diff options
-rw-r--r-- | config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 | 1 | ||||
-rw-r--r-- | config/snort-dev/snort.xml | 199 | ||||
-rw-r--r-- | config/snort-dev/snort_alerts.php | 630 | ||||
-rw-r--r-- | config/snort-dev/snort_blocked.php | 445 | ||||
-rw-r--r-- | config/snort-dev/snort_download_rules.php | 1211 | ||||
-rw-r--r-- | config/snort-dev/snort_rules_edit.php | 243 | ||||
-rw-r--r-- | config/snort-dev/snort_rulesets.php | 307 | ||||
-rw-r--r-- | config/snort-old/bin/barnyard2 (renamed from config/snort-dev/bin/barnyard2) | bin | 641791 -> 641791 bytes | |||
-rw-r--r-- | config/snort-old/bin/oinkmaster_contrib/README.contrib (renamed from config/snort-dev/bin/oinkmaster_contrib/README.contrib) | 0 | ||||
-rw-r--r-- | config/snort-old/bin/oinkmaster_contrib/addmsg.pl (renamed from config/snort-dev/bin/oinkmaster_contrib/addmsg.pl) | 0 | ||||
-rw-r--r-- | config/snort-old/bin/oinkmaster_contrib/addsid.pl (renamed from config/snort-dev/bin/oinkmaster_contrib/addsid.pl) | 0 | ||||
-rw-r--r-- | config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl (renamed from config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl) | 0 | ||||
-rw-r--r-- | config/snort-old/bin/oinkmaster_contrib/makesidex.pl (renamed from config/snort-dev/bin/oinkmaster_contrib/makesidex.pl) | 0 | ||||
-rw-r--r-- | config/snort-old/bin/oinkmaster_contrib/oinkgui.pl (renamed from config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl) | 0 | ||||
-rw-r--r-- | config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl (renamed from config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl) | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/snort-old/bin/snort2c (renamed from config/snort-dev/bin/snort2c) | bin | 13508 -> 13508 bytes | |||
-rw-r--r-- | config/snort-old/pfsense_rules/local.rules (renamed from config/snort-dev/pfsense_rules/local.rules) | 0 | ||||
-rw-r--r-- | config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 | 1 | ||||
-rw-r--r-- | config/snort-old/pfsense_rules/rules/pfsense-voip.rules (renamed from config/snort-dev/pfsense_rules/rules/pfsense-voip.rules) | 0 | ||||
-rwxr-xr-x[-rw-r--r--] | config/snort-old/snort.inc (renamed from config/snort-dev/snort.inc) | 2042 | ||||
-rw-r--r-- | config/snort-old/snort.xml | 378 | ||||
-rw-r--r-- | config/snort-old/snort_advanced.xml (renamed from config/snort/snort_advanced.xml) | 0 | ||||
-rw-r--r-- | config/snort-old/snort_alerts.php | 124 | ||||
-rw-r--r-- | config/snort-old/snort_blocked.php | 174 | ||||
-rw-r--r-- | config/snort-old/snort_check_for_rule_updates.php (renamed from config/snort-dev/snort_check_for_rule_updates.php) | 529 | ||||
-rw-r--r-- | config/snort-old/snort_define_servers.xml (renamed from config/snort/snort_define_servers.xml) | 0 | ||||
-rw-r--r-- | config/snort-old/snort_download_rules.php | 790 | ||||
-rw-r--r-- | config/snort-old/snort_dynamic_ip_reload.php (renamed from config/snort-dev/snort_dynamic_ip_reload.php) | 27 | ||||
-rw-r--r-- | config/snort-old/snort_rules.php (renamed from config/snort-dev/snort_rules.php) | 331 | ||||
-rw-r--r-- | config/snort-old/snort_rules_edit.php | 207 | ||||
-rw-r--r-- | config/snort-old/snort_rulesets.php | 230 | ||||
-rw-r--r-- | config/snort-old/snort_threshold.xml (renamed from config/snort/snort_threshold.xml) | 0 | ||||
-rw-r--r-- | config/snort-old/snort_whitelist.xml (renamed from config/snort-dev/snort_whitelist.xml) | 44 | ||||
-rw-r--r-- | config/snort-old/snort_xmlrpc_sync.php (renamed from config/snort/snort_xmlrpc_sync.php) | 0 | ||||
-rw-r--r-- | config/snort/NOTES.txt (renamed from config/snort-dev/NOTES.txt) | 0 | ||||
-rw-r--r-- | config/snort/bin/7.2.x86/barnyard2 (renamed from config/snort-dev/bin/7.2.x86/barnyard2) | bin | 715041 -> 715041 bytes | |||
-rwxr-xr-x | config/snort/bin/8.0.x86/barnyard2 (renamed from config/snort-dev/bin/8.0.x86/barnyard2) | bin | 849388 -> 849388 bytes | |||
-rw-r--r-- | config/snort/bin/8.0.x86/md5_files (renamed from config/snort-dev/bin/8.0.x86/md5_files) | 0 | ||||
-rw-r--r-- | config/snort/bin/8.0.x86/md5_files~ (renamed from config/snort-dev/bin/8.0.x86/md5_files~) | 0 | ||||
-rw-r--r-- | config/snort/bin/oinkmaster_contrib/snort_rename.pl (renamed from config/snort-dev/bin/oinkmaster_contrib/snort_rename.pl) | 0 | ||||
-rw-r--r--[-rwxr-xr-x] | config/snort/bin/snort2c | bin | 13508 -> 13508 bytes | |||
-rw-r--r-- | config/snort/css/style.css (renamed from config/snort-dev/css/style.css) | 0 | ||||
-rw-r--r-- | config/snort/css/style2.css (renamed from config/snort-dev/css/style2.css) | 0 | ||||
-rw-r--r-- | config/snort/help_and_info.php (renamed from config/snort-dev/help_and_info.php) | 0 | ||||
-rw-r--r-- | config/snort/images/alert.jpg (renamed from config/snort-dev/images/alert.jpg) | bin | 13730 -> 13730 bytes | |||
-rw-r--r-- | config/snort/images/down.gif (renamed from config/snort-dev/images/down.gif) | bin | 54 -> 54 bytes | |||
-rw-r--r-- | config/snort/images/down2.gif (renamed from config/snort-dev/images/down2.gif) | bin | 60 -> 60 bytes | |||
-rw-r--r-- | config/snort/images/footer.jpg (renamed from config/snort-dev/images/footer.jpg) | bin | 57411 -> 57411 bytes | |||
-rw-r--r-- | config/snort/images/footer2.jpg (renamed from config/snort-dev/images/footer2.jpg) | bin | 31878 -> 31878 bytes | |||
-rw-r--r-- | config/snort/images/icon-table-sort-asc.png (renamed from config/snort-dev/images/icon-table-sort-asc.png) | bin | 2906 -> 2906 bytes | |||
-rw-r--r-- | config/snort/images/icon-table-sort-desc.png (renamed from config/snort-dev/images/icon-table-sort-desc.png) | bin | 2913 -> 2913 bytes | |||
-rw-r--r-- | config/snort/images/icon-table-sort.png (renamed from config/snort-dev/images/icon-table-sort.png) | bin | 3025 -> 3025 bytes | |||
-rw-r--r-- | config/snort/images/icon_excli.png (renamed from config/snort-dev/images/icon_excli.png) | bin | 5280 -> 5280 bytes | |||
-rw-r--r-- | config/snort/images/logo.jpg (renamed from config/snort-dev/images/logo.jpg) | bin | 74306 -> 74306 bytes | |||
-rw-r--r-- | config/snort/images/up.gif (renamed from config/snort-dev/images/up.gif) | bin | 54 -> 54 bytes | |||
-rw-r--r-- | config/snort/images/up2.gif (renamed from config/snort-dev/images/up2.gif) | bin | 60 -> 60 bytes | |||
-rw-r--r-- | config/snort/javascript/jquery-1.3.2.js (renamed from config/snort-dev/javascript/jquery-1.3.2.js) | 0 | ||||
-rw-r--r-- | config/snort/javascript/jquery.blockUI.js (renamed from config/snort-dev/javascript/jquery.blockUI.js) | 0 | ||||
-rw-r--r-- | config/snort/javascript/mootools.js (renamed from config/snort-dev/javascript/mootools.js) | 0 | ||||
-rw-r--r-- | config/snort/javascript/sortableTable.js (renamed from config/snort-dev/javascript/sortableTable.js) | 0 | ||||
-rw-r--r-- | config/snort/javascript/tabs.js (renamed from config/snort-dev/javascript/tabs.js) | 0 | ||||
-rw-r--r-- | config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | config/snort/snort.inc | 2045 | ||||
-rw-r--r-- | config/snort/snort.sh (renamed from config/snort-dev/snort.sh) | 0 | ||||
-rw-r--r-- | config/snort/snort.xml | 333 | ||||
-rw-r--r-- | config/snort/snort_alerts.php | 624 | ||||
-rw-r--r-- | config/snort/snort_barnyard.php (renamed from config/snort-dev/snort_barnyard.php) | 4 | ||||
-rw-r--r-- | config/snort/snort_blocked.php | 453 | ||||
-rw-r--r-- | config/snort/snort_check_for_rule_updates.php | 529 | ||||
-rw-r--r-- | config/snort/snort_define_servers.php (renamed from config/snort-dev/snort_define_servers.php) | 7 | ||||
-rw-r--r-- | config/snort/snort_download_rules.php | 1221 | ||||
-rw-r--r-- | config/snort/snort_dynamic_ip_reload.php | 27 | ||||
-rw-r--r-- | config/snort/snort_fbegin.inc (renamed from config/snort-dev/snort_fbegin.inc) | 0 | ||||
-rw-r--r-- | config/snort/snort_gui.inc (renamed from config/snort-dev/snort_gui.inc) | 0 | ||||
-rw-r--r-- | config/snort/snort_help_info.php (renamed from config/snort-dev/snort_help_info.php) | 0 | ||||
-rw-r--r-- | config/snort/snort_interfaces.php (renamed from config/snort-dev/snort_interfaces.php) | 25 | ||||
-rw-r--r-- | config/snort/snort_interfaces_edit.php (renamed from config/snort-dev/snort_interfaces_edit.php) | 18 | ||||
-rw-r--r-- | config/snort/snort_interfaces_edit_bkup.php | 609 | ||||
-rw-r--r-- | config/snort/snort_interfaces_global.php (renamed from config/snort-dev/snort_interfaces_global.php) | 0 | ||||
-rw-r--r-- | config/snort/snort_preprocessors.php (renamed from config/snort-dev/snort_preprocessors.php) | 8 | ||||
-rw-r--r-- | config/snort/snort_rules.php | 331 | ||||
-rw-r--r-- | config/snort/snort_rules_edit.php | 366 | ||||
-rw-r--r-- | config/snort/snort_rulesets.php | 207 | ||||
-rw-r--r-- | config/snort/snort_whitelist.xml | 44 | ||||
-rwxr-xr-x | pkg_config.7.xml | 22 | ||||
-rwxr-xr-x | pkg_config.8.xml | 29 |
86 files changed, 7707 insertions, 7110 deletions
diff --git a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 deleted file mode 100644 index 0aede4a0..00000000 --- a/config/snort-dev/pfsense_rules/pfsense_rules.tar.gz.md5 +++ /dev/null @@ -1 +0,0 @@ -102
\ No newline at end of file diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml deleted file mode 100644 index 37ce9967..00000000 --- a/config/snort-dev/snort.xml +++ /dev/null @@ -1,199 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfsense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>Snort</name> - <version>2.8.5.3</version> - <title>Services: Snort 2.8.5.2 pkg v. 1.18</title> - <include_file>/usr/local/pkg/snort/snort.inc</include_file> - <menu> - <name>Snort</name> - <tooltiptext>Setup snort specific settings</tooltiptext> - <section>Services</section> - <url>/snort/snort_interfaces.php</url> - </menu> - <service> - <name>snort</name> - <rcfile></rcfile> - <executable>snort</executable> - <description>Snort is the most widely deployed IDS/IPS technology worldwide.</description> - </service> - <tabs> - </tabs> - <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_fbegin.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/bin/oinkmaster_contrib/snort_rename.pl</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_gui.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/pf/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_dynamic_ip_reload.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_whitelist.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_alerts.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_barnyard.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_blocked.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_define_servers.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_download_rules.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_check_for_rule_updates.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_help_info.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/help_and_info.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces_edit.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_interfaces_global.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_rules.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_rules_edit.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_rulesets.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/snort/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort_preprocessors.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/etc/rc.d/</prefix> - <chmod>755</chmod> - <item>http://www.pfsense.com/packages/config/snort-dev/snort.sh</item> - </additional_files_needed> - <fields> - </fields> - <custom_add_php_command> - </custom_add_php_command> - <custom_php_resync_config_command> - sync_snort_package(); - </custom_php_resync_config_command> - <custom_php_install_command> - snort_postinstall(); - </custom_php_install_command> - <custom_php_deinstall_command> - snort_deinstall(); - </custom_php_deinstall_command> -</packagegui> diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php deleted file mode 100644 index 4f0ddb03..00000000 --- a/config/snort-dev/snort_alerts.php +++ /dev/null @@ -1,630 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_alerts.php - part of pfSense - - Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. - Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Modified for the Pfsense snort package v. 1.8+ - Copyright (C) 2009 Robert Zelaya Sr. Developer - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require_once("globals.inc"); -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; -$snort_logfile = '/var/log/snort/alert'; - -$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; -$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; - -if ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0') -{ - $anentries = '250'; -}else{ - $anentries = $pconfig['alertnumber']; -} - -if ($_POST['save']) -{ - - //unset($input_errors); - //$pconfig = $_POST; - - /* input validation */ - if ($_POST['save']) - { - - // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { - // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; - // } - - } - - /* no errors */ - if (!$input_errors) - { - - $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? on : off; - $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; - - conf_mount_rw(); - write_config(); - //conf_mount_ro(); - sleep(2); - - header("Location: /snort/snort_alerts.php"); - - } - -} - - -if ($_POST['delete']) -{ - - exec("killall syslogd"); - conf_mount_rw(); - if(file_exists("/var/log/snort/alert")) - { - exec('/bin/rm /var/log/snort/*'); - exec('/usr/bin/touch /var/log/snort/alert'); - } - conf_mount_ro(); - system_syslogd_start(); - //exec("/usr/bin/killall -HUP snort"); - -} - -if ($_POST['download']) -{ - - ob_start(); //importanr or other post will fail - $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_logs_{$save_date}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort"); - - if(file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) - { - $file = "/tmp/snort_logs_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz"); - od_end_clean(); //importanr or other post will fail - }else{ - echo 'Error no saved file.'; - } - -} - - -/* WARNING: took me forever to figure reg expression, dont lose */ -// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; - -function get_snort_alert_date($fileline) -{ - /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ - if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) - { - $alert_date = "$matches1[0]"; - } - -return $alert_date; - -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - { - $alert_disc = "$matches[2]"; - } - -return $alert_disc; - -} - -function get_snort_alert_class($fileline) -{ - /* class */ - if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) - { - $alert_class = "$matches2[0]"; - } - -return $alert_class; - -} - -function get_snort_alert_priority($fileline) -{ - /* Priority */ - if (preg_match('/Priority:\s\d/', $fileline, $matches3)) - { - $alert_priority = "$matches3[0]"; - } - -return $alert_priority; - -} - -function get_snort_alert_proto($fileline) -{ - /* Priority */ - if (preg_match('/\{.+\}/', $fileline, $matches3)) - { - $alert_proto = "$matches3[0]"; - } - -return $alert_proto; - -} - -function get_snort_alert_proto_full($fileline) -{ - /* Protocal full */ - if (preg_match('/.+\sTTL/', $fileline, $matches2)) - { - $alert_proto_full = "$matches2[0]"; - } - -return $alert_proto_full; - -} - -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - { - $alert_ip_src = $matches4[1][0]; - } - -return $alert_ip_src; - -} - -function get_snort_alert_src_p($fileline) -{ - /* source port */ - if (preg_match('/:\d+\s-/', $fileline, $matches5)) - { - $alert_src_p = "$matches5[0]"; - } - -return $alert_src_p; - -} - -function get_snort_alert_flow($fileline) -{ - /* source port */ - if (preg_match('/(->|<-)/', $fileline, $matches5)) - { - $alert_flow = "$matches5[0]"; - } - -return $alert_flow; - -} - -function get_snort_alert_ip_dst($fileline) -{ - /* DST IP */ - $re1dp='.*?'; # Non-greedy match on filler - $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress - $re3dp='.*?'; # Non-greedy match on filler - $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) - { - $alert_ip_dst = $matches6[1][0]; - } - -return $alert_ip_dst; - -} - -function get_snort_alert_dst_p($fileline) -{ - /* dst port */ - if (preg_match('/:\d+$/', $fileline, $matches7)) - { - $alert_dst_p = "$matches7[0]"; - } - -return $alert_dst_p; - -} - -function get_snort_alert_dst_p_full($fileline) -{ - /* dst port full */ - if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) - { - $alert_dst_p = "$matches7[0]"; - } - -return $alert_dst_p; - -} - -function get_snort_alert_sid($fileline) -{ - /* SID */ - if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) - { - $alert_sid = "$matches8[0]"; - } - -return $alert_sid; - -} - -// - -$pgtitle = "Services: Snort: Snort Alerts"; -include("head.inc"); - -?> - -<link rel="stylesheet" href="/snort/css/style.css" type="text/css" media="all"> -<script type="text/javascript" src="/snort/javascript/mootools.js"></script> -<script type="text/javascript" src="/snort/javascript/sortableTable.js"></script> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php - -include("./snort_fbegin.inc"); - -echo "<p class=\"pgtitle\">"; -if($pfsense_stable == 'yes'){echo $pgtitle;} -echo "</p>\n"; - -/* refresh every 60 secs */ -if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') -{ - echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n"; -} -?> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", true, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); -?> -</td> -</tr> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0"> - <tr> - <td width="22%" colspan="0" class="listtopic"> - Last <?=$anentries;?> Alert Entries. - </td> - <td width="78%" class="listtopic"> - Latest Alert Entries Are Listed First. - </td> - </tr> - <tr> - <td width="22%" class="vncell">Save or Remove Logs</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_alerts.php" method="post"> - <input name="download" type="submit" class="formbtn" value="Download"> - All log files will be saved. - <input name="delete" type="submit" class="formbtn" value="Clear"> - <span class="red"><strong>Warning:</strong></span> all log files will be deleted. - </form> - </td> - </tr> - <tr> - <td width="22%" class="vncell">Auto Refresh and Log View</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_alerts.php" method="post"> - <input name="save" type="submit" class="formbtn" value="Save"> - Refresh - <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> - <strong>Default</strong> is <strong>ON</strong>. - <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> - Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>. - </form> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <td width="100%"> - <br> - <div class="tableFilter"> - <form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">Filter: - <select id="column"> - <option value="1">PRIORITY</option> - <option value="2">PROTO</option> - <option value="3">DESCRIPTION</option> - <option value="4">CLASS</option> - <option value="5">SRC</option> - <option value="6">SRC PORT</option> - <option value="7">FLOW</option> - <option value="8">DST</option> - <option value="9">DST PORT</option> - <option value="10">SID</option> - <option value="11">Date</option> - </select> - <input type="text" id="keyword" /> - <input type="submit" value="Submit" /> - <input type="reset" value="Clear" /> - </form> - </div> -<table class="allRow" id="myTable" width="100%" border="2" cellpadding="1" cellspacing="1"> - <thead> - <th axis="number">#</th> - <th axis="string">PRI</th> - <th axis="string">PROTO</th> - <th axis="string">DESCRIPTION</th> - <th axis="string">CLASS</th> - <th axis="string">SRC</th> - <th axis="string">SPORT</th> - <th axis="string">FLOW</th> - <th axis="string">DST</th> - <th axis="string">DPORT</th> - <th axis="string">SID</th> - <th axis="date">Date</th> - </thead> - <tbody> -<?php - - /* make sure alert file exists */ - if(!file_exists('/var/log/snort/alert')) - { - conf_mount_rw(); - exec('/usr/bin/touch /var/log/snort/alert'); - conf_mount_ro(); - } - - $logent = $anentries; - - /* detect the alert file type */ - if ($snortalertlogt == 'full') - { - $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); - }else{ - $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert')))); - } - - - -if (is_array($alerts_array)) -{ - - $counter = 0; - foreach($alerts_array as $fileline) - { - - if($logent <= $counter) - continue; - - $counter++; - - /* Date */ - $alert_date_str = get_snort_alert_date($fileline); - - if($alert_date_str != '') - { - $alert_date = $alert_date_str; - }else{ - $alert_date = 'empty'; - } - - /* Discription */ - $alert_disc_str = get_snort_alert_disc($fileline); - - if($alert_disc_str != '') - { - $alert_disc = $alert_disc_str; - }else{ - $alert_disc = 'empty'; - } - - /* Classification */ - $alert_class_str = get_snort_alert_class($fileline); - - if($alert_class_str != '') - { - - $alert_class_match = array('[Classification:',']'); - $alert_class = str_replace($alert_class_match, '', "$alert_class_str"); - }else{ - $alert_class = 'Prep'; - } - - /* Priority */ - $alert_priority_str = get_snort_alert_priority($fileline); - - if($alert_priority_str != '') - { - $alert_priority_match = array('Priority: ',']'); - $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str"); - }else{ - $alert_priority = 'empty'; - } - - /* Protocol */ - /* Detect alert file type */ - if ($snortalertlogt == 'full') - { - $alert_proto_str = get_snort_alert_proto_full($fileline); - }else{ - $alert_proto_str = get_snort_alert_proto($fileline); - } - - if($alert_proto_str != '') - { - $alert_proto_match = array(" TTL",'{','}'); - $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str"); - }else{ - $alert_proto = 'empty'; - } - - /* IP SRC */ - $alert_ip_src_str = get_snort_alert_ip_src($fileline); - - if($alert_ip_src_str != '') - { - $alert_ip_src = $alert_ip_src_str; - }else{ - $alert_ip_src = 'empty'; - } - - /* IP SRC Port */ - $alert_src_p_str = get_snort_alert_src_p($fileline); - - if($alert_src_p_str != '') - { - $alert_src_p_match = array(' -',':'); - $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str"); - }else{ - $alert_src_p = 'empty'; - } - - /* Flow */ - $alert_flow_str = get_snort_alert_flow($fileline); - - if($alert_flow_str != '') - { - $alert_flow = $alert_flow_str; - }else{ - $alert_flow = 'empty'; - } - - /* IP Destination */ - $alert_ip_dst_str = get_snort_alert_ip_dst($fileline); - - if($alert_ip_dst_str != '') - { - $alert_ip_dst = $alert_ip_dst_str; - }else{ - $alert_ip_dst = 'empty'; - } - - /* IP DST Port */ - if ($snortalertlogt == 'full') - { - $alert_dst_p_str = get_snort_alert_dst_p_full($fileline); - }else{ - $alert_dst_p_str = get_snort_alert_dst_p($fileline); - } - - if($alert_dst_p_str != '') - { - $alert_dst_p_match = array(':',"\n"," TTL"); - $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str"); - $alert_dst_p_match2 = array('/[A-Z]/'); - $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2"); - }else{ - $alert_dst_p = 'empty'; - } - - /* SID */ - $alert_sid_str = get_snort_alert_sid($fileline); - - if($alert_sid_str != '') - { - $alert_sid_match = array('[',']'); - $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str"); - }else{ - $alert_sid_str = 'empty'; - } - - /* NOTE: using one echo improves performance by 2x */ - if ($alert_disc != 'empty') - { - echo "<tr id=\"{$counter}\"> - <td class=\"centerAlign\">{$counter}</td> - <td class=\"centerAlign\">{$alert_priority}</td> - <td class=\"centerAlign\">{$alert_proto}</td> - <td>{$alert_disc}</td> - <td class=\"centerAlign\">{$alert_class}</td> - <td>{$alert_ip_src}</td> - <td class=\"centerAlign\">{$alert_src_p}</td> - <td class=\"centerAlign\">{$alert_flow}</td> - <td>{$alert_ip_dst}</td> - <td class=\"centerAlign\">{$alert_dst_p}</td> - <td class=\"centerAlign\">{$alert_sid}</td> - <td>{$alert_date}</td> - </tr>\n"; - } - -// <script type="text/javascript"> -// var myTable = {}; -// window.addEvent('domready', function(){ -// myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}}); -// }); -// </script> - - } -} - -?> - </tbody> - </table> - </td> -</table> - -<?php include("fend.inc"); ?> - - <script type="text/javascript"> - var myTable = {}; - window.addEvent('domready', function(){ - myTable = new sortableTable('myTable', {overCls: 'over'}); - }); - </script> - -</body> -</html> diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php deleted file mode 100644 index 293679d9..00000000 --- a/config/snort-dev/snort_blocked.php +++ /dev/null @@ -1,445 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_blocked.php - Copyright (C) 2006 Scott Ullrich - All rights reserved. - - Modified for the Pfsense snort package v. 1.8+ - Copyright (C) 2009 Robert Zelaya Sr. Developer - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require_once("globals.inc"); -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; -$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; - -if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') -{ - $bnentries = '500'; -}else{ - $bnentries = $pconfig['blertnumber']; -} - -if($_POST['todelete'] or $_GET['todelete']) { - if($_POST['todelete']) - $ip = $_POST['todelete']; - if($_GET['todelete']) - $ip = $_GET['todelete']; - exec("/sbin/pfctl -t snort2c -T delete {$ip}"); -} - -if ($_POST['remove']) { - -exec("/sbin/pfctl -t snort2c -T flush"); -sleep(1); -header("Location: /snort/snort_blocked.php"); - -} - -/* TODO: build a file with block ip and disc */ -if ($_POST['download']) -{ - - ob_start(); //important or other posts will fail - $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); - $file_name = "snort_blocked_{$save_date}.tar.gz"; - exec('/bin/mkdir /tmp/snort_blocked'); - exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); - - $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); - - if ($blocked_ips_array_save[0] != '') - { - - /* build the list */ - $counter = 0; - foreach($blocked_ips_array_save as $fileline3) - { - - $counter++; - - exec("/bin/echo $fileline3 >> /tmp/snort_blocked/snort_block.pf"); - - } - } - - exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - - if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) - { - $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); - header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); - exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); - exec("/bin/rm /tmp/snort_block.pf"); - exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); - od_end_clean(); //importanr or other post will fail - }else{ - echo 'Error no saved file.'; - } - -} - -if ($_POST['save']) -{ - - /* input validation */ - if ($_POST['save']) - { - - - } - - /* no errors */ - if (!$input_errors) - { - - $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off; - $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; - - conf_mount_rw(); - write_config(); - //conf_mount_ro(); - sleep(2); - - header("Location: /snort/snort_blocked.php"); - - } - -} - -/* build filter funcs */ -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - { - $alert_ip_src = $matches4[1][0]; - } - -return $alert_ip_src; - -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - { - $alert_disc = "$matches[2]"; - } - -return $alert_disc; - -} - -/* build sec filters */ -function get_snort_block_ip($fileline) -{ - /* ip */ - if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) - { - $alert_block_ip = "$matches[0]"; - } - -return $alert_block_ip; - -} - -function get_snort_block_disc($fileline) -{ - /* disc */ - if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) - { - $alert_block_disc = "$matches[0]"; - } - -return $alert_block_disc; - -} - -/* tell the user what settings they have */ -$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; - if ($blockedtab_msg_chk == "1h_b") { - $blocked_msg = "hour"; - } - if ($blockedtab_msg_chk == "3h_b") { - $blocked_msg = "3 hours"; - } - if ($blockedtab_msg_chk == "6h_b") { - $blocked_msg = "6 hours"; - } - if ($blockedtab_msg_chk == "12h_b") { - $blocked_msg = "12 hours"; - } - if ($blockedtab_msg_chk == "1d_b") { - $blocked_msg = "day"; - } - if ($blockedtab_msg_chk == "4d_b") { - $blocked_msg = "4 days"; - } - if ($blockedtab_msg_chk == "7d_b") { - $blocked_msg = "7 days"; - } - if ($blockedtab_msg_chk == "28d_b") { - $blocked_msg = "28 days"; - } - -if ($blockedtab_msg_chk != "never_b") -{ -$blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>."; -}else{ -$blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts."; -} - -$pgtitle = "Services: Snort Blocked Hosts"; -include("head.inc"); - -?> - -<body link="#000000" vlink="#000000" alink="#000000"> -<?php - -include("./snort_fbegin.inc"); - -echo "<p class=\"pgtitle\">"; -if($pfsense_stable == 'yes'){echo $pgtitle;} -echo "</p>\n"; - -/* refresh every 60 secs */ -if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') -{ - echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; -} -?> - -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", true, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td width="22%" colspan="0" class="listtopic"> - Last <?=$bnentries;?> Blocked. - </td> - <td width="78%" class="listtopic"> - This page lists hosts that have been blocked by Snort. <?=$blocked_msg_txt;?> - </td> - </tr> - <tr> - <td width="22%" class="vncell">Save or Remove Hosts</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_blocked.php" method="post"> - <input name="download" type="submit" class="formbtn" value="Download"> - All blocked hosts will be saved. - <input name="remove" type="submit" class="formbtn" value="Clear"> - <span class="red"><strong>Warning:</strong></span> all hosts will be removed. - </form> - </td> - </tr> - <tr> - <td width="22%" class="vncell">Auto Refresh and Log View</td> - <td width="78%" class="vtable"> - <form action="/snort/snort_blocked.php" method="post"> - <input name="save" type="submit" class="formbtn" value="Save"> - Refresh - <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> - <strong>Default</strong> is <strong>ON</strong>. - <input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> - Enter the number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>. - </form> - </td> - </tr> - </table> - - </div> - </td> - </tr> - - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">Remove</td> - <td class="listhdrr">#</td> - <td class="listhdrr">IP</td> - <td class="listhdrr">Alert Description</td> - </tr> -<?php - -/* set the arrays */ -exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); -$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); -$blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); - -$logent = $bnentries; - -if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') -{ - - /* build the list and compare blocks to alerts */ - $counter = 0; - foreach($alerts_array as $fileline) - { - - $counter++; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); - - if (in_array("$alert_ip_src", $blocked_ips_array)) - { - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; - } - } - - foreach($blocked_ips_array as $alert_block_ip) - { - - if (!in_array($alert_block_ip, $alert_ip_src_array)) - { - $input[] = "[$alert_block_ip] " . "[N\A]\n"; - } - } - - /* reduce double occurrences */ - $result = array_unique($input); - - /* buil final list, preg_match, buld html */ - $counter2 = 0; - - foreach($result as $fileline2) - { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_ip_str = get_snort_block_ip($fileline2); - - if($alert_block_ip_str != '') - { - $alert_block_ip_match = array('[',']'); - $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); - }else{ - $alert_block_ip = 'empty'; - } - - $alert_block_disc_str = get_snort_block_disc($fileline2); - - if($alert_block_disc_str != '') - { - $alert_block_disc_match = array('] [',']'); - $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); - }else{ - $alert_block_disc = 'empty'; - } - - /* use one echo to do the magic*/ - echo "<tr> - <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> - <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - <td> {$counter2}</td> - <td> {$alert_block_ip}</td> - <td> {$alert_block_disc}</td> - </tr>\n"; - - } - -}else{ - - /* if alerts file is empty and blocked table is not empty */ - $counter2 = 0; - - foreach($blocked_ips_array as $alert_block_ip) - { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_disc = 'N/A'; - - /* use one echo to do the magic*/ - echo "<tr> - <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> - <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> - <td> {$counter2}</td> - <td> {$alert_block_ip}</td> - <td> {$alert_block_disc}</td> - </tr>\n"; - } -} - -if ($blocked_ips_array[0] == '') -{ - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; -}else{ - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; -} - -?> - </table> - </td> - </tr> - </table> - </td> - </tr> -</table> -<?php include("fend.inc"); ?> -</body> -</html> diff --git a/config/snort-dev/snort_download_rules.php b/config/snort-dev/snort_download_rules.php deleted file mode 100644 index b2bcb748..00000000 --- a/config/snort-dev/snort_download_rules.php +++ /dev/null @@ -1,1211 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_rulesets.php - Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -/* Setup enviroment */ - -/* TODO: review if include files are needed */ -require_once("guiconfig.inc"); -require_once("functions.inc"); -require_once("service-utils.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -$tmpfname = "/tmp/snort_rules_up"; -$snortdir = "/usr/local/etc/snort"; -$snortdir_wan = "/usr/local/etc/snort"; -$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; -$snort_filename = "snortrules-snapshot-2.8.tar.gz"; -$emergingthreats_filename_md5 = "version.txt"; -$emergingthreats_filename = "emerging.rules.tar.gz"; -$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; -$pfsense_rules_filename = "pfsense_rules.tar.gz"; - -$id_d = $_GET['id_d']; -if (isset($_POST['id_d'])) - $id_d = $_POST['id_d']; - -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; - -/* define checks */ -$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; -$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; -$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; - - - if ($snortdownload == "off" && $emergingthreats != "on") - { - $snort_emrging_info = "stop"; - } - - if ($oinkid == "" && $snortdownload != "off") - { - $snort_oinkid_info = "stop"; - } - - - /* check if main rule directory is empty */ - $if_mrule_dir = "/usr/local/etc/snort/rules"; - $mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; - - -if (file_exists('/var/run/snort.conf.dirty')) { - $snort_dirty_d = 'stop'; -} - - - -/* If no id show the user a button */ -if ($id_d == "" || $snort_emrging_info == "stop" || $snort_oinkid_info == "stop" || $snort_dirty_d == 'stop') { - -$pgtitle = "Services: Snort: Rule Updates"; - -include("head.inc"); -include("./snort_fbegin.inc"); -echo "<p class=\"pgtitle\">"; -if($pfsense_stable == 'yes'){echo $pgtitle;} -echo "</p>\n"; - - echo "<table height=\"32\" width=\"100%\">\n"; - echo " <tr>\n"; - echo " <td>\n"; - echo " <div style='background-color:#E0E0E0' id='redbox'>\n"; - echo " <table width='100%'><tr><td width='8%'>\n"; - echo " <img style='vertical-align:middle' src=\"/snort/images/icon_excli.png\" width=\"40\" height=\"32\">\n"; - echo " </td>\n"; - echo " <td width='70%'><font color='#FF850A'><b>NOTE:</b></font><font color='#000000'> Snort.org and Emergingthreats.net will go down from time to time. Please be patient.</font>\n"; - echo " </td>"; - echo " </tr></table>\n"; - echo " </div>\n"; - echo " </td>\n"; - echo "</table>\n"; - echo "<script type=\"text/javascript\">\n"; - echo "NiftyCheck();\n"; - echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#E0E0E0\",\"smooth\");\n"; - echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; - echo "</script>\n"; - echo "\n<br>\n"; - -/* make sure user has javascript on */ -echo "<style type=\"text/css\"> -.alert { - position:absolute; - top:10px; - left:0px; - width:94%; -background:#FCE9C0; -background-position: 15px; -border-top:2px solid #DBAC48; -border-bottom:2px solid #DBAC48; -padding: 15px 10px 85% 50px; -} -</style> -<noscript><div class=\"alert\" ALIGN=CENTER><img src=\"/themes/nervecenter/images/icons/icon_alert.gif\"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript>\n"; -echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">\n"; - -echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n -<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n -<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n"; - - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); - -if ($snort_emrging_info == "stop" && $snort_oinkid_info == "stop") { -$disable_enable_button = 'onclick="this.disabled=true"'; -}else{ -$disable_enable_button = "onClick=\"parent.location='/snort/snort_download_rules.php?id_d=up'\""; -} -echo "</td>\n - </tr>\n - <tr>\n - <td>\n - <div id=\"mainarea\">\n - <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n -<input name=\"Submit\" type=\"submit\" class=\"formbtn\" $disable_enable_button value=\"Update Rules\" $disable_button> <br><br> \n"; - -if ($mfolder_chk == "empty") -{ -echo "<span class=\"red\"><strong>WARNING:</strong></span> The main rules <strong>directory</strong> is <strong>empty</strong>. /usr/local/etc/snort/rules <br><br>\n"; -} - -if ($snort_emrging_info == "stop") { -echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and select ether snort.org or enmergingthreats.net rules to download. <br><br> \n"; -} - -if ($snort_oinkid_info == "stop") { -echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and enter a <strong>oinkmaster</strong> code. <br><br> \n"; -} - -if ($snort_dirty_d == "stop") { -echo "<span class=\"red\"><strong>WARNING:</span> CHANGES HAVE NOT BEEN APPLIED</strong> Click on the <strong>\"Apply Settings\"</strong> button at the main interface tab.<br><br> \n"; -} - -echo " </td>\n - </tr>\n - </table>\n - </div>\n - </td>\n - </tr>\n -</table>\n -\n -</form>\n -\n -<p>\n\n"; - -if ($id_d == "") -echo "Click on the <strong>\"Update Rules\"</strong> button to start the updates. <br><br> \n"; - -if ($config['installedpackages']['snortglobal']['last_md5_download'] != "") -echo "The last time the updates were started <strong>$last_md5_download</strong>. <br><br> \n"; - -if ($config['installedpackages']['snortglobal']['last_rules_install'] != "") -echo "The last time the updates were installed <strong>$last_rules_install</strong>. <br><br> \n"; - -include("fend.inc"); - -echo "</body>"; -echo "</html>"; - -exit(0); - -} - -$pgtitle = "Services: Snort: Update Rules"; - -include("/usr/local/www/head.inc"); - -?> -<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> -<script type="text/javascript" src="/snort/javascript/jquery-1.3.2.js"></script> -<script type="text/javascript" src="/snort/javascript/jquery.blockUI.js?v2.28"></script> - -<script type="text/javascript"> -<!-- - -function displaymessage() -{ - - $.blockUI.defaults.message = "Please be patient...."; - - $.blockUI({ - - css: { - border: 'none', - padding: '15px', - backgroundColor: '#000', - '-webkit-border-radius': '10px', - '-moz-border-radius': '10px', - opacity: .5, - color: '#fff', - } - }); - -} - -function displaymessagestop() -{ - -setTimeout($.unblockUI, 2000); - -} - -// --> -</script> - -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("./snort_fbegin.inc"); ?> -<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> - -<form action="snort_download_rules.php" method="post"> -<div id="inputerrors"></div> - -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); - $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); - $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); - $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); - $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); - $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); - display_top_tabs($tab_array); -?> - -<script type="text/javascript"> -<!-- - displaymessage(); -// --> -</script> - -</td> -</tr> - <br> - <tr> - <td> - <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td align="center" valign="top"> - <!-- progress bar --> - <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> - <tr> - <td> - <img border='0' src='../themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> - </td> - </tr> - </table> - <br /> - <!-- status box --> - <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> - <?=gettext("Initializing...");?> - </textarea> - <!-- command output box --> - <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> - </textarea> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> -</form> -<?php include("fend.inc");?> - -<?php - -conf_mount_rw(); - -/* Begin main code */ -/* Set user agent to Mozilla */ -ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); -ini_set("memory_limit","125M"); - -/* mark the time update started */ -$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); - -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - -$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; - -if ($premium_subscriber_chk == "premium") { - $premium_subscriber = "_s"; -}else{ - $premium_subscriber = ""; -} - -$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; -if ($premium_url_chk == "premium") { - $premium_url = "sub-rules"; -}else{ - $premium_url = "reg-rules"; -} - -/* hide progress bar */ -hide_progress_bar_status(); - -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - update_status(gettext("Removing old tmp files...")); - exec("/bin/rm -r {$tmpfname}"); - apc_clear_cache(); -} - -/* Make shure snortdir exits */ -exec("/bin/mkdir -p {$snortdir}"); -exec("/bin/mkdir -p {$snortdir}/rules"); -exec("/bin/mkdir -p {$snortdir}/signatures"); -exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); - -/* send current buffer */ -ob_flush(); -conf_mount_rw(); - -/* If tmp dir does not exist create it */ -if (file_exists($tmpfname)) { - update_status(gettext("The directory tmp exists...")); -} else { - mkdir("{$tmpfname}", 700); -} - -/* unhide progress bar and lets end this party */ -unhide_progress_bar_status(); - -/* download md5 sig from snort.org */ -if ($snortdownload == "basic" || $snortdownload == "premium") -{ - if (file_exists("{$tmpfname}/{$snort_filename_md5}") && - filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { - update_status(gettext("snort.org md5 temp file exists...")); - } else { - update_status(gettext("Downloading snort.org md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); - $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done downloading snort.org md5")); - } -} - -/* download md5 sig from emergingthreats.net */ -if ($emergingthreats == "on") -{ - update_status(gettext("Downloading emergingthreats md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $f = fopen("{$tmpfname}/version.txt", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done downloading emergingthreats md5")); -} - -/* download md5 sig from pfsense.org */ -if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - update_status(gettext("pfsense md5 temp file exists...")); -} else { - update_status(gettext("Downloading pfsense md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); -// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); - $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done downloading pfsense md5.")); -} - -/* If md5 file is empty wait 15min exit */ -if ($snortdownload != "off") -{ - if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")) - { - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n\n</body>\n</html>\n"; - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } -} - -/* If emergingthreats md5 file is empty wait 15min exit not needed */ - -/* If pfsense md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ - update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); - update_output_window(gettext("Rules are released to support Pfsense packages.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n\n</body>\n</html>\n"; - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); -} - -/* Check if were up to date snort.org */ -if ($snortdownload != "off") -{ - if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")) - { - $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); - $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - write_config(); // Will cause switch back to read-only on nanobsd - conf_mount_rw(); - if ($md5_check_new == $md5_check_old) - { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - echo "\n\n</body>\n</html>\n"; - $snort_md5_check_ok = on; - } - } -} - -/* Check if were up to date emergingthreats.net */ -if ($emergingthreats == "on") -{ - if (file_exists("{$snortdir}/version.txt")) - { - $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); - $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); - $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); - if ($emerg_md5_check_new == $emerg_md5_check_old) - { - hide_progress_bar_status(); - $emerg_md5_check_ok = on; - } - } -} - -/* Check if were up to date pfsense.org */ - if (file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) - { - $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; - $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); - $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; - /* Write out time of last sucsessful md5 to cache */ - // Will cause switch back to read-only on nanobsd - write_config(); - conf_mount_rw(); - if ($pfsense_md5_check_new == $pfsense_md5_check_old) - { - hide_progress_bar_status(); - $pfsense_md5_check_ok = on; - } - } - -/* Check if were up to date is so, exit */ -/* WARNING This code needs constant checks */ -if ($snortdownload != "off" && $emergingthreats != "off") -{ - if ($snort_md5_check_ok == "on" && $emerg_md5_check_ok == "on") - { - update_status(gettext("All your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - echo ' - <script type="text/javascript"> - <!-- - displaymessagestop(); - // --> - </script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -if ($snortdownload == "on" && $emergingthreats == "off") -{ - if ($snort_md5_check_ok == "on") - { - update_status(gettext("Your snort.org rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - echo ' - <script type="text/javascript"> - <!-- - displaymessagestop(); - // --> - </script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -if ($snortdownload == "off" && $emergingthreats == "on") -{ - if ($emerg_md5_check_ok == "on") - { - update_status(gettext("Your Emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - echo ' - <script type="text/javascript"> - <!-- - displaymessagestop(); - // --> - </script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -/* You are Not Up to date, always stop snort when updating rules for low end machines */; -update_status(gettext("You are NOT up to date...")); -update_output_window(gettext("Stopping Snort service...")); -$chk_if_snort_up = exec("pgrep -x snort"); -if ($chk_if_snort_up != "") { - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); - sleep(2); -} - -/* download snortrules file */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); - } else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Snort rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - update_output_window(gettext("Snort rules file downloaded failed...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } - } -} - -/* download emergingthreats rules file */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != on) - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext("Emergingthreats tar file exists...")); - }else{ - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading Emergingthreats rules file.")); - } - } -} - -/* download pfsense rules file */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); -// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - } -} - -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -/* Untar snort rules file individually to help people with low system specs */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mkdir -p {$snortdir}/rules_bk/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/rules_bk rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/" . - " so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1/" . - " so_rules/bad-traffic.rules/" . - " so_rules/chat.rules/" . - " so_rules/dos.rules/" . - " so_rules/exploit.rules/" . - " so_rules/imap.rules/" . - " so_rules/misc.rules/" . - " so_rules/multimedia.rules/" . - " so_rules/netbios.rules/" . - " so_rules/nntp.rules/" . - " so_rules/p2p.rules/" . - " so_rules/smtp.rules/" . - " so_rules/sql.rules/" . - " so_rules/web-client.rules/" . - " so_rules/web-misc.rules/"); - /* add prefix to all snort.org files */ - /* remove this part and make it all php with the simplst code posible */ - chdir ("/usr/local/etc/snort/rules_bk/rules"); - sleep(2); - exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); - update_status(gettext("Done extracting Rules.")); - }else{ - update_status(gettext("The Download rules file missing...")); - update_output_window(gettext("Error rules extracting failed...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } -} - -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != on) - { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) - { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } -} - -/* Untar Pfsense rules to tmp */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { - update_status(gettext("Extracting Pfsense rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); - } -} - -/* Untar snort signatures */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; -if ($premium_url_chk == on) { - update_status(gettext("Extracting Signatures...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - } - } -} - -/* Copy so_rules dir to snort lib dir */ -/* Disabed untill I find out why there is a segment failt coredump when using these rules on 2.8.5.3 */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1")) { - update_status(gettext("Copying so_rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1/* /usr/local/lib/snort/dynamicrules/"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-activex.rules {$snortdir}/rules/snort_web-activex.