-rwxr-xr-xconfig/snort/snort.inc186
1 files changed, 118 insertions, 68 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 303fbf07..ae0ac8cc 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -752,7 +752,7 @@ function build_sid_msg_map($rules_path, $sid_file) {
foreach ($rule_files as $file) {
/* Don't process files with "deleted" in the filename */
- if (preg_match('/deleted/i', $file))
+ if (stristr($file, "deleted"))
continue;
/* Read the file into an array, skipping empty lines. */
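Review bot: `stristr($file, "deleted")` on L16 builds and returns the matched tail of the filename only to test it for truthiness; `if (stripos($file, "deleted") !== false)` states the intended case-insensitive containment test directly and avoids the copy. The same substitution applies to L46 in snort_load_rules_map. Both loops continue outside their hunks.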
@@ -810,7 +810,7 @@ function build_sid_msg_map($rules_path, $sid_file) {
ksort($sidMap);
/* Now print the result to the supplied file */
- file_put_contents($sid_file, array_values($sidMap));
+ @file_put_contents($sid_file, array_values($sidMap));
}
function snort_merge_reference_configs($cfg_in, $cfg_out) {
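Review bot: The `@` added on L23 hides a failed write of the sid-msg map, so a full partition, a missing directory or a permission problem now leaves the previous (or no) file in place with nothing in the logs; the same suppression is added on L31 and L39 for the reference and classification configs. The return value should be tested instead, `if (@file_put_contents($sid_file, array_values($sidMap)) === false)` followed by a log entry naming `$sid_file`, so an unwritten map is visible to the operator rather than silent. The enclosing functions begin outside these hunks.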
@@ -845,7 +845,7 @@ function snort_merge_reference_configs($cfg_in, $cfg_out) {
$format = "config reference: %-12s %s\n";
foreach ($outMap as $key=>$value)
$outMap[$key] = sprintf($format, $key, $value);
- file_put_contents($cfg_out, array_values($outMap));
+ @file_put_contents($cfg_out, array_values($outMap));
}
function snort_merge_classification_configs($cfg_in, $cfg_out) {
@@ -880,7 +880,7 @@ function snort_merge_classification_configs($cfg_in, $cfg_out) {
$format = "config classification: %s,%s\n";
foreach ($outMap as $key=>$value)
$outMap[$key] = sprintf($format, $key, $value);
- file_put_contents($cfg_out, array_values($outMap));
+ @file_put_contents($cfg_out, array_values($outMap));
}
function snort_load_rules_map($rules_path) {
@@ -939,7 +939,7 @@ function snort_load_rules_map($rules_path) {
foreach ($rule_files as $file) {
/* Don't process files with "deleted" in the filename. */
- if (preg_match('/deleted/i', $file))
+ if (stristr($file, "deleted"))
continue;
/* Read the file contents into an array, skipping */
@@ -953,7 +953,7 @@ function snort_load_rules_map($rules_path) {
foreach ($rules_array as $rule) {
/* Skip any lines that may be just spaces. */
- if (trim($rule) == "")
+ if (trim($rule, " \n") == "")
continue;
/* Skip any non-rule lines unless we're in */
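Review bot: `trim($rule, " \n")` on L53 narrows the stripped set from PHP's default (space, tab, `\n`, `\r`, NUL, vertical tab) to space and newline, so a line consisting only of tabs, or a bare `\r\n` from a CRLF-encoded rules file, is no longer treated as blank and falls through to the non-rule handling below. If the intent is only to skip whitespace-only lines, `if (trim($rule) === "")` keeps the previous behaviour and makes the comparison strict at the same time. snort_load_rules_map continues outside the hunk.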
@@ -1077,22 +1077,32 @@ function snort_get_checked_flowbits(&$rules_map) {
/*************************************************************/
$checked_flowbits = array();
- foreach (array_keys($rules_map) as $k1) {
- foreach (array_keys($rules_map[$k1]) as $k2) {
- if ($rules_map[$k1][$k2]['disabled'] == 1)
+ foreach ($rules_map as $rulem) {
+ if (!is_array($rulem))
+ continue;
+ foreach ($rulem as $rulem2) {
+ if (!is_array($rulem2))
+ continue;
+ if ($rulem2['disabled'] == 1)
+ continue;
+ if (empty($rulem2['flowbits']))
continue;
- if (empty($rules_map[$k1][$k2]['flowbits']))
+ if (!is_array($rulem2['flowbits']))
continue;
- foreach (array_values($rules_map[$k1][$k2]['flowbits']) as $flowbit) {
+ foreach ($rulem2['flowbits'] as $flowbit) {
+ if (empty($flowbit))
+ continue;
$action = substr($flowbit, 0, strpos($flowbit, ","));
if (preg_match('/is(not)?set/i', $action)) {
$tmp = substr($flowbit, strpos($flowbit, ",") +1 );
- if (!in_array($tmp, $checked_flowbits))
+ if (!empty($tmp) && !in_array($tmp, $checked_flowbits))
$checked_flowbits[] = $tmp;
}
}
}
}
+ unset($rulem, $rulem2);
+
return $checked_flowbits;
}
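Review bot: `in_array($tmp, $checked_flowbits)` on L83 compares loosely, so two distinct numeric-looking flowbit names that PHP considers equal (for example `1e3` and `1000`) would collapse into one entry; `in_array($tmp, $checked_flowbits, true)` avoids that. The `unset($rulem, $rulem2)` on L89 has no effect: both are by-value loop locals, not references, and they are discarded when the function returns. The same two points apply to L118 and L124 in snort_get_set_flowbits. snort_get_checked_flowbits begins outside the hunk.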
@@ -1105,22 +1115,30 @@ function snort_get_set_flowbits(&$rules_map) {
/*********************************************************/
$set_flowbits = array();
- foreach (array_keys($rules_map) as $k1) {
- foreach (array_keys($rules_map[$k1]) as $k2) {
- if ($rules_map[$k1][$k2]['disabled'] == 1)
+ foreach ($rules_map as $rulem) {
+ if (!is_array($rulem))
+ continue;
+ foreach ($rulem as $rulem2) {
+ if ($rulem2['disabled'] == 1)
+ continue;
+ if (empty($rulem2['flowbits']))
continue;
- if (empty($rules_map[$k1][$k2]['flowbits']))
+ if (!is_array($rulem2['flowbits']))
continue;
- foreach (array_values($rules_map[$k1][$k2]['flowbits']) as $flowbit) {
+ foreach ($rulem2['flowbits'] as $flowbit) {
+ if (empty($flowbit))
+ continue;
$action = substr($flowbit, 0, strpos($flowbit, ","));
if (preg_match('/^set/i', $action)) {
$tmp = substr($flowbit, strpos($flowbit, ",") +1 );
- if (!in_array($tmp, $set_flowbits))
+ if (!empty($tmp) && !in_array($tmp, $set_flowbits))
$set_flowbits[] = $tmp;
}
}
}
}
+ unset($rulem, $rulem2);
+
return $set_flowbits;
}
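Review bot: The inner loop on L102-L104 lacks the `if (!is_array($rulem2)) continue;` guard that the parallel loop in snort_get_checked_flowbits gained on L66-L67, so a non-array entry under a GID reaches `$rulem2['disabled']` and is indexed as a string or null. Since the two functions are otherwise written identically, the guard should be added here directly after L102 as well. snort_get_set_flowbits begins outside the hunk.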
@@ -1134,27 +1152,39 @@ function snort_find_flowbit_required_rules(&$all_rules, &$unchecked_flowbits) {
/********************************************************/
$required_flowbits_rules = array();
- foreach (array_keys($all_rules) as $k1) {
- foreach (array_keys($all_rules[$k1]) as $k2) {
- if (empty($all_rules[$k1][$k2]['flowbits']))
+ foreach ($all_rules as $k1 => $rule) {
+ if (!is_array($rule))
+ continue;
+ foreach ($rule as $k2 => $rule2) {
+ if (empty($rule2['flowbits']))
continue;
- foreach (array_values($all_rules[$k1][$k2]['flowbits']) as $flowbit) {
+ if (!is_array($rule2['flowbits']))
+ continue;
+ foreach ($rule2['flowbits'] as $flowbit) {
+ if (empty($flowbit))
+ continue;
$action = substr($flowbit, 0, strpos($flowbit, ","));
- if (preg_match('/^set/i', $action)) {
+ if (!strcasecmp(substr($action, 0, 3), "set")) {
$tmp = substr($flowbit, strpos($flowbit, ",") +1 );
- if (in_array($tmp, $unchecked_flowbits)) {
- $required_flowbits_rules[$k1][$k2]['category'] = $all_rules[$k1][$k2]['category'];
- if ($all_rules[$k1][$k2]['disabled'] == 0)
+ if (!empty($tmp) && in_array($tmp, $unchecked_flowbits)) {
+ if (!is_array($required_flowbits_rules[$k1]))
+ $required_flowbits_rules[$k1] = array();
+ if (!is_array($required_flowbits_rules[$k1][$k2]))
+ $required_flowbits_rules[$k1][$k2] = array();
+ $required_flowbits_rules[$k1][$k2]['category'] = $rule2['category'];
+ if ($rule2['disabled'] == 0)
/* If not disabled, just return the rule text "as is" */
- $required_flowbits_rules[$k1][$k2]['rule'] = ltrim($all_rules[$k1][$k2]['rule']);
+ $required_flowbits_rules[$k1][$k2]['rule'] = ltrim($rule2['rule']);
else
/* If rule is disabled, remove leading '#' to enable it */
- $required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($all_rules[$k1][$k2]['rule'], strpos($all_rules[$k1][$k2]['rule'], "#") + 1));
+ $required_flowbits_rules[$k1][$k2]['rule'] = ltrim(substr($rule2['rule'], strpos($rule2['rule'], "#") + 1));
}
}
}
}
}
+ unset($rule, $rule2);
+
return $required_flowbits_rules;
}
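Review bot: `is_array($required_flowbits_rules[$k1])` on L154 and L156 reads an index that does not exist yet on the first hit for that GID/SID, which raises an undefined-index notice every time a required rule is found; PHP auto-vivifies nested arrays on assignment, so the four initialisation lines can be dropped, or written as `if (!isset($required_flowbits_rules[$k1][$k2]))` if an explicit init is wanted. The same pattern is introduced at L221-L224 and L308-L311; at L221-L224 the freshly initialised element is also immediately overwritten by the whole-array assignment on L225, so the init there is doubly redundant. snort_find_flowbit_required_rules begins outside the hunk.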
@@ -1227,18 +1257,22 @@ function snort_write_flowbit_rules_file(&$flowbit_rules, $rule_file) {
if (is_dir($rule_file))
$rule_file = rtrim($rule_file, '/').'/flowbit-required.rules';
- file_put_contents($rule_file, "# These rules set flowbits checked by your other enabled rules. If the\n");
- file_put_contents($rule_file, "# the dependent flowbits are not set, then some of your chosen rules may\n", FILE_APPEND);
- file_put_contents($rule_file, "# not fire. Enabling all rules that set these dependent flowbits ensures\n", FILE_APPEND);
- file_put_contents($rule_file, "# your chosen rules fire as intended.\n#\n", FILE_APPEND);
- file_put_contents($rule_file, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n", FILE_APPEND);
- file_put_contents($rule_file, "# of the rule to the Suppression List for the interface.\n", FILE_APPEND);
- foreach (array_keys($flowbit_rules) as $k1) {
- foreach (array_keys($flowbit_rules[$k1]) as $k2) {
- file_put_contents($rule_file, "\n# Category: " . $flowbit_rules[$k1][$k2]['category'], FILE_APPEND);
- file_put_contents($rule_file, " GID:" . $k1 . " SID:" . $k2 . "\n", FILE_APPEND);
- file_put_contents($rule_file, $flowbit_rules[$k1][$k2]['rule'], FILE_APPEND);
+ $fp = fopen($rule_file, "w");
+ if ($fp) {
+ @fwrite($fp, "# These rules set flowbits checked by your other enabled rules. If the\n");
+ @fwrite($fp, "# the dependent flowbits are not set, then some of your chosen rules may\n");
+ @fwrite($fp, "# not fire. Enabling all rules that set these dependent flowbits ensures\n");
+ @fwrite($fp, "# your chosen rules fire as intended.\n#\n");
+ @fwrite($fp, "# If you wish to prevent alerts from any of these rules, add the GID:SID\n");
+ @fwrite($fp, "# of the rule to the Suppression List for the interface.\n");
+ foreach ($flowbit_rules as $k1 => $rule) {
+ foreach ($rule as $k2 => $rule2) {
+ @fwrite($fp, "\n# Category: " . $rule2['category']);
+ @fwrite($fp, " GID:" . $k1 . " SID:" . $k2 . "\n");
+ @fwrite($fp, $rule2['rule']);
+ }
}
+ fclose($fp);
}
}
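Review bot: A failed `fopen` on L190 now makes the function return silently with no file written, and every `@fwrite` on L192-L202 discards its return value, so a full partition or a permission problem yields an empty or truncated flowbit-required.rules that Snort will load without complaint, and the rules the file exists to enforce are simply absent. The `if ($fp)` branch needs an `else` that logs the failure with `$rule_file`, and the `@` on the writes should go so that a short write is at least reported; testing `fwrite(...) === false` once inside the loop is enough to detect it. The same structure is introduced in snort_write_enforcing_rules_file at L252-L266. Both functions begin outside their hunks.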
@@ -1266,22 +1300,26 @@ function snort_load_vrt_policy($policy) {
/* Now walk the rules list and find all those */
/* that are defined as active for the chosen */
/* security policy. */
- foreach (array_keys($all_rules_map) as $k1) {
- foreach (array_keys($all_rules_map[$k1]) as $k2) {
- if (preg_match($policy_pcre, $all_rules_map[$k1][$k2]['rule'])) {
- if (!preg_match('/flowbits\s*:\s*noalert/i', $all_rules_map[$k1][$k2]['rule'])) {
- $vrt_policy_rules[$k1][$k2] = $all_rules_map[$k1][$k2];
+ foreach ($all_rules_map as $k1 => $arulem) {
+ foreach ($arulem as $k2 => $arulem2) {
+ if (preg_match($policy_pcre, $arulem2['rule'])) {
+ if (!preg_match('/flowbits\s*:\s*noalert/i', $arulem2['rule'])) {
+ if (!is_array($vrt_policy_rules[$k1]))
+ $vrt_policy_rules[$k1] = array();
+ if (!is_array($vrt_policy_rules[$k1][$k2]))
+ $vrt_policy_rules[$k1][$k2] = array();
+ $vrt_policy_rules[$k1][$k2] = $arulem2;
/* Enable the policy rule if disabled */
- if ($all_rules_map[$k1][$k2]['disabled'] == 1)
- $vrt_policy_rules[$k1][$k2]['rule'] = ltrim(substr($all_rules_map[$k1][$k2]['rule'], strpos($all_rules_map[$k1][$k2]['rule'], "#") + 1));
+ if ($arulem2['disabled'] == 1)
+ $vrt_policy_rules[$k1][$k2]['rule'] = ltrim(substr($arulem2['rule'], strpos($arulem2['rule'], "#") + 1));
}
}
}
}
/* Release memory we no longer need. */
- unset($all_rules_map);
+ unset($all_rules_map, $arulem, $arulem2);
/* Return all the rules that match the policy. */
return $vrt_policy_rules;
@@ -1307,16 +1345,20 @@ function snort_write_enforcing_rules_file(&$rule_map, $rule_path) {
else
$rule_file = $rule_path;
- file_put_contents($rule_file, "# These rules are your current set of enforced rules for the protected\n");
- file_put_contents($rule_file, "# interface. This list was compiled from the categories selected on the\n", FILE_APPEND);
- file_put_contents($rule_file, "# CATEGORIES tab of the Snort configuration for the interface and/or any\n", FILE_APPEND);
- file_put_contents($rule_file, "# chosen Snort VRT pre-defined IPS Policy.\n#\n", FILE_APPEND);
- file_put_contents($rule_file, "# Any enablesid or disablesid customizations you made have been applied\n", FILE_APPEND);
- file_put_contents($rule_file, "# to the rules in this file.\n\n", FILE_APPEND);
- foreach (array_keys($rule_map) as $k1) {
- foreach (array_keys($rule_map[$k1]) as $k2) {
- file_put_contents($rule_file, $rule_map[$k1][$k2]['rule'], FILE_APPEND);
+ $fp = fopen($rule_file, "w");
+ if ($fp) {
+ @fwrite($fp, "# These rules are your current set of enforced rules for the protected\n");
+ @fwrite($fp, "# interface. This list was compiled from the categories selected on the\n");
+ @fwrite($fp, "# CATEGORIES tab of the Snort configuration for the interface and/or any\n");
+ @fwrite($fp, "# chosen Snort VRT pre-defined IPS Policy.\n#\n");
+ @fwrite($fp, "# Any enablesid or disablesid customizations you made have been applied\n");
+ @fwrite($fp, "# to the rules in this file.\n\n");
+ foreach ($rule_map as $rulem) {
+ foreach ($rulem as $rulem2) {
+ @fwrite($fp, $rulem2['rule']);
+ }
}
+ fclose($fp);
}
}
@@ -1365,18 +1407,22 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
/* Turn on any rules that need to be */
/* forced "on" with enablesid mods. */
if (!empty($enablesid)) {
- foreach ($enablesid as $k2 => $v) {
- if ($rule_map[1][$k2]['disabled'] == 1)
- $rule_map[1][$k2]['rule'] = ltrim(substr($rule_map[1][$k2]['rule'], strpos($rule_map[1][$k2]['rule'], "#") + 1));
+ foreach ($rule_map as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if (in_array($k2, $enablesid) && $v['disabled'] == 1)
+ $rule_map[$k1][$k2]['rule'] = ltrim(substr($v['rule'], strpos($v['rule'], "#") + 1));
+ }
}
}
/* Turn off any rules that need to be */
/* forced "off" with disablesid mods. */
if (!empty($disablesid)) {
- foreach ($disablesid as $k2 => $v) {
- if ($rule_map[1][$k2]['disabled'] == 0)
- $rule_map[1][$k2]['rule'] = "# " . $rule_map[1][$k2]['rule'];
+ foreach ($rule_map as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ if (in_array($k2, $disablesid) && $v['disabled'] == 0)
+ $rule_map[$k1][$k2]['rule'] = "# " . $v['rule'];
+ }
}
}
}
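Review bot: `in_array($k2, $enablesid)` on L277 tests the SID against the values of `$enablesid`, whereas the code it replaces (L272-L273) iterated `$enablesid` with `$k2` as its key; unless `$enablesid` is built as a plain list of SIDs (its construction is above the hunk), the lookup never matches and the enablesid/disablesid customisations silently stop applying. If it is keyed by SID, `isset($enablesid[$k2])` is the equivalent test and is O(1) instead of a linear scan for every rule; if it is a list, pass `true` as the third argument so a numeric SID key is not loosely compared against unrelated strings. The same applies to L290 for `$disablesid`. snort_modify_sids begins outside the hunk.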
@@ -2107,12 +2153,16 @@ EOD;
/* add all the VRT policy rules to our enforcing rule set. */
if (!empty($snortcfg['ips_policy'])) {
$policy_rules = snort_load_vrt_policy($snortcfg['ips_policy']);
- foreach (array_keys($policy_rules) as $k1) {
- foreach (array_keys($policy_rules[$k1]) as $k2) {
- $enabled_rules[$k1][$k2]['rule'] = $policy_rules[$k1][$k2]['rule'];
- $enabled_rules[$k1][$k2]['category'] = $policy_rules[$k1][$k2]['category'];
- $enabled_rules[$k1][$k2]['disabled'] = $policy_rules[$k1][$k2]['disabled'];
- $enabled_rules[$k1][$k2]['flowbits'] = $policy_rules[$k1][$k2]['flowbits'];
+ foreach ($policy_rules as $k1 => $policy) {
+ foreach ($policy as $k2 => $p) {
+ if (!is_array($enabled_rules[$k1]))
+ $enabled_rules[$k1] = array();
+ if (!is_array($enabled_rules[$k1][$k2]))
+ $enabled_rules[$k1][$k2] = array();
+ $enabled_rules[$k1][$k2]['rule'] = $p['rule'];
+ $enabled_rules[$k1][$k2]['category'] = $p['category'];
+ $enabled_rules[$k1][$k2]['disabled'] = $p['disabled'];
+ $enabled_rules[$k1][$k2]['flowbits'] = $p['flowbits'];
}
}
unset($policy_rules);