one.
if ($snortcfg['enable'] != 'on')
continue;
@@ -269,9 +271,6 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
}
}
- /* create snort bootup file snort.sh */
-// snort_create_rc();
-
/* Set Log Limit, Block Hosts Time and Rules Update Time */
snort_snortloglimit_install_cron(true);
snort_rm_blocked_install_cron($config['installedpackages']['snortglobal']['rm_blocked'] != "never_b" ? true : false);
@@ -291,7 +290,6 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
update_status(gettext("Starting Snort using rebuilt configuration..."));
update_output_window(gettext("Please wait... while Snort is started..."));
log_error(gettext("[Snort] Starting Snort using rebuilt configuration..."));
-// mwexec_bg("{$rcdir}snort.sh start");
foreach ($config['installedpackages']['snortglobal']['rule'] as $snortcfg) {
if ($snortcfg['enable'] != 'on')
continue;