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-iis.rules {$snortdir}/rules/snort_web-iis.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/snort_web.misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - update_status(gettext("Done copying so_rules.")); - }else{ - update_status(gettext("Directory so_rules does not exist...")); - update_output_window(gettext("Error copying so_rules...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy renamed snort.org rules to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) - { - if (file_exists("{$snortdir}/rules_bk/rules/Makefile.am")) - { - update_status(gettext("Copying renamed snort.org rules to snort directory...")); - exec("/bin/cp {$snortdir}/rules_bk/rules/* {$snortdir}/rules/"); - }else{ - update_status(gettext("The renamed snort.org rules do not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy configs to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) - { - if (file_exists("{$snortdir}/etc/Makefile.am")) { - update_status(gettext("Copying configs to snort directory...")); - exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); - exec("/bin/rm -r {$snortdir}/etc"); - }else{ - update_status(gettext("The snort config does not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } -} - - -/* Copy md5 sig to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) { - if (file_exists("{$tmpfname}/$snort_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); - }else{ - update_status(gettext("The md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats == "on") -{ - if ($emerg_md5_check_ok != on) - { - if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) - { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); - }else{ - update_status(gettext("The emergingthreats md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } - } -} - -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - update_status(gettext("Copying Pfsense md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); -} else { - update_status(gettext("The Pfsense md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - echo "</body>"; - echo "</html>"; - conf_mount_ro(); - exit(0); - } -} - -/* Copy signatures dir to snort dir */ -if ($snortdownload != "off") -{ - if ($snort_md5_check_ok != on) - { - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == on) - { - if (file_exists("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - update_status(gettext("Done copying signatures.")); - }else{ - update_status(gettext("Directory signatures exist...")); - update_output_window(gettext("Error copying signature...")); - echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; -echo "</body>"; -echo "</html>"; -conf_mount_ro(); - exit(0); - } - } - } -} - -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); -} - -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} - -/* make shure default rules are in the right format */ -exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - -/* create a msg-map for snort */ -update_status(gettext("Updating Alert Messages...")); -update_output_window(gettext("Please Wait...")); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); - - -////////////////// - -/* open oinkmaster_conf for writing" function */ -function oinkmaster_conf($id, $if_real, $iface_uuid) -{ - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's oinkmaster.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's oinkmaster.conf file */ - fclose($oinkmasterlist); - - } -} - -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -function oinkmaster_run($id, $if_real, $iface_uuid) -{ - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; - conf_mount_rw(); - - if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) - { - - if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') - { - update_status(gettext("Your first set of rules are being copied...")); - update_output_window(gettext("May take a while...")); - exec("/bin/echo \"test {$snortdir} {$snortdir_wan} {$iface_uuid}_{$if_real}\" > /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - }else{ - update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} {$iface_uuid}_{$if_real}\" > /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); - - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); - } - } -} - -/* Start the proccess for every interface rule */ -/* TODO: try to make the code smother */ - -if (!empty($config['installedpackages']['snortglobal']['rule'])) -{ - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) { - - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - $iface_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - - /* make oinkmaster.conf for each interface rule */ - oinkmaster_conf($id, $if_real, $iface_uuid); - - /* run oinkmaster for each interface rule */ - oinkmaster_run($id, $if_real, $iface_uuid); - - } -} - -////////////// - -/* mark the time update finnished */ -$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); - -/* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) -{ - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /tmp/snort_rules_up"); - sleep(2); - exec("/bin/rm -r {$snortdir}/rules_bk/rules/"); - apc_clear_cache(); -} - -/* php code to flush out cache some people are reportting missing files this might help */ -sleep(2); -apc_clear_cache(); -exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - -/* make all dirs snorts */ -exec("/usr/sbin/chown -R snort:snort /var/log/snort"); -exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); -exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); -exec("/bin/chmod -R 755 /var/log/snort"); -exec("/bin/chmod -R 755 /usr/local/etc/snort"); -exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - -/* if snort is running hardrestart, if snort is not running do nothing */ -if (file_exists("/tmp/snort_download_halt.pid")) { - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - exec("/bin/rm /tmp/snort_download_halt.pid"); -} else { - update_status(gettext("The Rules update finished...")); - update_output_window(gettext("You may start snort now...")); -} - -echo ' -<script type="text/javascript"> -<!-- - displaymessagestop(); -// --> -</script>'; - -/* hide progress bar and lets end this party */ -hide_progress_bar_status(); -conf_mount_ro(); -?> - -<?php - -function read_body_firmware($ch, $string) { - global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; - $length = strlen($string); - $downloaded += intval($length); - $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); - $downloadProgress = 100 - $downloadProgress; - $a = $file_size; - $b = $downloaded; - $c = $downloadProgress; - $text = " Snort download in progress\\n"; - $text .= "----------------------------------------------------\\n"; - $text .= " Downloaded : {$b}\\n"; - $text .= "----------------------------------------------------\\n"; - $counter++; - if($counter > 150) { - update_output_window($text); - update_progress_bar($downloadProgress); - flush(); - $counter = 0; - } - conf_mount_rw(); - fwrite($fout, $string); - conf_mount_ro(); - return $length; -} - -?> - -</body> -</html> diff --git a/config/snort-dev/snort_rules_edit.php b/config/snort-dev/snort_rules_edit.php deleted file mode 100644 index b770867f..00000000 --- a/config/snort-dev/snort_rules_edit.php +++ /dev/null @@ -1,243 +0,0 @@ -#!/usr/local/bin/php -<?php -/* - system_edit.php - Copyright (C) 2004, 2005 Scott Ullrich - All rights reserved. - - Adapted for FreeNAS by Volker Theile (votdev@gmx.de) - Copyright (C) 2006-2009 Volker Theile - - Adapted for Pfsense Snort package by Robert Zelaya - Copyright (C) 2008-2009 Robert Zelaya - - Using dp.SyntaxHighlighter for syntax highlighting - http://www.dreamprojections.com/SyntaxHighlighter - Copyright (C) 2004-2006 Alex Gorbatchev. All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require_once("guiconfig.inc"); -require_once("config.inc"); - - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} - -//nat_rules_sort(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -$ids = $_GET['ids']; -if (isset($_POST['ids'])) - $ids = $_POST['ids']; - - -if (isset($id) && $a_nat[$id]) { - - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; -} - -/* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); - - -$file = $_GET['openruleset']; - -//read snort file -$filehandle = fopen($file, "r"); - -//get rule id -$lineid = $_GET['ids']; - -//read file into string, and get filesize -$contents2 = fread($filehandle, filesize($file)); - -//close handler -fclose ($filehandle); - -//delimiter for each new rule is a new line -$delimiter = "\n"; - -//split the contents of the string file into an array using the delimiter -$splitcontents = explode($delimiter, $contents2); - -//copy rule contents from array into string -$tempstring = $splitcontents[$lineid]; - -function write_rule_file($content_changed, $received_file) -{ - //read snort file with writing enabled - $filehandle = fopen($received_file, "w"); - - //delimiter for each new rule is a new line - $delimiter = "\n"; - - //implode the array back into a string for writing purposes - $fullfile = implode($delimiter, $content_changed); - - //write data to file - fwrite($filehandle, $fullfile); - - //close file handle - fclose($filehandle); - -} - - - -if($_POST['highlight'] <> "") { - if($_POST['highlight'] == "yes" or - $_POST['highlight'] == "enabled") { - $highlight = "yes"; - } else { - $highlight = "no"; - } -} else { - $highlight = "no"; -} - -if($_POST['rows'] <> "") - $rows = $_POST['rows']; -else - $rows = 1; - -if($_POST['cols'] <> "") - $cols = $_POST['cols']; -else - $cols = 66; - -if ($_POST) -{ - if ($_POST['save']) { - - /* get the changes */ - $rule_content2 = $_POST['code']; - - //copy string into file array for writing - $splitcontents[$lineid] = $rule_content2; - - //write the new .rules file - write_rule_file($splitcontents, $file); - - header("Location: /snort/snort_rules_edit.php?id=$id&openruleset=$file&ids=$ids"); - - } -} - -$pgtitle = array(gettext("Advanced"), gettext("File Editor")); - -// -?> - -<?php include("head.inc");?> - -<body link="#000000" vlink="#000000" alink="#000000"> -<table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="tabcont"> - <form action="snort_rules_edit.php?id=<?=$id; ?>&openruleset=<?=$file; ?>&ids=<?=$ids; ?>" method="post"> - <?php if ($savemsg) print_info_box($savemsg);?> - <table width="100%" cellpadding='9' cellspacing='9' bgcolor='#eeeeee'> - <tr> - <td> - <input name="save" type="submit" class="formbtn" id="save" value="save" /> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> - <hr noshade="noshade" /> - <?=gettext("Disable original rule"); ?>: - <input id="highlighting_enabled" name="highlight2" type="radio" value="yes" <?php if($highlight == "yes") echo " checked=\"checked\""; ?> /> - <label for="highlighting_enabled"><?=gettext("Enabled"); ?></label> - <input id="highlighting_disabled" name="highlight2" type="radio" value="no"<?php if($highlight == "no") echo " checked=\"checked\""; ?> /> - <label for="highlighting_disabled"><?=gettext("Disabled"); ?></label> - </td> - </tr> - </table> - <table width='100%'> - <tr> - <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"> - <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="<?php echo $rows; ?>" cols="<?php echo $cols; ?>" name="code"><?php echo $tempstring;?></textarea> - </div> - </td> - </tr> - </table> - <table width='100%'> - <tr> - <td valign="top" class="label"> - <div style="background: #eeeeee;" id="textareaitem"> - <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea disabled wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="33" cols="<?php echo $cols; ?>" name="code2"><?php echo $contents2;?></textarea> - </div> - </td> - </tr> - </table> - <?php // include("formend.inc");?> - </form> - </td> - </tr> -</table> -<script class="javascript" src="/snort/syntaxhighlighter/shCore.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushCSharp.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushPhp.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushJScript.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushJava.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushVb.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushSql.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushXml.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushDelphi.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushPython.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushRuby.js"></script> -<script class="javascript" src="/snort/syntaxhighlighter/shBrushCss.js"></script> -<script class="javascript"> -<!-- - // Set focus. - document.forms[0].savetopath.focus(); - - // Append css for syntax highlighter. - var head = document.getElementsByTagName("head")[0]; - var linkObj = document.createElement("link"); - linkObj.setAttribute("type","text/css"); - linkObj.setAttribute("rel","stylesheet"); - linkObj.setAttribute("href","/snort/syntaxhighlighter/SyntaxHighlighter.css"); - head.appendChild(linkObj); - - // Activate dp.SyntaxHighlighter? - <?php - if($_POST['highlight'] == "yes") { - echo "dp.SyntaxHighlighter.HighlightAll('code', true, true);\n"; - // Disable 'Save' button. - echo "document.forms[0].Save.disabled = 1;\n"; - } -?> -//--> -</script> -<?php //include("fend.inc");?> - -</body> -</html> diff --git a/config/snort-dev/snort_rulesets.php b/config/snort-dev/snort_rulesets.php deleted file mode 100644 index ece409e1..00000000 --- a/config/snort-dev/snort_rulesets.php +++ /dev/null @@ -1,307 +0,0 @@ -<?php -/* $Id$ */ -/* - snort_rulesets.php - Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ - -require("guiconfig.inc"); -//require_once("filter.inc"); -//require_once("service-utils.inc"); -include_once("/usr/local/pkg/snort/snort.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); - - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} - -//nat_rules_sort(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - - -if (isset($id) && $a_nat[$id]) { - - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; -} - -/* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); - - -$iface_uuid = $a_nat[$id]['uuid']; - -$pgtitle = "Snort: Interface $id $iface_uuid $if_real Categories"; - - -/* Check if the rules dir is empy if so warn the user */ -/* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); -if ($isrulesfolderempty == "") { - -include("head.inc"); -include("./snort_fbegin.inc"); - -echo "<p class=\"pgtitle\">"; -if($pfsense_stable == 'yes'){echo $pgtitle;} -echo "</p>\n"; - -echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; - -echo " -<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n"; - - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); - -echo "</td>\n - </tr>\n - <tr>\n - <td>\n - <div id=\"mainarea\">\n - <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n - <tr>\n - <td>\n -# The rules directory is empty. /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules \n - </td>\n - </tr>\n - </table>\n - </div>\n - </td>\n - </tr>\n -</table>\n -\n -</form>\n -\n -<p>\n\n"; - -echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; -include("fend.inc"); - -echo "</body>"; -echo "</html>"; - -exit(0); - -} - - /* alert file */ -$d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; - - /* this will exec when alert says apply */ - if ($_POST['apply']) { - - if (file_exists($d_snortconfdirty_path)) { - - write_config(); - - sync_snort_package_all(); - sync_snort_package(); - - unlink($d_snortconfdirty_path); - - } - - } - - if ($_POST["Submit"]) { - $enabled_items = ""; - $isfirst = true; - if (is_array($_POST['toenable'])) { - foreach($_POST['toenable'] as $toenable) { - if(!$isfirst) - $enabled_items .= "||"; - $enabled_items .= "{$toenable}"; - $isfirst = false; - } - }else{ - $enabled_items = $_POST['toenable']; - } - $a_nat[$id]['rulesets'] = $enabled_items; - - write_config(); - - touch($d_snortconfdirty_path); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - sleep(2); - sync_snort_package_all(); - header("Location: /snort/snort_rulesets.php?id=$id"); - -} - -$enabled_rulesets = $a_nat[$id]['rulesets']; -if($enabled_rulesets) - $enabled_rulesets_array = split("\|\|", $enabled_rulesets); - -include("head.inc"); - -?> - -<body link="#000000" vlink="#000000" alink="#000000"> -<?php include("./snort_fbegin.inc"); ?> -<p class="pgtitle"><?php if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> -<?php - -echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; - -?> - -<?php - - /* Display message */ - - if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks - } - - if ($savemsg) { - print_info_box2($savemsg); - } - - if (file_exists($d_snortconfdirty_path)) { - echo '<p>'; - - if($savemsg) { - print_info_box_np2("{$savemsg}"); - }else{ - print_info_box_np2(' - The Snort configuration has changed and snort needs to be restarted on this interface.<br> - You must apply the changes in order for them to take effect.<br> - '); - } - } - -?> - -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">Enabled</td> - <td class="listhdrr">Ruleset: Rules that end with "so.rules" are shared object rules.</td> - <!-- <td class="listhdrr">Description</td> --> - </tr> -<?php - $dir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; - $dh = opendir($dir); - while (false !== ($filename = readdir($dh))) { - $files[] = $filename; - } - sort($files); - foreach($files as $file) { - if(!stristr($file, ".rules")) - continue; - echo "<tr>"; - echo "<td align=\"center\" valign=\"top\">"; - if(is_array($enabled_rulesets_array)) - if(in_array($file, $enabled_rulesets_array)) { - $CHECKED = " checked=\"checked\""; - } else { - $CHECKED = ""; - } - else - $CHECKED = ""; - echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />"; - echo "</td>"; - echo "<td>"; - echo "<a href='snort_rules.php?id={$id}&openruleset=/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/" . urlencode($file) . "'>{$file}</a>"; - echo "</td>"; - //echo "<td>"; - //echo "description"; - //echo "</td>"; - } - -?> - </table> - </td> - </tr> - <tr><td> </td></tr> - <tr><td>Check the rulesets that you would like Snort to load at startup.</td></tr> - <tr><td> </td></tr> - <tr><td><input value="Save" type="submit" name="Submit" id="Submit" /></td></tr> - </table> - </div> - </td> - </tr> -</table> - -</form> - -<p><b>NOTE:</b> You can click on a ruleset name to edit the ruleset. - -<?php include("fend.inc"); ?> - -</body> -</html> - -<?php - - function get_snort_rule_file_description($filename) { - $filetext = file_get_contents($filename); - - } - -?> diff --git a/config/snort-dev/bin/barnyard2 b/config/snort-old/bin/barnyard2 Binary files differindex b942e87f..b942e87f 100644 --- a/config/snort-dev/bin/barnyard2 +++ b/config/snort-old/bin/barnyard2 diff --git a/config/snort-dev/bin/oinkmaster_contrib/README.contrib b/config/snort-old/bin/oinkmaster_contrib/README.contrib index 6923fa26..6923fa26 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/README.contrib +++ b/config/snort-old/bin/oinkmaster_contrib/README.contrib diff --git a/config/snort-dev/bin/oinkmaster_contrib/addmsg.pl b/config/snort-old/bin/oinkmaster_contrib/addmsg.pl index e5866d6f..e5866d6f 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/addmsg.pl +++ b/config/snort-old/bin/oinkmaster_contrib/addmsg.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/addsid.pl b/config/snort-old/bin/oinkmaster_contrib/addsid.pl index 64255d22..64255d22 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/addsid.pl +++ b/config/snort-old/bin/oinkmaster_contrib/addsid.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl b/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl index 26a9040c..26a9040c 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/create-sidmap.pl +++ b/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/makesidex.pl b/config/snort-old/bin/oinkmaster_contrib/makesidex.pl index 80354735..80354735 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/makesidex.pl +++ b/config/snort-old/bin/oinkmaster_contrib/makesidex.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl b/config/snort-old/bin/oinkmaster_contrib/oinkgui.pl index 4e96f7db..4e96f7db 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/oinkgui.pl +++ b/config/snort-old/bin/oinkmaster_contrib/oinkgui.pl diff --git a/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl b/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl index f9c4d215..f9c4d215 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/oinkmaster.pl +++ b/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl diff --git a/config/snort-dev/bin/snort2c b/config/snort-old/bin/snort2c Binary files differindex fdc91ac8..fdc91ac8 100644..100755 --- a/config/snort-dev/bin/snort2c +++ b/config/snort-old/bin/snort2c diff --git a/config/snort-dev/pfsense_rules/local.rules b/config/snort-old/pfsense_rules/local.rules index 83a05f1b..83a05f1b 100644 --- a/config/snort-dev/pfsense_rules/local.rules +++ b/config/snort-old/pfsense_rules/local.rules diff --git a/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 new file mode 100644 index 00000000..83d5bdae --- /dev/null +++ b/config/snort-old/pfsense_rules/pfsense_rules.tar.gz.md5 @@ -0,0 +1 @@ +10002
\ No newline at end of file diff --git a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules index 12f2fdf2..12f2fdf2 100644 --- a/config/snort-dev/pfsense_rules/rules/pfsense-voip.rules +++ b/config/snort-old/pfsense_rules/rules/pfsense-voip.rules diff --git a/config/snort-dev/snort.inc b/config/snort-old/snort.inc index cd8ba9a2..00a86c35 100644..100755 --- a/config/snort-dev/snort.inc +++ b/config/snort-old/snort.inc @@ -3,7 +3,6 @@ /* snort.inc Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya part of pfSense All rights reserved. @@ -30,981 +29,215 @@ */ require_once("pfsense-utils.inc"); -require_once("config.inc"); -require_once("functions.inc"); -// Needed on 2.0 because of filter_get_vpns_list() -require_once("filter.inc"); - -/* find out if were in 1.2.3-RELEASE */ - -$pfsense_ver_chk = exec('/bin/cat /etc/version'); -if ($pfsense_ver_chk == '1.2.3-RELEASE') -{ - $pfsense_stable = 'yes'; -}else{ - $pfsense_stable = 'no'; -} - -/* checks to see if snort is running yes/no and stop/start */ - function Running_Ck($snort_uuid, $if_real, $id) { - global $config; - - $snort_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); - - if(snort_up_ck == ''){ - $snort_up = 'no'; - return $snort_up; - } - - if(snort_up_ck != ''){ - - //$snort_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); - //$snort_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); - //$snort_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); - - /* use ob_clean to clear output buffer, this code needs to be watched */ - ob_clean(); - $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'", $retval); - - if ($snort_up_prell != "") { - $snort_uph = 'yes'; - }else{ - $snort_uph = 'no'; - } - } - - return $snort_uph; - } - -/* checks to see if barnyard2 is running yes/no */ - function Running_Ck_b($snort_uuid, $if_real, $id) { - global $config; - - $snort_up_ck_b = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep barnyard2 | /usr/bin/awk '{print \$2;}' | sed 1q"); - - if($snort_up_ck_b == ''){ - $snort_up_b = 'no'; - return $snort_up_b; - } - - if(snort_up_ck_b != ''){ - - //$snort_up_pre_b = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); - //$snort_up_s_b = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$snort_up_pre_b} | /usr/bin/awk '{print \$1;}'"); - //$snort_up_r_b = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$snort_up_pre_b} | /usr/bin/awk '{print \$1;}'"); - - /* use ob_clean to clear output buffer, this code needs to be watched */ - ob_clean(); - $snort_up_pre_b = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); - - if ($snort_up_pre_b != '') { - $snort_up_b = 'yes'; - }else{ - $snort_up_b = 'no'; - } - } - - return $snort_up_b; - } - - function Running_Stop($snort_uuid, $if_real, $id) { - global $config; - - $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); - $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); - $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); - - $start2_upb_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); - $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); - $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); - - if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") - { - if ($start_up_s != "") - { - exec("/bin/kill {$start_up_s}"); - exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); - } - - if ($start2_upb_s != "") - { - exec("/bin/kill {$start2_upb_s}"); - exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - } - - if ($start_up_r != "") - { - exec("/bin/kill {$start_up_r}"); - exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); - } - - if ($start2_upb_r != "") - { - exec("/bin/kill {$start2_upb_r}"); - exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); - } - - /* Log Iface stop */ - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); - } - } - - - function Running_Start($snort_uuid, $if_real, $id) { - global $config; - - $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; - if ($snort_info_chk == 'on') { - exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}_{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); - } - /* define snortbarnyardlog_chk */ - /* top will have trouble if the uuid is to far back */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; - if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '' && $snort_info_chk == 'on') { - exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"); - } - - /* Log Iface stop */ - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); - } - -/* get the real iface name of wan */ -function convert_friendly_interface_to_real_interface_name2($interface) -{ - global $config; - - $lc_interface = strtolower($interface); - if($lc_interface == "lan") return $config['interfaces']['lan']['if']; - if($lc_interface == "wan") return $config['interfaces']['wan']['if']; - $ifdescrs = array(); - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) - $ifdescrs['opt' . $j] = "opt" . $j; - foreach ($ifdescrs as $ifdescr => $ifname) - { - if(strtolower($ifname) == $lc_interface) - return $config['interfaces'][$ifname]['if']; - if(strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface) - return $config['interfaces'][$ifname]['if']; - } - - return $interface; -} - -$if_real_wan = convert_friendly_interface_to_real_interface_name2($interface_fake); +// Needed on 2.0 because of get_vpns_list() +require_once("filter.inc"); /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); ini_set('max_input_time', '9999'); /* define oinkid */ -if($config['installedpackages']['snortglobal']) - $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; - -function snort_postinstall() -{ - global $config; - conf_mount_rw(); - - if(!file_exists("/var/log/snort/")) { - mwexec("mkdir -p /var/log/snort/"); - mwexec("mkdir -p /var/log/snort/barnyard2"); - } - - if(!file_exists("/var/log/snort/alert")) - touch("/var/log/snort/alert"); - - /* snort -> advanced features */ - $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; - $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; - $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; - - - /* create a few directories and ensure the sample files are in place */ - exec("/bin/mkdir -p /usr/local/etc/snort"); - exec("/bin/mkdir -p /var/log/snort"); - exec("/bin/mkdir -p /usr/local/etc/snort/rules"); +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - if(file_exists("/usr/local/etc/snort/snort.conf-sample")) - { - exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); - exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); - exec("/bin/rm /usr/local/etc/snort/generators-sample"); - exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); - exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/sid"); - exec("/bin/rm /usr/local/etc/rc.d/snort"); - exec("/bin/rm /usr/local/etc/rc.d/bardyard2"); - } - - if(!file_exists("/usr/local/etc/snort/custom_rules")) - { - exec("/bin/mkdir -p /usr/local/etc/snort/custom_rules/"); - } - - exec("/usr/sbin/pw groupadd snort"); - exec('/usr/sbin/pw useradd snort -c "SNORT USER" -d /nonexistent -g snort -s /sbin/nologin'); - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - - /* remove example files */ - if(file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0")) - { - exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); - } - - if(file_exists("/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so")) - { - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); - } - - /* find out if were in 1.2.3-RELEASE */ - $pfsense_ver_chk = exec('/bin/cat /etc/version'); - if ($pfsense_ver_chk == '1.2.3-RELEASE') - { - $pfsense_stable = 'yes'; - }else{ - $pfsense_stable = 'no'; - } - - /* move files around, make it look clean */ - exec('/bin/mkdir -p /usr/local/www/snort/css'); - exec('/bin/mkdir -p /usr/local/www/snort/images'); - exec('/bin/mkdir -p /usr/local/www/snort/javascript'); - - chdir ("/usr/local/www/snort/css/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/css/style.css'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/css/style2.css'); - chdir ("/usr/local/www/snort/images/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/alert.jpg'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down2.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-asc.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-desc.png'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up2.gif'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/logo.jpg'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/footer.jpg'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/footer2.jpg'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon_excli.png'); - chdir ("/usr/local/www/snort/javascript/"); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/jquery.blockUI.js'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/jquery-1.3.2.js'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/mootools.js'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/sortableTable.js'); - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/javascript/tabs.js'); - - /* install barnyard2 for 2.0 and 1.2.3 */ - chdir ("/usr/local/bin/"); - if ($pfsense_stable == 'yes') { - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/bin/7.2.x86/barnyard2'); - }else{ - exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/bin/8.0.x86/barnyard2'); - } - exec('/bin/chmod 077 /usr/local/bin/barnyard2'); - - /* back to default */ - chdir ("/root/"); - - conf_mount_ro(); - -} - function sync_package_snort_reinstall() { global $config; - conf_mount_rw(); - - if(!$config['installedpackages']['snortglobal']) + if(!$config['installedpackages']['snort']) return; /* create snort configuration file */ create_snort_conf(); /* start snort service */ - // start_service("snort"); // do not start, may be needed latter. - - conf_mount_ro(); + start_service("snort"); } - -/* func for updating cron */ -function snort_rm_blocked_install_cron($should_install) -{ - global $config, $g; - - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) - { - if (strstr($item['command'], "snort2c")) - { - $is_installed = true; - break; - } - $x++; - } - - $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") - { - $snort_rm_blocked_min = "*/5"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "3600"; - } - if ($snort_rm_blocked_info_ck == "3h_b") - { - $snort_rm_blocked_min = "*/15"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "10800"; - } - if ($snort_rm_blocked_info_ck == "6h_b") - { - $snort_rm_blocked_min = "*/30"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "21600"; - } - if ($snort_rm_blocked_info_ck == "12h_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/1"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "43200"; - } - if ($snort_rm_blocked_info_ck == "1d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/2"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "86400"; - } - if ($snort_rm_blocked_info_ck == "4d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/8"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "345600"; - } - if ($snort_rm_blocked_info_ck == "7d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/14"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "604800"; - } - if ($snort_rm_blocked_info_ck == "28d_b") - { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "0"; - $snort_rm_blocked_mday = "*/2"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "2419200"; - } - switch($should_install) - { - case true: - if(!$is_installed) - { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) - { - if($x > 0) - { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } -} - -/* func to install snort update */ -function snort_rules_up_install_cron($should_install) { - global $config, $g; - - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; - if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/1"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/4"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/7"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/28"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /usr/local/etc/snort/snort_update.log"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } -} - -function sync_snort_package_remove_old() -{ - - global $config, $g; - -$snort_dir_scan = '/usr/local/etc/snort'; - -// scan dirm might have to make this into a funtion -$dh_scan = opendir($snort_dir_scan); -while (false !== ($dir_filename = readdir($dh_scan))) { - $list_dir_files[] = $dir_filename; -} - -// find patern in a array, very cool code -class array_ereg { - function array_ereg($pattern) { $this->pattern = $pattern; } - function ereg($string) { - return ereg($this->pattern, $string); - } -} - - $rule_array2 = $config['installedpackages']['snortglobal']['rule']; - $id2 = -1; - foreach ($rule_array2 as $value) - { - - $id += 1; - - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - - $snort_rules_list[] = "snort_$id$if_real"; - - } - - -$snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); -$snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); - - foreach ($snort_dir_filter_search_result as $value) - { - exec("rm -r /usr/local/etc/snort/$value"); - } - -} - -/* make sure this func on writes to files and does not start snort */ -function sync_snort_package() +function sync_package_snort() { global $config, $g; conf_mount_rw(); - /* all new files are for the user snort nologin */ - if(!file_exists("/var/log/snort")) - { - exec("/bin/mkdir -p /var/log/snort"); - } - - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - - - conf_mount_ro(); -} - -/* make sure this func on writes to files and does not start snort */ -function sync_snort_package_all() -{ - global $config, $g, $id, $if_real, $snort_uuid, $interface_fake; - -/* RedDevil suggested code */ -/* TODO: more testing needs to be done */ -exec("/sbin/sysctl net.bpf.bufsize=8388608"); -exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); -exec("/sbin/sysctl net.bpf.maxinsns=512"); -exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); - -# Error checking -if ($id != '' && $if_real != '') //new -{ - /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { - - conf_mount_rw(); - - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); - - /* if rules exist cp rules to each iface */ - create_rules_iface($id, $if_real, $snort_uuid); - - /* create snort bootup file snort.sh only create once */ - create_snort_sh(); - - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - - sync_snort_package(); - - conf_mount_ro(); - } - } -} - -/* only be run on new iface create, bootup and ip refresh */ -function sync_snort_package_empty() -{ - global $config, $g; - conf_mount_rw(); - - /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) - { - if ($id == "") - { - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { - - if ($id == '') { - $id = 0; - } - - $id += 1; + mwexec("mkdir -p /var/log/snort/"); - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + if(!file_exists("/var/log/snort/alert")) + touch("/var/log/snort/alert"); - if ($if_real != '' && $snort_uuid != '') { - /* create snort configuration file */ - create_snort_conf($id, $if_real, $snort_uuid); + /* snort -> advanced features */ + $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; - /* if rules exist cp rules to each iface */ - create_rules_iface($id, $if_real, $snort_uuid); + /* set the snort performance model */ + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + else + $snort_performance = "ac-bnfa"; - /* create barnyard2 configuration file */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - if ($snortbarnyardlog_info_chk == 'on') - create_barnyard2_conf($id, $if_real, $snort_uuid); - } + /* create a few directories and ensure the sample files are in place */ + exec("/bin/mkdir -p /usr/local/etc/snort"); + exec("/bin/mkdir -p /var/log/snort"); + exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); + exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); + exec("/bin/rm /usr/local/etc/snort/generators-sample"); + exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); + exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/sid"); + exec("/bin/rm -f /usr/local/etc/rc.d/snort"); + + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface) { + $if = convert_friendly_interface_to_real_interface_name($iface); + + if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { + $if = "ng0"; } - - /* create snort bootup file snort.sh only create once */ - create_snort_sh(); - - sync_snort_package(); - + + /* build a list of user specified interfaces -gtm */ + if($if){ + array_push($snortInterfaces, $if); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; } } -} - -/* Start of main config files */ -/* Start of main config files */ - - -/* open snort.sh for writing" */ -function create_snort_sh() -{ - # Don not add $id or this will break - - global $config, $g; - conf_mount_rw(); - - /* do not start config build if rules is empty */ - if (!empty($config['installedpackages']['snortglobal']['rule'])) + //print_r($snortInterfaces); + + /* create log directory */ + $start = "/bin/mkdir -p /var/log/snort\n"; + + /* snort advanced features - bpf tuning */ + if($bpfbufsize) + $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; + if($bpfmaxbufsize) + $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; + if($bpfmaxinsns) + $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; + + /* go ahead and issue bpf changes */ + if($bpfbufsize) + mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); + if($bpfmaxbufsize) + mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); + if($bpfmaxinsns) + mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); + + /* always stop barnyard2 before starting snort -gtm */ + $start .= "/usr/bin/killall barnyard2\n"; + + /* start a snort process for each interface -gtm */ + /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ + /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ + /* TODO; get snort to start under nologin shell */ + foreach($snortInterfaces as $snortIf) { - if ($id == "") - { - - $rule_array = $config['installedpackages']['snortglobal']['rule']; - $id = -1; - foreach ($rule_array as $value) - { - - $id += 1; - - $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; - $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $if_real = convert_friendly_interface_to_real_interface_name($result_lan); - - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; - $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; - - if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { - $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"; - } - -/* Get all interface startup commands ready */ - -$snort_sh_text2[] = <<<EOD -###### For Each Iface - - # If Snort proc is NOT running - if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $2;}'`" = "" ]; then - - /bin/echo "snort.sh run" > /tmp/snort.sh.pid - - # Start snort and barnyard2 - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - - /usr/local/bin/snort -u snort -g snort -R {$snort_uuid}_{$if_real} -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} - $start_barnyard2 - - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." - - fi -EOD; - -$snort_sh_text3[] = <<<EOE - -###### For Each Iface - - #### Fake start only used on bootup and Pfsense IP changes - #### Only try to restart if snort is running on Iface - if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then - - snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print $2;}'`" - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" - - #### Restart Iface - /bin/kill -HUP \${snort_pid} - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." - - fi - -EOE; - -$snort_sh_text4[] = <<<EOF - - pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print \$2;}'` - sleep 3 - pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'` - - if [ \${pid_s} ] ; then + $start .= "sleep 4\n"; + $start .= "/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + $start .= "\nsleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; + } + $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php\n\texit 1\n\tfi\n\n"; + $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; + $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; + $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; + $del_old_pids = "\nrm -f /var/run/snort_*\n"; + $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; + if ($snort_performance == "ac-bnfa") + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; + else + $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; + $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; + $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; + $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; - /bin/echo "snort.sh run" > /tmp/snort.sh.pid - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." - - /bin/kill \${pid_s} - sleep 3 - /bin/kill \${pid_b} - - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + /* write out rc.d start/stop file */ + write_rcfile(array( + "file" => "snort.sh", + "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", + "stop" => "/usr/bin/killall snort; killall barnyard2" + ) + ); - fi + /* create snort configuration file */ + create_snort_conf(); -EOF; +/* create barnyard2 configuration file */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + create_barnyard2_conf(); - } - } + /* snort will not start on install untill setting are set */ +if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { + /* start snort service */ + conf_mount_ro(); + start_service("snort"); } - - -$start_snort_iface_start = implode("\n\n", $snort_sh_text2); - -$start_snort_iface_restart = implode("\n\n", $snort_sh_text3); - -$start_snort_iface_stop = implode("\n\n", $snort_sh_text4); - -/* open snort.sh for writing" */ -conf_mount_rw(); - -$snort_sh_text = <<<EOD -#!/bin/sh -######## -# This file was automatically generated -# by the pfSense service handler. -# Code added to protect from double starts on pfSense bootup -######## Begining of Main snort.sh - -rc_start() { - - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then - - /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" - exit 0 - - fi - - /bin/echo "snort.sh run" > /tmp/snort.sh.pid - - #### Remake the configs on boot Important! - /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php - /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." - -$start_snort_iface_restart - - /bin/rm /tmp/snort.sh.pid - - #### If on Fake start snort is NOT running DO a real start. - if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $2;}'`" = "" ]; then - - rc_start_real - - fi -} - -rc_start_real() { - - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then - /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" - exit 0 - fi - -$start_snort_iface_start - - /bin/rm /tmp/snort.sh.pid - -} - -rc_stop() { - - #### Check for double starts, Pfsense has problems with that - if /bin/ls /tmp/snort.sh.pid > /dev/null ; then - /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" - exit 0 - fi - -$start_snort_iface_stop - - /bin/rm /tmp/snort.sh.pid - /bin/rm /var/run/snort* - -} - -case $1 in - start) - rc_start - ;; - start_real) - rc_start_real - ;; - stop) - rc_stop - ;; - restart) - rc_stop - rc_start_real - ;; -esac - -EOD; - - /* write out snort.sh */ - $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); - if(!$bconf) { - log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); - exit; - } - /* write snort.sh */ - fwrite($bconf, $snort_sh_text); - fclose($bconf); - -} - - -///////////////////////// >>>>>>>>>>>> - -/* if rules exist copy to new interfaces */ -function create_rules_iface($id, $if_real, $snort_uuid) -{ - - global $config, $g; - conf_mount_rw(); - - $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"; - $folder_chk = (count(glob("$if_rule_dir/*")) === 0) ? 'empty' : 'full'; - - if ($folder_chk == "empty") - { - exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); - if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) - { - exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules/local_{$snort_uuid}_{$if_real}.rules"); - } - } - } /* open barnyard2.conf for writing */ -function create_barnyard2_conf($id, $if_real, $snort_uuid) { - global $bconfig, $g; +function create_barnyard2_conf() { + global $bconfig, $bg; /* write out barnyard2_conf */ - - if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) - { - exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - } - - $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); - $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); + conf_mount_rw(); + $barnyard2_conf_text = generate_barnyard2_conf(); + $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); if(!$bconf) { - log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); + log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); exit; } fwrite($bconf, $barnyard2_conf_text); fclose($bconf); + conf_mount_ro(); } - /* open barnyard2.conf for writing" */ -function generate_barnyard2_conf($id, $if_real, $snort_uuid) { +function generate_barnyard2_conf() { global $config, $g; conf_mount_rw(); /* define snortbarnyardlog */ -/* TODO: add support for the other 5 output plugins */ +/* TODO add support for the other 5 output plugins */ -$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; -$snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; +$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; +$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; $barnyard2_conf_text = <<<EOD # barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php -# + # Copyright (C) 2006 Robert Zelaya # part of pfSense # All rights reserved. -# + +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: + # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. -# + # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. -# + # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -1015,125 +248,93 @@ $barnyard2_conf_text = <<<EOD # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. -# # set the appropriate paths to the file(s) your Snort process is using - -config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config -config classification_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config -config gen_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map -config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map +config reference-map: /usr/local/etc/snort/reference.config +config class-map: /usr/local/etc/snort/classification.config +config gen-msg-map: /usr/local/etc/snort/gen-msg.map +config sid-msg-map: /usr/local/etc/snort/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk -config interface: {$snort_uuid}_{$if_real} +config interface: $snortbarnyardlog_interface_info_chk # Step 2: setup the input plugins input unified2 -config logdir: /var/log/snort - # database: log to a variety of databases # output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx $snortbarnyardlog_database_info_chk EOD; - + conf_mount_rw(); return $barnyard2_conf_text; } -function create_snort_conf($id, $if_real, $snort_uuid) -{ +function create_snort_conf() { global $config, $g; /* write out snort.conf */ - - if ($if_real != '' && $snort_uuid != '') { - - $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid); + $snort_conf_text = generate_snort_conf(); conf_mount_rw(); - $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w"); + $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); if(!$conf) { - log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); exit; } fwrite($conf, $snort_conf_text); fclose($conf); conf_mount_ro(); - } } -function snort_deinstall() -{ +function snort_deinstall() { - global $config, $g, $id, $if_real; - conf_mount_rw(); + global $config, $g; /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ exec("/sbin/sysctl net.bpf.bufsize=4096"); - exec("/usr/usr/bin/killall snort"); - sleep(2); - exec("/usr/usr/bin/killall -9 snort"); - sleep(2); - exec("/usr/usr/bin/killall barnyard2"); - sleep(2); - exec("/usr/usr/bin/killall -9 barnyard2"); - sleep(2); - exec("/usr/sbin/pw userdel snort"); - exec("/usr/sbin/pw groupdel snort"); + exec("/usr/bin/killall snort"); + sleep(5); + exec("/usr/bin/killall -9 snort"); + exec("rm -f /usr/local/etc/rc.d/snort*"); exec("rm -rf /usr/local/etc/snort*"); - //exec("cd /var/db/pkg && pkg_delete `ls | grep barnyard2`"); exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep mysql`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep pcre`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep perl`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); + exec("/usr/bin/killall -9 snort"); + exec("/usr/bin/killall snort"); /* Remove snort cron entries Ugly code needs smoothness*/ - -function snort_rm_blocked_deinstall_cron($should_install) -{ + + function snort_rm_blocked_deinstall_cron($should_install) { global $config, $g; - conf_mount_rw(); $is_installed = false; if(!$config['cron']['item']) - return; + return; $x=0; - foreach($config['cron']['item'] as $item) - { - if (strstr($item['command'], "snort2c")) - { - $is_installed = true; - break; - } - - $x++; - + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } } - if($is_installed == true) - { - if($x > 0) - { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - - configure_cron(); - - } - conf_mount_ro(); - -} - - function snort_rules_up_deinstall_cron($should_install) -{ + + function snort_rules_up_deinstall_cron($should_install) { global $config, $g; - conf_mount_rw(); $is_installed = false; @@ -1152,11 +353,10 @@ function snort_rm_blocked_deinstall_cron($should_install) if($x > 0) { unset($config['cron']['item'][$x]); write_config(); - conf_mount_rw(); } configure_cron(); } -} + } snort_rm_blocked_deinstall_cron(""); snort_rules_up_deinstall_cron(""); @@ -1164,200 +364,177 @@ snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ - unset($config['installedpackages']['snortglobal']); + unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); + unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); write_config(); - conf_mount_rw(); - exec("rm -r /usr/local/www/snort"); - exec("rm -r /usr/local/pkg/snort"); - exec("rm -r /usr/local/lib/snort/"); - exec("rm -r /var/log/snort/"); - - conf_mount_ro(); - } -function generate_snort_conf($id, $if_real, $snort_uuid) -{ +function generate_snort_conf() { global $config, $g; - conf_mount_rw(); - /* obtain external interface */ /* XXX: make multi wan friendly */ - $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; - /* create basic files */ - if(!file_exists("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) - { - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/"); - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); - - if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map")) - { - exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); - exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); - exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); - exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); - exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); - exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); - exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); - exec("/bin/cp/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); - exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); - } - } + $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; /* define snortalertlogtype */ -$snortalertlogtype = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; if ($snortalertlogtype == fast) $snortalertlogtype_type = "output alert_fast: alert"; else $snortalertlogtype_type = "output alert_full: alert"; /* define alertsystemlog */ -$alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['alertsystemlog']; +$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; if ($alertsystemlog_info_chk == on) $alertsystemlog_type = "output alert_syslog: log_alert"; /* define tcpdumplog */ -$tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog']; +$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; if ($tcpdumplog_info_chk == on) $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; +/* define snortbarnyardlog_chk */ +$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; +if ($snortbarnyardlog_info_chk == on) + $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; + /* define snortunifiedlog */ -$snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog']; +$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; + $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; -/* define spoink (DISABLED)*/ -$spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7']; +/* define spoink */ +$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; if ($spoink_info_chk == on) $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ -$def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_servers']; +$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; if ($def_dns_servers_info_chk == "") $def_dns_servers_type = "\$HOME_NET"; else $def_dns_servers_type = "$def_dns_servers_info_chk"; /* def DNS_PORTS */ -$def_dns_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_ports']; +$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; if ($def_dns_ports_info_chk == "") $def_dns_ports_type = "53"; else $def_dns_ports_type = "$def_dns_ports_info_chk"; /* def SMTP_SERVSERS */ -$def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_servers']; +$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; if ($def_smtp_servers_info_chk == "") $def_smtp_servers_type = "\$HOME_NET"; else $def_smtp_servers_type = "$def_smtp_servers_info_chk"; /* def SMTP_PORTS */ -$def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_ports']; +$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; if ($def_smtp_ports_info_chk == "") $def_smtp_ports_type = "25"; else $def_smtp_ports_type = "$def_smtp_ports_info_chk"; /* def MAIL_PORTS */ -$def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mail_ports']; +$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; if ($def_mail_ports_info_chk == "") $def_mail_ports_type = "25,143,465,691"; else $def_mail_ports_type = "$def_mail_ports_info_chk"; /* def HTTP_SERVSERS */ -$def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_servers']; +$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; if ($def_http_servers_info_chk == "") $def_http_servers_type = "\$HOME_NET"; else $def_http_servers_type = "$def_http_servers_info_chk"; /* def WWW_SERVSERS */ -$def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_www_servers']; +$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; if ($def_www_servers_info_chk == "") $def_www_servers_type = "\$HOME_NET"; else $def_www_servers_type = "$def_www_servers_info_chk"; /* def HTTP_PORTS */ -$def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_ports']; +$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; if ($def_http_ports_info_chk == "") $def_http_ports_type = "80"; else $def_http_ports_type = "$def_http_ports_info_chk"; /* def SQL_SERVSERS */ -$def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sql_servers']; +$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; if ($def_sql_servers_info_chk == "") $def_sql_servers_type = "\$HOME_NET"; else $def_sql_servers_type = "$def_sql_servers_info_chk"; /* def ORACLE_PORTS */ -$def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_oracle_ports']; +$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; if ($def_oracle_ports_info_chk == "") $def_oracle_ports_type = "1521"; else $def_oracle_ports_type = "$def_oracle_ports_info_chk"; /* def MSSQL_PORTS */ -$def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mssql_ports']; +$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; if ($def_mssql_ports_info_chk == "") $def_mssql_ports_type = "1433"; else $def_mssql_ports_type = "$def_mssql_ports_info_chk"; /* def TELNET_SERVSERS */ -$def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_servers']; +$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; if ($def_telnet_servers_info_chk == "") $def_telnet_servers_type = "\$HOME_NET"; else $def_telnet_servers_type = "$def_telnet_servers_info_chk"; /* def TELNET_PORTS */ -$def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_ports']; +$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; if ($def_telnet_ports_info_chk == "") $def_telnet_ports_type = "23"; else $def_telnet_ports_type = "$def_telnet_ports_info_chk"; /* def SNMP_SERVSERS */ -$def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_servers']; +$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; if ($def_snmp_servers_info_chk == "") $def_snmp_servers_type = "\$HOME_NET"; else $def_snmp_servers_type = "$def_snmp_servers_info_chk"; /* def SNMP_PORTS */ -$def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_ports']; +$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; if ($def_snmp_ports_info_chk == "") $def_snmp_ports_type = "161"; else $def_snmp_ports_type = "$def_snmp_ports_info_chk"; /* def FTP_SERVSERS */ -$def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_servers']; +$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; if ($def_ftp_servers_info_chk == "") $def_ftp_servers_type = "\$HOME_NET"; else $def_ftp_servers_type = "$def_ftp_servers_info_chk"; /* def FTP_PORTS */ -$def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_ports']; +$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; if ($def_ftp_ports_info_chk == "") $def_ftp_ports_type = "21"; else $def_ftp_ports_type = "$def_ftp_ports_info_chk"; /* def SSH_SERVSERS */ -$def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_servers']; +$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; if ($def_ssh_servers_info_chk == "") $def_ssh_servers_type = "\$HOME_NET"; else @@ -1370,124 +547,360 @@ else $ssh_port = "22"; /* def SSH_PORTS */ -$def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_ports']; +$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; if ($def_ssh_ports_info_chk == "") $def_ssh_ports_type = "{$ssh_port}"; else $def_ssh_ports_type = "$def_ssh_ports_info_chk"; /* def POP_SERVSERS */ -$def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop_servers']; +$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; if ($def_pop_servers_info_chk == "") $def_pop_servers_type = "\$HOME_NET"; else $def_pop_servers_type = "$def_pop_servers_info_chk"; /* def POP2_PORTS */ -$def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop2_ports']; +$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; if ($def_pop2_ports_info_chk == "") $def_pop2_ports_type = "109"; else $def_pop2_ports_type = "$def_pop2_ports_info_chk"; /* def POP3_PORTS */ -$def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop3_ports']; +$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; if ($def_pop3_ports_info_chk == "") $def_pop3_ports_type = "110"; else $def_pop3_ports_type = "$def_pop3_ports_info_chk"; /* def IMAP_SERVSERS */ -$def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_servers']; +$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; if ($def_imap_servers_info_chk == "") $def_imap_servers_type = "\$HOME_NET"; else $def_imap_servers_type = "$def_imap_servers_info_chk"; /* def IMAP_PORTS */ -$def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_ports']; +$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; if ($def_imap_ports_info_chk == "") $def_imap_ports_type = "143"; else $def_imap_ports_type = "$def_imap_ports_info_chk"; /* def SIP_PROXY_IP */ -$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ip']; +$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; if ($def_sip_proxy_ip_info_chk == "") $def_sip_proxy_ip_type = "\$HOME_NET"; else $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; /* def SIP_PROXY_PORTS */ -$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ports']; +$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; if ($def_sip_proxy_ports_info_chk == "") $def_sip_proxy_ports_type = "5060:5090,16384:32768"; else $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; /* def AUTH_PORTS */ -$def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_auth_ports']; +$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; if ($def_auth_ports_info_chk == "") $def_auth_ports_type = "113"; else $def_auth_ports_type = "$def_auth_ports_info_chk"; /* def FINGER_PORTS */ -$def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_finger_ports']; +$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; if ($def_finger_ports_info_chk == "") $def_finger_ports_type = "79"; else $def_finger_ports_type = "$def_finger_ports_info_chk"; /* def IRC_PORTS */ -$def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_irc_ports']; +$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; if ($def_irc_ports_info_chk == "") $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; else $def_irc_ports_type = "$def_irc_ports_info_chk"; /* def NNTP_PORTS */ -$def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_nntp_ports']; +$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; if ($def_nntp_ports_info_chk == "") $def_nntp_ports_type = "119"; else $def_nntp_ports_type = "$def_nntp_ports_info_chk"; /* def RLOGIN_PORTS */ -$def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rlogin_ports']; +$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; if ($def_rlogin_ports_info_chk == "") $def_rlogin_ports_type = "513"; else $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; /* def RSH_PORTS */ -$def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rsh_ports']; +$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; if ($def_rsh_ports_info_chk == "") $def_rsh_ports_type = "514"; else $def_rsh_ports_type = "$def_rsh_ports_info_chk"; /* def SSL_PORTS */ -$def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports']; +$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; + $def_ssl_ports_type = "25,443,465,636,993,995"; else $def_ssl_ports_type = "$def_ssl_ports_info_chk"; + /* add auto update scripts to /etc/crontab */ +// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; +// $filenamea = "/etc/crontab"; +// remove_text_from_file($filenamea, $text_ww); +// add_text_to_file($filenamea, $text_ww); +// exec("killall -HUP cron"); */ + /* should we install a automatic update crontab entry? */ - $automaticrulesupdate = $config['installedpackages']['snortglobal']['automaticrulesupdate7']; + $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; /* if user is on pppoe, we really want to use ng0 interface */ if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") $snort_ext_int = "ng0"; /* set the snort performance model */ - if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) - $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance']; + if($config['installedpackages']['snort']['config'][0]['performance']) + $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; else $snort_performance = "ac-bnfa"; - /* open snort's whitelist for writing */ + /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "never_b") + $snort_rm_blocked_false = ""; + else + $snort_rm_blocked_false = "true"; + +if ($snort_rm_blocked_info_ck != "") { +function snort_rm_blocked_install_cron($should_install) { + global $config, $g; + conf_mount_rw(); + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort2c")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + conf_mount_rw(); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } + } + snort_rm_blocked_install_cron(""); + snort_rm_blocked_install_cron($snort_rm_blocked_false); +} + + /* set the snort rules update time */ + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "never_up") + $snort_rules_up_false = ""; + else + $snort_rules_up_false = "true"; + +if ($snort_rules_up_info_ck != "") { +function snort_rules_up_install_cron($should_install) { + global $config, $g; + conf_mount_rw(); + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + conf_mount_rw(); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } + } + snort_rules_up_install_cron(""); + snort_rules_up_install_cron($snort_rules_up_false); +} + /* Be sure we're really rw before writing */ + conf_mount_rw(); + /* open snort2c's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); if(!$whitelist) { log_error("Could not open /var/db/whitelist for writing."); @@ -1543,14 +956,13 @@ else $home_net .= "127.0.0.1 "; /* iterate all vips and add to whitelist */ - if($config['virtualip']) foreach($config['virtualip']['vip'] as $vip) if($vip['subnet']) $home_net .= $vip['subnet'] . " "; - if($config['installedpackages']['snortglobal']['config']) - foreach($config['installedpackages']['snortglobal']['config'] as $snort) + if($config['installedpackages']['snortwhitelist']) + foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) if($snort['ip']) $home_net .= $snort['ip'] . " "; @@ -1570,19 +982,11 @@ else fwrite($whitelist, trim($wl) . "\n"); /* should we whitelist vpns? */ - $whitelistvpns = $config['installedpackages']['snortglobal']['whitelistvpns']; + $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if($whitelistvpns) { - if ($pfsense_stable == 'yes') // chk what pfsense version were on - { - $vpns_list = get_vpns_list(); - } - if ($pfsense_stable == 'no') // chk what pfsense version were on - { - $vpns_list = filter_get_vpns_list(); - } - + $vpns_list = get_vpns_list(); $whitelist_vpns = split(" ", $vpns_list); foreach($whitelist_vpns as $wl) if(trim($wl)) @@ -1591,9 +995,34 @@ else /* close file */ fclose($whitelist); - + + /* Be sure we're really rw before writing */ + conf_mount_rw(); + /* open snort's threshold.conf for writing */ + $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); + if(!$threshlist) { + log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); + return; + } + + /* list all entries to new lines */ + if($config['installedpackages']['snortthreshold']) + foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) + if($snortthreshlist['threshrule']) + $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; + + + /* foreach through threshlist, writing out to file */ + $threshlist_split = split("\n", $snortthreshlist_r); + foreach($threshlist_split as $wl) + if(trim($wl)) + fwrite($threshlist, trim($wl) . "\n"); + + /* close snort's threshold.conf file */ + fclose($threshlist); + /* generate rule sections to load */ - $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][$id]['rulesets']; + $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; if($enabled_rulesets) { $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); @@ -1603,256 +1032,6 @@ else conf_mount_ro(); -///////////////////////////// - -/* preprocessor code */ - -/* def perform_stat */ -$snort_perform_stat = <<<EOD -########################## - # -# NEW # -# Performance Statistics # - # -########################## - -preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000 - -EOD; - -$def_perform_stat_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['perform_stat']; -if ($def_perform_stat_info_chk == "on") - $def_perform_stat_type = "$snort_perform_stat"; -else - $def_perform_stat_type = ""; - -$def_flow_depth_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; -if ($def_flow_depth_info_chk == '') - $def_flow_depth_type = '0'; -else - $def_flow_depth_type = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; - -/* def http_inspect */ -$snort_http_inspect = <<<EOD -################# - # -# HTTP Inspect # - # -################# - -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 - -preprocessor http_inspect_server: server default \ - ports { 80 8080 } \ - non_strict \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - flow_depth {$def_flow_depth_type} \ - apache_whitespace no \ - directory no \ - iis_backslash no \ - u_encode yes \ - ascii no \ - chunk_length 500000 \ - bare_byte yes \ - double_decode yes \ - iis_unicode no \ - iis_delimiter no \ - multi_slash no - -EOD; - -$def_http_inspect_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect']; -if ($def_http_inspect_info_chk == "on") - $def_http_inspect_type = "$snort_http_inspect"; -else - $def_http_inspect_type = ""; - -/* def other_preprocs */ -$snort_other_preprocs = <<<EOD -################## - # -# Other preprocs # - # -################## - -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 -preprocessor bo - -EOD; - -$def_other_preprocs_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['other_preprocs']; -if ($def_other_preprocs_info_chk == "on") - $def_other_preprocs_type = "$snort_other_preprocs"; -else - $def_other_preprocs_type = ""; - -/* def ftp_preprocessor */ -$snort_ftp_preprocessor = <<<EOD -##################### - # -# ftp preprocessor # - # -##################### - -preprocessor ftp_telnet: global \ -inspection_type stateless - -preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 - -preprocessor ftp_telnet_protocol: \ - ftp server default \ - def_max_param_len 100 \ - ports { 21 } \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -EOD; - -$def_ftp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['ftp_preprocessor']; -if ($def_ftp_preprocessor_info_chk == "on") - $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; -else - $def_ftp_preprocessor_type = ""; - -/* def smtp_preprocessor */ -$snort_smtp_preprocessor = <<<EOD -##################### - # -# SMTP preprocessor # - # -##################### - -preprocessor SMTP: \ - ports { 25 465 691 } \ - inspection_type stateful \ - normalize cmds \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - -EOD; - -$def_smtp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['smtp_preprocessor']; -if ($def_smtp_preprocessor_info_chk == "on") - $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; -else - $def_smtp_preprocessor_type = ""; - -/* def sf_portscan */ -$snort_sf_portscan = <<<EOD -################ - # -# sf Portscan # - # -################ - -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } - -EOD; - -$def_sf_portscan_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['sf_portscan']; -if ($def_sf_portscan_info_chk == "on") - $def_sf_portscan_type = "$snort_sf_portscan"; -else - $def_sf_portscan_type = ""; - -/* def dce_rpc_2 */ -$snort_dce_rpc_2 = <<<EOD -############### - # -# NEW # -# DCE/RPC 2 # - # -############### - -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 - -EOD; - -$def_dce_rpc_2_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dce_rpc_2']; -if ($def_dce_rpc_2_info_chk == "on") - $def_dce_rpc_2_type = "$snort_dce_rpc_2"; -else - $def_dce_rpc_2_type = ""; - -/* def dns_preprocessor */ -$snort_dns_preprocessor = <<<EOD -#################### - # -# DNS preprocessor # - # -#################### - -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow - -EOD; - -$def_dns_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dns_preprocessor']; -if ($def_dns_preprocessor_info_chk == "on") - $def_dns_preprocessor_type = "$snort_dns_preprocessor"; -else - $def_dns_preprocessor_type = ""; - -/* def SSL_PORTS IGNORE */ -$def_ssl_ports_ignore_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports_ignore']; -if ($def_ssl_ports_ignore_info_chk == "") - $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; -else - $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk"; - -////////////////////////////////////////////////////////////////// /* build snort configuration file */ /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = <<<EOD @@ -1864,21 +1043,21 @@ else # for more information # snort.conf # Snort can be found at http://www.snort.org/ -# -# Copyright (C) 2009 Robert Zelaya + +# Copyright (C) 2006 Robert Zelaya # part of pfSense # All rights reserved. -# + # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: -# + # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. -# + # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. -# + # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -1967,7 +1146,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504] # ##################### -var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules +var RULE_PATH /usr/local/etc/snort/rules # var PREPROC_RULE_PATH ./preproc_rules ################################ @@ -1992,7 +1171,8 @@ config disable_decode_drops # ################################### -config detection: search-method {$snort_performance} max_queue_events 5 +config detection: search-method {$snort_performance} +config detection: max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries @@ -2007,25 +1187,150 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules/ ################### preprocessor frag3_global: max_frags 8192 +preprocessor frag3_engine: policy windows +preprocessor frag3_engine: policy linux +preprocessor frag3_engine: policy first preprocessor frag3_engine: policy bsd detect_anomalies preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp yes +preprocessor stream5_tcp: bind_to any, policy windows +preprocessor stream5_tcp: bind_to any, policy linux +preprocessor stream5_tcp: bind_to any, policy vista +preprocessor stream5_tcp: bind_to any, policy macos preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes -preprocessor stream5_udp: -preprocessor stream5_icmp: +preprocessor stream5_udp +preprocessor stream5_icmp + +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000 + +################# + # +# HTTP Inspect # + # +################# -{$def_perform_stat_type} +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 -{$def_http_inspect_type} +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + no_alerts \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth 0 \ + apache_whitespace yes \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii yes \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode yes \ + iis_delimiter yes \ + multi_slash no -{$def_other_preprocs_type} +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +##################### + # +# ftp preprocessor # + # +##################### -{$def_ftp_preprocessor_type} +preprocessor ftp_telnet: global \ +inspection_type stateless -{$def_smtp_preprocessor_type} +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 -{$def_sf_portscan_type} +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } ############################ # @@ -2037,9 +1342,28 @@ preprocessor stream5_icmp: # ############################ -{$def_dce_rpc_2_type} +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +#################### + # +# DNS preprocessor # + # +#################### -{$def_dns_preprocessor_type} +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow ############################## # @@ -2048,7 +1372,7 @@ preprocessor stream5_icmp: # ############################## -preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted +preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted ##################### # @@ -2069,9 +1393,9 @@ $spoink_type # ################# -include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config -include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config -include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf +include /usr/local/etc/snort/reference.config +include /usr/local/etc/snort/classification.config +include /usr/local/etc/snort/threshold.conf # Snort user pass through configuration {$snort_config_pass_thru} @@ -2085,19 +1409,17 @@ include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf {$selected_rules_sections} EOD; - + conf_mount_ro(); return $snort_conf_text; } /* check downloaded text from snort.org to make sure that an error did not occur * for example, if you are not a premium subscriber you can only download rules - * so often, etc. TO BE: Removed unneeded. + * so often, etc. */ - function check_for_common_errors($filename) { global $snort_filename, $snort_filename_md5, $console_mode; - -// ob_flush(); + ob_flush(); $contents = file_get_contents($filename); if(stristr($contents, "You don't have permission")) { if(!$console_mode) { @@ -2105,6 +1427,7 @@ function check_for_common_errors($filename) { hide_progress_bar_status(); } else { log_error("An error occured. Scroll down to inspect it's contents."); + echo "An error occured. Scroll down to inspect it's contents."; } if(!$console_mode) { update_output_window(strip_tags("$contents")); @@ -2147,12 +1470,14 @@ function verify_downloaded_file($filename) { } exit; } - update_all_status("Verified {$filename}."); + update_all_status("Verifyied {$filename}."); } /* extract rules */ function extract_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; + ini_set("memory_limit","64M"); + conf_mount_rw(); ob_flush(); if(!$console_mode) { $static_output = gettext("Extracting snort rules..."); @@ -2175,6 +1500,7 @@ function extract_snort_rules_md5($tmpfname) { log_error("Snort rules extracted."); echo "Snort rules extracted."; } + conf_mount_ro(); } /* verify MD5 against downloaded item */ @@ -2187,7 +1513,7 @@ function verify_snort_rules_md5($tmpfname) { } $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5 = `echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; + $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; if($md5 == $file_md5_ondisk) { if(!$console_mode) { @@ -2243,7 +1569,7 @@ function get_snort_alert($ip) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) $alert_title = $matches[2]; if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[$id]; + $alert_ip = $matches[0]; if($alert_ip == $ip) { if(!$snort_config[$ip]) $snort_config[$ip] = $alert_title; @@ -2256,7 +1582,7 @@ function get_snort_alert($ip) { function make_clickable($buffer) { global $config, $g; /* if clickable urls is disabled, simply return buffer back to caller */ - $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode']; + $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; if(!$clickablalerteurls) return $buffer; $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); diff --git a/config/snort-old/snort.xml b/config/snort-old/snort.xml new file mode 100644 index 00000000..6f067f2d --- /dev/null +++ b/config/snort-old/snort.xml @@ -0,0 +1,378 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + authng.xml + part of pfSense (http://www.pfsense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>Snort</name> + <version>2.8.4.1_5</version> + <title>Services: Snort 2.8.4.1_5 pkg v. 1.7</title> + <include_file>/usr/local/pkg/snort.inc</include_file> + <menu> + <name>Snort</name> + <tooltiptext>Setup snort specific settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + </menu> + <service> + <name>snort</name> + <rcfile>snort.sh</rcfile> + <executable>snort</executable> + <description>Snort is the most widely deployed IDS/IPS technology worldwide..</description> + </service> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> + </tab> + <tab> + <text>Categories</text> + <url>/snort_rulesets.php</url> + </tab> + <tab> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + </tab> + <tab> + <text>Blocked</text> + <url>/snort_blocked.php</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=snort_whitelist.xml</url> + </tab> + <tab> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + </tab> + </tabs> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/bin/barnyard2</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/bin/oinkmaster_contrib/create-sidmap.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/bin/oinkmaster_contrib/oinkmaster.pl</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_download_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_rules_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_rulesets.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_whitelist.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_blocked.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_check_for_rule_updates.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_alerts.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/pf/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_dynamic_ip_reload.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_advanced.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_define_servers.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/snort_threshold.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort-old/pfsense_rules/local.rules</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Interface</fielddescr> + <fieldname>iface_array</fieldname> + <description>Select the interface(s) Snort will listen on.</description> + <type>interfaces_selection</type> + <size>3</size> + <value>lan</value> + <multiple>true</multiple> + </field> + <field> + <fielddescr>Memory Performance</fielddescr> + <fieldname>performance</fieldname> + <description>Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance.</description> + <type>select</type> + <options> + <option> + <name>ac-bnfa</name> + <value>ac-bnfa</value> + </option> + <option> + <name>lowmem</name> + <value>lowmem</value> + </option> + <option> + <name>ac-std</name> + <value>ac-std</value> + </option> + <option> + <name>ac</name> + <value>ac</value> + </option> + <option> + <name>ac-banded</name> + <value>ac-banded</value> + </option> + <option> + <name>ac-sparsebands</name> + <value>ac-sparsebands</value> + </option> + <option> + <name>acs</name> + <value>acs</value> + </option> + </options> + </field> + <field> + <fielddescr>Oinkmaster code</fielddescr> + <fieldname>oinkmastercode</fieldname> + <description>Obtain a snort.org Oinkmaster code and paste here.</description> + <type>input</type> + <size>60</size> + <value></value> + </field> + <field> + <fielddescr>Snort.org subscriber</fielddescr> + <fieldname>subscriber</fieldname> + <description>Check this box if you are a Snort.org subscriber (premium rules).</description> + <type>checkbox</type> + <size>60</size> + </field> + <field> + <fielddescr>Block offenders</fielddescr> + <fieldname>blockoffenders7</fieldname> + <description>Checking this option will automatically block hosts that generate a snort alert.</description> + <type>checkbox</type> + <size>60</size> + </field> + <field> + <fielddescr>Remove blocked hosts every</fielddescr> + <fieldname>rm_blocked</fieldname> + <description>Please select the amount of time hosts are blocked</description> + <type>select</type> + <options> + <option> + <name>never</name> + <value>never_b</value> + </option> + <option> + <name>1 hour</name> + <value>1h_b</value> + </option> + <option> + <name>3 hours</name> + <value>3h_b</value> + </option> + <option> + <name>6 hours</name> + <value>6h_b</value> + </option> + <option> + <name>12 hours</name> + <value>12h_b</value> + </option> + <option> + <name>1 day</name> + <value>1d_b</value> + </option> + <option> + <name>4 days</name> + <value>4d_b</value> + </option> + <option> + <name>7 days</name> + <value>7d_b</value> + </option> + <option> + <name>28 days</name> + <value>28d_b</value> + </option> + </options> + </field> + <field> + </field> + <field> + <fielddescr>Update rules automatically</fielddescr> + <fieldname>autorulesupdate7</fieldname> + <description>Please select the update times for rules.</description> + <type>select</type> + <options> + <option> + <name>never</name> + <value>never_up</value> + </option> + <option> + <name>6 hours</name> + <value>6h_up</value> + </option> + <option> + <name>12 hours</name> + <value>12h_up</value> + </option> + <option> + <name>1 day</name> + <value>1d_up</value> + </option> + <option> + <name>4 days</name> + <value>4d_up</value> + </option> + <option> + <name>7 days</name> + <value>7d_up</value> + </option> + <option> + <name>28 days</name> + <value>28d_up</value> + </option> + </options> + </field> + <field> + <fielddescr>Whitelist VPNs automatically</fielddescr> + <fieldname>whitelistvpns</fieldname> + <description>Checking this option will install whitelists for all VPNs.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Convert Snort alerts urls to clickable links</fielddescr> + <fieldname>clickablalerteurls</fieldname> + <description>Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Associate events on Blocked tab</fielddescr> + <fieldname>associatealertip</fieldname> + <description>Checking this option will automatically associate the blocked reason from the snort alerts file.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Install emergingthreats rules.</fielddescr> + <fieldname>emergingthreats</fieldname> + <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description> + <type>checkbox</type> + </field> + </fields> + <custom_php_resync_config_command> + sync_package_snort(); + </custom_php_resync_config_command> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_install_command> + sync_package_snort_reinstall(); + </custom_php_install_command> + <custom_php_deinstall_command> + snort_deinstall(); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/snort/snort_advanced.xml b/config/snort-old/snort_advanced.xml index 1fdddda2..1fdddda2 100644 --- a/config/snort/snort_advanced.xml +++ b/config/snort-old/snort_advanced.xml diff --git a/config/snort-old/snort_alerts.php b/config/snort-old/snort_alerts.php new file mode 100644 index 00000000..e67b9b5f --- /dev/null +++ b/config/snort-old/snort_alerts.php @@ -0,0 +1,124 @@ +<?php +/* $Id$ */ +/* + snort_alerts.php + part of pfSense + + Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("globals.inc"); +require("guiconfig.inc"); +require("/usr/local/pkg/snort.inc"); + +$snort_logfile = "{$g['varlog_path']}/snort/alert"; + +$nentries = $config['syslog']['nentries']; +if (!$nentries) + $nentries = 50; + +if ($_POST['clear']) { + exec("killall syslogd"); + conf_mount_rw(); + exec("rm {$snort_logfile}; touch {$snort_logfile}"); + conf_mount_ro(); + system_syslogd_start(); + exec("/usr/bin/killall -HUP snort"); + exec("/usr/bin/killall snort2c"); + if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') + exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); +} + +$pgtitle = "Services: Snort: Snort Alerts"; +include("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td></tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="2" class="listtopic"> + Last <?=$nentries;?> Snort Alert entries</td> + </tr> + <?php dump_log_file($snort_logfile, $nentries); ?> + <tr><td><br><form action="snort_alerts.php" method="post"> + <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr> + </table> + </div> + </form> + </td> + </tr> +</table> +<?php include("fend.inc"); ?> +<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>"> +</body> +</html> +<!-- <?php echo $snort_logfile; ?> --> + +<?php + +function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") { + global $g, $config; + $logarr = ""; + exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr); + foreach ($logarr as $logent) { + if(!logent) + continue; + $ww_logent = $logent; + $ww_logent = str_replace("[", " [ ", $ww_logent); + $ww_logent = str_replace("]", " ] ", $ww_logent); + echo "<tr valign=\"top\">\n"; + echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . " </td>\n"; + echo "</tr>\n"; + } +} + +?>
\ No newline at end of file diff --git a/config/snort-old/snort_blocked.php b/config/snort-old/snort_blocked.php new file mode 100644 index 00000000..ff158853 --- /dev/null +++ b/config/snort-old/snort_blocked.php @@ -0,0 +1,174 @@ +<?php +/* $Id$ */ +/* + snort_blocked.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require("/usr/local/pkg/snort.inc"); + +if($_POST['todelete'] or $_GET['todelete']) { + if($_POST['todelete']) + $ip = $_POST['todelete']; + if($_GET['todelete']) + $ip = $_GET['todelete']; + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); +} + +$pgtitle = "Snort: Snort Blocked"; +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php include("fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_rulesets.php" method="post" name="iform" id="iform"> +<script src="/row_toggle.js" type="text/javascript"></script> +<script src="/javascript/sorttable.js" type="text/javascript"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Remove</td> + <td class="listhdrr">IP</td> + <td class="listhdrr">Alert Description</td> + </tr> +<?php + + $associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip']; + $ips = `/sbin/pfctl -t snort2c -T show`; + $ips_array = split("\n", $ips); + $counter = 0; + foreach($ips_array as $ip) { + if(!$ip) + continue; + $ww_ip = str_replace(" ", "", $ip); + $counter++; + if($associatealertip) + $alert_description = get_snort_alert($ww_ip); + else + $alert_description = ""; + echo "\n<tr>"; + echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>"; + echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>"; + echo "\n<td> {$ww_ip}</td>"; + echo "\n<td> {$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>"; + echo "\n</tr>"; + } + echo "\n<tr><td colspan='3'> </td></tr>"; + if($counter < 1) + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>"; + else + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; + +?> + + </table> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +</form> + +<p> + +<?php + +$blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blocked']; + if ($blockedtab_msg_chk == "1h_b") { + $blocked_msg = "hour"; + } + if ($blockedtab_msg_chk == "3h_b") { + $blocked_msg = "3 hours"; + } + if ($blockedtab_msg_chk == "6h_b") { + $blocked_msg = "6 hours"; + } + if ($blockedtab_msg_chk == "12h_b") { + $blocked_msg = "12 hours"; + } + if ($blockedtab_msg_chk == "1d_b") { + $blocked_msg = "day"; + } + if ($blockedtab_msg_chk == "4d_b") { + $blocked_msg = "4 days"; + } + if ($blockedtab_msg_chk == "7d_b") { + $blocked_msg = "7 days"; + } + if ($blockedtab_msg_chk == "28d_b") { + $blocked_msg = "28 days"; + } + +echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every $blocked_msg."; + +?> + +<?php include("fend.inc"); ?> + +</body> +</html> + +<?php + +/* write out snort cache */ +write_snort_config_cache($snort_config); + +?>
\ No newline at end of file diff --git a/config/snort-dev/snort_check_for_rule_updates.php b/config/snort-old/snort_check_for_rule_updates.php index 6f95b101..8d308245 100644 --- a/config/snort-dev/snort_check_for_rule_updates.php +++ b/config/snort-old/snort_check_for_rule_updates.php @@ -3,7 +3,6 @@ /* snort_rulesets.php Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -29,8 +28,8 @@ */ /* Setup enviroment */ -$tmpfname = "/tmp/snort_rules_up"; -$snortdir = "/usr/local/etc/snort"; +$tmpfname = "/root/snort_rules_up"; +$snortdir = "/usr/local/etc/snort_bkup"; $snortdir_wan = "/usr/local/etc/snort"; $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; $snort_filename = "snortrules-snapshot-2.8.tar.gz"; @@ -39,71 +38,53 @@ $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; $pfsense_rules_filename = "pfsense_rules.tar.gz"; -require_once("globals.inc"); -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); +require("/usr/local/pkg/snort.inc"); +require_once("config.inc"); -/* define checks */ -$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; -$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; -$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; - -if ($oinkid == "" && $snortdownload != "off") -{ - echo "You must obtain an oinkid from snort.org and set its value in the Snort settings tab.\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'You must obtain an oinkid from snort.org and set its value in the Snort settings tab.'"); - exit; -} - -if ($snortdownload != "on" && $emergingthreats != "on") -{ - echo 'Snort Global Settings: download snort.org rules = off and download emergingthreat rules = off.\n'; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'No rules have been selected to download.'"); - exit; -} +?> -conf_mount_rw(); -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; +<?php $up_date_time = date('l jS \of F Y h:i:s A'); -echo "\n"; -echo "#########################\n"; -echo "$up_date_time\n"; -echo "#########################\n"; -echo "\n\n"; - -exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Checking for needed updates...'"); +echo ""; +echo "#########################"; +echo "$up_date_time"; +echo "#########################"; +echo ""; /* Begin main code */ /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","125M"); -/* mark the time update started */ -$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); - /* send current buffer */ ob_flush(); -conf_mount_rw(); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +/* if missing oinkid exit */ +if(!$oinkid) { + echo "Please add you oink code\n"; + exit; +} /* premium_subscriber check */ //unset($config['installedpackages']['snort']['config'][0]['subscriber']); //write_config(); // Will cause switch back to read-only on nanobsd //conf_mount_rw(); // Uncomment this if the previous line is uncommented +$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; - -if ($premium_subscriber_chk == "premium") { +if ($premium_subscriber_chk === on) { $premium_subscriber = "_s"; }else{ $premium_subscriber = ""; } -$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; -if ($premium_url_chk == "premium") { +$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +if ($premium_url_chk === on) { $premium_url = "sub-rules"; }else{ $premium_url = "reg-rules"; @@ -111,23 +92,16 @@ if ($premium_url_chk == "premium") { /* send current buffer */ ob_flush(); -conf_mount_rw(); +conf_mount_rw(); /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { - echo "Removing old tmp files...\n"; exec("/bin/rm -r {$tmpfname}"); apc_clear_cache(); } -/* Make shure snortdir exits */ -exec("/bin/mkdir -p {$snortdir}"); -exec("/bin/mkdir -p {$snortdir}/rules"); -exec("/bin/mkdir -p {$snortdir}/signatures"); - /* send current buffer */ ob_flush(); -conf_mount_rw(); /* If tmp dir does not exist create it */ if (file_exists($tmpfname)) { @@ -151,7 +125,7 @@ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { } /* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; if ($emergingthreats_url_chk == on) { echo "Downloading md5 file...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -177,11 +151,14 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { echo "Done. downloading md5\n"; } +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; + /* If md5 file is empty wait 15min exit */ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ echo "Please wait... You may only check for New Rules every 15 minutes...\n"; echo "Rules are released every month from snort.org. You may download the Rules at any time.\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Rules every 15 minutes...'"); exit(0); } @@ -191,7 +168,6 @@ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n"; echo "Rules are released to support Pfsense packages.\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Pfsense Rules every 15 minutes...'"); exit(0); } @@ -202,18 +178,18 @@ $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($md5_check_new == $md5_check_old) { echo "Your rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $snort_md5_check_ok = on; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your snort rules are up to date...'"); } } /* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; if ($emergingthreats_url_chk == on) { if (file_exists("{$snortdir}/version.txt")){ $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); @@ -221,13 +197,13 @@ $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($emerg_md5_check_new == $emerg_md5_check_old) { echo "Your emergingthreats rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $emerg_md5_check_chk_ok = on; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); } } } @@ -240,65 +216,39 @@ $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_m $pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; if ($pfsense_md5_check_new == $pfsense_md5_check_old) { $pfsense_md5_check_ok = on; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); } } /* Make Clean Snort Directory emergingthreats not checked */ if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Cleaning the snort Directory...")); - update_output_window(gettext("removing...")); - exec("/bin/rm {$snortdir}/rules/emerging*"); + echo "Cleaning the snort Directory...\n"; + echo "removing...\n"; + exec("/bin/rm {$snortdir}/rules/emerging*\n"); exec("/bin/rm {$snortdir}/version.txt"); - exec("/bin/rm {$snortdir_wan}/rules/emerging*"); - exec("/bin/rm {$snortdir_wan}/version.txt"); echo "Done making cleaning emrg direcory.\n"; } /* Check if were up to date exits */ if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - echo "Your emergingthreats rules are up to date...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); + echo "Your rules are up to date...\n"; + echo "You may start Snort now...\n"; exit(0); } if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Your pfsense rules are up to date...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); + echo "Your rules are up to date...\n"; + echo "You may start Snort now...\n"; exit(0); } /* You are Not Up to date, always stop snort when updating rules for low end machines */; echo "You are NOT up to date...\n"; -echo "Stopping All Snort Package services...\n"; -exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULES ARE OUT OF DATE, UPDATING...'"); -exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Stopping All Snort Package Services...'"); +echo "Stopping Snort service...\n"; $chk_if_snort_up = exec("pgrep -x snort"); if ($chk_if_snort_up != "") { - - - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - - /* dont flood the syslog code */ - exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); - sleep(3); - - exec("/usr/bin/killall snort"); - exec("/bin/rm /var/run/snort*"); - sleep(2); - exec("/usr/bin/killall barnyard2"); - exec("/bin/rm /var/run/barnyard2*"); - - /* stop syslog flood code */ - exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_rules_update.log"); - exec("/usr/bin/killall syslogd"); - exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); - exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); - sleep(2); - exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); - $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after snort STOP {$after_mem}'"); - + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + stop_service("snort"); + sleep(2); } /* download snortrules file */ @@ -306,6 +256,7 @@ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Snortrule tar file exists...\n"; } else { + echo "There is a new set of Snort rules posted. Downloading...\n"; echo "May take 4 to 10 min...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -360,56 +311,28 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { } } -/* Compair md5 sig to file sig */ - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk == on) { -//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md5 == $file_md5_ondisk) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - -//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -//if ($premium_url_chk != on) { -//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; -//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; -// if ($md55 == $file_md5_ondisk2) { -// update_status(gettext("Valid md5 checksum pass...")); -//} else { -// update_status(gettext("The downloaded file does not match the md5 file...Not P")); -// update_output_window(gettext("Error md5 Mismatch...")); -// exit(0); -// } -//} - /* Untar snort rules file individually to help people with low system specs */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Extracting rules...\n"; echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/" . - " etc/" . - " so_rules/precompiled/FreeBSD-7.0/i386/2.8.4" . - " so_rules/bad-traffic.rules/" . - " so_rules/chat.rules/" . - " so_rules/dos.rules/" . - " so_rules/exploit.rules/" . - " so_rules/imap.rules/" . - " so_rules/misc.rules/" . - " so_rules/multimedia.rules/" . - " so_rules/netbios.rules/" . - " so_rules/nntp.rules/" . - " so_rules/p2p.rules/" . - " so_rules/smtp.rules/" . - " so_rules/sql.rules/" . - " so_rules/web-client.rules/" . - " so_rules/web-misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); echo "Done extracting Rules.\n"; } else { echo "The Download rules file missing...\n"; @@ -441,7 +364,7 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { /* Untar snort signatures */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; if ($premium_url_chk == on) { echo "Extracting Signatures...\n"; echo "May take a while...\n"; @@ -454,8 +377,8 @@ if ($premium_url_chk == on) { /* Make Clean Snort Directory */ //if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { //if (file_exists("{$snortdir}/rules")) { -// update_status(gettext("Cleaning the snort Directory...")); -// update_output_window(gettext("removing...")); +// echo "Cleaning the snort Directory...\n"; +// echo "removing...\n"; // exec("/bin/mkdir -p {$snortdir}"); // exec("/bin/mkdir -p {$snortdir}/rules"); // exec("/bin/mkdir -p {$snortdir}/signatures"); @@ -463,49 +386,96 @@ if ($premium_url_chk == on) { // exec("/bin/rm {$snortdir}/rules/*"); // exec("/bin/rm {$snortdir_wan}/*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); - // exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); //} else { -// update_status(gettext("Making Snort Directory...")); -// update_output_window(gettext("should be fast...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/*"); +// echo "Making Snort Directory...\n"; +// echo "should be fast...\n"; +// exec("/bin/mkdir {$snortdir}"); +// exec("/bin/mkdir {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/\*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); // exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// update_status(gettext("Done making snort direcory.")); +// echo "Done making snort direcory.\n"; // } //} -/* Copy so_rules dir to snort lib dir */ -/* Disabled untill I figure out why there is a segment falut core dump on 2.8.5.3 */ -//if ($snort_md5_check_ok != on) { -//if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { -// echo "Copying so_rules...\n"; -// echo "May take a while...\n"; -// exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); -// exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); -// exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); -// exec("/bin/rm -r {$snortdir}/so_rules"); -// echo "Done copying so_rules.\n"; -//} else { -// echo "Directory so_rules does not exist...\n"; -// echo "Error copying so_rules...\n"; -// exit(0); -// } -//} +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + echo "Copying so_rules...\n"; + echo "May take a while...\n"; + sleep(2); + exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + echo "Done copying so_rules.\n"; +} else { + echo "Directory so_rules does not exist...\n"; + echo "Error copping so_rules...\n"; + exit(0); + } +} + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort_bkup/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's threshold.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's threshold.conf file */ + fclose($oinkmasterlist); + +} /* Copy configs to snort dir */ if ($snort_md5_check_ok != on) { @@ -513,10 +483,9 @@ if (file_exists("{$snortdir}/etc/Makefile.am")) { echo "Copying configs to snort directory...\n"; exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); exec("/bin/rm -r {$snortdir}/etc"); - } else { - echo "The snort config does not exist...\n"; - echo "Error copying config...\n"; + echo "The snort configs does not exist...\n"; + echo "Error copping config...\n"; exit(0); } } @@ -528,7 +497,7 @@ if (file_exists("{$tmpfname}/$snort_filename_md5")) { exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); } else { echo "The md5 file does not exist...\n"; - echo "Error copying config...\n"; + echo "Error copping config...\n"; exit(0); } } @@ -541,7 +510,7 @@ if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); } else { echo "The emergingthreats md5 file does not exist...\n"; - echo "Error copying config...\n"; + echo "Error copping config...\n"; exit(0); } } @@ -554,14 +523,14 @@ if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); } else { echo "The Pfsense md5 file does not exist...\n"; - echo "Error copying config...\n"; + echo "Error copping config...\n"; exit(0); } } - + /* Copy signatures dir to snort dir */ if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; if ($premium_url_chk == on) { if (file_exists("{$snortdir}/doc/signatures")) { echo "Copying signatures...\n"; @@ -571,22 +540,22 @@ if (file_exists("{$snortdir}/doc/signatures")) { echo "Done copying signatures.\n"; } else { echo "Directory signatures exist...\n"; - echo "Error copying signature...\n"; + echo "Error copping signature...\n"; exit(0); } } } -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { +/* double make shure clean up emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); } if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { @@ -594,176 +563,72 @@ if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); } -/* make shure default rules are in the right format */ -exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); -exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - -/* create a msg-map for snort */ echo "Updating Alert Messages...\n"; echo "Please Wait...\n"; -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); - - -////////////////// - -/* Start the proccess for every interface rule */ -/* TODO: try to make the code smother */ - -if (!empty($config['installedpackages']['snortglobal']['rule'])) { - -$rule_array = $config['installedpackages']['snortglobal']['rule']; -$id = -1; -foreach ($rule_array as $value) { - -$id += 1; - -$result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; -$if_real = convert_friendly_interface_to_real_interface_name($result_lan); - - /* make oinkmaster.conf for each interface rule */ - oinkmaster_conf(); - - /* run oinkmaster for each interface rule */ - oinkmaster_run(); - - } -} - -/* open oinkmaster_conf for writing" function */ -function oinkmaster_conf() { - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's oinkmaster.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort/oinkmaster_$if_real.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's oinkmaster.conf file */ - fclose($oinkmasterlist); - - } -} +sleep(2); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); /* Run oinkmaster to snort_wan and cp configs */ /* If oinkmaster is not needed cp rules normally */ /* TODO add per interface settings here */ -function oinkmaster_run() { - - global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; - if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) || empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { - echo "Your first set of rules are being copied...\n"; - echo "May take a while...\n"; - exec("/bin/echo \"test {$snortdir} {$snortdir_wan} $id$if_real\" >> /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); + if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { +echo "Your first set of rules are being copied...\n"; +echo "May take a while...\n"; + + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); } else { echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; echo "May take a while...\n"; - exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster_$id$if_real.conf -o /usr/local/etc/snort/snort_$id$if_real/rules > /usr/local/etc/snort/oinkmaster_$id$if_real.log"); - - } + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); + exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + } } -////////////// - -/* mark the time update finnished */ -$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); - /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { echo "Cleaning up...\n"; - exec("/bin/rm -r /tmp/snort_rules_up"); -// apc_clear_cache(); + exec("/bin/rm -r /root/snort_rules_up"); } /* php code to flush out cache some people are reportting missing files this might help */ -sleep(2); +sleep(5); apc_clear_cache(); exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); - /* make snort the owner */ - exec("/usr/sbin/chown -R snort:snort /var/log/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); - exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); - exec("/bin/chmod -R 755 /var/log/snort"); - exec("/bin/chmod -R 755 /usr/local/etc/snort"); - exec("/bin/chmod -R 755 /usr/local/lib/snort"); - /* if snort is running hardrestart, if snort is not running do nothing */ if (file_exists("/tmp/snort_download_halt.pid")) { - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); + start_service("snort"); echo "The Rules update finished...\n"; echo "Snort has restarted with your new set of rules...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); exec("/bin/rm /tmp/snort_download_halt.pid"); } else { echo "The Rules update finished...\n"; - exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); + echo "You may start snort now...\n"; } - conf_mount_ro(); ?> diff --git a/config/snort/snort_define_servers.xml b/config/snort-old/snort_define_servers.xml index 7df880d0..7df880d0 100644 --- a/config/snort/snort_define_servers.xml +++ b/config/snort-old/snort_define_servers.xml diff --git a/config/snort-old/snort_download_rules.php b/config/snort-old/snort_download_rules.php new file mode 100644 index 00000000..9826ba2a --- /dev/null +++ b/config/snort-old/snort_download_rules.php @@ -0,0 +1,790 @@ +<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich and Robert Zelaya + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* Setup enviroment */ +$tmpfname = "/root/snort_rules_up"; +$snortdir = "/usr/local/etc/snort_bkup"; +$snortdir_wan = "/usr/local/etc/snort"; +$snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; +$snort_filename = "snortrules-snapshot-2.8.tar.gz"; +$emergingthreats_filename_md5 = "version.txt"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; +$pfsense_rules_filename = "pfsense_rules.tar.gz"; + +require_once("guiconfig.inc"); +require_once("functions.inc"); +require_once("service-utils.inc"); +require("/usr/local/pkg/snort.inc"); + +$pgtitle = "Services: Snort: Update Rules"; + +include("/usr/local/www/head.inc"); + +?> + +<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("/usr/local/www/fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_download_rules.php" method="post"> +<div id="inputerrors"></div> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), true, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td align="center" valign="top"> + <!-- progress bar --> + <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> + <tr> + <td> + <img border='0' src='./themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> + </td> + </tr> + </table> + <br /> + <!-- status box --> + <textarea cols="60" rows="2" name="status" id="status" wrap="hard"> + <?=gettext("Initializing...");?> + </textarea> + <!-- command output box --> + <textarea cols="60" rows="2" name="output" id="output" wrap="hard"> + </textarea> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> +</form> + +<?php include("fend.inc");?> + +<?php + + +/* Begin main code */ +/* Set user agent to Mozilla */ +ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); +ini_set("memory_limit","125M"); + +/* send current buffer */ +ob_flush(); + +/* define oinkid */ +if($config['installedpackages']['snort']) + $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + +/* if missing oinkid exit */ +if(!$oinkid) { + $static_output = gettext("You must obtain an oinkid from snort.org and set its value in the Snort settings tab."); + update_all_status($static_output); + hide_progress_bar_status(); + exit; +} + +/* premium_subscriber check */ +//unset($config['installedpackages']['snort']['config'][0]['subscriber']); +//write_config(); // Will cause switch back to read-only on nanobsd +//conf_mount_rw(); // Uncomment this if the previous line is uncommented + +$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; + +if ($premium_subscriber_chk === on) { + $premium_subscriber = "_s"; +}else{ + $premium_subscriber = ""; +} + +$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +if ($premium_url_chk === on) { + $premium_url = "sub-rules"; +}else{ + $premium_url = "reg-rules"; +} + +/* hide progress bar */ +hide_progress_bar_status(); + +/* send current buffer */ +ob_flush(); + +conf_mount_rw(); + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + update_status(gettext("Removing old tmp files...")); + exec("/bin/rm -r {$tmpfname}"); + apc_clear_cache(); +} + +/* Make shure snortdir exits */ +exec("/bin/mkdir -p {$snortdir}"); +exec("/bin/mkdir -p {$snortdir}/rules"); +exec("/bin/mkdir -p {$snortdir}/signatures"); + +/* send current buffer */ +ob_flush(); + +/* If tmp dir does not exist create it */ +if (file_exists($tmpfname)) { + update_status(gettext("The directory tmp exists...")); +} else { + mkdir("{$tmpfname}", 700); +} + +/* unhide progress bar and lets end this party */ +unhide_progress_bar_status(); + +/* download md5 sig from snort.org */ +if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + update_status(gettext("md5 temp file exists...")); +} else { + update_status(gettext("Downloading md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* download md5 sig from emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { + update_status(gettext("Downloading md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* download md5 sig from pfsense.org */ +if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { + update_status(gettext("md5 temp file exists...")); +} else { + update_status(gettext("Downloading pfsense md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5"); +// $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz.md5"); + $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done. downloading md5")); +} + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; + +/* If md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + echo "\n\n</body>\n</html>\n"; + exit(0); +} + +/* If emergingthreats md5 file is empty wait 15min exit not needed */ + +/* If pfsense md5 file is empty wait 15min exit */ +if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ + update_status(gettext("Please wait... You may only check for New Pfsense Rules every 15 minutes...")); + update_output_window(gettext("Rules are released to support Pfsense packages.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; + echo "\n\n</body>\n</html>\n"; + exit(0); +} + +/* Check if were up to date snort.org */ +if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ +$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); // Will cause switch back to read-only on nanobsd +conf_mount_rw(); +if ($md5_check_new == $md5_check_old) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + /* Timestamps to html */ + echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; + echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; +// echo "P is this code {$premium_subscriber}"; + echo "\n\n</body>\n</html>\n"; + $snort_md5_check_ok = on; + } +} + +/* Check if were up to date emergingthreats.net */ +$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +if ($emergingthreats_url_chk == on) { +if (file_exists("{$snortdir}/version.txt")){ +$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); +$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); +$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +/* Write out time of last sucsessful md5 to cache */ +$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); +write_config(); // Will cause switch back to read-only on nanobsd +conf_mount_rw(); +if ($emerg_md5_check_new == $emerg_md5_check_old) { + update_status(gettext("Your emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); + $emerg_md5_check_chk_ok = on; + } + } +} + +/* Check if were up to date pfsense.org */ +if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ +$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; +$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); +$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; +if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + $pfsense_md5_check_ok = on; + } +} + +/* Make Clean Snort Directory emergingthreats not checked */ +if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/rules/emerging*"); + exec("/bin/rm {$snortdir}/version.txt"); + exec("/bin/rm {$snortdir_wan}/rules/emerging*"); + exec("/bin/rm {$snortdir_wan}/version.txt"); + update_status(gettext("Done making cleaning emrg direcory.")); +} + +/* Check if were up to date exits */ +if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + exit(0); +} + +/* You are Not Up to date, always stop snort when updating rules for low end machines */; +update_status(gettext("You are NOT up to date...")); +update_output_window(gettext("Stopping Snort service...")); +$chk_if_snort_up = exec("pgrep -x snort"); +if ($chk_if_snort_up != "") { + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + stop_service("snort"); + sleep(2); +} + +/* download snortrules file */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + exit(0); + } + } +} + +/* download emergingthreats rules file */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Emergingthreats tar file exists...")); +} else { + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading Emergingthreats rules file.")); + } + } + } + +/* download pfsense rules file */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Snortrule tar file exists...")); +} else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Pfsense rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); +// download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + download_file_with_progress_bar("http://www.pfsense.com/packages/config/snort/pfsense_rules/pfsense_rules.tar.gz", $tmpfname . "/{$pfsense_rules_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + } +} + +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +/* Untar snort rules file individually to help people with low system specs */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); + exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); + update_status(gettext("Done extracting Rules.")); +} else { + update_status(gettext("The Download rules file missing...")); + update_output_window(gettext("Error rules extracting failed...")); + exit(0); + } +} + +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } +} + +/* Untar Pfsense rules to tmp */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { + update_status(gettext("Extracting Pfsense rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$pfsense_rules_filename} -C {$snortdir} rules/"); + } +} + +/* Untar snort signatures */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/{$snort_filename}")) { +$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { + update_status(gettext("Extracting Signatures...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + } + } +} + +/* Make Clean Snort Directory */ +//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { +//if (file_exists("{$snortdir}/rules")) { +// update_status(gettext("Cleaning the snort Directory...")); +// update_output_window(gettext("removing...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/mkdir -p {$snortdir}/signatures"); +// exec("/bin/rm {$snortdir}/*"); +// exec("/bin/rm {$snortdir}/rules/*"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); + +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); +//} else { +// update_status(gettext("Making Snort Directory...")); +// update_output_window(gettext("should be fast...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/*"); +// exec("/bin/rm {$snortdir_wan}/rules/*"); +// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); +// update_status(gettext("Done making snort direcory.")); +// } +//} + +/* Copy so_rules dir to snort lib dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { + update_status(gettext("Copying so_rules...")); + update_output_window(gettext("May take a while...")); + exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + update_status(gettext("Done copying so_rules.")); +} else { + update_status(gettext("Directory so_rules does not exist...")); + update_output_window(gettext("Error copying so_rules...")); + exit(0); + } +} + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort_bkup/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's threshold.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's threshold.conf file */ + fclose($oinkmasterlist); + +} + +/* Copy configs to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$snortdir}/etc/Makefile.am")) { + update_status(gettext("Copying configs to snort directory...")); + exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + +} else { + update_status(gettext("The snort config does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } +} + +/* Copy md5 sig to snort dir */ +if ($snort_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); +} else { + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } +} + +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats_url_chk == on) { +if ($emerg_md5_check_chk_ok != on) { +if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); +} else { + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } + } +} + +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); +} else { + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + exit(0); + } +} + +/* Copy signatures dir to snort dir */ +if ($snort_md5_check_ok != on) { +$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; +if ($premium_url_chk == on) { +if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); +} else { + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + exit(0); + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); + +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + + if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { + update_status(gettext("Your first set of rules are being copied...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + +} else { + update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + + /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); + exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + + + } +} + +/* remove old $tmpfname files */ +if (file_exists("{$tmpfname}")) { + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /root/snort_rules_up"); +// apc_clear_cache(); +} + +/* php code to flush out cache some people are reportting missing files this might help */ +sleep(2); +apc_clear_cache(); +exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + +/* if snort is running hardrestart, if snort is not running do nothing */ +if (file_exists("/tmp/snort_download_halt.pid")) { + start_service("snort"); + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + exec("/bin/rm /tmp/snort_download_halt.pid"); +} else { + update_status(gettext("The Rules update finished...")); + update_output_window(gettext("You may start snort now...")); +} + +/* hide progress bar and lets end this party */ +hide_progress_bar_status(); +conf_mount_ro(); +?> + +<?php + +function read_body_firmware($ch, $string) { + global $fout, $file_size, $downloaded, $counter, $version, $latest_version, $current_installed_pfsense_version; + $length = strlen($string); + $downloaded += intval($length); + $downloadProgress = round(100 * (1 - $downloaded / $file_size), 0); + $downloadProgress = 100 - $downloadProgress; + $a = $file_size; + $b = $downloaded; + $c = $downloadProgress; + $text = " Snort download in progress\\n"; + $text .= "----------------------------------------------------\\n"; + $text .= " Downloaded : {$b}\\n"; + $text .= "----------------------------------------------------\\n"; + $counter++; + if($counter > 150) { + update_output_window($text); + update_progress_bar($downloadProgress); + flush(); + $counter = 0; + } + conf_mount_rw(); + fwrite($fout, $string); + conf_mount_ro(); + return $length; +} + +?> + +</body> +</html> diff --git a/config/snort-dev/snort_dynamic_ip_reload.php b/config/snort-old/snort_dynamic_ip_reload.php index 98d9bcce..0fad085b 100644 --- a/config/snort-dev/snort_dynamic_ip_reload.php +++ b/config/snort-old/snort_dynamic_ip_reload.php @@ -3,7 +3,7 @@ /* $Id$ */ /* snort_dynamic_ip_reload.php - Copyright (C) 2009 Robert Zeleya + Copyright (C) 2006 Scott Ullrich and Robert Zeleya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -31,20 +31,19 @@ /* NOTE: this file gets included from the pfSense filter.inc plugin process */ /* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ -require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort.inc"); +require_once("service-utils.inc"); +require_once("config.inc"); -/* get the varibles from the command line */ -/* Note: snort.sh sould only be using this */ -//$id = $_SERVER["argv"][1]; -//$if_real = $_SERVER["argv"][2]; -//$test_iface = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - -//if ($id == "" || $if_real == "" || $test_iface == "") { -// exec("/usr/bin/logger -p daemon.info -i -t SnortDynIP \"ERORR starting snort_dynamic_ip_reload.php\""); -// exit; -// } - -sync_snort_package_empty(); +if($config['interfaces']['wan']['ipaddr'] == "pppoe" or + $config['interfaces']['wan']['ipaddr'] == "dhcp") { + create_snort_conf(); + exec("killall -HUP snort"); + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; + if ($snortbarnyardlog_info_chk == on) + exec("killall -HUP barnyard2"); +} ?>
\ No newline at end of file diff --git a/config/snort-dev/snort_rules.php b/config/snort-old/snort_rules.php index c95d76ca..94c99f0e 100644 --- a/config/snort-dev/snort_rules.php +++ b/config/snort-old/snort_rules.php @@ -2,8 +2,7 @@ /* $Id$ */ /* edit_snortrule.php - Copyright (C) 2004, 2005 Scott Ullrich - Copyright (C) 2008, 2009 Robert Zelaya + Copyright (C) 2004, 2005 Scott Ullrich and Rober Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -27,45 +26,22 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +require("guiconfig.inc"); +require("config.inc"); - -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/snort/snort_gui.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); - -if (!is_array($config['installedpackages']['snortglobal']['rule'])) { - $config['installedpackages']['snortglobal']['rule'] = array(); -} - -//nat_rules_sort(); -$a_nat = &$config['installedpackages']['snortglobal']['rule']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; - -if (isset($id) && $a_nat[$id]) { - - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; +if(!is_dir("/usr/local/etc/snort/rules")) { + conf_mount_rw(); + exec('mkdir /usr/local/etc/snort/rules/'); + conf_mount_ro(); } -/* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); - -$iface_uuid = $a_nat[$id]['uuid']; - -// if(!is_dir("/usr/local/etc/snort/rules")) -// exec('mkdir /usr/local/etc/snort/rules/'); - /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); +$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); if ($isrulesfolderempty == "") { include("head.inc"); -include("./snort_fbegin.inc"); +include("fbegin.inc"); echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; @@ -75,15 +51,18 @@ echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n <tr>\n <td>\n"; - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); echo "</td>\n </tr>\n @@ -126,6 +105,8 @@ function get_middle($source, $beginning, $ending, $init_pos) { function write_rule_file($content_changed, $received_file) { + conf_mount_rw(); + //read snort file with writing enabled $filehandle = fopen($received_file, "w"); @@ -141,6 +122,7 @@ function write_rule_file($content_changed, $received_file) //close file handle fclose($filehandle); + conf_mount_rw(); } function load_rule_file($incoming_file) @@ -155,9 +137,8 @@ function load_rule_file($incoming_file) //close handler fclose ($filehandle); - //string for populating category select - $currentruleset = basename($rulefile); + $currentruleset = substr($file, 27); //delimiter for each new rule is a new line $delimiter = "\n"; @@ -169,13 +150,10 @@ function load_rule_file($incoming_file) } -$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; +$ruledir = "/usr/local/etc/snort/rules/"; $dh = opendir($ruledir); -if ($_GET['openruleset'] != '' && $_GET['ids'] != '') -{ - header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); -} +$message_reload = "The Snort rule configuration has been changed.<br>You must apply the changes in order for them to take effect."; while (false !== ($filename = readdir($dh))) { @@ -191,22 +169,19 @@ sort($files); if ($_GET['openruleset']) { - $rulefile = $_GET['openruleset']; + $file = $_GET['openruleset']; } else { - $rulefile = $ruledir.$files[0]; + $file = $ruledir.$files[0]; } //Load the rule file -$splitcontents = load_rule_file($rulefile); +$splitcontents = load_rule_file($file); if ($_POST) { - - conf_mount_rw(); - if (!$_POST['apply']) { //retrieve POST data $post_lineid = $_POST['lineid']; @@ -283,20 +258,26 @@ if ($_POST) $splitcontents[$post_lineid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $rulefile); + write_rule_file($splitcontents, $file); //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); + $splitcontents = load_rule_file($file); $stopMsg = true; } + + if ($_POST['apply']) { +// stop_service("snort"); +// sleep(2); +// start_service("snort"); + $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; + $stopMsg = false; + } + } else if ($_GET['act'] == "toggle") { - - conf_mount_rw(); - - $toggleid = $_GET['ids']; + $toggleid = $_GET['id']; //copy rule contents from array into string $tempstring = $splitcontents[$toggleid]; @@ -330,10 +311,10 @@ else if ($_GET['act'] == "toggle") $splitcontents[$toggleid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $rulefile); + write_rule_file($splitcontents, $file); //once file has been written, reload file - $splitcontents = load_rule_file($rulefile); + $splitcontents = load_rule_file($file); $stopMsg = true; @@ -345,22 +326,20 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_off = str_replace("sid:", "", $sid_off_cut); // rule_sid_on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; + $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; // if off sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; + $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; // rule sid off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; + $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; // if off sid is the same as off sid remove it $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; + $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; // add sid off registers to new off sid - $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; + $config['installedpackages']['snort']['rule_sid_off'] = "||disablesid $sid_off" . $config['installedpackages']['snort']['rule_sid_off']; write_config(); - conf_mount_rw(); - } else { @@ -370,55 +349,39 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_on = str_replace("sid:", "", $sid_on_cut); // rule_sid_off registers - $sid_off_pieces = $a_nat[$id]['rule_sid_off']; + $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; // if off sid is the same as on sid remove it $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_off'] = $sid_off_old; + $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; // rule sid on registers - $sid_on_pieces = $a_nat[$id]['rule_sid_on']; + $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; // if on sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); // write the replace sid back as empty - $a_nat[$id]['rule_sid_on'] = $sid_on_old; + $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; // add sid on registers to new on sid - $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; + $config['installedpackages']['snort']['rule_sid_on'] = "||enablesid $sid_on" . $config['installedpackages']['snort']['rule_sid_on']; write_config(); - conf_mount_rw(); } } -if ($_GET['saved'] == 'yes') -{ - $message = "The Snort rule configuration has been changed.<br>You must restart this snort interface in order for the changes to take effect."; - -// stop_service("snort"); -// sleep(2); -// start_service("snort"); -// $savemsg = ""; -// $stopMsg = false; -} - -$currentruleset = basename($rulefile); - -$ifname = strtoupper($pconfig['interface']); +$pgtitle = "Snort: Rules"; require("guiconfig.inc"); include("head.inc"); - -$pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; - ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("./snort_fbegin.inc"); ?> -<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> - +<?php include("fbegin.inc"); ?> <?php -echo "<form action=\"snort_rules.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; ?> -<?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?> +<form action="snort_rules.php" method="post" name="iform" id="iform"> +<?php if ($savemsg){print_info_box($savemsg);} else if ($stopMsg){print_info_box_np($message_reload);}?> +<br> </form> <script type="text/javascript" language="javascript" src="row_toggle.js"> <script src="/javascript/sorttable.js" type="text/javascript"> @@ -440,40 +403,28 @@ function go() } // --> </script> -<script type="text/javascript"> -<!-- -function popup(url) -{ - params = 'width='+screen.width; - params += ', height='+screen.height; - params += ', top=0, left=0' - params += ', fullscreen=yes'; - - newwin=window.open(url,'windowname4', params); - if (window.focus) {newwin.focus()} - return false; -} -// --> -</script> <table width="99%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); - $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); - $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); - $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); - $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); - $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); - $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); display_top_tabs($tab_array); ?> - </td> - </tr> - <tr> - <td> + </td> + </tr> + <tr> + <td> <div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> @@ -496,8 +447,7 @@ function popup(url) echo "<br>Category: "; //string for populating category select - $currentruleset = basename($rulefile); - + $currentruleset = substr($file, 27); ?> <form name="forms"> <select name="selectbox" class="formfld" onChange="go()"> @@ -509,7 +459,7 @@ function popup(url) if ($files[$i] === $currentruleset) $selectedruleset = "selected"; ?> - <option value="?id=<?=$id;?>&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" + <option value="?&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" <?php $i++; @@ -562,13 +512,7 @@ function popup(url) $textss = $textse = ""; $iconb = "icon_block.gif"; } - - if ($disabled_pos !== false){ - $ischecked = ""; - }else{ - $ischecked = "checked"; - } - + $rule_content = explode(' ', $tempstring); $protocol = $rule_content[$counter2];//protocol location @@ -581,93 +525,87 @@ function popup(url) $counter2++; $destination_port = $rule_content[$counter2];//destination port location - if (strstr($tempstring, 'msg: "')) - $message = get_middle($tempstring, 'msg: "', '";', 0); - if (strstr($tempstring, 'msg:"')) - $message = get_middle($tempstring, 'msg:"', '";', 0); + $message = get_middle($tempstring, 'msg:"', '";', 0); - echo "<tr> - <td class=\"listt\"> - $textss\n"; + echo "<tr>"; + echo "<td class=\"listt\">"; + echo $textss; ?> - <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="10" height="10" border="0" title="click to toggle enabled/disabled status"></a> - <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> - <!-- TODO: add checkbox and save so that that disabling is nicer --> + <a href="?&openruleset=<?=$file;?>&act=toggle&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a> <?php - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $sid - $textse - </td> - <td class=\"listlr\"> - $textss - $protocol"; - ?> - <?php + echo $textse; + echo "</td>"; + + + echo "<td class=\"listlr\">"; + echo $textss; + echo $sid; + echo $textse; + echo "</td>"; + + echo "<td class=\"listlr\">"; + echo $textss; + echo $protocol; $printcounter++; - echo "$textse - </td> - <td class=\"listlr\"> - $textss - $source - $textse - </td> - <td class=\"listlr\"> - $textss - $source_port - $textse - </td> - <td class=\"listlr\"> - $textss - $destination - $textse - </td> - <td class=\"listlr\"> - $textss - $destination_port - $textse - </td>"; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $source; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $source_port; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $destination; + echo $textse; + echo "</td>"; + echo "<td class=\"listlr\">"; + echo $textss; + echo $destination_port; + echo $textse; + echo "</td>"; ?> <td class="listbg"><font color="white"> <?php - echo "$textss - $message - $textse - </td>"; + echo $textss; + echo $message; + echo $textse; + echo "</td>"; ?> <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td><a href="javascript: void(0)"onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> - <!-- Codes by Quackit.com --> + <td><a href="snort_rules_edit.php?openruleset=<?=$file;?>&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> </tr> </table> </td> <?php } } - echo " There are $printcounter rules in this category. <br><br>"; + echo " "; + echo "There are "; + echo $printcounter; + echo " rules in this category. <br><br>"; ?> </table> </td> </tr> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> + <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> <td>Rule Enabled</td> </tr> <tr> - <td><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> + <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> <td nowrap>Rule Disabled</td> - </tr> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> - <tr> - <!-- TODO: add save and cancel for checkbox options --> - <!-- <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> --> + + </tr> - </table> <tr> <td colspan="10"> <p> @@ -677,11 +615,12 @@ function popup(url) </tr> </table> </table> + </td> </tr> - </table> + <?php include("fend.inc"); ?> </div></body> -</html> +</html>
\ No newline at end of file diff --git a/config/snort-old/snort_rules_edit.php b/config/snort-old/snort_rules_edit.php new file mode 100644 index 00000000..cbabce73 --- /dev/null +++ b/config/snort-old/snort_rules_edit.php @@ -0,0 +1,207 @@ +<?php +/* $Id$ */ +/* + snort_rules_edit.php + Copyright (C) 2004, 2005 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function get_middle($source, $beginning, $ending, $init_pos) { + $beginning_pos = strpos($source, $beginning, $init_pos); + $middle_pos = $beginning_pos + strlen($beginning); + $ending_pos = strpos($source, $ending, $beginning_pos); + $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); + return $middle; +} + + +$file = $_GET['openruleset']; + +//read snort file +$filehandle = fopen($file, "r"); + +//get rule id +$lineid = $_GET['id']; + +//read file into string, and get filesize +$contents = fread($filehandle, filesize($file)); + +//close handler +fclose ($filehandle); + +//delimiter for each new rule is a new line +$delimiter = "\n"; + +//split the contents of the string file into an array using the delimiter +$splitcontents = explode($delimiter, $contents); + +//copy rule contents from array into string +$tempstring = $splitcontents[$lineid]; + +//explode rule contents into an array, (delimiter is space) +$rule_content = explode(' ', $tempstring); + +//search string +$findme = "# alert"; //find string for disabled alerts + +//find if alert is disabled +$disabled = strstr($tempstring, $findme); + +//get sid +$sid = get_middle($tempstring, 'sid:', ';', 0); + + +//if find alert is false, then rule is disabled +if ($disabled !== false) +{ + //move counter up 1, so we do not retrieve the # in the rule_content array + $counter2 = 2; +} +else +{ + $counter2 = 1; +} + + +$protocol = $rule_content[$counter2];//protocol location +$counter2++; +$source = $rule_content[$counter2];//source location +$counter2++; +$source_port = $rule_content[$counter2];//source port location +$counter2++; +$direction = $rule_content[$counter2]; +$counter2++; +$destination = $rule_content[$counter2];//destination location +$counter2++; +$destination_port = $rule_content[$counter2];//destination port location +$message = get_middle($tempstring, 'msg:"', '";', 0); + +$content = get_middle($tempstring, 'content:"', '";', 0); +$classtype = get_middle($tempstring, 'classtype:', ';', 0); +$revision = get_middle($tempstring, 'rev:', ';',0); + +$pgtitle = "Snort: Edit Rule"; +require("guiconfig.inc"); +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php?openruleset=/usr/local/etc/snort/rules/attack-responses.rules"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <form action="snort_rules.php?openruleset=<?=$file;?>&id=<?=$lineid;?>" target="" method="post" name="editform" id="editform"> + <table id="edittable" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="listhdr" width="10%">Enabled: </td> + <td class="listlr" width="30%"><input name="enabled" type="checkbox" id="enabled" value="yes" <?php if ($disabled === false) echo "checked";?>></td> + </tr> + <tr> + <td class="listhdr" width="10%">SID: </td> + <td class="listlr" width="30%"><?php echo $sid; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Protocol: </td> + <td class="listlr" width="30%"><?php echo $protocol; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Source: </td> + <td class="listlr" width="30%"><input name="src" type="text" id="src" size="20" value="<?php echo $source;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Source Port: </td> + <td class="listlr" width="30%"><input name="srcport" type="text" id="srcport" size="20" value="<?php echo $source_port;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Direction:</td> + <td class="listlr" width="30%"><?php echo $direction;?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Destination:</td> + <td class="listlr" width="30%"><input name="dest" type="text" id="dest" size="20" value="<?php echo $destination;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Destination Port: </td> + <td class="listlr" width="30%"><input name="destport" type="text" id="destport" size="20" value="<?php echo $destination_port;?>"></td> + </tr> + <tr> + <td class="listhdr" width="10%">Message: </td> + <td class="listlr" width="30%"><?php echo $message; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Content: </td> + <td class="listlr" width="30%"><?php echo $content; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Classtype: </td> + <td class="listlr" width="30%"><?php echo $classtype; ?></td> + </tr> + <tr> + <td class="listhdr" width="10%">Revision: </td> + <td class="listlr" width="30%"><?php echo $revision; ?></td> + </tr> + <tr><td> </td></tr> + <tr> + <td><input name="lineid" type="hidden" value="<?=$lineid;?>"></td> + <td><input class="formbtn" value="Save" type="submit" name="editsave" id="editsave">   <input type="button" class="formbtn" value="Cancel" onclick="history.back()"></td> + </tr> + </table> + </form> + </td> + </tr> + </table> + </td> +</tr> +</table> + +<?php include("fend.inc"); ?> +</div></body> +</html>
\ No newline at end of file diff --git a/config/snort-old/snort_rulesets.php b/config/snort-old/snort_rulesets.php new file mode 100644 index 00000000..d839ae7a --- /dev/null +++ b/config/snort-old/snort_rulesets.php @@ -0,0 +1,230 @@ +<?php +/* $Id$ */ +/* + snort_rulesets.php + Copyright (C) 2006 Scott Ullrich + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require("guiconfig.inc"); +require_once("service-utils.inc"); +require("/usr/local/pkg/snort.inc"); + +if(!is_dir("/usr/local/etc/snort/rules")) { + conf_mount_rw(); + exec('mkdir /usr/local/etc/snort/rules/'); + conf_mount_ro(); +} + +/* Check if the rules dir is empy if so warn the user */ +/* TODO give the user the option to delete the installed rules rules */ +$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); +if ($isrulesfolderempty == "") { + +include("head.inc"); +include("fbegin.inc"); + +echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; + +echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n +<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n +<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n"; + + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); + +echo "</td>\n + </tr>\n + <tr>\n + <td>\n + <div id=\"mainarea\">\n + <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n +# The rules directory is empty.\n + </td>\n + </tr>\n + </table>\n + </div>\n + </td>\n + </tr>\n +</table>\n +\n +</form>\n +\n +<p>\n\n"; + +echo "Please click on the Update Rules tab to install your selected rule sets."; +include("fend.inc"); + +echo "</body>"; +echo "</html>"; + +exit(0); + +} + +if($_POST) { + $enabled_items = ""; + $isfirst = true; + foreach($_POST['toenable'] as $toenable) { + if(!$isfirst) + $enabled_items .= "||"; + $enabled_items .= "{$toenable}"; + $isfirst = false; + } + $config['installedpackages']['snort']['rulesets'] = $enabled_items; + write_config(); + stop_service("snort"); + create_snort_conf(); + sleep(2); + start_service("snort"); + $savemsg = "The snort ruleset selections have been saved."; +} + +$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; +if($enabled_rulesets) + $enabled_rulesets_array = split("\|\|", $enabled_rulesets); + +$pgtitle = "Snort: Categories"; +include("head.inc"); + +?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php include("fbegin.inc"); ?> + +<?php +if(!$pgtitle_output) + echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +?> + +<form action="snort_rulesets.php" method="post" name="iform" id="iform"> +<script src="/row_toggle.js" type="text/javascript"></script> +<script src="/javascript/sorttable.js" type="text/javascript"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); + $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); + $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); + $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); + $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); + $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); + $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); + $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); + $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); + $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Enabled</td> + <td class="listhdrr">Ruleset: Rules that end with "so.rules" are shared object rules.</td> + <!-- <td class="listhdrr">Description</td> --> + </tr> +<?php + $dir = "/usr/local/etc/snort/rules/"; + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) { + $files[] = $filename; + } + sort($files); + foreach($files as $file) { + if(!stristr($file, ".rules")) + continue; + echo "<tr>"; + echo "<td align=\"center\" valign=\"top\">"; + if(is_array($enabled_rulesets_array)) + if(in_array($file, $enabled_rulesets_array)) { + $CHECKED = " checked=\"checked\""; + } else { + $CHECKED = ""; + } + else + $CHECKED = ""; + echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />"; + echo "</td>"; + echo "<td>"; + echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/rules/" . urlencode($file) . "'>{$file}</a>"; + echo "</td>"; + //echo "<td>"; + //echo "description"; + //echo "</td>"; + } + +?> + </table> + </td> + </tr> + <tr><td> </td></tr> + <tr><td>Check the rulesets that you would like Snort to load at startup.</td></tr> + <tr><td> </td></tr> + <tr><td><input value="Save" type="submit" name="save" id="save" /></td></tr> + </table> + </div> + </td> + </tr> +</table> + +</form> + +<p><b>NOTE:</b> You can click on a ruleset name to edit the ruleset. + +<?php include("fend.inc"); ?> + +</body> +</html> + +<?php + + function get_snort_rule_file_description($filename) { + $filetext = file_get_contents($filename); + + } + +?>
\ No newline at end of file diff --git a/config/snort/snort_threshold.xml b/config/snort-old/snort_threshold.xml index f9075d3d..f9075d3d 100644 --- a/config/snort/snort_threshold.xml +++ b/config/snort-old/snort_threshold.xml diff --git a/config/snort-dev/snort_whitelist.xml b/config/snort-old/snort_whitelist.xml index d98f83fa..42769e4e 100644 --- a/config/snort-dev/snort_whitelist.xml +++ b/config/snort-old/snort_whitelist.xml @@ -45,40 +45,52 @@ <description>Describe your package here</description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> - <name>snortglobal</name> + <name>snort-whitelist</name> <version>0.1.0</version> <title>Snort: Whitelist</title> - <include_file>/usr/local/pkg/snort/snort.inc</include_file> + <include_file>/usr/local/pkg/snort.inc</include_file> <!-- Menu is where this packages menu will appear --> <tabs> <tab> - <text>Snort Interfaces</text> - <url>/snort/snort_interfaces.php</url> + <text>Settings</text> + <url>/pkg_edit.php?xml=snort.xml&id=0</url> </tab> <tab> - <text>Global Settings</text> - <url>/snort/snort_interfaces_global.php</url> + <text>Update Rules</text> + <url>/snort_download_rules.php</url> </tab> <tab> - <text>Rule Updates</text> - <url>/snort/snort_download_rules.php</url> + <text>Categories</text> + <url>/snort_rulesets.php</url> </tab> <tab> - <text>Alerts</text> - <url>/snort/snort_alerts.php</url> + <text>Rules</text> + <url>/snort_rules.php</url> + </tab> + <tab> + <text>Servers</text> + <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> </tab> <tab> <text>Blocked</text> - <url>/snort/snort_blocked.php</url> + <url>/snort_blocked.php</url> </tab> <tab> <text>Whitelist</text> - <url>/pkg.php?xml=/snort/snort_whitelist.xml</url> + <url>/pkg.php?xml=snort_whitelist.xml</url> <active/> </tab> <tab> - <text>Help Info</text> - <url>/snort/snort_help_info.php</url> + <text>Threshold</text> + <url>/pkg.php?xml=snort_threshold.xml</url> + </tab> + <tab> + <text>Alerts</text> + <url>/snort_alerts.php</url> + </tab> + <tab> + <text>Advanced</text> + <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> </tab> </tabs> <adddeleteeditpagefields> @@ -112,6 +124,6 @@ <custom_delete_php_command> </custom_delete_php_command> <custom_php_resync_config_command> - sync_snort_package_empty(); + create_snort_conf(); </custom_php_resync_config_command> -</packagegui> +</packagegui>
\ No newline at end of file diff --git a/config/snort/snort_xmlrpc_sync.php b/config/snort-old/snort_xmlrpc_sync.php index db8b3f3e..db8b3f3e 100644 --- a/config/snort/snort_xmlrpc_sync.php +++ b/config/snort-old/snort_xmlrpc_sync.php diff --git a/config/snort-dev/NOTES.txt b/config/snort/NOTES.txt index b8c61c39..b8c61c39 100644 --- a/config/snort-dev/NOTES.txt +++ b/config/snort/NOTES.txt diff --git a/config/snort-dev/bin/7.2.x86/barnyard2 b/config/snort/bin/7.2.x86/barnyard2 Binary files differindex 9266051c..9266051c 100644 --- a/config/snort-dev/bin/7.2.x86/barnyard2 +++ b/config/snort/bin/7.2.x86/barnyard2 diff --git a/config/snort-dev/bin/8.0.x86/barnyard2 b/config/snort/bin/8.0.x86/barnyard2 Binary files differindex 43476338..43476338 100755 --- a/config/snort-dev/bin/8.0.x86/barnyard2 +++ b/config/snort/bin/8.0.x86/barnyard2 diff --git a/config/snort-dev/bin/8.0.x86/md5_files b/config/snort/bin/8.0.x86/md5_files index 3b283d80..3b283d80 100644 --- a/config/snort-dev/bin/8.0.x86/md5_files +++ b/config/snort/bin/8.0.x86/md5_files diff --git a/config/snort-dev/bin/8.0.x86/md5_files~ b/config/snort/bin/8.0.x86/md5_files~ index 3b283d80..3b283d80 100644 --- a/config/snort-dev/bin/8.0.x86/md5_files~ +++ b/config/snort/bin/8.0.x86/md5_files~ diff --git a/config/snort-dev/bin/oinkmaster_contrib/snort_rename.pl b/config/snort/bin/oinkmaster_contrib/snort_rename.pl index e5f0d39e..e5f0d39e 100644 --- a/config/snort-dev/bin/oinkmaster_contrib/snort_rename.pl +++ b/config/snort/bin/oinkmaster_contrib/snort_rename.pl diff --git a/config/snort/bin/snort2c b/config/snort/bin/snort2c Binary files differindex fdc91ac8..fdc91ac8 100755..100644 --- a/config/snort/bin/snort2c +++ b/config/snort/bin/snort2c diff --git a/config/snort-dev/css/style.css b/config/snort/css/style.css index 44568873..44568873 100644 --- a/config/snort-dev/css/style.css +++ b/config/snort/css/style.css diff --git a/config/snort-dev/css/style2.css b/config/snort/css/style2.css index d7a1616c..d7a1616c 100644 --- a/config/snort-dev/css/style2.css +++ b/config/snort/css/style2.css diff --git a/config/snort-dev/help_and_info.php b/config/snort/help_and_info.php index 0f4a0c9f..0f4a0c9f 100644 --- a/config/snort-dev/help_and_info.php +++ b/config/snort/help_and_info.php diff --git a/config/snort-dev/images/alert.jpg b/config/snort/images/alert.jpg Binary files differindex 96c24e35..96c24e35 100644 --- a/config/snort-dev/images/alert.jpg +++ b/config/snort/images/alert.jpg diff --git a/config/snort-dev/images/down.gif b/config/snort/images/down.gif Binary files differindex 2b3c99fc..2b3c99fc 100644 --- a/config/snort-dev/images/down.gif +++ b/config/snort/images/down.gif diff --git a/config/snort-dev/images/down2.gif b/config/snort/images/down2.gif Binary files differindex 71bf92eb..71bf92eb 100644 --- a/config/snort-dev/images/down2.gif +++ b/config/snort/images/down2.gif diff --git a/config/snort-dev/images/footer.jpg b/config/snort/images/footer.jpg Binary files differindex 4af05707..4af05707 100644 --- a/config/snort-dev/images/footer.jpg +++ b/config/snort/images/footer.jpg diff --git a/config/snort-dev/images/footer2.jpg b/config/snort/images/footer2.jpg Binary files differindex 3332e085..3332e085 100644 --- a/config/snort-dev/images/footer2.jpg +++ b/config/snort/images/footer2.jpg diff --git a/config/snort-dev/images/icon-table-sort-asc.png b/config/snort/images/icon-table-sort-asc.png Binary files differindex 0c127919..0c127919 100644 --- a/config/snort-dev/images/icon-table-sort-asc.png +++ b/config/snort/images/icon-table-sort-asc.png diff --git a/config/snort-dev/images/icon-table-sort-desc.png b/config/snort/images/icon-table-sort-desc.png Binary files differindex 5c52f2d0..5c52f2d0 100644 --- a/config/snort-dev/images/icon-table-sort-desc.png +++ b/config/snort/images/icon-table-sort-desc.png diff --git a/config/snort-dev/images/icon-table-sort.png b/config/snort/images/icon-table-sort.png Binary files differindex 3cae604b..3cae604b 100644 --- a/config/snort-dev/images/icon-table-sort.png +++ b/config/snort/images/icon-table-sort.png diff --git a/config/snort-dev/images/icon_excli.png b/config/snort/images/icon_excli.png Binary files differindex 4b54fa31..4b54fa31 100644 --- a/config/snort-dev/images/icon_excli.png +++ b/config/snort/images/icon_excli.png diff --git a/config/snort-dev/images/logo.jpg b/config/snort/images/logo.jpg Binary files differindex fa01d818..fa01d818 100644 --- a/config/snort-dev/images/logo.jpg +++ b/config/snort/images/logo.jpg diff --git a/config/snort-dev/images/up.gif b/config/snort/images/up.gif Binary files differindex 89596771..89596771 100644 --- a/config/snort-dev/images/up.gif +++ b/config/snort/images/up.gif diff --git a/config/snort-dev/images/up2.gif b/config/snort/images/up2.gif Binary files differindex 21c5a254..21c5a254 100644 --- a/config/snort-dev/images/up2.gif +++ b/config/snort/images/up2.gif diff --git a/config/snort-dev/javascript/jquery-1.3.2.js b/config/snort/javascript/jquery-1.3.2.js index 59b71d25..59b71d25 100644 --- a/config/snort-dev/javascript/jquery-1.3.2.js +++ b/config/snort/javascript/jquery-1.3.2.js diff --git a/config/snort-dev/javascript/jquery.blockUI.js b/config/snort/javascript/jquery.blockUI.js index 57318334..57318334 100644 --- a/config/snort-dev/javascript/jquery.blockUI.js +++ b/config/snort/javascript/jquery.blockUI.js diff --git a/config/snort-dev/javascript/mootools.js b/config/snort/javascript/mootools.js index e058db83..e058db83 100644 --- a/config/snort-dev/javascript/mootools.js +++ b/config/snort/javascript/mootools.js diff --git a/config/snort-dev/javascript/sortableTable.js b/config/snort/javascript/sortableTable.js index 096f8d4c..096f8d4c 100644 --- a/config/snort-dev/javascript/sortableTable.js +++ b/config/snort/javascript/sortableTable.js diff --git a/config/snort-dev/javascript/tabs.js b/config/snort/javascript/tabs.js index 40e54f0e..40e54f0e 100644 --- a/config/snort-dev/javascript/tabs.js +++ b/config/snort/javascript/tabs.js diff --git a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 index 83d5bdae..0aede4a0 100644 --- a/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 +++ b/config/snort/pfsense_rules/pfsense_rules.tar.gz.md5 @@ -1 +1 @@ -10002
\ No newline at end of file +102
\ No newline at end of file diff --git a/config/snort/snort.inc b/config/snort/snort.inc index 00a86c35..eef238a0 100755..100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -3,6 +3,7 @@ /* snort.inc Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya part of pfSense All rights reserved. @@ -29,215 +30,982 @@ */ require_once("pfsense-utils.inc"); +require_once("config.inc"); +require_once("functions.inc"); -// Needed on 2.0 because of get_vpns_list() -require_once("filter.inc"); +// Needed on 2.0 because of filter_get_vpns_list() +require_once("filter.inc"); + +/* find out if were in 1.2.3-RELEASE */ + +$pfsense_ver_chk = exec('/bin/cat /etc/version'); +if ($pfsense_ver_chk == '1.2.3-RELEASE') +{ + $pfsense_stable = 'yes'; +}else{ + $pfsense_stable = 'no'; +} + +/* checks to see if snort is running yes/no and stop/start */ + function Running_Ck($snort_uuid, $if_real, $id) { + global $config; + + $snort_up_ck = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep snort | /usr/bin/awk '{print \$2;}' | sed 1q"); + + if(snort_up_ck == ''){ + $snort_up = 'no'; + return $snort_up; + } + + if(snort_up_ck != ''){ + + //$snort_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); + //$snort_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); + //$snort_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$snort_up_pre} | /usr/bin/awk '{print \$1;}'"); + + /* use ob_clean to clear output buffer, this code needs to be watched */ + ob_clean(); + $snort_up_prell = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'", $retval); + + if ($snort_up_prell != "") { + $snort_uph = 'yes'; + }else{ + $snort_uph = 'no'; + } + } + + return $snort_uph; + } + +/* checks to see if barnyard2 is running yes/no */ + function Running_Ck_b($snort_uuid, $if_real, $id) { + global $config; + + $snort_up_ck_b = exec("/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep barnyard2 | /usr/bin/awk '{print \$2;}' | sed 1q"); + + if($snort_up_ck_b == ''){ + $snort_up_b = 'no'; + return $snort_up_b; + } + + if(snort_up_ck_b != ''){ + + //$snort_up_pre_b = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); + //$snort_up_s_b = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$snort_up_pre_b} | /usr/bin/awk '{print \$1;}'"); + //$snort_up_r_b = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$snort_up_pre_b} | /usr/bin/awk '{print \$1;}'"); + + /* use ob_clean to clear output buffer, this code needs to be watched */ + ob_clean(); + $snort_up_pre_b = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"f snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); + + if ($snort_up_pre_b != '') { + $snort_up_b = 'yes'; + }else{ + $snort_up_b = 'no'; + } + } + + return $snort_up_b; + } + + function Running_Stop($snort_uuid, $if_real, $id) { + global $config; + + $start_up_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"R {$snort_uuid}_{$if_real}\" | awk '{print \$1;}'"); + $start_up_s = exec("/usr/bin/top -U snort -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + $start_up_r = exec("/usr/bin/top -U root -u | grep snort | grep {$start_up_pre} | awk '{ print $1; }'"); + + $start2_upb_pre = exec("/usr/bin/top -a -U snort -u | grep -v grep | grep \"snort_{$snort_uuid}_{$if_real}.u2\" | awk '{print \$1;}'"); + $start2_upb_s = exec("/usr/bin/top -U snort -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + $start2_upb_r = exec("/usr/bin/top -U root -u | grep barnyard2 | grep {$start2_upb_pre} | awk '{ print $1; }'"); + + if ($start_up_s != "" || $start_up_r != "" || $start2_upb_s != "" || $start2_upb_r != "") + { + if ($start_up_s != "") + { + exec("/bin/kill {$start_up_s}"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); + } + + if ($start2_upb_s != "") + { + exec("/bin/kill {$start2_upb_s}"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); + } + + if ($start_up_r != "") + { + exec("/bin/kill {$start_up_r}"); + exec("/bin/rm /var/run/snort_{$snort_uuid}_{$if_real}*"); + } + + if ($start2_upb_r != "") + { + exec("/bin/kill {$start2_upb_r}"); + exec("/bin/rm /var/run/barnyard2_{$snort_uuid}_{$if_real}*"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'"); + } + } + + + function Running_Start($snort_uuid, $if_real, $id) { + global $config; + + $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable']; + if ($snort_info_chk == 'on') { + exec("/usr/local/bin/snort -u snort -g snort -R \"{$snort_uuid}_{$if_real}\" -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}"); + } + /* define snortbarnyardlog_chk */ + /* top will have trouble if the uuid is to far back */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; + if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '' && $snort_info_chk == 'on') { + exec("/usr/local/bin/barnyard2 -f \"snort_{$snort_uuid}_{$if_real}.u2\" -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"); + } + + /* Log Iface stop */ + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'"); + } + +/* get the real iface name of wan */ +function convert_friendly_interface_to_real_interface_name2($interface) +{ + global $config; + + $lc_interface = strtolower($interface); + if($lc_interface == "lan") return $config['interfaces']['lan']['if']; + if($lc_interface == "wan") return $config['interfaces']['wan']['if']; + $ifdescrs = array(); + for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) + $ifdescrs['opt' . $j] = "opt" . $j; + foreach ($ifdescrs as $ifdescr => $ifname) + { + if(strtolower($ifname) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + if(strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface) + return $config['interfaces'][$ifname]['if']; + } + + return $interface; +} + +$if_real_wan = convert_friendly_interface_to_real_interface_name2($interface_fake); /* Allow additional execution time 0 = no limit. */ ini_set('max_execution_time', '9999'); ini_set('max_input_time', '9999'); /* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; +if($config['installedpackages']['snortglobal']) + $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; + +function snort_postinstall() +{ + global $config; + conf_mount_rw(); + + if(!file_exists("/var/log/snort/")) { + mwexec("mkdir -p /var/log/snort/"); + mwexec("mkdir -p /var/log/snort/barnyard2"); + } + + if(!file_exists("/var/log/snort/alert")) + touch("/var/log/snort/alert"); + + /* snort -> advanced features */ + $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize']; + $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize']; + $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns']; + + + /* create a few directories and ensure the sample files are in place */ + exec("/bin/mkdir -p /usr/local/etc/snort"); + exec("/bin/mkdir -p /var/log/snort"); + exec("/bin/mkdir -p /usr/local/etc/snort/rules"); + if(file_exists("/usr/local/etc/snort/snort.conf-sample")) + { + exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); + exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); + exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); + exec("/bin/rm /usr/local/etc/snort/generators-sample"); + exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); + exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); + exec("/bin/rm /usr/local/etc/snort/sid"); + exec("/bin/rm /usr/local/etc/rc.d/snort"); + exec("/bin/rm /usr/local/etc/rc.d/bardyard2"); + } + + if(!file_exists("/usr/local/etc/snort/custom_rules")) + { + exec("/bin/mkdir -p /usr/local/etc/snort/custom_rules/"); + } + + exec("/usr/sbin/pw groupadd snort"); + exec('/usr/sbin/pw useradd snort -c "SNORT USER" -d /nonexistent -g snort -s /sbin/nologin'); + exec("/usr/sbin/chown -R snort:snort /var/log/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /var/log/snort"); + exec("/bin/chmod -R 755 /usr/local/etc/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); + + + /* remove example files */ + if(file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0")) + { + exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); + } + + if(file_exists("/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so")) + { + exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + } + + /* find out if were in 1.2.3-RELEASE */ + $pfsense_ver_chk = exec('/bin/cat /etc/version'); + if ($pfsense_ver_chk == '1.2.3-RELEASE') + { + $pfsense_stable = 'yes'; + }else{ + $pfsense_stable = 'no'; + } + + /* move files around, make it look clean */ + exec('/bin/mkdir -p /usr/local/www/snort/css'); + exec('/bin/mkdir -p /usr/local/www/snort/images'); + exec('/bin/mkdir -p /usr/local/www/snort/javascript'); + + chdir ("/usr/local/www/snort/css/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style.css'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/css/style2.css'); + chdir ("/usr/local/www/snort/images/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/alert.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/down2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-asc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon-table-sort-desc.png'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/up2.gif'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/logo.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/footer.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/footer2.jpg'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/images/icon_excli.png'); + chdir ("/usr/local/www/snort/javascript/"); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/jquery.blockUI.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/jquery-1.3.2.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/mootools.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/sortableTable.js'); + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/javascript/tabs.js'); + + /* install barnyard2 for 2.0 and 1.2.3 */ + chdir ("/usr/local/bin/"); + if ($pfsense_stable == 'yes') { + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/7.2.x86/barnyard2'); + }else{ + exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort/bin/8.0.x86/barnyard2'); + } + exec('/bin/chmod 077 /usr/local/bin/barnyard2'); + + /* back to default */ + chdir ("/root/"); + + conf_mount_ro(); + +} + function sync_package_snort_reinstall() { global $config; - if(!$config['installedpackages']['snort']) + conf_mount_rw(); + + if(!$config['installedpackages']['snortglobal']) return; /* create snort configuration file */ create_snort_conf(); /* start snort service */ - start_service("snort"); + // start_service("snort"); // do not start, may be needed latter. + + conf_mount_ro(); } -function sync_package_snort() + +/* func for updating cron */ +function snort_rm_blocked_install_cron($should_install) +{ + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) + { + if (strstr($item['command'], "snort2c")) + { + $is_installed = true; + break; + } + $x++; + } + + $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked']; + if ($snort_rm_blocked_info_ck == "1h_b") + { + $snort_rm_blocked_min = "*/5"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "3600"; + } + if ($snort_rm_blocked_info_ck == "3h_b") + { + $snort_rm_blocked_min = "*/15"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "10800"; + } + if ($snort_rm_blocked_info_ck == "6h_b") + { + $snort_rm_blocked_min = "*/30"; + $snort_rm_blocked_hr = "*"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "21600"; + } + if ($snort_rm_blocked_info_ck == "12h_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/1"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "43200"; + } + if ($snort_rm_blocked_info_ck == "1d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/2"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "86400"; + } + if ($snort_rm_blocked_info_ck == "4d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/8"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "345600"; + } + if ($snort_rm_blocked_info_ck == "7d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "*/14"; + $snort_rm_blocked_mday = "*"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "604800"; + } + if ($snort_rm_blocked_info_ck == "28d_b") + { + $snort_rm_blocked_min = "2"; + $snort_rm_blocked_hr = "0"; + $snort_rm_blocked_mday = "*/2"; + $snort_rm_blocked_month = "*"; + $snort_rm_blocked_wday = "*"; + $snort_rm_blocked_expire = "2419200"; + } + switch($should_install) + { + case true: + if(!$is_installed) + { + $cron_item = array(); + $cron_item['minute'] = "$snort_rm_blocked_min"; + $cron_item['hour'] = "$snort_rm_blocked_hr"; + $cron_item['mday'] = "$snort_rm_blocked_mday"; + $cron_item['month'] = "$snort_rm_blocked_month"; + $cron_item['wday'] = "$snort_rm_blocked_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; + $config['cron']['item'][] = $cron_item; + write_config("Installed $snort_rm_blocked_info_ck minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) + { + if($x > 0) + { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } +} + +/* func to install snort update */ +function snort_rules_up_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "snort_check_for_rule_updates.php")) { + $is_installed = true; + break; + } + $x++; + } + $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7']; + if ($snort_rules_up_info_ck == "6h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/6"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "12h_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "*/12"; + $snort_rules_up_mday = "*"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "1d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/1"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "4d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/4"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "7d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/7"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + if ($snort_rules_up_info_ck == "28d_up") { + $snort_rules_up_min = "3"; + $snort_rules_up_hr = "0"; + $snort_rules_up_mday = "*/28"; + $snort_rules_up_month = "*"; + $snort_rules_up_wday = "*"; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "$snort_rules_up_min"; + $cron_item['hour'] = "$snort_rules_up_hr"; + $cron_item['mday'] = "$snort_rules_up_mday"; + $cron_item['month'] = "$snort_rules_up_month"; + $cron_item['wday'] = "$snort_rules_up_wday"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /usr/local/etc/snort/snort_update.log"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + configure_cron(); + } + break; + } +} + +function sync_snort_package_remove_old() +{ + + global $config, $g; + +$snort_dir_scan = '/usr/local/etc/snort'; + +// scan dirm might have to make this into a funtion +$dh_scan = opendir($snort_dir_scan); +while (false !== ($dir_filename = readdir($dh_scan))) { + $list_dir_files[] = $dir_filename; +} + +// find patern in a array, very cool code +class array_ereg { + function array_ereg($pattern) { $this->pattern = $pattern; } + function ereg($string) { + return ereg($this->pattern, $string); + } +} + + $rule_array2 = $config['installedpackages']['snortglobal']['rule']; + $id2 = -1; + foreach ($rule_array2 as $value) + { + + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + $snort_rules_list[] = "snort_$id$if_real"; + + } + + +$snort_dir_filter = array_filter($list_dir_files, array(new array_ereg("snort_"), 'ereg')); +$snort_dir_filter_search_result = array_diff($snort_dir_filter, $snort_rules_list); + + foreach ($snort_dir_filter_search_result as $value) + { + exec("rm -r /usr/local/etc/snort/$value"); + } + +} + +/* make sure this func on writes to files and does not start snort */ +function sync_snort_package() { global $config, $g; conf_mount_rw(); - mwexec("mkdir -p /var/log/snort/"); + /* all new files are for the user snort nologin */ + if(!file_exists("/var/log/snort")) + { + exec("/bin/mkdir -p /var/log/snort"); + } + + exec("/usr/sbin/chown -R snort:snort /var/log/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /var/log/snort"); + exec("/bin/chmod -R 755 /usr/local/etc/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); - if(!file_exists("/var/log/snort/alert")) - touch("/var/log/snort/alert"); - /* snort -> advanced features */ - $bpfbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfbufsize']; - $bpfmaxbufsize = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxbufsize']; - $bpfmaxinsns = $config['installedpackages']['snortadvanced']['config'][0]['bpfmaxinsns']; + conf_mount_ro(); +} - /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; - else - $snort_performance = "ac-bnfa"; +/* make sure this func on writes to files and does not start snort */ +function sync_snort_package_all($id, $if_real, $snort_uuid) +{ + //global $config, $g, $id, $if_real, $snort_uuid, $interface_fake; + global $config, $g; - /* create a few directories and ensure the sample files are in place */ - exec("/bin/mkdir -p /usr/local/etc/snort"); - exec("/bin/mkdir -p /var/log/snort"); - exec("/bin/mkdir -p /usr/local/etc/snort/rules"); - exec("/bin/rm /usr/local/etc/snort/snort.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/threshold.conf-sample"); - exec("/bin/rm /usr/local/etc/snort/sid-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/unicode.map-sample"); - exec("/bin/rm /usr/local/etc/snort/classification.config-sample"); - exec("/bin/rm /usr/local/etc/snort/generators-sample"); - exec("/bin/rm /usr/local/etc/snort/reference.config-sample"); - exec("/bin/rm /usr/local/etc/snort/gen-msg.map-sample"); - exec("/bin/rm /usr/local/etc/snort/sid"); - exec("/bin/rm -f /usr/local/etc/rc.d/snort"); - - $first = 0; - $snortInterfaces = array(); /* -gtm */ - - $if_list = $config['installedpackages']['snort']['config'][0]['iface_array']; - $if_array = split(',', $if_list); - //print_r($if_array); - if($if_array) { - foreach($if_array as $iface) { - $if = convert_friendly_interface_to_real_interface_name($iface); - - if($config['interfaces'][$iface]['ipaddr'] == "pppoe") { - $if = "ng0"; - } - - /* build a list of user specified interfaces -gtm */ - if($if){ - array_push($snortInterfaces, $if); - $first = 1; +/* RedDevil suggested code */ +/* TODO: more testing needs to be done */ +exec("/sbin/sysctl net.bpf.bufsize=8388608"); +exec("/sbin/sysctl net.bpf.maxbufsize=4194304"); +exec("/sbin/sysctl net.bpf.maxinsns=512"); +exec("/sbin/sysctl net.inet.tcp.rfc1323=1"); + +# Error checking +if ($id != '' && $if_real != '') //new +{ + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + + conf_mount_rw(); + + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); + + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); + + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); + + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); + + sync_snort_package(); + + conf_mount_ro(); + } + } +} + +/* only be run on new iface create, bootup and ip refresh */ +function sync_snort_package_empty() +{ + global $config, $g; + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) + { + if ($id == "") + { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { + + if ($id == '') { + $id = 0; + } + + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + if ($if_real != '' && $snort_uuid != '') { + /* create snort configuration file */ + create_snort_conf($id, $if_real, $snort_uuid); + + /* if rules exist cp rules to each iface */ + create_rules_iface($id, $if_real, $snort_uuid); + + /* create barnyard2 configuration file */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + if ($snortbarnyardlog_info_chk == 'on') + create_barnyard2_conf($id, $if_real, $snort_uuid); + } } - } - - if (count($snortInterfaces) < 1) { - log_error("Snort will not start. You must select an interface for it to listen on."); - return; + + /* create snort bootup file snort.sh only create once */ + create_snort_sh(); + + sync_snort_package(); + } } - //print_r($snortInterfaces); - - /* create log directory */ - $start = "/bin/mkdir -p /var/log/snort\n"; - - /* snort advanced features - bpf tuning */ - if($bpfbufsize) - $start .= "sysctl net.bpf.bufsize={$bpfbufsize}\n"; - if($bpfmaxbufsize) - $start .= "sysctl net.bpf.maxbufsize={$bpfmaxbufsize}\n"; - if($bpfmaxinsns) - $start .= "sysctl net.bpf.maxinsns={$bpfmaxinsns}\n"; - - /* go ahead and issue bpf changes */ - if($bpfbufsize) - mwexec_bg("sysctl net.bpf.bufsize={$bpfbufsize}"); - if($bpfmaxbufsize) - mwexec_bg("sysctl net.bpf.maxbufsize={$bpfmaxbufsize}"); - if($bpfmaxinsns) - mwexec_bg("sysctl net.bpf.maxinsns={$bpfmaxinsns}"); - - /* always stop barnyard2 before starting snort -gtm */ - $start .= "/usr/bin/killall barnyard2\n"; - - /* start a snort process for each interface -gtm */ - /* Note the sleep delay. Seems to help getting mult interfaces to start -gtm */ - /* snort start options are; config file, log file, demon, interface, packet flow, alert type, quiet */ - /* TODO; get snort to start under nologin shell */ - foreach($snortInterfaces as $snortIf) +} + +/* Start of main config files */ +/* Start of main config files */ + + +/* open snort.sh for writing" */ +function create_snort_sh() +{ + # Don not add $id or this will break + + global $config, $g; + conf_mount_rw(); + + /* do not start config build if rules is empty */ + if (!empty($config['installedpackages']['snortglobal']['rule'])) { - $start .= "sleep 4\n"; - $start .= "/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D -i {$snortIf} -q\n"; - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; - if ($snortbarnyardlog_info_chk == on) - $start .= "\nsleep 4;/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D -q\n"; - } - $check_if_snort_runs = "\n\tif [ \"`ls -A /usr/local/etc/snort/rules`\" ] ; then\n\techo \"rules exist\"\n\telse\n\techo \"rules DONT exist\"\n\texit 2\n\tfi \n\n\tif [ \"`pgrep -x snort`\" = \"\" ] ; then\n\t/bin/rm /tmp/snort.sh.pid\n\tfi \n\n\tif [ \"`pgrep -x snort`\" != \"\" ] ; then\n\tlogger -p daemon.info -i -t SnortStartup \"Snort already running...\"\n\t/usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php\n\texit 1\n\tfi\n\n"; - $if_snort_pid = "\nif ls /tmp/snort.sh.pid > /dev/null\nthen\n echo \"snort.sh is running\"\n exit 0\nelse\n echo \"snort.sh is not running\"\nfi\n"; - $echo_snort_sh_pid = "\necho \"snort.sh run\" > /tmp/snort.sh.pid\n"; - $echo_snort_sh_startup_log = "\necho \"snort.sh run\" >> /tmp/snort.sh_startup.log\n"; - $del_old_pids = "\nrm -f /var/run/snort_*\n"; - $sample_before = "BEFORE_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - $sample_after = "\n\tAFTER_MEM=`top | grep Wired | awk '{print \$12}'`\n"; - if ($snort_performance == "ac-bnfa") - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=60\n"; - else - $sleep_before_final = "\necho \"Sleeping before final memory sampling...\"\nWAITSECURE=300\n"; - $sleep_before_final .= "while [ \"\$MYSNORTLOG\" = \"\" -a \$WAITSECURE -gt 0 ] ; do\n\tsleep 2\n\tMYSNORTLOG=`/usr/sbin/clog /var/log/system.log | grep snort | tail | grep 'Snort initialization completed successfully'`\n\tWAITSECURE=`expr \$WAITSECURE - 1`\ndone\n"; - $total_used_after = "TOTAL_USAGE=`top | grep snort | grep -v grep | awk '{ print \$6 }'`\n"; - $echo_usage .= $sample_after . "\t" . $total_used_after . "\techo \"Ram free BEFORE starting Snort: \$BEFORE_MEM -- Ram free AFTER starting Snort: \$AFTER_MEM -- Mode " . $snort_performance . " -- Snort memory usage: \$TOTAL_USAGE\" | logger -p daemon.info -i -t SnortStartup\n\n"; + if ($id == "") + { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) + { + + $id += 1; + + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + /* define snortbarnyardlog_chk */ + $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable']; + $snortbarnyardlog_mysql_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; + + if ($snortbarnyardlog_info_chk == 'on' && $snortbarnyardlog_mysql_info_chk != '') { + $start_barnyard2 = "sleep 4;/usr/local/bin/barnyard2 -f snort_{$snort_uuid}_{$if_real}.u2 -u snort -g snort -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -w /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.waldo -D -q"; + } + +/* Get all interface startup commands ready */ + +$snort_sh_text2[] = <<<EOD +###### For Each Iface + + # If Snort proc is NOT running + if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $2;}'`" = "" ]; then + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid - /* write out rc.d start/stop file */ - write_rcfile(array( - "file" => "snort.sh", - "start" => "{$check_if_snort_runs}{$if_snort_pid}{$echo_snort_sh_pid}{$echo_snort_sh_startup_log}{$del_old_pids}{$sample_before}{$start}{$sleep_before_final}{$echo_usage}", - "stop" => "/usr/bin/killall snort; killall barnyard2" - ) - ); + # Start snort and barnyard2 + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck - /* create snort configuration file */ - create_snort_conf(); + /usr/local/bin/snort -u snort -g snort -R {$snort_uuid}_{$if_real} -D -q -l /var/log/snort -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} + $start_barnyard2 -/* create barnyard2 configuration file */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - create_barnyard2_conf(); + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD Reload For {$snort_uuid}_{$if_real}..." - /* snort will not start on install untill setting are set */ -if ($config['installedpackages']['snort']['config'][0]['autorulesupdate7'] != "") { - /* start snort service */ - conf_mount_ro(); - start_service("snort"); + fi +EOD; + +$snort_sh_text3[] = <<<EOE + +###### For Each Iface + + #### Fake start only used on bootup and Pfsense IP changes + #### Only try to restart if snort is running on Iface + if [ "`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print $2;}'`" != "" ]; then + + snort_pid="`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print $2;}'`" + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort already running, soft restart" + + #### Restart Iface + /bin/kill -HUP \${snort_pid} + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Soft Reload For {$snort_uuid}_{$if_real}..." + + fi + +EOE; + +$snort_sh_text4[] = <<<EOF + + pid_s=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "R {$snort_uuid}_{$if_real}" | /usr/bin/awk '{print \$2;}'` + sleep 3 + pid_b=`/bin/ps -auwx | /usr/bin/grep -v grep | /usr/bin/grep "snort_{$snort_uuid}_{$if_real}.u2" | /usr/bin/awk '{print \$2;}'` + + if [ \${pid_s} ] ; then + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort HARD STOP For {$snort_uuid}_{$if_real}..." + + /bin/kill \${pid_s} + sleep 3 + /bin/kill \${pid_b} + + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid.lck + /bin/rm /var/run/snort_{$snort_uuid}_{$if_real}.pid + + fi + +EOF; + + } + } } + + +$start_snort_iface_start = implode("\n\n", $snort_sh_text2); + +$start_snort_iface_restart = implode("\n\n", $snort_sh_text3); + +$start_snort_iface_stop = implode("\n\n", $snort_sh_text4); + +/* open snort.sh for writing" */ +conf_mount_rw(); + +$snort_sh_text = <<<EOD +#!/bin/sh +######## +# This file was automatically generated +# by the pfSense service handler. +# Code added to protect from double starts on pfSense bootup +######## Begining of Main snort.sh + +rc_start() { + + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + + /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" + exit 0 + + fi + + /bin/echo "snort.sh run" > /tmp/snort.sh.pid + + #### Remake the configs on boot Important! + /usr/local/bin/php -f /usr/local/pkg/pf/snort_dynamic_ip_reload.php + /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort Startup files Sync..." + +$start_snort_iface_restart + + /bin/rm /tmp/snort.sh.pid + + #### If on Fake start snort is NOT running DO a real start. + if [ "`/bin/ps -auwx | grep -v grep | grep "R {$snort_uuid}_{$if_real}" | awk '{print $2;}'`" = "" ]; then + + rc_start_real + + fi +} + +rc_start_real() { + + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" + exit 0 + fi + +$start_snort_iface_start + + /bin/rm /tmp/snort.sh.pid + +} + +rc_stop() { + + #### Check for double starts, Pfsense has problems with that + if /bin/ls /tmp/snort.sh.pid > /dev/null ; then + /usr/bin/logger -p daemon.info -i -t SnortStartup "Error: snort.sh IS running" + exit 0 + fi + +$start_snort_iface_stop + + /bin/rm /tmp/snort.sh.pid + /bin/rm /var/run/snort* + +} + +case $1 in + start) + rc_start + ;; + start_real) + rc_start_real + ;; + stop) + rc_stop + ;; + restart) + rc_stop + rc_start_real + ;; +esac + +EOD; + + /* write out snort.sh */ + $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w"); + if(!$bconf) { + log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing."); + exit; + } + /* write snort.sh */ + fwrite($bconf, $snort_sh_text); + fclose($bconf); + +} + + +///////////////////////// >>>>>>>>>>>> + +/* if rules exist copy to new interfaces */ +function create_rules_iface($id, $if_real, $snort_uuid) +{ + + global $config, $g; + conf_mount_rw(); + + $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"; + $folder_chk = (count(glob("$if_rule_dir/*")) === 0) ? 'empty' : 'full'; + + if ($folder_chk == "empty") + { + exec("/bin/cp -R /usr/local/etc/snort/rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules")) + { + exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules/local_{$snort_uuid}_{$if_real}.rules"); + } + } + } /* open barnyard2.conf for writing */ -function create_barnyard2_conf() { - global $bconfig, $bg; +function create_barnyard2_conf($id, $if_real, $snort_uuid) { + global $bconfig, $g; /* write out barnyard2_conf */ - conf_mount_rw(); - $barnyard2_conf_text = generate_barnyard2_conf(); - $bconf = fopen("/usr/local/etc/barnyard2.conf", "w"); + + if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf")) + { + exec("/bin//usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + } + + $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid); + $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w"); if(!$bconf) { - log_error("Could not open /usr/local/etc/barnyard2.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing."); exit; } fwrite($bconf, $barnyard2_conf_text); fclose($bconf); - conf_mount_ro(); } + /* open barnyard2.conf for writing" */ -function generate_barnyard2_conf() { +function generate_barnyard2_conf($id, $if_real, $snort_uuid) { global $config, $g; conf_mount_rw(); /* define snortbarnyardlog */ -/* TODO add support for the other 5 output plugins */ +/* TODO: add support for the other 5 output plugins */ -$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_database']; -$snortbarnyardlog_hostname_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_hostname']; -$snortbarnyardlog_interface_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog_interface']; +$snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql']; +$snortbarnyardlog_hostname_info_chk = exec("/bin/hostname"); $barnyard2_conf_text = <<<EOD # barnyard2.conf # barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php - +# # Copyright (C) 2006 Robert Zelaya # part of pfSense # All rights reserved. - -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: - +# # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. - +# # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. - +# # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -248,93 +1016,125 @@ $barnyard2_conf_text = <<<EOD # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. +# # set the appropriate paths to the file(s) your Snort process is using -config reference-map: /usr/local/etc/snort/reference.config -config class-map: /usr/local/etc/snort/classification.config -config gen-msg-map: /usr/local/etc/snort/gen-msg.map -config sid-msg-map: /usr/local/etc/snort/sid-msg.map + +config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +config classification_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +config gen_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map +config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk -config interface: $snortbarnyardlog_interface_info_chk +config interface: {$snort_uuid}_{$if_real} # Step 2: setup the input plugins input unified2 +config logdir: /var/log/snort + # database: log to a variety of databases # output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx $snortbarnyardlog_database_info_chk EOD; - conf_mount_rw(); + return $barnyard2_conf_text; } -function create_snort_conf() { +function create_snort_conf($id, $if_real, $snort_uuid) +{ global $config, $g; /* write out snort.conf */ - $snort_conf_text = generate_snort_conf(); + + if ($if_real != '' && $snort_uuid != '') { + + $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid); conf_mount_rw(); - $conf = fopen("/usr/local/etc/snort/snort.conf", "w"); + $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w"); if(!$conf) { - log_error("Could not open /usr/local/etc/snort/snort.conf for writing."); + log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing."); exit; } fwrite($conf, $snort_conf_text); fclose($conf); conf_mount_ro(); + } } -function snort_deinstall() { +function snort_deinstall() +{ - global $config, $g; + global $config, $g, $id, $if_real; + conf_mount_rw(); /* remove custom sysctl */ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480"); /* decrease bpf buffers back to 4096, from 20480 */ exec("/sbin/sysctl net.bpf.bufsize=4096"); - exec("/usr/bin/killall snort"); - sleep(5); - exec("/usr/bin/killall -9 snort"); - exec("rm -f /usr/local/etc/rc.d/snort*"); + exec("/usr/usr/bin/killall snort"); + sleep(2); + exec("/usr/usr/bin/killall -9 snort"); + sleep(2); + exec("/usr/usr/bin/killall barnyard2"); + sleep(2); + exec("/usr/usr/bin/killall -9 barnyard2"); + sleep(2); + exec("/usr/sbin/pw userdel snort"); + exec("/usr/sbin/pw groupdel snort"); exec("rm -rf /usr/local/etc/snort*"); + //exec("cd /var/db/pkg && pkg_delete `ls | grep barnyard2`"); exec("cd /var/db/pkg && pkg_delete `ls | grep snort`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep mysql-client`"); - exec("cd /var/db/pkg && pkg_delete `ls | grep libdnet`"); - exec("/usr/bin/killall -9 snort"); - exec("/usr/bin/killall snort"); + exec("cd /var/db/pkg && pkg_delete `ls | grep mysql`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep pcre`"); + exec("cd /var/db/pkg && pkg_delete `ls | grep perl`"); /* Remove snort cron entries Ugly code needs smoothness*/ - - function snort_rm_blocked_deinstall_cron($should_install) { + +function snort_rm_blocked_deinstall_cron($should_install) +{ global $config, $g; + conf_mount_rw(); $is_installed = false; if(!$config['cron']['item']) - return; + return; $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } + foreach($config['cron']['item'] as $item) + { + if (strstr($item['command'], "snort2c")) + { + $is_installed = true; + break; + } + + $x++; + } - - function snort_rules_up_deinstall_cron($should_install) { + if($is_installed == true) + { + if($x > 0) + { + unset($config['cron']['item'][$x]); + write_config(); + conf_mount_rw(); + } + + configure_cron(); + + } + conf_mount_ro(); + +} + + function snort_rules_up_deinstall_cron($should_install) +{ global $config, $g; + conf_mount_rw(); $is_installed = false; @@ -353,10 +1153,11 @@ function snort_deinstall() { if($x > 0) { unset($config['cron']['item'][$x]); write_config(); + conf_mount_rw(); } configure_cron(); } - } +} snort_rm_blocked_deinstall_cron(""); snort_rules_up_deinstall_cron(""); @@ -364,177 +1165,200 @@ snort_rules_up_deinstall_cron(""); /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */ /* Keep this as a last step */ - unset($config['installedpackages']['snort']['config'][0]['autorulesupdate7']); - unset($config['installedpackages']['snort']['config'][0]['rm_blocked']); + unset($config['installedpackages']['snortglobal']); write_config(); + conf_mount_rw(); + + exec("rm -r /usr/local/www/snort"); + exec("rm -r /usr/local/pkg/snort"); + exec("rm -r /usr/local/lib/snort/"); + exec("rm -r /var/log/snort/"); + conf_mount_ro(); + } -function generate_snort_conf() { +function generate_snort_conf($id, $if_real, $snort_uuid) +{ global $config, $g; + conf_mount_rw(); + /* obtain external interface */ /* XXX: make multi wan friendly */ - $snort_ext_int = $config['installedpackages']['snort']['config'][0]['iface_array'][0]; + $snort_ext_int = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; - $snort_config_pass_thru = $config['installedpackages']['snortadvanced']['config'][0]['configpassthru']; + /* create basic files */ + if(!file_exists("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}")) + { + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/"); + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + + if(!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map")) + { + exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config"); + exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map"); + exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config"); + exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map"); + exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map"); + exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf"); + exec("/bin/cp /usr/local/etc/snort/snort.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf"); + exec("/bin/cp/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"); + exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"); + } + } /* define snortalertlogtype */ -$snortalertlogtype = $config['installedpackages']['snortadvanced']['config'][0]['snortalertlogtype']; +$snortalertlogtype = $config['installedpackages']['snortglobal']['snortalertlogtype']; if ($snortalertlogtype == fast) $snortalertlogtype_type = "output alert_fast: alert"; else $snortalertlogtype_type = "output alert_full: alert"; /* define alertsystemlog */ -$alertsystemlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['alertsystemlog']; +$alertsystemlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['alertsystemlog']; if ($alertsystemlog_info_chk == on) $alertsystemlog_type = "output alert_syslog: log_alert"; /* define tcpdumplog */ -$tcpdumplog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['tcpdumplog']; +$tcpdumplog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['tcpdumplog']; if ($tcpdumplog_info_chk == on) $tcpdumplog_type = "output log_tcpdump: snorttcpd.log"; -/* define snortbarnyardlog_chk */ -$snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; -if ($snortbarnyardlog_info_chk == on) - $snortbarnyardlog_type = "barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /usr/local/etc/snort/barnyard2.waldo -D"; - /* define snortunifiedlog */ -$snortunifiedlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortunifiedlog']; +$snortunifiedlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['snortunifiedlog']; if ($snortunifiedlog_info_chk == on) - $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128"; + $snortunifiedlog_type = "output unified2: filename snort_{$snort_uuid}_{$if_real}.u2, limit 128"; -/* define spoink */ -$spoink_info_chk = $config['installedpackages']['snort']['config'][0]['blockoffenders7']; +/* define spoink (DISABLED)*/ +$spoink_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['blockoffenders7']; if ($spoink_info_chk == on) $spoink_type = "output alert_pf: /var/db/whitelist,snort2c"; /* define servers and ports snortdefservers */ /* def DNS_SERVSERS */ -$def_dns_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_servers']; +$def_dns_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_servers']; if ($def_dns_servers_info_chk == "") $def_dns_servers_type = "\$HOME_NET"; else $def_dns_servers_type = "$def_dns_servers_info_chk"; /* def DNS_PORTS */ -$def_dns_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_dns_ports']; +$def_dns_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_dns_ports']; if ($def_dns_ports_info_chk == "") $def_dns_ports_type = "53"; else $def_dns_ports_type = "$def_dns_ports_info_chk"; /* def SMTP_SERVSERS */ -$def_smtp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_servers']; +$def_smtp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_servers']; if ($def_smtp_servers_info_chk == "") $def_smtp_servers_type = "\$HOME_NET"; else $def_smtp_servers_type = "$def_smtp_servers_info_chk"; /* def SMTP_PORTS */ -$def_smtp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_smtp_ports']; +$def_smtp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_smtp_ports']; if ($def_smtp_ports_info_chk == "") $def_smtp_ports_type = "25"; else $def_smtp_ports_type = "$def_smtp_ports_info_chk"; /* def MAIL_PORTS */ -$def_mail_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mail_ports']; +$def_mail_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mail_ports']; if ($def_mail_ports_info_chk == "") $def_mail_ports_type = "25,143,465,691"; else $def_mail_ports_type = "$def_mail_ports_info_chk"; /* def HTTP_SERVSERS */ -$def_http_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_servers']; +$def_http_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_servers']; if ($def_http_servers_info_chk == "") $def_http_servers_type = "\$HOME_NET"; else $def_http_servers_type = "$def_http_servers_info_chk"; /* def WWW_SERVSERS */ -$def_www_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_www_servers']; +$def_www_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_www_servers']; if ($def_www_servers_info_chk == "") $def_www_servers_type = "\$HOME_NET"; else $def_www_servers_type = "$def_www_servers_info_chk"; /* def HTTP_PORTS */ -$def_http_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_http_ports']; +$def_http_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_http_ports']; if ($def_http_ports_info_chk == "") $def_http_ports_type = "80"; else $def_http_ports_type = "$def_http_ports_info_chk"; /* def SQL_SERVSERS */ -$def_sql_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sql_servers']; +$def_sql_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sql_servers']; if ($def_sql_servers_info_chk == "") $def_sql_servers_type = "\$HOME_NET"; else $def_sql_servers_type = "$def_sql_servers_info_chk"; /* def ORACLE_PORTS */ -$def_oracle_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_oracle_ports']; +$def_oracle_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_oracle_ports']; if ($def_oracle_ports_info_chk == "") $def_oracle_ports_type = "1521"; else $def_oracle_ports_type = "$def_oracle_ports_info_chk"; /* def MSSQL_PORTS */ -$def_mssql_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_mssql_ports']; +$def_mssql_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_mssql_ports']; if ($def_mssql_ports_info_chk == "") $def_mssql_ports_type = "1433"; else $def_mssql_ports_type = "$def_mssql_ports_info_chk"; /* def TELNET_SERVSERS */ -$def_telnet_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_servers']; +$def_telnet_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_servers']; if ($def_telnet_servers_info_chk == "") $def_telnet_servers_type = "\$HOME_NET"; else $def_telnet_servers_type = "$def_telnet_servers_info_chk"; /* def TELNET_PORTS */ -$def_telnet_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_telnet_ports']; +$def_telnet_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_telnet_ports']; if ($def_telnet_ports_info_chk == "") $def_telnet_ports_type = "23"; else $def_telnet_ports_type = "$def_telnet_ports_info_chk"; /* def SNMP_SERVSERS */ -$def_snmp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_servers']; +$def_snmp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_servers']; if ($def_snmp_servers_info_chk == "") $def_snmp_servers_type = "\$HOME_NET"; else $def_snmp_servers_type = "$def_snmp_servers_info_chk"; /* def SNMP_PORTS */ -$def_snmp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_snmp_ports']; +$def_snmp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_snmp_ports']; if ($def_snmp_ports_info_chk == "") $def_snmp_ports_type = "161"; else $def_snmp_ports_type = "$def_snmp_ports_info_chk"; /* def FTP_SERVSERS */ -$def_ftp_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_servers']; +$def_ftp_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_servers']; if ($def_ftp_servers_info_chk == "") $def_ftp_servers_type = "\$HOME_NET"; else $def_ftp_servers_type = "$def_ftp_servers_info_chk"; /* def FTP_PORTS */ -$def_ftp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ftp_ports']; +$def_ftp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ftp_ports']; if ($def_ftp_ports_info_chk == "") $def_ftp_ports_type = "21"; else $def_ftp_ports_type = "$def_ftp_ports_info_chk"; /* def SSH_SERVSERS */ -$def_ssh_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_servers']; +$def_ssh_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_servers']; if ($def_ssh_servers_info_chk == "") $def_ssh_servers_type = "\$HOME_NET"; else @@ -547,360 +1371,124 @@ else $ssh_port = "22"; /* def SSH_PORTS */ -$def_ssh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssh_ports']; +$def_ssh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssh_ports']; if ($def_ssh_ports_info_chk == "") $def_ssh_ports_type = "{$ssh_port}"; else $def_ssh_ports_type = "$def_ssh_ports_info_chk"; /* def POP_SERVSERS */ -$def_pop_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop_servers']; +$def_pop_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop_servers']; if ($def_pop_servers_info_chk == "") $def_pop_servers_type = "\$HOME_NET"; else $def_pop_servers_type = "$def_pop_servers_info_chk"; /* def POP2_PORTS */ -$def_pop2_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop2_ports']; +$def_pop2_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop2_ports']; if ($def_pop2_ports_info_chk == "") $def_pop2_ports_type = "109"; else $def_pop2_ports_type = "$def_pop2_ports_info_chk"; /* def POP3_PORTS */ -$def_pop3_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_pop3_ports']; +$def_pop3_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_pop3_ports']; if ($def_pop3_ports_info_chk == "") $def_pop3_ports_type = "110"; else $def_pop3_ports_type = "$def_pop3_ports_info_chk"; /* def IMAP_SERVSERS */ -$def_imap_servers_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_servers']; +$def_imap_servers_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_servers']; if ($def_imap_servers_info_chk == "") $def_imap_servers_type = "\$HOME_NET"; else $def_imap_servers_type = "$def_imap_servers_info_chk"; /* def IMAP_PORTS */ -$def_imap_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_imap_ports']; +$def_imap_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_imap_ports']; if ($def_imap_ports_info_chk == "") $def_imap_ports_type = "143"; else $def_imap_ports_type = "$def_imap_ports_info_chk"; /* def SIP_PROXY_IP */ -$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ip']; +$def_sip_proxy_ip_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ip']; if ($def_sip_proxy_ip_info_chk == "") $def_sip_proxy_ip_type = "\$HOME_NET"; else $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk"; /* def SIP_PROXY_PORTS */ -$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_sip_proxy_ports']; +$def_sip_proxy_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_sip_proxy_ports']; if ($def_sip_proxy_ports_info_chk == "") $def_sip_proxy_ports_type = "5060:5090,16384:32768"; else $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk"; /* def AUTH_PORTS */ -$def_auth_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_auth_ports']; +$def_auth_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_auth_ports']; if ($def_auth_ports_info_chk == "") $def_auth_ports_type = "113"; else $def_auth_ports_type = "$def_auth_ports_info_chk"; /* def FINGER_PORTS */ -$def_finger_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_finger_ports']; +$def_finger_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_finger_ports']; if ($def_finger_ports_info_chk == "") $def_finger_ports_type = "79"; else $def_finger_ports_type = "$def_finger_ports_info_chk"; /* def IRC_PORTS */ -$def_irc_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_irc_ports']; +$def_irc_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_irc_ports']; if ($def_irc_ports_info_chk == "") $def_irc_ports_type = "6665,6666,6667,6668,6669,7000"; else $def_irc_ports_type = "$def_irc_ports_info_chk"; /* def NNTP_PORTS */ -$def_nntp_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_nntp_ports']; +$def_nntp_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_nntp_ports']; if ($def_nntp_ports_info_chk == "") $def_nntp_ports_type = "119"; else $def_nntp_ports_type = "$def_nntp_ports_info_chk"; /* def RLOGIN_PORTS */ -$def_rlogin_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rlogin_ports']; +$def_rlogin_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rlogin_ports']; if ($def_rlogin_ports_info_chk == "") $def_rlogin_ports_type = "513"; else $def_rlogin_ports_type = "$def_rlogin_ports_info_chk"; /* def RSH_PORTS */ -$def_rsh_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_rsh_ports']; +$def_rsh_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_rsh_ports']; if ($def_rsh_ports_info_chk == "") $def_rsh_ports_type = "514"; else $def_rsh_ports_type = "$def_rsh_ports_info_chk"; /* def SSL_PORTS */ -$def_ssl_ports_info_chk = $config['installedpackages']['snortdefservers']['config'][0]['def_ssl_ports']; +$def_ssl_ports_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports']; if ($def_ssl_ports_info_chk == "") - $def_ssl_ports_type = "25,443,465,636,993,995"; + $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995"; else $def_ssl_ports_type = "$def_ssl_ports_info_chk"; - /* add auto update scripts to /etc/crontab */ -// $text_ww = "*/60\t* \t 1\t *\t *\t root\t /usr/bin/nice -n20 /usr/local/pkg/snort_check_for_rule_updates.php"; -// $filenamea = "/etc/crontab"; -// remove_text_from_file($filenamea, $text_ww); -// add_text_to_file($filenamea, $text_ww); -// exec("killall -HUP cron"); */ - /* should we install a automatic update crontab entry? */ - $automaticrulesupdate = $config['installedpackages']['snort']['config'][0]['automaticrulesupdate']; + $automaticrulesupdate = $config['installedpackages']['snortglobal']['automaticrulesupdate7']; /* if user is on pppoe, we really want to use ng0 interface */ if($config['interfaces'][$snort_ext_int]['ipaddr'] == "pppoe") $snort_ext_int = "ng0"; /* set the snort performance model */ - if($config['installedpackages']['snort']['config'][0]['performance']) - $snort_performance = $config['installedpackages']['snort']['config'][0]['performance']; + if($config['installedpackages']['snortglobal']['rule'][$id]['performance']) + $snort_performance = $config['installedpackages']['snortglobal']['rule'][$id]['performance']; else $snort_performance = "ac-bnfa"; - /* set the snort block hosts time IMPORTANT snort has trouble installing if snort_rm_blocked_info_ck != "" */ - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "never_b") - $snort_rm_blocked_false = ""; - else - $snort_rm_blocked_false = "true"; - -if ($snort_rm_blocked_info_ck != "") { -function snort_rm_blocked_install_cron($should_install) { - global $config, $g; - conf_mount_rw(); - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort2c")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rm_blocked_info_ck = $config['installedpackages']['snort']['config'][0]['rm_blocked']; - if ($snort_rm_blocked_info_ck == "1h_b") { - $snort_rm_blocked_min = "*/5"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "3600"; - } - if ($snort_rm_blocked_info_ck == "3h_b") { - $snort_rm_blocked_min = "*/15"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "10800"; - } - if ($snort_rm_blocked_info_ck == "6h_b") { - $snort_rm_blocked_min = "*/30"; - $snort_rm_blocked_hr = "*"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "21600"; - } - if ($snort_rm_blocked_info_ck == "12h_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/1"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "43200"; - } - if ($snort_rm_blocked_info_ck == "1d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/2"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "86400"; - } - if ($snort_rm_blocked_info_ck == "4d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/8"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "345600"; - } - if ($snort_rm_blocked_info_ck == "7d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "*/14"; - $snort_rm_blocked_mday = "*"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "604800"; - } - if ($snort_rm_blocked_info_ck == "28d_b") { - $snort_rm_blocked_min = "2"; - $snort_rm_blocked_hr = "0"; - $snort_rm_blocked_mday = "*/2"; - $snort_rm_blocked_month = "*"; - $snort_rm_blocked_wday = "*"; - $snort_rm_blocked_expire = "2419200"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rm_blocked_min"; - $cron_item['hour'] = "$snort_rm_blocked_hr"; - $cron_item['mday'] = "$snort_rm_blocked_mday"; - $cron_item['month'] = "$snort_rm_blocked_month"; - $cron_item['wday'] = "$snort_rm_blocked_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - conf_mount_rw(); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } - } - snort_rm_blocked_install_cron(""); - snort_rm_blocked_install_cron($snort_rm_blocked_false); -} - - /* set the snort rules update time */ - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "never_up") - $snort_rules_up_false = ""; - else - $snort_rules_up_false = "true"; - -if ($snort_rules_up_info_ck != "") { -function snort_rules_up_install_cron($should_install) { - global $config, $g; - conf_mount_rw(); - if ($g['booting']==true) - return; - - $is_installed = false; - - if(!$config['cron']['item']) - return; - - $x=0; - foreach($config['cron']['item'] as $item) { - if (strstr($item['command'], "snort_check_for_rule_updates.php")) { - $is_installed = true; - break; - } - $x++; - } - $snort_rules_up_info_ck = $config['installedpackages']['snort']['config'][0]['autorulesupdate7']; - if ($snort_rules_up_info_ck == "6h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/6"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "12h_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "*/12"; - $snort_rules_up_mday = "*"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "1d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/1"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "4d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/4"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "7d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/7"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - if ($snort_rules_up_info_ck == "28d_up") { - $snort_rules_up_min = "3"; - $snort_rules_up_hr = "0"; - $snort_rules_up_mday = "*/28"; - $snort_rules_up_month = "*"; - $snort_rules_up_wday = "*"; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "$snort_rules_up_min"; - $cron_item['hour'] = "$snort_rules_up_hr"; - $cron_item['mday'] = "$snort_rules_up_mday"; - $cron_item['month'] = "$snort_rules_up_month"; - $cron_item['wday'] = "$snort_rules_up_wday"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort_check_for_rule_updates.php >> /usr/local/etc/snort_bkup/snort_update.log"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - conf_mount_rw(); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - conf_mount_rw(); - } - configure_cron(); - } - break; - } - } - snort_rules_up_install_cron(""); - snort_rules_up_install_cron($snort_rules_up_false); -} - /* Be sure we're really rw before writing */ - conf_mount_rw(); - /* open snort2c's whitelist for writing */ + /* open snort's whitelist for writing */ $whitelist = fopen("/var/db/whitelist", "w"); if(!$whitelist) { log_error("Could not open /var/db/whitelist for writing."); @@ -940,7 +1528,7 @@ function snort_rules_up_install_cron($should_install) { $home_net .= "{$ip} "; /* Add Gateway on WAN interface to whitelist (For RRD graphs) */ - $int = convert_friendly_interface_to_real_interface_name("WAN"); + $int = convert_friendly_interface_to_real_interface_name2("WAN"); $gw = get_interface_gateway($int); if($gw) $home_net .= "{$gw} "; @@ -956,13 +1544,14 @@ function snort_rules_up_install_cron($should_install) { $home_net .= "127.0.0.1 "; /* iterate all vips and add to whitelist */ + if($config['virtualip']) foreach($config['virtualip']['vip'] as $vip) if($vip['subnet']) $home_net .= $vip['subnet'] . " "; - if($config['installedpackages']['snortwhitelist']) - foreach($config['installedpackages']['snortwhitelist']['config'] as $snort) + if($config['installedpackages']['snortglobal']['config']) + foreach($config['installedpackages']['snortglobal']['config'] as $snort) if($snort['ip']) $home_net .= $snort['ip'] . " "; @@ -982,11 +1571,19 @@ function snort_rules_up_install_cron($should_install) { fwrite($whitelist, trim($wl) . "\n"); /* should we whitelist vpns? */ - $whitelistvpns = $config['installedpackages']['snort']['config'][0]['whitelistvpns']; + $whitelistvpns = $config['installedpackages']['snortglobal']['whitelistvpns']; /* grab a list of vpns and whitelist if user desires added by nestorfish 954 */ if($whitelistvpns) { - $vpns_list = get_vpns_list(); + if ($pfsense_stable == 'yes') // chk what pfsense version were on + { + $vpns_list = get_vpns_list(); + } + if ($pfsense_stable == 'no') // chk what pfsense version were on + { + $vpns_list = filter_get_vpns_list(); + } + $whitelist_vpns = split(" ", $vpns_list); foreach($whitelist_vpns as $wl) if(trim($wl)) @@ -995,34 +1592,9 @@ function snort_rules_up_install_cron($should_install) { /* close file */ fclose($whitelist); - - /* Be sure we're really rw before writing */ - conf_mount_rw(); - /* open snort's threshold.conf for writing */ - $threshlist = fopen("/usr/local/etc/snort/threshold.conf", "w"); - if(!$threshlist) { - log_error("Could not open /usr/local/etc/snort/threshold.conf for writing."); - return; - } - - /* list all entries to new lines */ - if($config['installedpackages']['snortthreshold']) - foreach($config['installedpackages']['snortthreshold']['config'] as $snortthreshlist) - if($snortthreshlist['threshrule']) - $snortthreshlist_r .= $snortthreshlist['threshrule'] . "\n"; - - - /* foreach through threshlist, writing out to file */ - $threshlist_split = split("\n", $snortthreshlist_r); - foreach($threshlist_split as $wl) - if(trim($wl)) - fwrite($threshlist, trim($wl) . "\n"); - - /* close snort's threshold.conf file */ - fclose($threshlist); - + /* generate rule sections to load */ - $enabled_rulesets = $config['installedpackages']['snort']['rulesets']; + $enabled_rulesets = $config['installedpackages']['snortglobal']['rule'][$id]['rulesets']; if($enabled_rulesets) { $selected_rules_sections = ""; $enabled_rulesets_array = split("\|\|", $enabled_rulesets); @@ -1032,6 +1604,256 @@ function snort_rules_up_install_cron($should_install) { conf_mount_ro(); +///////////////////////////// + +/* preprocessor code */ + +/* def perform_stat */ +$snort_perform_stat = <<<EOD +########################## + # +# NEW # +# Performance Statistics # + # +########################## + +preprocessor perfmonitor: time 300 file /var/log/snort/snort_{$snort_uuid}_{$if_real}.stats pktcnt 10000 + +EOD; + +$def_perform_stat_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['perform_stat']; +if ($def_perform_stat_info_chk == "on") + $def_perform_stat_type = "$snort_perform_stat"; +else + $def_perform_stat_type = ""; + +$def_flow_depth_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; +if ($def_flow_depth_info_chk == '') + $def_flow_depth_type = '0'; +else + $def_flow_depth_type = $config['installedpackages']['snortglobal']['rule'][$id]['flow_depth']; + +/* def http_inspect */ +$snort_http_inspect = <<<EOD +################# + # +# HTTP Inspect # + # +################# + +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 + +preprocessor http_inspect_server: server default \ + ports { 80 8080 } \ + non_strict \ + non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ + flow_depth {$def_flow_depth_type} \ + apache_whitespace no \ + directory no \ + iis_backslash no \ + u_encode yes \ + ascii no \ + chunk_length 500000 \ + bare_byte yes \ + double_decode yes \ + iis_unicode no \ + iis_delimiter no \ + multi_slash no + +EOD; + +$def_http_inspect_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['http_inspect']; +if ($def_http_inspect_info_chk == "on") + $def_http_inspect_type = "$snort_http_inspect"; +else + $def_http_inspect_type = ""; + +/* def other_preprocs */ +$snort_other_preprocs = <<<EOD +################## + # +# Other preprocs # + # +################## + +preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 +preprocessor bo + +EOD; + +$def_other_preprocs_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['other_preprocs']; +if ($def_other_preprocs_info_chk == "on") + $def_other_preprocs_type = "$snort_other_preprocs"; +else + $def_other_preprocs_type = ""; + +/* def ftp_preprocessor */ +$snort_ftp_preprocessor = <<<EOD +##################### + # +# ftp preprocessor # + # +##################### + +preprocessor ftp_telnet: global \ +inspection_type stateless + +preprocessor ftp_telnet_protocol: telnet \ + normalize \ + ayt_attack_thresh 200 + +preprocessor ftp_telnet_protocol: \ + ftp server default \ + def_max_param_len 100 \ + ports { 21 } \ + ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ + ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ + ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ + ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ + ftp_cmds { FEAT CEL CMD MACB } \ + ftp_cmds { MDTM REST SIZE MLST MLSD } \ + ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ + alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ + alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ + alt_max_param_len 256 { RNTO CWD } \ + alt_max_param_len 400 { PORT } \ + alt_max_param_len 512 { SIZE } \ + chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ + chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ + chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ + chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ + chk_str_fmt { FEAT CEL CMD } \ + chk_str_fmt { MDTM REST SIZE MLST MLSD } \ + chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ + cmd_validity MODE < char ASBCZ > \ + cmd_validity STRU < char FRP > \ + cmd_validity ALLO < int [ char R int ] > \ + cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ + cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ + cmd_validity PORT < host_port > + +preprocessor ftp_telnet_protocol: ftp client default \ + max_resp_len 256 \ + bounce yes \ + telnet_cmds yes + +EOD; + +$def_ftp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['ftp_preprocessor']; +if ($def_ftp_preprocessor_info_chk == "on") + $def_ftp_preprocessor_type = "$snort_ftp_preprocessor"; +else + $def_ftp_preprocessor_type = ""; + +/* def smtp_preprocessor */ +$snort_smtp_preprocessor = <<<EOD +##################### + # +# SMTP preprocessor # + # +##################### + +preprocessor SMTP: \ + ports { 25 465 691 } \ + inspection_type stateful \ + normalize cmds \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ +CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ +PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + max_header_line_len 1000 \ + max_response_line_len 512 \ + alt_max_command_line_len 260 { MAIL } \ + alt_max_command_line_len 300 { RCPT } \ + alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ + alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ + alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ + alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ + alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + xlink2state { enable } + +EOD; + +$def_smtp_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['smtp_preprocessor']; +if ($def_smtp_preprocessor_info_chk == "on") + $def_smtp_preprocessor_type = "$snort_smtp_preprocessor"; +else + $def_smtp_preprocessor_type = ""; + +/* def sf_portscan */ +$snort_sf_portscan = <<<EOD +################ + # +# sf Portscan # + # +################ + +preprocessor sfportscan: scan_type { all } \ + proto { all } \ + memcap { 10000000 } \ + sense_level { medium } \ + ignore_scanners { \$HOME_NET } + +EOD; + +$def_sf_portscan_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['sf_portscan']; +if ($def_sf_portscan_info_chk == "on") + $def_sf_portscan_type = "$snort_sf_portscan"; +else + $def_sf_portscan_type = ""; + +/* def dce_rpc_2 */ +$snort_dce_rpc_2 = <<<EOD +############### + # +# NEW # +# DCE/RPC 2 # + # +############### + +preprocessor dcerpc2: memcap 102400, events [smb, co, cl] +preprocessor dcerpc2_server: default, policy WinXP, \ + detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ + autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ + smb_max_chain 3 + +EOD; + +$def_dce_rpc_2_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dce_rpc_2']; +if ($def_dce_rpc_2_info_chk == "on") + $def_dce_rpc_2_type = "$snort_dce_rpc_2"; +else + $def_dce_rpc_2_type = ""; + +/* def dns_preprocessor */ +$snort_dns_preprocessor = <<<EOD +#################### + # +# DNS preprocessor # + # +#################### + +preprocessor dns: \ + ports { 53 } \ + enable_rdata_overflow + +EOD; + +$def_dns_preprocessor_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['dns_preprocessor']; +if ($def_dns_preprocessor_info_chk == "on") + $def_dns_preprocessor_type = "$snort_dns_preprocessor"; +else + $def_dns_preprocessor_type = ""; + +/* def SSL_PORTS IGNORE */ +$def_ssl_ports_ignore_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['def_ssl_ports_ignore']; +if ($def_ssl_ports_ignore_info_chk == "") + $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995"; +else + $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk"; + +////////////////////////////////////////////////////////////////// /* build snort configuration file */ /* TODO; feed back from pfsense users to reduce false positives */ $snort_conf_text = <<<EOD @@ -1043,21 +1865,21 @@ function snort_rules_up_install_cron($should_install) { # for more information # snort.conf # Snort can be found at http://www.snort.org/ - -# Copyright (C) 2006 Robert Zelaya +# +# Copyright (C) 2009 Robert Zelaya # part of pfSense # All rights reserved. - +# # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: - +# # 1. Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. - +# # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. - +# # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE @@ -1146,7 +1968,7 @@ portvar DCERPC_BRIGHTSTORE [6503,6504] # ##################### -var RULE_PATH /usr/local/etc/snort/rules +var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules # var PREPROC_RULE_PATH ./preproc_rules ################################ @@ -1171,8 +1993,7 @@ config disable_decode_drops # ################################### -config detection: search-method {$snort_performance} -config detection: max_queue_events 5 +config detection: search-method {$snort_performance} max_queue_events 5 config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries @@ -1187,150 +2008,25 @@ dynamicdetection directory /usr/local/lib/snort/dynamicrules/ ################### preprocessor frag3_global: max_frags 8192 -preprocessor frag3_engine: policy windows -preprocessor frag3_engine: policy linux -preprocessor frag3_engine: policy first preprocessor frag3_engine: policy bsd detect_anomalies preprocessor stream5_global: max_tcp 8192, track_tcp yes, \ track_udp yes, track_icmp yes -preprocessor stream5_tcp: bind_to any, policy windows -preprocessor stream5_tcp: bind_to any, policy linux -preprocessor stream5_tcp: bind_to any, policy vista -preprocessor stream5_tcp: bind_to any, policy macos preprocessor stream5_tcp: policy BSD, ports both all, use_static_footprint_sizes -preprocessor stream5_udp -preprocessor stream5_icmp - -########################## - # -# NEW # -# Performance Statistics # - # -########################## - -preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000 - -################# - # -# HTTP Inspect # - # -################# +preprocessor stream5_udp: +preprocessor stream5_icmp: -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 +{$def_perform_stat_type} -preprocessor http_inspect_server: server default \ - ports { 80 8080 } \ - no_alerts \ - non_strict \ - non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ - flow_depth 0 \ - apache_whitespace yes \ - directory no \ - iis_backslash no \ - u_encode yes \ - ascii yes \ - chunk_length 500000 \ - bare_byte yes \ - double_decode yes \ - iis_unicode yes \ - iis_delimiter yes \ - multi_slash no +{$def_http_inspect_type} -################## - # -# Other preprocs # - # -################## - -preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 -preprocessor bo - -##################### - # -# ftp preprocessor # - # -##################### +{$def_other_preprocs_type} -preprocessor ftp_telnet: global \ -inspection_type stateless +{$def_ftp_preprocessor_type} -preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 +{$def_smtp_preprocessor_type} -preprocessor ftp_telnet_protocol: \ - ftp server default \ - def_max_param_len 100 \ - ports { 21 } \ - ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ - ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ - ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ - ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \ - ftp_cmds { FEAT CEL CMD MACB } \ - ftp_cmds { MDTM REST SIZE MLST MLSD } \ - ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \ - alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \ - alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \ - alt_max_param_len 256 { RNTO CWD } \ - alt_max_param_len 400 { PORT } \ - alt_max_param_len 512 { SIZE } \ - chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \ - chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \ - chk_str_fmt { LIST NLST SITE SYST STAT HELP } \ - chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \ - chk_str_fmt { FEAT CEL CMD } \ - chk_str_fmt { MDTM REST SIZE MLST MLSD } \ - chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \ - cmd_validity MODE < char ASBCZ > \ - cmd_validity STRU < char FRP > \ - cmd_validity ALLO < int [ char R int ] > \ - cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \ - cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ - cmd_validity PORT < host_port > - -preprocessor ftp_telnet_protocol: ftp client default \ - max_resp_len 256 \ - bounce yes \ - telnet_cmds yes - -##################### - # -# SMTP preprocessor # - # -##################### - -preprocessor SMTP: \ - ports { 25 465 691 } \ - inspection_type stateful \ - normalize cmds \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - max_header_line_len 1000 \ - max_response_line_len 512 \ - alt_max_command_line_len 260 { MAIL } \ - alt_max_command_line_len 300 { RCPT } \ - alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ - alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ - alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \ - alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \ - alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - xlink2state { enable } - -################ - # -# sf Portscan # - # -################ - -preprocessor sfportscan: scan_type { all } \ - proto { all } \ - memcap { 10000000 } \ - sense_level { medium } \ - ignore_scanners { \$HOME_NET } +{$def_sf_portscan_type} ############################ # @@ -1342,28 +2038,9 @@ preprocessor sfportscan: scan_type { all } \ # ############################ -############### - # -# NEW # -# DCE/RPC 2 # - # -############### - -preprocessor dcerpc2: memcap 102400, events [smb, co, cl] -preprocessor dcerpc2_server: default, policy WinXP, \ - detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ - autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ - smb_max_chain 3 - -#################### - # -# DNS preprocessor # - # -#################### +{$def_dce_rpc_2_type} -preprocessor dns: \ - ports { 53 } \ - enable_rdata_overflow +{$def_dns_preprocessor_type} ############################## # @@ -1372,7 +2049,7 @@ preprocessor dns: \ # ############################## -preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted +preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted ##################### # @@ -1393,9 +2070,9 @@ $spoink_type # ################# -include /usr/local/etc/snort/reference.config -include /usr/local/etc/snort/classification.config -include /usr/local/etc/snort/threshold.conf +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config +include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf # Snort user pass through configuration {$snort_config_pass_thru} @@ -1409,17 +2086,19 @@ include /usr/local/etc/snort/threshold.conf {$selected_rules_sections} EOD; - conf_mount_ro(); + return $snort_conf_text; } /* check downloaded text from snort.org to make sure that an error did not occur * for example, if you are not a premium subscriber you can only download rules - * so often, etc. + * so often, etc. TO BE: Removed unneeded. */ + function check_for_common_errors($filename) { global $snort_filename, $snort_filename_md5, $console_mode; - ob_flush(); + +// ob_flush(); $contents = file_get_contents($filename); if(stristr($contents, "You don't have permission")) { if(!$console_mode) { @@ -1427,7 +2106,6 @@ function check_for_common_errors($filename) { hide_progress_bar_status(); } else { log_error("An error occured. Scroll down to inspect it's contents."); - echo "An error occured. Scroll down to inspect it's contents."; } if(!$console_mode) { update_output_window(strip_tags("$contents")); @@ -1470,14 +2148,12 @@ function verify_downloaded_file($filename) { } exit; } - update_all_status("Verifyied {$filename}."); + update_all_status("Verified {$filename}."); } /* extract rules */ function extract_snort_rules_md5($tmpfname) { global $snort_filename, $snort_filename_md5, $console_mode; - ini_set("memory_limit","64M"); - conf_mount_rw(); ob_flush(); if(!$console_mode) { $static_output = gettext("Extracting snort rules..."); @@ -1500,7 +2176,6 @@ function extract_snort_rules_md5($tmpfname) { log_error("Snort rules extracted."); echo "Snort rules extracted."; } - conf_mount_ro(); } /* verify MD5 against downloaded item */ @@ -1513,7 +2188,7 @@ function verify_snort_rules_md5($tmpfname) { } $md555 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); - $md5 = `/bin/echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; + $md5 = `echo "{$md555}" | /usr/bin/awk '{ print $4 }'`; $file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; if($md5 == $file_md5_ondisk) { if(!$console_mode) { @@ -1569,7 +2244,7 @@ function get_snort_alert($ip) { if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) $alert_title = $matches[2]; if (preg_match("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches)) - $alert_ip = $matches[0]; + $alert_ip = $matches[$id]; if($alert_ip == $ip) { if(!$snort_config[$ip]) $snort_config[$ip] = $alert_title; @@ -1582,7 +2257,7 @@ function get_snort_alert($ip) { function make_clickable($buffer) { global $config, $g; /* if clickable urls is disabled, simply return buffer back to caller */ - $clickablalerteurls = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; + $clickablalerteurls = $config['installedpackages']['snort']['config'][$id]['oinkmastercode']; if(!$clickablalerteurls) return $buffer; $buffer = eregi_replace("(^|[ \n\r\t])((http(s?)://)(www\.)?([a-z0-9_-]+(\.[a-z0-9_-]+)+)(/[^/ \n\r]*)*)","\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $buffer); diff --git a/config/snort-dev/snort.sh b/config/snort/snort.sh index 5b725cfe..5b725cfe 100644 --- a/config/snort-dev/snort.sh +++ b/config/snort/snort.sh diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 763f65eb..502438c2 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,73 +46,32 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.8.4.1_5</version> - <title>Services: Snort 2.8.4.1_5 pkg v. 1.6</title> - <include_file>/usr/local/pkg/snort.inc</include_file> + <version>2.8.5.3</version> + <title>Services: Snort 2.8.5.2 pkg v. 1.19</title> + <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> <tooltiptext>Setup snort specific settings</tooltiptext> <section>Services</section> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> + <url>/snort/snort_interfaces.php</url> </menu> <service> <name>snort</name> - <rcfile>snort.sh</rcfile> + <rcfile></rcfile> <executable>snort</executable> - <description>Snort is the most widely deployed IDS/IPS technology worldwide..</description> + <description>Snort is the most widely deployed IDS/IPS technology worldwide.</description> </service> <tabs> - <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> - <active/> - </tab> - <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> - </tab> - <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> - </tab> - <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> - </tab> - <tab> - <text>Blocked</text> - <url>/snort_blocked.php</url> - </tab> - <tab> - <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> - </tab> - <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> - </tab> </tabs> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/bin/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/bin/barnyard2</item> + <item>http://www.pfsense.com/packages/config/snort/snort_fbegin.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/bin/</prefix> @@ -123,256 +82,118 @@ <prefix>/usr/local/bin/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/oinkmaster.pl</item> - </additional_files_needed> + </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/bin/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item> + <item>http://www.pfsense.com/packages/config/snort/bin/oinkmaster_contrib/snort_rename.pl</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_gui.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/pkg/pf/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_whitelist.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_whitelist.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_barnyard.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_blocked.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_define_servers.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_download_rules.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/snort/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_check_for_rule_updates.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_alerts.php</item> + <item>http://www.pfsense.com/packages/config/snort/snort_help_info.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/pf/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_dynamic_ip_reload.php</item> + <item>http://www.pfsense.com/packages/config/snort/help_and_info.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_edit.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_global.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_advanced.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_rules.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_define_servers.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_rules_edit.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/snort_threshold.xml</item> + <item>http://www.pfsense.com/packages/config/snort/snort_rulesets.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/www/snort/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/snort/pfsense_rules/local.rules</item> + <item>http://www.pfsense.com/packages/config/snort/snort_preprocessors.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/etc/rc.d/</prefix> + <chmod>755</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort.sh</item> </additional_files_needed> <fields> - <field> - <fielddescr>Interface</fielddescr> - <fieldname>iface_array</fieldname> - <description>Select the interface(s) Snort will listen on.</description> - <type>interfaces_selection</type> - <size>3</size> - <value>lan</value> - <multiple>true</multiple> - </field> - <field> - <fielddescr>Memory Performance</fielddescr> - <fieldname>performance</fieldname> - <description>Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance.</description> - <type>select</type> - <options> - <option> - <name>ac-bnfa</name> - <value>ac-bnfa</value> - </option> - <option> - <name>lowmem</name> - <value>lowmem</value> - </option> - <option> - <name>ac-std</name> - <value>ac-std</value> - </option> - <option> - <name>ac</name> - <value>ac</value> - </option> - <option> - <name>ac-banded</name> - <value>ac-banded</value> - </option> - <option> - <name>ac-sparsebands</name> - <value>ac-sparsebands</value> - </option> - <option> - <name>acs</name> - <value>acs</value> - </option> - </options> - </field> - <field> - <fielddescr>Oinkmaster code</fielddescr> - <fieldname>oinkmastercode</fieldname> - <description>Obtain a snort.org Oinkmaster code and paste here.</description> - <type>input</type> - <size>60</size> - <value></value> - </field> - <field> - <fielddescr>Snort.org subscriber</fielddescr> - <fieldname>subscriber</fieldname> - <description>Check this box if you are a Snort.org subscriber (premium rules).</description> - <type>checkbox</type> - <size>60</size> - </field> - <field> - <fielddescr>Block offenders</fielddescr> - <fieldname>blockoffenders7</fieldname> - <description>Checking this option will automatically block hosts that generate a snort alert.</description> - <type>checkbox</type> - <size>60</size> - </field> - <field> - <fielddescr>Remove blocked hosts every</fielddescr> - <fieldname>rm_blocked</fieldname> - <description>Please select the amount of time hosts are blocked</description> - <type>select</type> - <options> - <option> - <name>never</name> - <value>never_b</value> - </option> - <option> - <name>1 hour</name> - <value>1h_b</value> - </option> - <option> - <name>3 hours</name> - <value>3h_b</value> - </option> - <option> - <name>6 hours</name> - <value>6h_b</value> - </option> - <option> - <name>12 hours</name> - <value>12h_b</value> - </option> - <option> - <name>1 day</name> - <value>1d_b</value> - </option> - <option> - <name>4 days</name> - <value>4d_b</value> - </option> - <option> - <name>7 days</name> - <value>7d_b</value> - </option> - <option> - <name>28 days</name> - <value>28d_b</value> - </option> - </options> - </field> - <field> - </field> - <field> - <fielddescr>Update rules automatically</fielddescr> - <fieldname>autorulesupdate7</fieldname> - <description>Please select the update times for rules.</description> - <type>select</type> - <options> - <option> - <name>never</name> - <value>never_up</value> - </option> - <option> - <name>6 hours</name> - <value>6h_up</value> - </option> - <option> - <name>12 hours</name> - <value>12h_up</value> - </option> - <option> - <name>1 day</name> - <value>1d_up</value> - </option> - <option> - <name>4 days</name> - <value>4d_up</value> - </option> - <option> - <name>7 days</name> - <value>7d_up</value> - </option> - <option> - <name>28 days</name> - <value>28d_up</value> - </option> - </options> - </field> - <field> - <fielddescr>Whitelist VPNs automatically</fielddescr> - <fieldname>whitelistvpns</fieldname> - <description>Checking this option will install whitelists for all VPNs.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Convert Snort alerts urls to clickable links</fielddescr> - <fieldname>clickablalerteurls</fieldname> - <description>Checking this option will automatically convert URLs in the Snort alerts tab to clickable links.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Associate events on Blocked tab</fielddescr> - <fieldname>associatealertip</fieldname> - <description>Checking this option will automatically associate the blocked reason from the snort alerts file.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Install emergingthreats rules.</fielddescr> - <fieldname>emergingthreats</fieldname> - <description>Emerging Threats is an open source community that produces fastest moving and diverse Snort Rules.</description> - <type>checkbox</type> - </field> - </fields> - <custom_php_resync_config_command> - sync_package_snort(); - </custom_php_resync_config_command> + </fields> <custom_add_php_command> </custom_add_php_command> - <custom_php_install_command> - sync_package_snort_reinstall(); - </custom_php_install_command> + <custom_php_resync_config_command> + sync_snort_package(); + </custom_php_resync_config_command> + <custom_php_install_command> + snort_postinstall(); + </custom_php_install_command> <custom_php_deinstall_command> snort_deinstall(); </custom_php_deinstall_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index e67b9b5f..4f0ddb03 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -6,7 +6,11 @@ Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2006 Scott Ullrich All rights reserved. + + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -30,95 +34,597 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("globals.inc"); -require("guiconfig.inc"); -require("/usr/local/pkg/snort.inc"); +require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); -$snort_logfile = "{$g['varlog_path']}/snort/alert"; +$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; +$snort_logfile = '/var/log/snort/alert'; -$nentries = $config['syslog']['nentries']; -if (!$nentries) - $nentries = 50; +$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; +$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; + +if ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0') +{ + $anentries = '250'; +}else{ + $anentries = $pconfig['alertnumber']; +} + +if ($_POST['save']) +{ + + //unset($input_errors); + //$pconfig = $_POST; + + /* input validation */ + if ($_POST['save']) + { + + // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) { + // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]"; + // } + + } + + /* no errors */ + if (!$input_errors) + { + + $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? on : off; + $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; + + conf_mount_rw(); + write_config(); + //conf_mount_ro(); + sleep(2); + + header("Location: /snort/snort_alerts.php"); + + } + +} + + +if ($_POST['delete']) +{ -if ($_POST['clear']) { exec("killall syslogd"); conf_mount_rw(); - exec("rm {$snort_logfile}; touch {$snort_logfile}"); + if(file_exists("/var/log/snort/alert")) + { + exec('/bin/rm /var/log/snort/*'); + exec('/usr/bin/touch /var/log/snort/alert'); + } conf_mount_ro(); system_syslogd_start(); - exec("/usr/bin/killall -HUP snort"); - exec("/usr/bin/killall snort2c"); - if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on') - exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert"); + //exec("/usr/bin/killall -HUP snort"); + +} + +if ($_POST['download']) +{ + + ob_start(); //importanr or other post will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_logs_{$save_date}.tar.gz"; + exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort"); + + if(file_exists("/tmp/snort_logs_{$save_date}.tar.gz")) + { + $file = "/tmp/snort_logs_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz"); + od_end_clean(); //importanr or other post will fail + }else{ + echo 'Error no saved file.'; + } + +} + + +/* WARNING: took me forever to figure reg expression, dont lose */ +// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; + +function get_snort_alert_date($fileline) +{ + /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ + if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) + { + $alert_date = "$matches1[0]"; + } + +return $alert_date; + +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + { + $alert_disc = "$matches[2]"; + } + +return $alert_disc; + +} + +function get_snort_alert_class($fileline) +{ + /* class */ + if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) + { + $alert_class = "$matches2[0]"; + } + +return $alert_class; + +} + +function get_snort_alert_priority($fileline) +{ + /* Priority */ + if (preg_match('/Priority:\s\d/', $fileline, $matches3)) + { + $alert_priority = "$matches3[0]"; + } + +return $alert_priority; + +} + +function get_snort_alert_proto($fileline) +{ + /* Priority */ + if (preg_match('/\{.+\}/', $fileline, $matches3)) + { + $alert_proto = "$matches3[0]"; + } + +return $alert_proto; + +} + +function get_snort_alert_proto_full($fileline) +{ + /* Protocal full */ + if (preg_match('/.+\sTTL/', $fileline, $matches2)) + { + $alert_proto_full = "$matches2[0]"; + } + +return $alert_proto_full; + +} + +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + { + $alert_ip_src = $matches4[1][0]; + } + +return $alert_ip_src; + +} + +function get_snort_alert_src_p($fileline) +{ + /* source port */ + if (preg_match('/:\d+\s-/', $fileline, $matches5)) + { + $alert_src_p = "$matches5[0]"; + } + +return $alert_src_p; + +} + +function get_snort_alert_flow($fileline) +{ + /* source port */ + if (preg_match('/(->|<-)/', $fileline, $matches5)) + { + $alert_flow = "$matches5[0]"; + } + +return $alert_flow; + +} + +function get_snort_alert_ip_dst($fileline) +{ + /* DST IP */ + $re1dp='.*?'; # Non-greedy match on filler + $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress + $re3dp='.*?'; # Non-greedy match on filler + $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) + { + $alert_ip_dst = $matches6[1][0]; + } + +return $alert_ip_dst; + } + +function get_snort_alert_dst_p($fileline) +{ + /* dst port */ + if (preg_match('/:\d+$/', $fileline, $matches7)) + { + $alert_dst_p = "$matches7[0]"; + } + +return $alert_dst_p; + +} + +function get_snort_alert_dst_p_full($fileline) +{ + /* dst port full */ + if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) + { + $alert_dst_p = "$matches7[0]"; + } + +return $alert_dst_p; + +} + +function get_snort_alert_sid($fileline) +{ + /* SID */ + if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) + { + $alert_sid = "$matches8[0]"; + } + +return $alert_sid; + +} + +// $pgtitle = "Services: Snort: Snort Alerts"; include("head.inc"); ?> +<link rel="stylesheet" href="/snort/css/style.css" type="text/css" media="all"> +<script type="text/javascript" src="/snort/javascript/mootools.js"></script> +<script type="text/javascript" src="/snort/javascript/sortableTable.js"></script> + <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +<?php + +include("./snort_fbegin.inc"); + +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; + +/* refresh every 60 secs */ +if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') +{ + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n"; +} ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", true, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); display_top_tabs($tab_array); ?> - </td></tr> - <tr> - <td> +</td> +</tr> + <tr> + <td> <div id="mainarea"> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0"> <tr> - <td colspan="2" class="listtopic"> - Last <?=$nentries;?> Snort Alert entries</td> + <td width="22%" colspan="0" class="listtopic"> + Last <?=$anentries;?> Alert Entries. + </td> + <td width="78%" class="listtopic"> + Latest Alert Entries Are Listed First. + </td> </tr> - <?php dump_log_file($snort_logfile, $nentries); ?> - <tr><td><br><form action="snort_alerts.php" method="post"> - <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr> + <tr> + <td width="22%" class="vncell">Save or Remove Logs</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_alerts.php" method="post"> + <input name="download" type="submit" class="formbtn" value="Download"> + All log files will be saved. + <input name="delete" type="submit" class="formbtn" value="Clear"> + <span class="red"><strong>Warning:</strong></span> all log files will be deleted. + </form> + </td> + </tr> + <tr> + <td width="22%" class="vncell">Auto Refresh and Log View</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_alerts.php" method="post"> + <input name="save" type="submit" class="formbtn" value="Save"> + Refresh + <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> + <strong>Default</strong> is <strong>ON</strong>. + <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> + Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>. + </form> + </td> + </tr> </table> </div> - </form> </td> </tr> </table> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <td width="100%"> + <br> + <div class="tableFilter"> + <form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">Filter: + <select id="column"> + <option value="1">PRIORITY</option> + <option value="2">PROTO</option> + <option value="3">DESCRIPTION</option> + <option value="4">CLASS</option> + <option value="5">SRC</option> + <option value="6">SRC PORT</option> + <option value="7">FLOW</option> + <option value="8">DST</option> + <option value="9">DST PORT</option> + <option value="10">SID</option> + <option value="11">Date</option> + </select> + <input type="text" id="keyword" /> + <input type="submit" value="Submit" /> + <input type="reset" value="Clear" /> + </form> + </div> +<table class="allRow" id="myTable" width="100%" border="2" cellpadding="1" cellspacing="1"> + <thead> + <th axis="number">#</th> + <th axis="string">PRI</th> + <th axis="string">PROTO</th> + <th axis="string">DESCRIPTION</th> + <th axis="string">CLASS</th> + <th axis="string">SRC</th> + <th axis="string">SPORT</th> + <th axis="string">FLOW</th> + <th axis="string">DST</th> + <th axis="string">DPORT</th> + <th axis="string">SID</th> + <th axis="date">Date</th> + </thead> + <tbody> +<?php + + /* make sure alert file exists */ + if(!file_exists('/var/log/snort/alert')) + { + conf_mount_rw(); + exec('/usr/bin/touch /var/log/snort/alert'); + conf_mount_ro(); + } + + $logent = $anentries; + + /* detect the alert file type */ + if ($snortalertlogt == 'full') + { + $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); + }else{ + $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert')))); + } + + + +if (is_array($alerts_array)) +{ + + $counter = 0; + foreach($alerts_array as $fileline) + { + + if($logent <= $counter) + continue; + + $counter++; + + /* Date */ + $alert_date_str = get_snort_alert_date($fileline); + + if($alert_date_str != '') + { + $alert_date = $alert_date_str; + }else{ + $alert_date = 'empty'; + } + + /* Discription */ + $alert_disc_str = get_snort_alert_disc($fileline); + + if($alert_disc_str != '') + { + $alert_disc = $alert_disc_str; + }else{ + $alert_disc = 'empty'; + } + + /* Classification */ + $alert_class_str = get_snort_alert_class($fileline); + + if($alert_class_str != '') + { + + $alert_class_match = array('[Classification:',']'); + $alert_class = str_replace($alert_class_match, '', "$alert_class_str"); + }else{ + $alert_class = 'Prep'; + } + + /* Priority */ + $alert_priority_str = get_snort_alert_priority($fileline); + + if($alert_priority_str != '') + { + $alert_priority_match = array('Priority: ',']'); + $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str"); + }else{ + $alert_priority = 'empty'; + } + + /* Protocol */ + /* Detect alert file type */ + if ($snortalertlogt == 'full') + { + $alert_proto_str = get_snort_alert_proto_full($fileline); + }else{ + $alert_proto_str = get_snort_alert_proto($fileline); + } + + if($alert_proto_str != '') + { + $alert_proto_match = array(" TTL",'{','}'); + $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str"); + }else{ + $alert_proto = 'empty'; + } + + /* IP SRC */ + $alert_ip_src_str = get_snort_alert_ip_src($fileline); + + if($alert_ip_src_str != '') + { + $alert_ip_src = $alert_ip_src_str; + }else{ + $alert_ip_src = 'empty'; + } + + /* IP SRC Port */ + $alert_src_p_str = get_snort_alert_src_p($fileline); + + if($alert_src_p_str != '') + { + $alert_src_p_match = array(' -',':'); + $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str"); + }else{ + $alert_src_p = 'empty'; + } + + /* Flow */ + $alert_flow_str = get_snort_alert_flow($fileline); + + if($alert_flow_str != '') + { + $alert_flow = $alert_flow_str; + }else{ + $alert_flow = 'empty'; + } + + /* IP Destination */ + $alert_ip_dst_str = get_snort_alert_ip_dst($fileline); + + if($alert_ip_dst_str != '') + { + $alert_ip_dst = $alert_ip_dst_str; + }else{ + $alert_ip_dst = 'empty'; + } + + /* IP DST Port */ + if ($snortalertlogt == 'full') + { + $alert_dst_p_str = get_snort_alert_dst_p_full($fileline); + }else{ + $alert_dst_p_str = get_snort_alert_dst_p($fileline); + } + + if($alert_dst_p_str != '') + { + $alert_dst_p_match = array(':',"\n"," TTL"); + $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str"); + $alert_dst_p_match2 = array('/[A-Z]/'); + $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2"); + }else{ + $alert_dst_p = 'empty'; + } + + /* SID */ + $alert_sid_str = get_snort_alert_sid($fileline); + + if($alert_sid_str != '') + { + $alert_sid_match = array('[',']'); + $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str"); + }else{ + $alert_sid_str = 'empty'; + } + + /* NOTE: using one echo improves performance by 2x */ + if ($alert_disc != 'empty') + { + echo "<tr id=\"{$counter}\"> + <td class=\"centerAlign\">{$counter}</td> + <td class=\"centerAlign\">{$alert_priority}</td> + <td class=\"centerAlign\">{$alert_proto}</td> + <td>{$alert_disc}</td> + <td class=\"centerAlign\">{$alert_class}</td> + <td>{$alert_ip_src}</td> + <td class=\"centerAlign\">{$alert_src_p}</td> + <td class=\"centerAlign\">{$alert_flow}</td> + <td>{$alert_ip_dst}</td> + <td class=\"centerAlign\">{$alert_dst_p}</td> + <td class=\"centerAlign\">{$alert_sid}</td> + <td>{$alert_date}</td> + </tr>\n"; + } + +// <script type="text/javascript"> +// var myTable = {}; +// window.addEvent('domready', function(){ +// myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}}); +// }); +// </script> + + } +} + +?> + </tbody> + </table> + </td> +</table> + <?php include("fend.inc"); ?> -<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>"> -</body> -</html> -<!-- <?php echo $snort_logfile; ?> --> -<?php + <script type="text/javascript"> + var myTable = {}; + window.addEvent('domready', function(){ + myTable = new sortableTable('myTable', {overCls: 'over'}); + }); + </script> -function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") { - global $g, $config; - $logarr = ""; - exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr); - foreach ($logarr as $logent) { - if(!logent) - continue; - $ww_logent = $logent; - $ww_logent = str_replace("[", " [ ", $ww_logent); - $ww_logent = str_replace("]", " ] ", $ww_logent); - echo "<tr valign=\"top\">\n"; - echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . " </td>\n"; - echo "</tr>\n"; - } -} - -?>
\ No newline at end of file +</body> +</html> diff --git a/config/snort-dev/snort_barnyard.php b/config/snort/snort_barnyard.php index b8f05c47..7a587330 100644 --- a/config/snort-dev/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -128,7 +128,7 @@ if (isset($id) && $a_nat[$id]) { if (isset($_GET['dup'])) unset($id); -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; @@ -142,7 +142,7 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; write_config(); - sync_snort_package_all(); + sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); unlink($d_snortconfdirty_path); diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index ff158853..293679d9 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -5,6 +5,9 @@ Copyright (C) 2006 Scott Ullrich All rights reserved. + Modified for the Pfsense snort package v. 1.8+ + Copyright (C) 2009 Robert Zelaya Sr. Developer + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -27,8 +30,19 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("guiconfig.inc"); -require("/usr/local/pkg/snort.inc"); +require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; +$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; + +if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0') +{ + $bnentries = '500'; +}else{ + $bnentries = $pconfig['blertnumber']; +} if($_POST['todelete'] or $_GET['todelete']) { if($_POST['todelete']) @@ -38,100 +52,147 @@ if($_POST['todelete'] or $_GET['todelete']) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); } -$pgtitle = "Snort: Snort Blocked"; -include("head.inc"); +if ($_POST['remove']) { -?> +exec("/sbin/pfctl -t snort2c -T flush"); +sleep(1); +header("Location: /snort/snort_blocked.php"); -<body link="#000000" vlink="#000000" alink="#000000"> -<?php include("fbegin.inc"); ?> +} -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> +/* TODO: build a file with block ip and disc */ +if ($_POST['download']) +{ -<form action="snort_rulesets.php" method="post" name="iform" id="iform"> -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), true, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr id="frheader"> - <td width="5%" class="listhdrr">Remove</td> - <td class="listhdrr">IP</td> - <td class="listhdrr">Alert Description</td> - </tr> -<?php + ob_start(); //important or other posts will fail + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "snort_blocked_{$save_date}.tar.gz"; + exec('/bin/mkdir /tmp/snort_blocked'); + exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf'); + + $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); + + if ($blocked_ips_array_save[0] != '') + { - $associatealertip = $config['installedpackages']['snort']['config'][0]['associatealertip']; - $ips = `/sbin/pfctl -t snort2c -T show`; - $ips_array = split("\n", $ips); - $counter = 0; - foreach($ips_array as $ip) { - if(!$ip) - continue; - $ww_ip = str_replace(" ", "", $ip); - $counter++; - if($associatealertip) - $alert_description = get_snort_alert($ww_ip); - else - $alert_description = ""; - echo "\n<tr>"; - echo "\n<td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($ww_ip)) . "'>"; - echo "\n<img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"./themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>"; - echo "\n<td> {$ww_ip}</td>"; - echo "\n<td> {$alert_description}<!-- |{$ww_ip}| get_snort_alert($ww_ip); --></td>"; - echo "\n</tr>"; + /* build the list */ + $counter = 0; + foreach($blocked_ips_array_save as $fileline3) + { + + $counter++; + + exec("/bin/echo $fileline3 >> /tmp/snort_blocked/snort_block.pf"); + + } } - echo "\n<tr><td colspan='3'> </td></tr>"; - if($counter < 1) - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">There are currently no items being blocked by snort.</td></tr>"; - else - echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter} items listed.</td></tr>"; -?> + exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); - </table> - </td> - </tr> - </table> - </div> - </td> - </tr> -</table> + if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) + { + $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; + header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); + header("Pragma: private"); // needed for IE + header("Cache-Control: private, must-revalidate"); // needed for IE + header('Content-type: application/force-download'); + header('Content-Transfer-Encoding: Binary'); + header("Content-length: ".filesize($file)); + header("Content-disposition: attachment; filename = {$file_name}"); + readfile("$file"); + exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); + exec("/bin/rm /tmp/snort_block.pf"); + exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); + od_end_clean(); //importanr or other post will fail + }else{ + echo 'Error no saved file.'; + } -</form> +} -<p> +if ($_POST['save']) +{ -<?php + /* input validation */ + if ($_POST['save']) + { + + + } + + /* no errors */ + if (!$input_errors) + { + + $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? on : off; + $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; + + conf_mount_rw(); + write_config(); + //conf_mount_ro(); + sleep(2); + + header("Location: /snort/snort_blocked.php"); + + } + +} + +/* build filter funcs */ +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + { + $alert_ip_src = $matches4[1][0]; + } + +return $alert_ip_src; + +} -$blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blocked']; +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + { + $alert_disc = "$matches[2]"; + } + +return $alert_disc; + +} + +/* build sec filters */ +function get_snort_block_ip($fileline) +{ + /* ip */ + if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) + { + $alert_block_ip = "$matches[0]"; + } + +return $alert_block_ip; + +} + +function get_snort_block_disc($fileline) +{ + /* disc */ + if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) + { + $alert_block_disc = "$matches[0]"; + } + +return $alert_block_disc; + +} + +/* tell the user what settings they have */ +$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; if ($blockedtab_msg_chk == "1h_b") { $blocked_msg = "hour"; } @@ -157,18 +218,228 @@ $blockedtab_msg_chk = $config['installedpackages']['snort']['config'][0]['rm_blo $blocked_msg = "28 days"; } -echo "This page lists hosts that have been blocked by Snort. Hosts are automatically deleted every $blocked_msg."; +if ($blockedtab_msg_chk != "never_b") +{ +$blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>."; +}else{ +$blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts."; +} + +$pgtitle = "Services: Snort Blocked Hosts"; +include("head.inc"); ?> -<?php include("fend.inc"); ?> +<body link="#000000" vlink="#000000" alink="#000000"> +<?php -</body> -</html> +include("./snort_fbegin.inc"); + +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; + +/* refresh every 60 secs */ +if ($pconfig['brefresh'] == 'on' || $pconfig['brefresh'] == '') +{ + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_blocked.php\" />\n"; +} +?> + +<script src="/row_toggle.js" type="text/javascript"></script> +<script src="/javascript/sorttable.js" type="text/javascript"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="99%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", true, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + + <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td width="22%" colspan="0" class="listtopic"> + Last <?=$bnentries;?> Blocked. + </td> + <td width="78%" class="listtopic"> + This page lists hosts that have been blocked by Snort. <?=$blocked_msg_txt;?> + </td> + </tr> + <tr> + <td width="22%" class="vncell">Save or Remove Hosts</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"> + <input name="download" type="submit" class="formbtn" value="Download"> + All blocked hosts will be saved. + <input name="remove" type="submit" class="formbtn" value="Clear"> + <span class="red"><strong>Warning:</strong></span> all hosts will be removed. + </form> + </td> + </tr> + <tr> + <td width="22%" class="vncell">Auto Refresh and Log View</td> + <td width="78%" class="vtable"> + <form action="/snort/snort_blocked.php" method="post"> + <input name="save" type="submit" class="formbtn" value="Save"> + Refresh + <input name="brefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=="on" || $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']=='') echo "checked"; ?>> + <strong>Default</strong> is <strong>ON</strong>. + <input name="blertnumber" type="text" class="formfld" id="blertnumber" size="5" value="<?=htmlspecialchars($bnentries);?>"> + Enter the number of blocked entries to view. <strong>Default</strong> is <strong>500</strong>. + </form> + </td> + </tr> + </table> + + </div> + </td> + </tr> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td> + <table id="sortabletable1" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr id="frheader"> + <td width="5%" class="listhdrr">Remove</td> + <td class="listhdrr">#</td> + <td class="listhdrr">IP</td> + <td class="listhdrr">Alert Description</td> + </tr> <?php -/* write out snort cache */ -write_snort_config_cache($snort_config); +/* set the arrays */ +exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache'); +$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); +$blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); + +$logent = $bnentries; + +if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') +{ + + /* build the list and compare blocks to alerts */ + $counter = 0; + foreach($alerts_array as $fileline) + { + + $counter++; -?>
\ No newline at end of file + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); + + if (in_array("$alert_ip_src", $blocked_ips_array)) + { + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } + } + + foreach($blocked_ips_array as $alert_block_ip) + { + + if (!in_array($alert_block_ip, $alert_ip_src_array)) + { + $input[] = "[$alert_block_ip] " . "[N\A]\n"; + } + } + + /* reduce double occurrences */ + $result = array_unique($input); + + /* buil final list, preg_match, buld html */ + $counter2 = 0; + + foreach($result as $fileline2) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_ip_str = get_snort_block_ip($fileline2); + + if($alert_block_ip_str != '') + { + $alert_block_ip_match = array('[',']'); + $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); + }else{ + $alert_block_ip = 'empty'; + } + + $alert_block_disc_str = get_snort_block_disc($fileline2); + + if($alert_block_disc_str != '') + { + $alert_block_disc_match = array('] [',']'); + $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); + }else{ + $alert_block_disc = 'empty'; + } + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + + } + +}else{ + + /* if alerts file is empty and blocked table is not empty */ + $counter2 = 0; + + foreach($blocked_ips_array as $alert_block_ip) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_disc = 'N/A'; + + /* use one echo to do the magic*/ + echo "<tr> + <td align=\"center\" valign=\"top\"'><a href='snort_blocked.php?todelete=" . trim(urlencode($alert_block_ip)) . "'> + <img title=\"Delete\" border=\"0\" name='todelete' id='todelete' alt=\"Delete\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> + <td> {$counter2}</td> + <td> {$alert_block_ip}</td> + <td> {$alert_block_disc}</td> + </tr>\n"; + } +} + +if ($blocked_ips_array[0] == '') +{ + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\"><br><strong>There are currently no items being blocked by snort.</strong></td></tr>"; +}else{ + echo "\n<tr><td colspan='3' align=\"center\" valign=\"top\">{$counter2} items listed.</td></tr>"; +} + +?> + </table> + </td> + </tr> + </table> + </td> + </tr> +</table> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 8d308245..6f95b101 100644 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -3,6 +3,7 @@ /* snort_rulesets.php Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,8 +29,8 @@ */ /* Setup enviroment */ -$tmpfname = "/root/snort_rules_up"; -$snortdir = "/usr/local/etc/snort_bkup"; +$tmpfname = "/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; $snortdir_wan = "/usr/local/etc/snort"; $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; $snort_filename = "snortrules-snapshot-2.8.tar.gz"; @@ -38,53 +39,71 @@ $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; $pfsense_rules_filename = "pfsense_rules.tar.gz"; -require("/usr/local/pkg/snort.inc"); -require_once("config.inc"); +require_once("globals.inc"); +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); -?> +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +if ($oinkid == "" && $snortdownload != "off") +{ + echo "You must obtain an oinkid from snort.org and set its value in the Snort settings tab.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'You must obtain an oinkid from snort.org and set its value in the Snort settings tab.'"); + exit; +} -<?php +if ($snortdownload != "on" && $emergingthreats != "on") +{ + echo 'Snort Global Settings: download snort.org rules = off and download emergingthreat rules = off.\n'; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'No rules have been selected to download.'"); + exit; +} + +conf_mount_rw(); + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; $up_date_time = date('l jS \of F Y h:i:s A'); -echo ""; -echo "#########################"; -echo "$up_date_time"; -echo "#########################"; -echo ""; +echo "\n"; +echo "#########################\n"; +echo "$up_date_time\n"; +echo "#########################\n"; +echo "\n\n"; + +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Checking for needed updates...'"); /* Begin main code */ /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","125M"); +/* mark the time update started */ +$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); + /* send current buffer */ ob_flush(); - -/* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - -/* if missing oinkid exit */ -if(!$oinkid) { - echo "Please add you oink code\n"; - exit; -} +conf_mount_rw(); /* premium_subscriber check */ //unset($config['installedpackages']['snort']['config'][0]['subscriber']); //write_config(); // Will cause switch back to read-only on nanobsd //conf_mount_rw(); // Uncomment this if the previous line is uncommented -$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_subscriber_chk === on) { +$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; + +if ($premium_subscriber_chk == "premium") { $premium_subscriber = "_s"; }else{ $premium_subscriber = ""; } -$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_url_chk === on) { +$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; +if ($premium_url_chk == "premium") { $premium_url = "sub-rules"; }else{ $premium_url = "reg-rules"; @@ -92,16 +111,23 @@ if ($premium_url_chk === on) { /* send current buffer */ ob_flush(); - conf_mount_rw(); + /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { + echo "Removing old tmp files...\n"; exec("/bin/rm -r {$tmpfname}"); apc_clear_cache(); } +/* Make shure snortdir exits */ +exec("/bin/mkdir -p {$snortdir}"); +exec("/bin/mkdir -p {$snortdir}/rules"); +exec("/bin/mkdir -p {$snortdir}/signatures"); + /* send current buffer */ ob_flush(); +conf_mount_rw(); /* If tmp dir does not exist create it */ if (file_exists($tmpfname)) { @@ -125,7 +151,7 @@ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { } /* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; if ($emergingthreats_url_chk == on) { echo "Downloading md5 file...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -151,14 +177,11 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { echo "Done. downloading md5\n"; } -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; - /* If md5 file is empty wait 15min exit */ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ echo "Please wait... You may only check for New Rules every 15 minutes...\n"; echo "Rules are released every month from snort.org. You may download the Rules at any time.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Rules every 15 minutes...'"); exit(0); } @@ -168,6 +191,7 @@ if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ echo "Please wait... You may only check for New Pfsense Rules every 15 minutes...\n"; echo "Rules are released to support Pfsense packages.\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Please wait... You may only check for New Pfsense Rules every 15 minutes...'"); exit(0); } @@ -178,18 +202,18 @@ $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($md5_check_new == $md5_check_old) { echo "Your rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $snort_md5_check_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your snort rules are up to date...'"); } } /* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; +$emergingthreats_url_chk = $config['installedpackages']['snortglobal']['emergingthreats']; if ($emergingthreats_url_chk == on) { if (file_exists("{$snortdir}/version.txt")){ $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); @@ -197,13 +221,13 @@ $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; /* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); write_config(); // Will cause switch back to read-only on nanobsd conf_mount_rw(); if ($emerg_md5_check_new == $emerg_md5_check_old) { echo "Your emergingthreats rules are up to date...\n"; echo "You may start Snort now, check update.\n"; $emerg_md5_check_chk_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); } } } @@ -216,39 +240,65 @@ $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_m $pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; if ($pfsense_md5_check_new == $pfsense_md5_check_old) { $pfsense_md5_check_ok = on; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); } } /* Make Clean Snort Directory emergingthreats not checked */ if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Cleaning the snort Directory...\n"; - echo "removing...\n"; - exec("/bin/rm {$snortdir}/rules/emerging*\n"); + update_status(gettext("Cleaning the snort Directory...")); + update_output_window(gettext("removing...")); + exec("/bin/rm {$snortdir}/rules/emerging*"); exec("/bin/rm {$snortdir}/version.txt"); + exec("/bin/rm {$snortdir_wan}/rules/emerging*"); + exec("/bin/rm {$snortdir_wan}/version.txt"); echo "Done making cleaning emrg direcory.\n"; } /* Check if were up to date exits */ if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - echo "Your rules are up to date...\n"; - echo "You may start Snort now...\n"; + echo "Your emergingthreats rules are up to date...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your emergingthreats rules are up to date...'"); exit(0); } if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - echo "Your rules are up to date...\n"; - echo "You may start Snort now...\n"; + echo "Your pfsense rules are up to date...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Your pfsense rules are up to date...'"); exit(0); } /* You are Not Up to date, always stop snort when updating rules for low end machines */; echo "You are NOT up to date...\n"; -echo "Stopping Snort service...\n"; +echo "Stopping All Snort Package services...\n"; +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULES ARE OUT OF DATE, UPDATING...'"); +exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Stopping All Snort Package Services...'"); $chk_if_snort_up = exec("pgrep -x snort"); if ($chk_if_snort_up != "") { - exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - stop_service("snort"); - sleep(2); + + + exec("/usr/bin/touch /tmp/snort_download_halt.pid"); + + /* dont flood the syslog code */ + exec("/bin/cp /var/log/system.log /var/log/system.log.bk"); + sleep(3); + + exec("/usr/bin/killall snort"); + exec("/bin/rm /var/run/snort*"); + sleep(2); + exec("/usr/bin/killall barnyard2"); + exec("/bin/rm /var/run/barnyard2*"); + + /* stop syslog flood code */ + exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_rules_update.log"); + exec("/usr/bin/killall syslogd"); + exec("/usr/sbin/clog -i -s 262144 /var/log/system.log"); + exec("/usr/sbin/syslogd -c -ss -f /var/etc/syslog.conf"); + sleep(2); + exec("/bin/cp /var/log/system.log.bk /var/log/system.log"); + $after_mem = exec("/usr/bin/top | /usr/bin/grep Wired | /usr/bin/awk '{ print $2 }'"); + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'MEM after snort STOP {$after_mem}'"); + } /* download snortrules file */ @@ -256,7 +306,6 @@ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Snortrule tar file exists...\n"; } else { - echo "There is a new set of Snort rules posted. Downloading...\n"; echo "May take 4 to 10 min...\n"; ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -311,28 +360,56 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { } } +/* Compair md5 sig to file sig */ + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk == on) { +//$md5 = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); +//$file_md5_ondisk = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md5 == $file_md5_ondisk) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...P is ON")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + +//$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +//if ($premium_url_chk != on) { +//$md55 = `/bin/cat {$tmpfname}/{$snort_filename_md5} | /usr/bin/awk '{ print $4 }'`; +//$file_md5_ondisk2 = `/sbin/md5 {$tmpfname}/{$snort_filename} | /usr/bin/awk '{ print $4 }'`; +// if ($md55 == $file_md5_ondisk2) { +// update_status(gettext("Valid md5 checksum pass...")); +//} else { +// update_status(gettext("The downloaded file does not match the md5 file...Not P")); +// update_output_window(gettext("Error md5 Mismatch...")); +// exit(0); +// } +//} + /* Untar snort rules file individually to help people with low system specs */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { echo "Extracting rules...\n"; echo "May take a while...\n"; - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/" . + " etc/" . + " so_rules/precompiled/FreeBSD-7.0/i386/2.8.4" . + " so_rules/bad-traffic.rules/" . + " so_rules/chat.rules/" . + " so_rules/dos.rules/" . + " so_rules/exploit.rules/" . + " so_rules/imap.rules/" . + " so_rules/misc.rules/" . + " so_rules/multimedia.rules/" . + " so_rules/netbios.rules/" . + " so_rules/nntp.rules/" . + " so_rules/p2p.rules/" . + " so_rules/smtp.rules/" . + " so_rules/sql.rules/" . + " so_rules/web-client.rules/" . + " so_rules/web-misc.rules/"); echo "Done extracting Rules.\n"; } else { echo "The Download rules file missing...\n"; @@ -364,7 +441,7 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { /* Untar snort signatures */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; if ($premium_url_chk == on) { echo "Extracting Signatures...\n"; echo "May take a while...\n"; @@ -377,8 +454,8 @@ if ($premium_url_chk == on) { /* Make Clean Snort Directory */ //if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { //if (file_exists("{$snortdir}/rules")) { -// echo "Cleaning the snort Directory...\n"; -// echo "removing...\n"; +// update_status(gettext("Cleaning the snort Directory...")); +// update_output_window(gettext("removing...")); // exec("/bin/mkdir -p {$snortdir}"); // exec("/bin/mkdir -p {$snortdir}/rules"); // exec("/bin/mkdir -p {$snortdir}/signatures"); @@ -386,96 +463,49 @@ if ($premium_url_chk == on) { // exec("/bin/rm {$snortdir}/rules/*"); // exec("/bin/rm {$snortdir_wan}/*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); + // exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); //} else { -// echo "Making Snort Directory...\n"; -// echo "should be fast...\n"; -// exec("/bin/mkdir {$snortdir}"); -// exec("/bin/mkdir {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/\*"); +// update_status(gettext("Making Snort Directory...")); +// update_output_window(gettext("should be fast...")); +// exec("/bin/mkdir -p {$snortdir}"); +// exec("/bin/mkdir -p {$snortdir}/rules"); +// exec("/bin/rm {$snortdir_wan}/*"); // exec("/bin/rm {$snortdir_wan}/rules/*"); // exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// echo "Done making snort direcory.\n"; +// update_status(gettext("Done making snort direcory.")); // } //} -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - echo "Copying so_rules...\n"; - echo "May take a while...\n"; - sleep(2); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-misc.rules {$snortdir}/rules/web-misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - echo "Done copying so_rules.\n"; -} else { - echo "Directory so_rules does not exist...\n"; - echo "Error copping so_rules...\n"; - exit(0); - } -} - -/* enable disable setting will carry over with updates */ -/* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { - -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; -$enabled_sid_on_array = split('\|\|', $enabled_sid_on); -foreach($enabled_sid_on_array as $enabled_item_on) -$selected_sid_on_sections .= "$enabled_item_on\n"; - } - -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; -$enabled_sid_off_array = split('\|\|', $enabled_sid_off); -foreach($enabled_sid_off_array as $enabled_item_off) -$selected_sid_off_sections .= "$enabled_item_off\n"; - } - -$snort_sid_text = <<<EOD - -########################################### -# # -# this is auto generated on snort updates # -# # -########################################### - -path = /bin:/usr/bin:/usr/local/bin - -update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ - -url = dir:///usr/local/etc/snort_bkup/rules - -$selected_sid_on_sections - -$selected_sid_off_sections - -EOD; - - /* open snort's threshold.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); - - fwrite($oinkmasterlist, "$snort_sid_text"); - - /* close snort's threshold.conf file */ - fclose($oinkmasterlist); - -} +/* Copy so_rules dir to snort lib dir */ +/* Disabled untill I figure out why there is a segment falut core dump on 2.8.5.3 */ +//if ($snort_md5_check_ok != on) { +//if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { +// echo "Copying so_rules...\n"; +// echo "May take a while...\n"; +// exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); +// exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); +// exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); +// exec("/bin/rm -r {$snortdir}/so_rules"); +// echo "Done copying so_rules.\n"; +//} else { +// echo "Directory so_rules does not exist...\n"; +// echo "Error copying so_rules...\n"; +// exit(0); +// } +//} /* Copy configs to snort dir */ if ($snort_md5_check_ok != on) { @@ -483,9 +513,10 @@ if (file_exists("{$snortdir}/etc/Makefile.am")) { echo "Copying configs to snort directory...\n"; exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); exec("/bin/rm -r {$snortdir}/etc"); + } else { - echo "The snort configs does not exist...\n"; - echo "Error copping config...\n"; + echo "The snort config does not exist...\n"; + echo "Error copying config...\n"; exit(0); } } @@ -497,7 +528,7 @@ if (file_exists("{$tmpfname}/$snort_filename_md5")) { exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); } else { echo "The md5 file does not exist...\n"; - echo "Error copping config...\n"; + echo "Error copying config...\n"; exit(0); } } @@ -510,7 +541,7 @@ if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); } else { echo "The emergingthreats md5 file does not exist...\n"; - echo "Error copping config...\n"; + echo "Error copying config...\n"; exit(0); } } @@ -523,14 +554,14 @@ if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); } else { echo "The Pfsense md5 file does not exist...\n"; - echo "Error copping config...\n"; + echo "Error copying config...\n"; exit(0); } } - + /* Copy signatures dir to snort dir */ if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; if ($premium_url_chk == on) { if (file_exists("{$snortdir}/doc/signatures")) { echo "Copying signatures...\n"; @@ -540,22 +571,22 @@ if (file_exists("{$snortdir}/doc/signatures")) { echo "Done copying signatures.\n"; } else { echo "Directory signatures exist...\n"; - echo "Error copping signature...\n"; + echo "Error copying signature...\n"; exit(0); } } } -/* double make shure clean up emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); } if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { @@ -563,72 +594,176 @@ if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); } +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); + +/* create a msg-map for snort */ echo "Updating Alert Messages...\n"; echo "Please Wait...\n"; -sleep(2); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// + +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ + +if (!empty($config['installedpackages']['snortglobal']['rule'])) { + +$rule_array = $config['installedpackages']['snortglobal']['rule']; +$id = -1; +foreach ($rule_array as $value) { + +$id += 1; + +$result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; +$if_real = convert_friendly_interface_to_real_interface_name($result_lan); + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf(); + + /* run oinkmaster for each interface rule */ + oinkmaster_run(); + + } +} + +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf() { + + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; + +/* enable disable setting will carry over with updates */ +/* TODO carry signature changes with the updates */ +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; +$enabled_sid_on_array = split('\|\|', $enabled_sid_on); +foreach($enabled_sid_on_array as $enabled_item_on) +$selected_sid_on_sections .= "$enabled_item_on\n"; + } + +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; +$enabled_sid_off_array = split('\|\|', $enabled_sid_off); +foreach($enabled_sid_off_array as $enabled_item_off) +$selected_sid_off_sections .= "$enabled_item_off\n"; + } + +$snort_sid_text = <<<EOD + +########################################### +# # +# this is auto generated on snort updates # +# # +########################################### + +path = /bin:/usr/bin:/usr/local/bin + +update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ + +url = dir:///usr/local/etc/snort/rules + +$selected_sid_on_sections + +$selected_sid_off_sections + +EOD; + + /* open snort's oinkmaster.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort/oinkmaster_$if_real.conf", "w"); + + fwrite($oinkmasterlist, "$snort_sid_text"); + + /* close snort's oinkmaster.conf file */ + fclose($oinkmasterlist); + + } +} /* Run oinkmaster to snort_wan and cp configs */ /* If oinkmaster is not needed cp rules normally */ /* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +function oinkmaster_run() { - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { -echo "Your first set of rules are being copied...\n"; -echo "May take a while...\n"; + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_chk_ok, $pfsense_md5_check_ok; - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); +if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + + if (empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']) || empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { + echo "Your first set of rules are being copied...\n"; + echo "May take a while...\n"; + exec("/bin/echo \"test {$snortdir} {$snortdir_wan} $id$if_real\" >> /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); } else { echo "Your enable and disable changes are being applied to your fresh set of rules...\n"; echo "May take a while...\n"; - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} $id$if_real\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_$id$if_real/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_$id$if_real"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_$id$if_real"); /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster_$id$if_real.conf -o /usr/local/etc/snort/snort_$id$if_real/rules > /usr/local/etc/snort/oinkmaster_$id$if_real.log"); + + } } } +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + /* remove old $tmpfname files */ if (file_exists("{$tmpfname}")) { echo "Cleaning up...\n"; - exec("/bin/rm -r /root/snort_rules_up"); + exec("/bin/rm -r /tmp/snort_rules_up"); +// apc_clear_cache(); } /* php code to flush out cache some people are reportting missing files this might help */ -sleep(5); +sleep(2); apc_clear_cache(); exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); + /* make snort the owner */ + exec("/usr/sbin/chown -R snort:snort /var/log/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); + exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); + exec("/bin/chmod -R 755 /var/log/snort"); + exec("/bin/chmod -R 755 /usr/local/etc/snort"); + exec("/bin/chmod -R 755 /usr/local/lib/snort"); + /* if snort is running hardrestart, if snort is not running do nothing */ if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); echo "The Rules update finished...\n"; echo "Snort has restarted with your new set of rules...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); exec("/bin/rm /tmp/snort_download_halt.pid"); } else { echo "The Rules update finished...\n"; - echo "You may start snort now...\n"; + exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'SNORT RULE UPDATE FINNISHED...'"); } + conf_mount_ro(); ?> diff --git a/config/snort-dev/snort_define_servers.php b/config/snort/snort_define_servers.php index dfda630b..04984300 100644 --- a/config/snort-dev/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -126,7 +126,7 @@ if (isset($_GET['dup'])) } /* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); if ($_POST["Submit"]) { @@ -227,9 +227,10 @@ $if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface } } +$snort_uuid = $pconfig['uuid']; /* alert file */ -$d_snortconfdirty_path = "/var/run/snort_conf_{$pconfig['uuid']}_{$if_real}.dirty"; +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid }_{$if_real}.dirty"; /* this will exec when alert says apply */ if ($_POST['apply']) { @@ -238,7 +239,7 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$pconfig['uuid']}_{$if_real}.dirt write_config(); - sync_snort_package_all(); + sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); unlink($d_snortconfdirty_path); diff --git a/config/snort/snort_download_rules.php b/config/snort/snort_download_rules.php index 9826ba2a..b2bcb748 100644 --- a/config/snort/snort_download_rules.php +++ b/config/snort/snort_download_rules.php @@ -2,7 +2,8 @@ /* $Id$ */ /* snort_rulesets.php - Copyright (C) 2006 Scott Ullrich and Robert Zelaya + Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,8 +29,15 @@ */ /* Setup enviroment */ -$tmpfname = "/root/snort_rules_up"; -$snortdir = "/usr/local/etc/snort_bkup"; + +/* TODO: review if include files are needed */ +require_once("guiconfig.inc"); +require_once("functions.inc"); +require_once("service-utils.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +$tmpfname = "/tmp/snort_rules_up"; +$snortdir = "/usr/local/etc/snort"; $snortdir_wan = "/usr/local/etc/snort"; $snort_filename_md5 = "snortrules-snapshot-2.8.tar.gz.md5"; $snort_filename = "snortrules-snapshot-2.8.tar.gz"; @@ -38,27 +46,213 @@ $emergingthreats_filename = "emerging.rules.tar.gz"; $pfsense_rules_filename_md5 = "pfsense_rules.tar.gz.md5"; $pfsense_rules_filename = "pfsense_rules.tar.gz"; -require_once("guiconfig.inc"); -require_once("functions.inc"); -require_once("service-utils.inc"); -require("/usr/local/pkg/snort.inc"); +$id_d = $_GET['id_d']; +if (isset($_POST['id_d'])) + $id_d = $_POST['id_d']; + +/* Time stamps define */ +$last_md5_download = $config['installedpackages']['snortglobal']['last_md5_download']; +$last_rules_install = $config['installedpackages']['snortglobal']['last_rules_install']; + +/* define checks */ +$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; +$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; + + + if ($snortdownload == "off" && $emergingthreats != "on") + { + $snort_emrging_info = "stop"; + } + + if ($oinkid == "" && $snortdownload != "off") + { + $snort_oinkid_info = "stop"; + } + + + /* check if main rule directory is empty */ + $if_mrule_dir = "/usr/local/etc/snort/rules"; + $mfolder_chk = (count(glob("$if_mrule_dir/*")) === 0) ? 'empty' : 'full'; + + +if (file_exists('/var/run/snort.conf.dirty')) { + $snort_dirty_d = 'stop'; +} + + + +/* If no id show the user a button */ +if ($id_d == "" || $snort_emrging_info == "stop" || $snort_oinkid_info == "stop" || $snort_dirty_d == 'stop') { + +$pgtitle = "Services: Snort: Rule Updates"; + +include("head.inc"); +include("./snort_fbegin.inc"); +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; + + echo "<table height=\"32\" width=\"100%\">\n"; + echo " <tr>\n"; + echo " <td>\n"; + echo " <div style='background-color:#E0E0E0' id='redbox'>\n"; + echo " <table width='100%'><tr><td width='8%'>\n"; + echo " <img style='vertical-align:middle' src=\"/snort/images/icon_excli.png\" width=\"40\" height=\"32\">\n"; + echo " </td>\n"; + echo " <td width='70%'><font color='#FF850A'><b>NOTE:</b></font><font color='#000000'> Snort.org and Emergingthreats.net will go down from time to time. Please be patient.</font>\n"; + echo " </td>"; + echo " </tr></table>\n"; + echo " </div>\n"; + echo " </td>\n"; + echo "</table>\n"; + echo "<script type=\"text/javascript\">\n"; + echo "NiftyCheck();\n"; + echo "Rounded(\"div#redbox\",\"all\",\"#FFF\",\"#E0E0E0\",\"smooth\");\n"; + echo "Rounded(\"td#blackbox\",\"all\",\"#FFF\",\"#000000\",\"smooth\");\n"; + echo "</script>\n"; + echo "\n<br>\n"; + +/* make sure user has javascript on */ +echo "<style type=\"text/css\"> +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} +</style> +<noscript><div class=\"alert\" ALIGN=CENTER><img src=\"/themes/nervecenter/images/icons/icon_alert.gif\"/><strong>Please enable JavaScript to view this content</CENTER></div></noscript>\n"; +echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">\n"; + +echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n +<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n +<table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n"; + + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); + +if ($snort_emrging_info == "stop" && $snort_oinkid_info == "stop") { +$disable_enable_button = 'onclick="this.disabled=true"'; +}else{ +$disable_enable_button = "onClick=\"parent.location='/snort/snort_download_rules.php?id_d=up'\""; +} +echo "</td>\n + </tr>\n + <tr>\n + <td>\n + <div id=\"mainarea\">\n + <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n + <tr>\n + <td>\n +<input name=\"Submit\" type=\"submit\" class=\"formbtn\" $disable_enable_button value=\"Update Rules\" $disable_button> <br><br> \n"; + +if ($mfolder_chk == "empty") +{ +echo "<span class=\"red\"><strong>WARNING:</strong></span> The main rules <strong>directory</strong> is <strong>empty</strong>. /usr/local/etc/snort/rules <br><br>\n"; +} + +if ($snort_emrging_info == "stop") { +echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and select ether snort.org or enmergingthreats.net rules to download. <br><br> \n"; +} + +if ($snort_oinkid_info == "stop") { +echo "<span class=\"red\"><strong>WARNING:</strong></span> Click on the <strong>\"Global Settings\"</strong> tab and enter a <strong>oinkmaster</strong> code. <br><br> \n"; +} + +if ($snort_dirty_d == "stop") { +echo "<span class=\"red\"><strong>WARNING:</span> CHANGES HAVE NOT BEEN APPLIED</strong> Click on the <strong>\"Apply Settings\"</strong> button at the main interface tab.<br><br> \n"; +} + +echo " </td>\n + </tr>\n + </table>\n + </div>\n + </td>\n + </tr>\n +</table>\n +\n +</form>\n +\n +<p>\n\n"; + +if ($id_d == "") +echo "Click on the <strong>\"Update Rules\"</strong> button to start the updates. <br><br> \n"; + +if ($config['installedpackages']['snortglobal']['last_md5_download'] != "") +echo "The last time the updates were started <strong>$last_md5_download</strong>. <br><br> \n"; + +if ($config['installedpackages']['snortglobal']['last_rules_install'] != "") +echo "The last time the updates were installed <strong>$last_rules_install</strong>. <br><br> \n"; + +include("fend.inc"); + +echo "</body>"; +echo "</html>"; + +exit(0); + +} $pgtitle = "Services: Snort: Update Rules"; include("/usr/local/www/head.inc"); ?> - <script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> +<script type="text/javascript" src="/snort/javascript/jquery-1.3.2.js"></script> +<script type="text/javascript" src="/snort/javascript/jquery.blockUI.js?v2.28"></script> + +<script type="text/javascript"> +<!-- + +function displaymessage() +{ + + $.blockUI.defaults.message = "Please be patient...."; + + $.blockUI({ + + css: { + border: 'none', + padding: '15px', + backgroundColor: '#000', + '-webkit-border-radius': '10px', + '-moz-border-radius': '10px', + opacity: .5, + color: '#fff', + } + }); + +} -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +function displaymessagestop() +{ -<?php include("/usr/local/www/fbegin.inc"); ?> +setTimeout($.unblockUI, 2000); -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> +} + +// --> +</script> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> <form action="snort_download_rules.php" method="post"> <div id="inputerrors"></div> @@ -67,23 +261,28 @@ if(!$pgtitle_output) <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), true, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php"); + $tab_array[] = array("Rule Updates", true, "/snort/snort_download_rules.php"); + $tab_array[] = array("Alerts", false, "/snort/snort_alerts.php"); + $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php"); + $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml"); + $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php"); + display_top_tabs($tab_array); ?> - </td> - </tr> - <tr> - <td> + +<script type="text/javascript"> +<!-- + displaymessage(); +// --> +</script> + +</td> +</tr> + <br> + <tr> + <td> <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> @@ -92,7 +291,7 @@ if(!$pgtitle_output) <table id="progholder" width='420' style='border-collapse: collapse; border: 1px solid #000000;' cellpadding='2' cellspacing='2'> <tr> <td> - <img border='0' src='./themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> + <img border='0' src='../themes/<?= $g['theme']; ?>/images/misc/progress_bar.gif' width='280' height='23' name='progressbar' id='progressbar' alt='' /> </td> </tr> </table> @@ -112,47 +311,34 @@ if(!$pgtitle_output) </tr> </table> </form> - <?php include("fend.inc");?> <?php +conf_mount_rw(); /* Begin main code */ /* Set user agent to Mozilla */ ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); ini_set("memory_limit","125M"); +/* mark the time update started */ +$config['installedpackages']['snortglobal']['last_md5_download'] = date("Y-M-jS-h:i-A"); + /* send current buffer */ ob_flush(); +conf_mount_rw(); -/* define oinkid */ -if($config['installedpackages']['snort']) - $oinkid = $config['installedpackages']['snort']['config'][0]['oinkmastercode']; - -/* if missing oinkid exit */ -if(!$oinkid) { - $static_output = gettext("You must obtain an oinkid from snort.org and set its value in the Snort settings tab."); - update_all_status($static_output); - hide_progress_bar_status(); - exit; -} - -/* premium_subscriber check */ -//unset($config['installedpackages']['snort']['config'][0]['subscriber']); -//write_config(); // Will cause switch back to read-only on nanobsd -//conf_mount_rw(); // Uncomment this if the previous line is uncommented - -$premium_subscriber_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; +$premium_subscriber_chk = $config['installedpackages']['snortglobal']['snortdownload']; -if ($premium_subscriber_chk === on) { +if ($premium_subscriber_chk == "premium") { $premium_subscriber = "_s"; }else{ $premium_subscriber = ""; } -$premium_url_chk = $config['installedpackages']['snort']['config'][0]['subscriber']; -if ($premium_url_chk === on) { +$premium_url_chk = $config['installedpackages']['snortglobal']['snortdownload']; +if ($premium_url_chk == "premium") { $premium_url = "sub-rules"; }else{ $premium_url = "reg-rules"; @@ -163,7 +349,6 @@ hide_progress_bar_status(); /* send current buffer */ ob_flush(); - conf_mount_rw(); /* remove old $tmpfname files */ @@ -177,9 +362,11 @@ if (file_exists("{$tmpfname}")) { exec("/bin/mkdir -p {$snortdir}"); exec("/bin/mkdir -p {$snortdir}/rules"); exec("/bin/mkdir -p {$snortdir}/signatures"); +exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules/"); /* send current buffer */ ob_flush(); +conf_mount_rw(); /* If tmp dir does not exist create it */ if (file_exists($tmpfname)) { @@ -192,35 +379,39 @@ if (file_exists($tmpfname)) { unhide_progress_bar_status(); /* download md5 sig from snort.org */ -if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("md5 temp file exists...")); -} else { - update_status(gettext("Downloading md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); +if ($snortdownload == "basic" || $snortdownload == "premium") +{ + if (file_exists("{$tmpfname}/{$snort_filename_md5}") && + filesize("{$tmpfname}/{$snort_filename_md5}") > 0) { + update_status(gettext("snort.org md5 temp file exists...")); + } else { + update_status(gettext("Downloading snort.org md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5?oink_code={$oinkid}"); // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz.md5"); - $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done. downloading md5")); + $f = fopen("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done downloading snort.org md5")); + } } /* download md5 sig from emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { - update_status(gettext("Downloading md5 file...")); - ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); - $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); +if ($emergingthreats == "on") +{ + update_status(gettext("Downloading emergingthreats md5 file...")); + ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); + $image = @file_get_contents("http://www.emergingthreats.net/version.txt"); // $image = @file_get_contents("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/version.txt"); - $f = fopen("{$tmpfname}/version.txt", 'w'); - fwrite($f, $image); - fclose($f); - update_status(gettext("Done. downloading md5")); + $f = fopen("{$tmpfname}/version.txt", 'w'); + fwrite($f, $image); + fclose($f); + update_status(gettext("Done downloading emergingthreats md5")); } /* download md5 sig from pfsense.org */ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { - update_status(gettext("md5 temp file exists...")); + update_status(gettext("pfsense md5 temp file exists...")); } else { update_status(gettext("Downloading pfsense md5 file...")); ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); @@ -229,23 +420,30 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename_md5}")) { $f = fopen("{$tmpfname}/pfsense_rules.tar.gz.md5", 'w'); fwrite($f, $image); fclose($f); - update_status(gettext("Done. downloading md5")); + update_status(gettext("Done downloading pfsense md5.")); } -/* Time stamps define */ -$last_md5_download = $config['installedpackages']['snort']['last_md5_download']; -$last_rules_install = $config['installedpackages']['snort']['last_rules_install']; - /* If md5 file is empty wait 15min exit */ -if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")){ - update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); - update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); - hide_progress_bar_status(); - /* Display last time of sucsessful md5 check from cache */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; - echo "\n\n</body>\n</html>\n"; - exit(0); +if ($snortdownload != "off") +{ + if (0 == filesize("{$tmpfname}/snortrules-snapshot-2.8.tar.gz.md5")) + { + update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); + update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); + hide_progress_bar_status(); + /* Display last time of sucsessful md5 check from cache */ + echo "\n\n</body>\n</html>\n"; + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } } /* If emergingthreats md5 file is empty wait 15min exit not needed */ @@ -256,89 +454,138 @@ if (0 == filesize("{$tmpfname}/$pfsense_rules_filename_md5")){ update_output_window(gettext("Rules are released to support Pfsense packages.")); hide_progress_bar_status(); /* Display last time of sucsessful md5 check from cache */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; echo "\n\n</body>\n</html>\n"; + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); exit(0); } /* Check if were up to date snort.org */ -if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")){ -$md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($md5_check_new == $md5_check_old) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); - hide_progress_bar_status(); - /* Timestamps to html */ - echo "\n<p align=center><b>You last checked for updates: </b>{$last_md5_download}</p>\n"; - echo "\n<p align=center><b>You last installed for rules: </b>{$last_rules_install}</p>\n"; -// echo "P is this code {$premium_subscriber}"; +if ($snortdownload != "off") +{ + if (file_exists("{$snortdir}/snortrules-snapshot-2.8.tar.gz.md5")) + { + $md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); + $md5_check_new = `/bin/echo "{$md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); + $md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + /* Write out time of last sucsessful md5 to cache */ + write_config(); // Will cause switch back to read-only on nanobsd + conf_mount_rw(); + if ($md5_check_new == $md5_check_old) + { + update_status(gettext("Your rules are up to date...")); + update_output_window(gettext("You may start Snort now, check update.")); + hide_progress_bar_status(); echo "\n\n</body>\n</html>\n"; $snort_md5_check_ok = on; - } + } + } } /* Check if were up to date emergingthreats.net */ -$emergingthreats_url_chk = $config['installedpackages']['snort']['config'][0]['emergingthreats']; -if ($emergingthreats_url_chk == on) { -if (file_exists("{$snortdir}/version.txt")){ -$emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); -$emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); -$emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -/* Write out time of last sucsessful md5 to cache */ -$config['installedpackages']['snort']['last_md5_download'] = date("Y-M-jS-h:i-A"); -write_config(); // Will cause switch back to read-only on nanobsd -conf_mount_rw(); -if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Your emergingthreats rules are up to date...")); - update_output_window(gettext("You may start Snort now, check update.")); +if ($emergingthreats == "on") +{ + if (file_exists("{$snortdir}/version.txt")) + { + $emerg_md5_check_new_parse = file_get_contents("{$tmpfname}/version.txt"); + $emerg_md5_check_new = `/bin/echo "{$emerg_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $emerg_md5_check_old_parse = file_get_contents("{$snortdir}/version.txt"); + $emerg_md5_check_old = `/bin/echo "{$emerg_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + /* Write out time of last sucsessful md5 to cache */ + // Will cause switch back to read-only on nanobsd + write_config(); + conf_mount_rw(); + if ($emerg_md5_check_new == $emerg_md5_check_old) + { hide_progress_bar_status(); - $emerg_md5_check_chk_ok = on; - } - } + $emerg_md5_check_ok = on; + } + } } /* Check if were up to date pfsense.org */ -if (file_exists("{$snortdir}/$pfsense_rules_filename_md5")){ -$pfsense_md5_check_new_parse = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); -$pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; -$pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/{$snort_filename_md5}"); -$pfsense_md5_check_old = `/bin/echo "{$md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; -if ($pfsense_md5_check_new == $pfsense_md5_check_old) { + if (file_exists("{$snortdir}/pfsense_rules.tar.gz.md5")) + { + $pfsense_check_new_parse = file_get_contents("{$tmpfname}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_new = `/bin/echo "{$pfsense_md5_check_new_parse}" | /usr/bin/awk '{ print $1 }'`; + $pfsense_md5_check_old_parse = file_get_contents("{$snortdir}/pfsense_rules.tar.gz.md5"); + $pfsense_md5_check_old = `/bin/echo "{$pfsense_md5_check_old_parse}" | /usr/bin/awk '{ print $1 }'`; + /* Write out time of last sucsessful md5 to cache */ + // Will cause switch back to read-only on nanobsd + write_config(); + conf_mount_rw(); + if ($pfsense_md5_check_new == $pfsense_md5_check_old) + { + hide_progress_bar_status(); $pfsense_md5_check_ok = on; - } -} + } + } -/* Make Clean Snort Directory emergingthreats not checked */ -if ($snort_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Cleaning the snort Directory...")); - update_output_window(gettext("removing...")); - exec("/bin/rm {$snortdir}/rules/emerging*"); - exec("/bin/rm {$snortdir}/version.txt"); - exec("/bin/rm {$snortdir_wan}/rules/emerging*"); - exec("/bin/rm {$snortdir_wan}/version.txt"); - update_status(gettext("Done making cleaning emrg direcory.")); +/* Check if were up to date is so, exit */ +/* WARNING This code needs constant checks */ +if ($snortdownload != "off" && $emergingthreats != "off") +{ + if ($snort_md5_check_ok == "on" && $emerg_md5_check_ok == "on") + { + update_status(gettext("All your rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + echo ' + <script type="text/javascript"> + <!-- + displaymessagestop(); + // --> + </script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } } -/* Check if were up to date exits */ -if ($snort_md5_check_ok == on && $emerg_md5_check_chk_ok == on && $pfsense_md5_check_ok == on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); +if ($snortdownload == "on" && $emergingthreats == "off") +{ + if ($snort_md5_check_ok == "on") + { + update_status(gettext("Your snort.org rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + echo ' + <script type="text/javascript"> + <!-- + displaymessagestop(); + // --> + </script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } } -if ($snort_md5_check_ok == on && $pfsense_md5_check_ok == on && $emergingthreats_url_chk != on) { - update_status(gettext("Your rules are up to date...")); - update_output_window(gettext("You may start Snort now...")); - exit(0); +if ($snortdownload == "off" && $emergingthreats == "on") +{ + if ($emerg_md5_check_ok == "on") + { + update_status(gettext("Your Emergingthreats rules are up to date...")); + update_output_window(gettext("You may start Snort now...")); + echo ' + <script type="text/javascript"> + <!-- + displaymessagestop(); + // --> + </script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } } /* You are Not Up to date, always stop snort when updating rules for low end machines */; @@ -347,45 +594,60 @@ update_output_window(gettext("Stopping Snort service...")); $chk_if_snort_up = exec("pgrep -x snort"); if ($chk_if_snort_up != "") { exec("/usr/bin/touch /tmp/snort_download_halt.pid"); - stop_service("snort"); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh stop"); sleep(2); } /* download snortrules file */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Snortrule tar file exists...")); -} else { - unhide_progress_bar_status(); - update_status(gettext("There is a new set of Snort rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Snortrule tar file exists...")); + } else { + unhide_progress_bar_status(); + update_status(gettext("There is a new set of Snort rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); // download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading rules file.")); - if (150000 > filesize("{$tmpfname}/$snort_filename")){ - update_status(gettext("Error with the snort rules download...")); - update_output_window(gettext("Snort rules file downloaded failed...")); - exit(0); - } - } + download_file_with_progress_bar("http://dl.snort.org/{$premium_url}/snortrules-snapshot-2.8{$premium_subscriber}.tar.gz?oink_code={$oinkid}", $tmpfname . "/{$snort_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading rules file.")); + if (150000 > filesize("{$tmpfname}/$snort_filename")){ + update_status(gettext("Error with the snort rules download...")); + update_output_window(gettext("Snort rules file downloaded failed...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } + } } - + /* download emergingthreats rules file */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Emergingthreats tar file exists...")); -} else { - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - update_output_window(gettext("May take 4 to 10 min...")); +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != on) + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Emergingthreats tar file exists...")); + }else{ + update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_output_window(gettext("May take 4 to 10 min...")); // download_file_with_progress_bar("http://www.mtest.local/pub-bin/oinkmaster.cgi/{$oinkid}/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); - update_all_status($static_output); - update_status(gettext("Done downloading Emergingthreats rules file.")); - } - } - } + download_file_with_progress_bar("http://www.emergingthreats.net/rules/emerging.rules.tar.gz", $tmpfname . "/{$emergingthreats_filename}", "read_body_firmware"); + update_all_status($static_output); + update_status(gettext("Done downloading Emergingthreats rules file.")); + } + } +} /* download pfsense rules file */ if ($pfsense_md5_check_ok != on) { @@ -431,44 +693,65 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { //} /* Untar snort rules file individually to help people with low system specs */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/{$snort_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/"); - exec("`/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/*`"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/bad-traffic.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/chat.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/dos.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/exploit.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/imap.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/misc.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/multimedia.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/netbios.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/nntp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/p2p.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/smtp.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/sql.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-client.rules/"); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} so_rules/web-misc.rules/"); - update_status(gettext("Done extracting Rules.")); -} else { - update_status(gettext("The Download rules file missing...")); - update_output_window(gettext("Error rules extracting failed...")); - exit(0); - } +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$tmpfname}/{$snort_filename}")) { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mkdir -p {$snortdir}/rules_bk/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/rules_bk rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} etc/" . + " so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1/" . + " so_rules/bad-traffic.rules/" . + " so_rules/chat.rules/" . + " so_rules/dos.rules/" . + " so_rules/exploit.rules/" . + " so_rules/imap.rules/" . + " so_rules/misc.rules/" . + " so_rules/multimedia.rules/" . + " so_rules/netbios.rules/" . + " so_rules/nntp.rules/" . + " so_rules/p2p.rules/" . + " so_rules/smtp.rules/" . + " so_rules/sql.rules/" . + " so_rules/web-client.rules/" . + " so_rules/web-misc.rules/"); + /* add prefix to all snort.org files */ + /* remove this part and make it all php with the simplst code posible */ + chdir ("/usr/local/etc/snort/rules_bk/rules"); + sleep(2); + exec('/usr/local/bin/perl /usr/local/bin/snort_rename.pl s/^/snort_/ *.rules'); + update_status(gettext("Done extracting Rules.")); + }else{ + update_status(gettext("The Download rules file missing...")); + update_output_window(gettext("Error rules extracting failed...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } } /* Untar emergingthreats rules to tmp */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting rules...")); - update_output_window(gettext("May take a while...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - } +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != on) + { + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) + { + update_status(gettext("Extracting rules...")); + update_output_window(gettext("May take a while...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); + } + } } /* Untar Pfsense rules to tmp */ @@ -483,7 +766,7 @@ if (file_exists("{$tmpfname}/{$pfsense_rules_filename}")) { /* Untar snort signatures */ if ($snort_md5_check_ok != on) { if (file_exists("{$tmpfname}/{$snort_filename}")) { -$signature_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['signatureinfo']; +$signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; if ($premium_url_chk == on) { update_status(gettext("Extracting Signatures...")); update_output_window(gettext("May take a while...")); @@ -493,74 +776,250 @@ if ($premium_url_chk == on) { } } -/* Make Clean Snort Directory */ -//if ($snort_md5_check_ok != on && $emerg_md5_check_chk_ok != on && $pfsense_md5_check_ok != on) { -//if (file_exists("{$snortdir}/rules")) { -// update_status(gettext("Cleaning the snort Directory...")); -// update_output_window(gettext("removing...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/mkdir -p {$snortdir}/signatures"); -// exec("/bin/rm {$snortdir}/*"); -// exec("/bin/rm {$snortdir}/rules/*"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); +/* Copy so_rules dir to snort lib dir */ +/* Disabed untill I find out why there is a segment failt coredump when using these rules on 2.8.5.3 */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1")) { + update_status(gettext("Copying so_rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.5.1/* /usr/local/lib/snort/dynamicrules/"); + exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/snort_bad-traffic.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/snort_chat.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/snort_dos.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/snort_exploit.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/snort_imap.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/snort_misc.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/snort_multimedia.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/snort_netbios.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/snort_nntp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/snort_p2p.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/snort_smtp.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/snort_sql.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-activex.rules {$snortdir}/rules/snort_web-activex.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/snort_web-client.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web-iis.rules {$snortdir}/rules/snort_web-iis.so.rules"); + exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/snort_web.misc.so.rules"); + exec("/bin/rm -r {$snortdir}/so_rules"); + update_status(gettext("Done copying so_rules.")); + }else{ + update_status(gettext("Directory so_rules does not exist...")); + update_output_window(gettext("Error copying so_rules...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} + +/* Copy renamed snort.org rules to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) + { + if (file_exists("{$snortdir}/rules_bk/rules/Makefile.am")) + { + update_status(gettext("Copying renamed snort.org rules to snort directory...")); + exec("/bin/cp {$snortdir}/rules_bk/rules/* {$snortdir}/rules/"); + }else{ + update_status(gettext("The renamed snort.org rules do not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} + +/* Copy configs to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) + { + if (file_exists("{$snortdir}/etc/Makefile.am")) { + update_status(gettext("Copying configs to snort directory...")); + exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); + exec("/bin/rm -r {$snortdir}/etc"); + }else{ + update_status(gettext("The snort config does not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } +} + + +/* Copy md5 sig to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) { + if (file_exists("{$tmpfname}/$snort_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); + }else{ + update_status(gettext("The md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/*"); -//} else { -// update_status(gettext("Making Snort Directory...")); -// update_output_window(gettext("should be fast...")); -// exec("/bin/mkdir -p {$snortdir}"); -// exec("/bin/mkdir -p {$snortdir}/rules"); -// exec("/bin/rm {$snortdir_wan}/*"); -// exec("/bin/rm {$snortdir_wan}/rules/*"); -// exec("/bin/rm /usr/local/lib/snort/dynamicrules/\*"); -// update_status(gettext("Done making snort direcory.")); -// } -//} +/* Copy emergingthreats md5 sig to snort dir */ +if ($emergingthreats == "on") +{ + if ($emerg_md5_check_ok != on) + { + if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) + { + update_status(gettext("Copying md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); + }else{ + update_status(gettext("The emergingthreats md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); + } + } +} -/* Copy so_rules dir to snort lib dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/")) { - update_status(gettext("Copying so_rules...")); - update_output_window(gettext("May take a while...")); - exec("`/bin/cp -f {$snortdir}/so_rules/precompiled/FreeBSD-7.0/i386/2.8.4/* /usr/local/lib/snort/dynamicrules/`"); - exec("/bin/cp {$snortdir}/so_rules/bad-traffic.rules {$snortdir}/rules/bad-traffic.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/chat.rules {$snortdir}/rules/chat.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/dos.rules {$snortdir}/rules/dos.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/exploit.rules {$snortdir}/rules/exploit.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/imap.rules {$snortdir}/rules/imap.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/misc.rules {$snortdir}/rules/misc.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/multimedia.rules {$snortdir}/rules/multimedia.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/netbios.rules {$snortdir}/rules/netbios.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/nntp.rules {$snortdir}/rules/nntp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/p2p.rules {$snortdir}/rules/p2p.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/smtp.rules {$snortdir}/rules/smtp.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/sql.rules {$snortdir}/rules/sql.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web-client.rules {$snortdir}/rules/web-client.so.rules"); - exec("/bin/cp {$snortdir}/so_rules/web.misc.rules {$snortdir}/rules/web.misc.so.rules"); - exec("/bin/rm -r {$snortdir}/so_rules"); - update_status(gettext("Done copying so_rules.")); +/* Copy Pfsense md5 sig to snort dir */ +if ($pfsense_md5_check_ok != on) { +if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { + update_status(gettext("Copying Pfsense md5 sig to snort directory...")); + exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); } else { - update_status(gettext("Directory so_rules does not exist...")); - update_output_window(gettext("Error copying so_rules...")); - exit(0); + update_status(gettext("The Pfsense md5 file does not exist...")); + update_output_window(gettext("Error copying config...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + echo "</body>"; + echo "</html>"; + conf_mount_ro(); + exit(0); } } + +/* Copy signatures dir to snort dir */ +if ($snortdownload != "off") +{ + if ($snort_md5_check_ok != on) + { + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == on) + { + if (file_exists("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying signatures...")); + update_output_window(gettext("May take a while...")); + exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); + exec("/bin/rm -r {$snortdir}/doc/signatures"); + update_status(gettext("Done copying signatures.")); + }else{ + update_status(gettext("Directory signatures exist...")); + update_output_window(gettext("Error copying signature...")); + echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; +echo "</body>"; +echo "</html>"; +conf_mount_ro(); + exit(0); + } + } + } +} + +/* double make shure cleanup emerg rules that dont belong */ +if (file_exists("/usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules")) { + apc_clear_cache(); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-botcc.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-compromised-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-drop-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-dshield-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-rbn-BLOCK.rules"); + exec("/bin/rm /usr/local/etc/snort/rules/emerging-tor-BLOCK.rules"); +} + +if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); + exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); +} + +/* make shure default rules are in the right format */ +exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); +/* create a msg-map for snort */ +update_status(gettext("Updating Alert Messages...")); +update_output_window(gettext("Please Wait...")); +exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map"); + + +////////////////// + +/* open oinkmaster_conf for writing" function */ +function oinkmaster_conf($id, $if_real, $iface_uuid) +{ + + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + conf_mount_rw(); + /* enable disable setting will carry over with updates */ /* TODO carry signature changes with the updates */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { +if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) { -if (!empty($config['installedpackages']['snort']['rule_sid_on'])) { -$enabled_sid_on = $config['installedpackages']['snort']['rule_sid_on']; +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'])) { +$enabled_sid_on = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on']; $enabled_sid_on_array = split('\|\|', $enabled_sid_on); foreach($enabled_sid_on_array as $enabled_item_on) $selected_sid_on_sections .= "$enabled_item_on\n"; } -if (!empty($config['installedpackages']['snort']['rule_sid_off'])) { -$enabled_sid_off = $config['installedpackages']['snort']['rule_sid_off']; +if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'])) { +$enabled_sid_off = $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off']; $enabled_sid_off_array = split('\|\|', $enabled_sid_off); foreach($enabled_sid_off_array as $enabled_item_off) $selected_sid_off_sections .= "$enabled_item_off\n"; @@ -578,7 +1037,7 @@ path = /bin:/usr/bin:/usr/local/bin update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$ -url = dir:///usr/local/etc/snort_bkup/rules +url = dir:///usr/local/etc/snort/rules $selected_sid_on_sections @@ -586,153 +1045,99 @@ $selected_sid_off_sections EOD; - /* open snort's threshold.conf for writing */ - $oinkmasterlist = fopen("/usr/local/etc/snort_bkup/oinkmaster.conf", "w"); + /* open snort's oinkmaster.conf for writing */ + $oinkmasterlist = fopen("/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf", "w"); fwrite($oinkmasterlist, "$snort_sid_text"); - /* close snort's threshold.conf file */ + /* close snort's oinkmaster.conf file */ fclose($oinkmasterlist); + } } -/* Copy configs to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$snortdir}/etc/Makefile.am")) { - update_status(gettext("Copying configs to snort directory...")); - exec("/bin/cp {$snortdir}/etc/* {$snortdir}"); - exec("/bin/rm -r {$snortdir}/etc"); - -} else { - update_status(gettext("The snort config does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} +/* Run oinkmaster to snort_wan and cp configs */ +/* If oinkmaster is not needed cp rules normally */ +/* TODO add per interface settings here */ +function oinkmaster_run($id, $if_real, $iface_uuid) +{ -/* Copy md5 sig to snort dir */ -if ($snort_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$snort_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$snort_filename_md5 {$snortdir}/$snort_filename_md5"); -} else { - update_status(gettext("The md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} + global $config, $g, $id, $if_real, $snortdir_wan, $snortdir, $snort_md5_check_ok, $emerg_md5_check_ok, $pfsense_md5_check_ok; + conf_mount_rw(); -/* Copy emergingthreats md5 sig to snort dir */ -if ($emergingthreats_url_chk == on) { -if ($emerg_md5_check_chk_ok != on) { -if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$emergingthreats_filename_md5 {$snortdir}/$emergingthreats_filename_md5"); -} else { - update_status(gettext("The emergingthreats md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } - } -} + if ($snort_md5_check_ok != on || $emerg_md5_check_ok != on || $pfsense_md5_check_ok != on) + { -/* Copy Pfsense md5 sig to snort dir */ -if ($pfsense_md5_check_ok != on) { -if (file_exists("{$tmpfname}/$pfsense_rules_filename_md5")) { - update_status(gettext("Copying Pfsense md5 sig to snort directory...")); - exec("/bin/cp {$tmpfname}/$pfsense_rules_filename_md5 {$snortdir}/$pfsense_rules_filename_md5"); -} else { - update_status(gettext("The Pfsense md5 file does not exist...")); - update_output_window(gettext("Error copying config...")); - exit(0); - } -} - -/* Copy signatures dir to snort dir */ -if ($snort_md5_check_ok != on) { -$signature_info_chk = $config['installedpackages']['snort']['config'][0]['signatureinfo']; -if ($premium_url_chk == on) { -if (file_exists("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying signatures...")); - update_output_window(gettext("May take a while...")); - exec("/bin/mv -f {$snortdir}/doc/signatures {$snortdir}/signatures"); - exec("/bin/rm -r {$snortdir}/doc/signatures"); - update_status(gettext("Done copying signatures.")); -} else { - update_status(gettext("Directory signatures exist...")); - update_output_window(gettext("Error copying signature...")); - exit(0); - } - } -} + if ($config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_on'] == '' && $config['installedpackages']['snortglobal']['rule'][$id]['rule_sid_off'] == '') + { + update_status(gettext("Your first set of rules are being copied...")); + update_output_window(gettext("May take a while...")); + exec("/bin/echo \"test {$snortdir} {$snortdir_wan} {$iface_uuid}_{$if_real}\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + }else{ + update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); + update_output_window(gettext("May take a while...")); + exec("/bin/echo \"test2 {$snortdir} {$snortdir_wan} {$iface_uuid}_{$if_real}\" > /root/debug"); + exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}/rules/"); + exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/generators {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); + exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}/snort_{$iface_uuid}_{$if_real}"); -/* double make shure cleanup emerg rules that dont belong */ -if (file_exists("/usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules")) { - apc_clear_cache(); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-botcc.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-compromised-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-drop-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-dshield-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-rbn-BLOCK.rules"); - exec("/bin/rm /usr/local/etc/snort_bkup/rules/emerging-tor-BLOCK.rules"); + /* might have to add a sleep for 3sec for flash drives or old drives */ + exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/oinkmaster_{$iface_uuid}_{$if_real}.conf -o /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules > /usr/local/etc/snort/oinkmaster_{$iface_uuid}_{$if_real}.log"); + } + } } -if (file_exists("/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so")) { - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so"); - exec("/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example\*"); -} +/* Start the proccess for every interface rule */ +/* TODO: try to make the code smother */ -/* create a msg-map for snort */ -update_status(gettext("Updating Alert Messages...")); -update_output_window(gettext("Please Wait...")); -exec("/usr/local/bin/perl /usr/local/bin/create-sidmap.pl /usr/local/etc/snort_bkup/rules > /usr/local/etc/snort_bkup/sid-msg.map"); +if (!empty($config['installedpackages']['snortglobal']['rule'])) +{ -/* Run oinkmaster to snort_wan and cp configs */ -/* If oinkmaster is not needed cp rules normally */ -/* TODO add per interface settings here */ -if ($snort_md5_check_ok != on || $emerg_md5_check_chk_ok != on || $pfsense_md5_check_ok != on) { + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id = -1; + foreach ($rule_array as $value) { - if (empty($config['installedpackages']['snort']['rule_sid_on']) || empty($config['installedpackages']['snort']['rule_sid_off'])) { - update_status(gettext("Your first set of rules are being copied...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); + $id += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name($result_lan); + $iface_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; + + /* make oinkmaster.conf for each interface rule */ + oinkmaster_conf($id, $if_real, $iface_uuid); + + /* run oinkmaster for each interface rule */ + oinkmaster_run($id, $if_real, $iface_uuid); -} else { - update_status(gettext("Your enable and disable changes are being applied to your fresh set of rules...")); - update_output_window(gettext("May take a while...")); - exec("/bin/cp {$snortdir}/rules/* {$snortdir_wan}/rules/"); - exec("/bin/cp {$snortdir}/classification.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/gen-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/generators {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/reference.config {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/sid-msg.map {$snortdir_wan}"); - exec("/bin/cp {$snortdir}/unicode.map {$snortdir_wan}"); - - /* oinkmaster.pl will convert saved changes for the new updates then we have to change #alert to # alert for the gui */ - /* might have to add a sleep for 3sec for flash drives or old drives */ - exec("/usr/local/bin/perl /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort_bkup/oinkmaster.conf -o /usr/local/etc/snort/rules > /usr/local/etc/snort_bkup/oinkmaster.log"); - exec("/usr/local/bin/perl -pi -e 's/#alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/##alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - exec("/usr/local/bin/perl -pi -e 's/## alert/# alert/g' /usr/local/etc/snort/rules/*.rules"); - - } } +////////////// + +/* mark the time update finnished */ +$config['installedpackages']['snortglobal']['last_rules_install'] = date("Y-M-jS-h:i-A"); + /* remove old $tmpfname files */ -if (file_exists("{$tmpfname}")) { - update_status(gettext("Cleaning up...")); - exec("/bin/rm -r /root/snort_rules_up"); -// apc_clear_cache(); +if (file_exists("{$tmpfname}")) +{ + update_status(gettext("Cleaning up...")); + exec("/bin/rm -r /tmp/snort_rules_up"); + sleep(2); + exec("/bin/rm -r {$snortdir}/rules_bk/rules/"); + apc_clear_cache(); } /* php code to flush out cache some people are reportting missing files this might help */ @@ -740,9 +1145,18 @@ sleep(2); apc_clear_cache(); exec("/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync ;/bin/sync"); +/* make all dirs snorts */ +exec("/usr/sbin/chown -R snort:snort /var/log/snort"); +exec("/usr/sbin/chown -R snort:snort /usr/local/etc/snort"); +exec("/usr/sbin/chown -R snort:snort /usr/local/lib/snort"); +exec("/bin/chmod -R 755 /var/log/snort"); +exec("/bin/chmod -R 755 /usr/local/etc/snort"); +exec("/bin/chmod -R 755 /usr/local/lib/snort"); + + /* if snort is running hardrestart, if snort is not running do nothing */ if (file_exists("/tmp/snort_download_halt.pid")) { - start_service("snort"); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); update_status(gettext("The Rules update finished...")); update_output_window(gettext("Snort has restarted with your new set of rules...")); exec("/bin/rm /tmp/snort_download_halt.pid"); @@ -751,6 +1165,13 @@ if (file_exists("/tmp/snort_download_halt.pid")) { update_output_window(gettext("You may start snort now...")); } +echo ' +<script type="text/javascript"> +<!-- + displaymessagestop(); +// --> +</script>'; + /* hide progress bar and lets end this party */ hide_progress_bar_status(); conf_mount_ro(); diff --git a/config/snort/snort_dynamic_ip_reload.php b/config/snort/snort_dynamic_ip_reload.php index 0fad085b..98d9bcce 100644 --- a/config/snort/snort_dynamic_ip_reload.php +++ b/config/snort/snort_dynamic_ip_reload.php @@ -3,7 +3,7 @@ /* $Id$ */ /* snort_dynamic_ip_reload.php - Copyright (C) 2006 Scott Ullrich and Robert Zeleya + Copyright (C) 2009 Robert Zeleya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -31,19 +31,20 @@ /* NOTE: this file gets included from the pfSense filter.inc plugin process */ /* NOTE: file location /usr/local/pkg/pf, all files in pf dir get exec on filter reloads */ -require_once("/usr/local/pkg/snort.inc"); -require_once("service-utils.inc"); -require_once("config.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); +/* get the varibles from the command line */ +/* Note: snort.sh sould only be using this */ +//$id = $_SERVER["argv"][1]; +//$if_real = $_SERVER["argv"][2]; -if($config['interfaces']['wan']['ipaddr'] == "pppoe" or - $config['interfaces']['wan']['ipaddr'] == "dhcp") { - create_snort_conf(); - exec("killall -HUP snort"); - /* define snortbarnyardlog_chk */ - $snortbarnyardlog_info_chk = $config['installedpackages']['snortadvanced']['config'][0]['snortbarnyardlog']; - if ($snortbarnyardlog_info_chk == on) - exec("killall -HUP barnyard2"); -} +//$test_iface = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + +//if ($id == "" || $if_real == "" || $test_iface == "") { +// exec("/usr/bin/logger -p daemon.info -i -t SnortDynIP \"ERORR starting snort_dynamic_ip_reload.php\""); +// exit; +// } + +sync_snort_package_empty(); ?>
\ No newline at end of file diff --git a/config/snort-dev/snort_fbegin.inc b/config/snort/snort_fbegin.inc index b8faff09..b8faff09 100644 --- a/config/snort-dev/snort_fbegin.inc +++ b/config/snort/snort_fbegin.inc diff --git a/config/snort-dev/snort_gui.inc b/config/snort/snort_gui.inc index 95a0e597..95a0e597 100644 --- a/config/snort-dev/snort_gui.inc +++ b/config/snort/snort_gui.inc diff --git a/config/snort-dev/snort_help_info.php b/config/snort/snort_help_info.php index 5355ec77..5355ec77 100644 --- a/config/snort-dev/snort_help_info.php +++ b/config/snort/snort_help_info.php diff --git a/config/snort-dev/snort_interfaces.php b/config/snort/snort_interfaces.php index b2f72aad..cb51df44 100644 --- a/config/snort-dev/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -141,7 +141,7 @@ if (isset($_POST['del_x'])) { /* stop syslog flood code */ //$if_real_wan_rulei = $a_nat[$rulei]['interface']; - //$if_real_wan_rulei2 = convert_friendly_interface_to_real_interface_name2($if_real_wan_rulei); + //$if_real_wan_rulei2 = convert_friendly_interface_to_real_interface_name($if_real_wan_rulei); //exec("/sbin/ifconfig $if_real_wan_rulei2 -promisc"); //exec("/bin/cp /var/log/system.log /var/log/snort/snort_sys_$rulei$if_real.log"); //exec("/usr/bin/killall syslogd"); @@ -156,18 +156,21 @@ if (isset($_POST['del_x'])) { } } - - unset($a_nat[$rulei]); - } - - conf_mount_rw(); + + /* for every iface do these steps */ + conf_mount_rw(); exec("/bin/rm /var/log/snort/snort.u2_{$snort_uuid}_{$if_real}*"); exec("/bin/rm -r /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}"); + conf_mount_ro(); - + + unset($a_nat[$rulei]); + + } + write_config(); - touch("/var/run/snort_conf_delete.dirty"); + //touch("/var/run/snort_conf_delete.dirty"); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -176,7 +179,7 @@ if (isset($_POST['del_x'])) { header( 'Pragma: no-cache' ); sleep(2); header("Location: /snort/snort_interfaces.php"); - exit; + //exit; } } @@ -211,7 +214,7 @@ if ($_GET['act'] == 'toggle' && $_GET['id'] != '') }else{ - sync_snort_package_all($id, $if_real); + sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); Running_Start($snort_uuid, $if_real, $id); @@ -228,7 +231,7 @@ if ($_GET['act'] == 'toggle' && $_GET['id'] != '') -$pgtitle = "Services: Snort 2.8.5.3 pkg v. 1.18 RC Final"; +$pgtitle = "Services: Snort 2.8.5.3 pkg v. 1.19"; include("head.inc"); ?> diff --git a/config/snort-dev/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index 164f154a..dddca3af 100644 --- a/config/snort-dev/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -158,14 +158,16 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; /* this will exec when alert says apply */ if ($_POST['apply']) { - if (file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { - - write_config(); + if (file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + + write_config(); - sync_snort_package_empty(); - sync_snort_package(); + $if_real = convert_friendly_interface_to_real_interface_name($a_nat[$id]['interface']); + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); - unlink("/var/run/snort_conf_{$snort_uuid}_.dirty"); + unlink("/var/run/snort_conf_{$snort_uuid}_.dirty"); } @@ -173,7 +175,7 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; write_config(); - sync_snort_package_all(); + sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); unlink($d_snortconfdirty_path); @@ -314,7 +316,7 @@ if ($_POST["Submit"]) { if ($_POST["Submit2"]) { - sync_snort_package_all(); + sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); sleep(1); diff --git a/config/snort/snort_interfaces_edit_bkup.php b/config/snort/snort_interfaces_edit_bkup.php new file mode 100644 index 00000000..92bc7c5a --- /dev/null +++ b/config/snort/snort_interfaces_edit_bkup.php @@ -0,0 +1,609 @@ +<?php +/* $Id$ */ +/* + snort_interfaces.php + part of m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + Copyright (C) 2008-2009 Robert Zelaya. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} + +$a_nat = $config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +/* always have a limit of (65535) numbers only or snort will not start do to id limits */ +/* TODO: When inline gets added make the uuid the port number lisstening */ +//function gen_snort_uuid($fileline) +//{ + /* return the first 5 */ + //if (preg_match("/...../", $fileline, $matches1)) + //{ + //$uuid_final = "$matches1[0]"; + //} +//return $uuid_final; +//} + +/* gen uuid for each iface !inportant */ +if ($config['installedpackages']['snortglobal']['rule'][$id]['uuid'] == '') { + //$snort_uuid = gen_snort_uuid(strrev(uniqid(true))); +$snort_uuid = 0; +while ($snort_uuid > 65535 || $snort_uuid == 0) { + $snort_uuid = mt_rand(1, 65535); + $pconfig['uuid'] = $snort_uuid; + } +} + +if ($config['installedpackages']['snortglobal']['rule'][$id]['uuid'] != '') { + $snort_uuid = $config['installedpackages']['snortglobal']['rule'][$id]['uuid']; +} + + +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name2($config['installedpackages']['snortglobal']['rule'][$id]['interface']); + + +if (isset($id) && $a_nat[$id]) { + + /* old options */ + $pconfig['def_ssl_ports_ignore'] = $a_nat[$id]['def_ssl_ports_ignore']; + $pconfig['flow_depth'] = $a_nat[$id]['flow_depth']; + $pconfig['perform_stat'] = $a_nat[$id]['perform_stat']; + $pconfig['http_inspect'] = $a_nat[$id]['http_inspect']; + $pconfig['other_preprocs'] = $a_nat[$id]['other_preprocs']; + $pconfig['ftp_preprocessor'] = $a_nat[$id]['ftp_preprocessor']; + $pconfig['smtp_preprocessor'] = $a_nat[$id]['smtp_preprocessor']; + $pconfig['sf_portscan'] = $a_nat[$id]['sf_portscan']; + $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; + $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; + $pconfig['def_dns_servers'] = $a_nat[$id]['def_dns_servers']; + $pconfig['def_dns_ports'] = $a_nat[$id]['def_dns_ports']; + $pconfig['def_smtp_servers'] = $a_nat[$id]['def_smtp_servers']; + $pconfig['def_smtp_ports'] = $a_nat[$id]['def_smtp_ports']; + $pconfig['def_mail_ports'] = $a_nat[$id]['def_mail_ports']; + $pconfig['def_http_servers'] = $a_nat[$id]['def_http_servers']; + $pconfig['def_www_servers'] = $a_nat[$id]['def_www_servers']; + $pconfig['def_http_ports'] = $a_nat[$id]['def_http_ports']; + $pconfig['def_sql_servers'] = $a_nat[$id]['def_sql_servers']; + $pconfig['def_oracle_ports'] = $a_nat[$id]['def_oracle_ports']; + $pconfig['def_mssql_ports'] = $a_nat[$id]['def_mssql_ports']; + $pconfig['def_telnet_servers'] = $a_nat[$id]['def_telnet_servers']; + $pconfig['def_telnet_ports'] = $a_nat[$id]['def_telnet_ports']; + $pconfig['def_snmp_servers'] = $a_nat[$id]['def_snmp_servers']; + $pconfig['def_snmp_ports'] = $a_nat[$id]['def_snmp_ports']; + $pconfig['def_ftp_servers'] = $a_nat[$id]['def_ftp_servers']; + $pconfig['def_ftp_ports'] = $a_nat[$id]['def_ftp_ports']; + $pconfig['def_ssh_servers'] = $a_nat[$id]['def_ssh_servers']; + $pconfig['def_ssh_ports'] = $a_nat[$id]['def_ssh_ports']; + $pconfig['def_pop_servers'] = $a_nat[$id]['def_pop_servers']; + $pconfig['def_pop2_ports'] = $a_nat[$id]['def_pop2_ports']; + $pconfig['def_pop3_ports'] = $a_nat[$id]['def_pop3_ports']; + $pconfig['def_imap_servers'] = $a_nat[$id]['def_imap_servers']; + $pconfig['def_imap_ports'] = $a_nat[$id]['def_imap_ports']; + $pconfig['def_sip_proxy_ip'] = $a_nat[$id]['def_sip_proxy_ip']; + $pconfig['def_sip_proxy_ports'] = $a_nat[$id]['def_sip_proxy_ports']; + $pconfig['def_auth_ports'] = $a_nat[$id]['def_auth_ports']; + $pconfig['def_finger_ports'] = $a_nat[$id]['def_finger_ports']; + $pconfig['def_irc_ports'] = $a_nat[$id]['def_irc_ports']; + $pconfig['def_nntp_ports'] = $a_nat[$id]['def_nntp_ports']; + $pconfig['def_rlogin_ports'] = $a_nat[$id]['def_rlogin_ports']; + $pconfig['def_rsh_ports'] = $a_nat[$id]['def_rsh_ports']; + $pconfig['def_ssl_ports'] = $a_nat[$id]['def_ssl_ports']; + $pconfig['barnyard_enable'] = $a_nat[$id]['barnyard_enable']; + $pconfig['barnyard_mysql'] = $a_nat[$id]['barnyard_mysql']; + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['uuid'] = $a_nat[$id]['uuid']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['performance'] = $a_nat[$id]['performance']; + $pconfig['blockoffenders7'] = $a_nat[$id]['blockoffenders7']; + $pconfig['snortalertlogtype'] = $a_nat[$id]['snortalertlogtype']; + $pconfig['alertsystemlog'] = $a_nat[$id]['alertsystemlog']; + $pconfig['tcpdumplog'] = $a_nat[$id]['tcpdumplog']; + $pconfig['snortunifiedlog'] = $a_nat[$id]['snortunifiedlog']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; + $pconfig['rule_sid_off'] = $a_nat[$id]['rule_sid_off']; + $pconfig['rule_sid_on'] = $a_nat[$id]['rule_sid_on']; + + + if (!$pconfig['interface']) { + $pconfig['interface'] = "wan"; + } else { + $pconfig['interface'] = "wan"; + } +} + +if (isset($_GET['dup'])) + unset($id); + +/* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + + write_config(); + + sync_snort_package_empty(); + sync_snort_package(); + + unlink("/var/run/snort_conf_{$snort_uuid}_.dirty"); + + } + + if (file_exists($d_snortconfdirty_path)) { + + write_config(); + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); + + unlink($d_snortconfdirty_path); + + } + + } + +if ($_POST["Submit"]) { + + + + // if ($config['installedpackages']['snortglobal']['rule']) { + if ($_POST['descr'] == '' && $pconfig['descr'] == '') { + $input_errors[] = "Please enter a description for your reference."; + } + + if ($id == "" && $config['installedpackages']['snortglobal']['rule'][0]['interface'] != "") { + + $rule_array = $config['installedpackages']['snortglobal']['rule']; + $id_c = -1; + foreach ($rule_array as $value) { + + $id_c += 1; + + $result_lan = $config['installedpackages']['snortglobal']['rule'][$id_c]['interface']; + $if_real = convert_friendly_interface_to_real_interface_name2($result_lan); + + if ($_POST['interface'] == $result_lan) { + $input_errors[] = "Interface $result_lan is in use. Please select another interface."; + } + } + } + + /* check for overlaps */ + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) + continue; + if ($natent['interface'] != $_POST['interface']) + continue; + } + + /* if no errors write to conf */ + if (!$input_errors) { + $natent = array(); + + /* write to conf for 1st time or rewrite the answer */ + $natent['interface'] = $_POST['interface'] ? $_POST['interface'] : $pconfig['interface']; + /* if post write to conf or rewite the answer */ + $natent['enable'] = $_POST['enable'] ? on : off; + $natent['uuid'] = $pconfig['uuid']; + $natent['descr'] = $_POST['descr'] ? $_POST['descr'] : $pconfig['descr']; + $natent['performance'] = $_POST['performance'] ? $_POST['performance'] : $pconfig['performance']; + /* if post = on use on off or rewrite the conf */ + if ($_POST['blockoffenders7'] == "on") { $natent['blockoffenders7'] = on; }else{ $natent['blockoffenders7'] = off; } if ($_POST['enable'] == "") { $natent['blockoffenders7'] = $pconfig['blockoffenders7']; } + $natent['snortalertlogtype'] = $_POST['snortalertlogtype'] ? $_POST['snortalertlogtype'] : $pconfig['snortalertlogtype']; + if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = on; }else{ $natent['alertsystemlog'] = off; } if ($_POST['enable'] == "") { $natent['alertsystemlog'] = $pconfig['alertsystemlog']; } + if ($_POST['tcpdumplog'] == "on") { $natent['tcpdumplog'] = on; }else{ $natent['tcpdumplog'] = off; } if ($_POST['enable'] == "") { $natent['tcpdumplog'] = $pconfig['tcpdumplog']; } + if ($_POST['snortunifiedlog'] == "on") { $natent['snortunifiedlog'] = on; }else{ $natent['snortunifiedlog'] = off; } if ($_POST['enable'] == "") { $natent['snortunifiedlog'] = $pconfig['snortunifiedlog']; } + /* if optiion = 0 then the old descr way will not work */ + + /* rewrite the options that are not in post */ + /* make shure values are set befor repost or conf.xml will be broken */ + if ($pconfig['def_ssl_ports_ignore'] != "") { $natent['def_ssl_ports_ignore'] = $pconfig['def_ssl_ports_ignore']; } + if ($pconfig['flow_depth'] != "") { $natent['flow_depth'] = $pconfig['flow_depth']; } + if ($pconfig['perform_stat'] != "") { $natent['perform_stat'] = $pconfig['perform_stat']; } + if ($pconfig['http_inspect'] != "") { $natent['http_inspect'] = $pconfig['http_inspect']; } + if ($pconfig['other_preprocs'] != "") { $natent['other_preprocs'] = $pconfig['other_preprocs']; } + if ($pconfig['ftp_preprocessor'] != "") { $natent['ftp_preprocessor'] = $pconfig['ftp_preprocessor']; } + if ($pconfig['smtp_preprocessor'] != "") { $natent['smtp_preprocessor'] = $pconfig['smtp_preprocessor']; } + if ($pconfig['sf_portscan'] != "") { $natent['sf_portscan'] = $pconfig['sf_portscan']; } + if ($pconfig['dce_rpc_2'] != "") { $natent['dce_rpc_2'] = $pconfig['dce_rpc_2']; } + if ($pconfig['dns_preprocessor'] != "") { $natent['dns_preprocessor'] = $pconfig['dns_preprocessor']; } + if ($pconfig['def_dns_servers'] != "") { $natent['def_dns_servers'] = $pconfig['def_dns_servers']; } + if ($pconfig['def_dns_ports'] != "") { $natent['def_dns_ports'] = $pconfig['def_dns_ports']; } + if ($pconfig['def_smtp_servers'] != "") { $natent['def_smtp_servers'] = $pconfig['def_smtp_servers']; } + if ($pconfig['def_smtp_ports'] != "") { $natent['def_smtp_ports'] = $pconfig['def_smtp_ports']; } + if ($pconfig['def_mail_ports'] != "") { $natent['def_mail_ports'] = $pconfig['def_mail_ports']; } + if ($pconfig['def_http_servers'] != "") { $natent['def_http_servers'] = $pconfig['def_http_servers']; } + if ($pconfig['def_www_servers'] != "") { $natent['def_www_servers'] = $pconfig['def_www_servers']; } + if ($pconfig['def_http_ports'] != "") { $natent['def_http_ports'] = $pconfig['def_http_ports']; } + if ($pconfig['def_sql_servers'] != "") { $natent['def_sql_servers'] = $pconfig['def_sql_servers']; } + if ($pconfig['def_oracle_ports'] != "") { $natent['def_oracle_ports'] = $pconfig['def_oracle_ports']; } + if ($pconfig['def_mssql_ports'] != "") { $natent['def_mssql_ports'] = $pconfig['def_mssql_ports']; } + if ($pconfig['def_telnet_servers'] != "") { $natent['def_telnet_servers'] = $pconfig['def_telnet_servers']; } + if ($pconfig['def_telnet_ports'] != "") { $natent['def_telnet_ports'] = $pconfig['def_telnet_ports']; } + if ($pconfig['def_snmp_servers'] != "") { $natent['def_snmp_servers'] = $pconfig['def_snmp_servers']; } + if ($pconfig['def_snmp_ports'] != "") { $natent['def_snmp_ports'] = $pconfig['def_snmp_ports']; } + if ($pconfig['def_ftp_servers'] != "") { $natent['def_ftp_servers'] = $pconfig['def_ftp_servers']; } + if ($pconfig['def_ftp_ports'] != "") { $natent['def_ftp_ports'] = $pconfig['def_ftp_ports']; } + if ($pconfig['def_ssh_servers'] != "") { $natent['def_ssh_servers'] = $pconfig['def_ssh_servers']; } + if ($pconfig['def_ssh_ports'] != "") { $natent['def_ssh_ports'] = $pconfig['def_ssh_ports']; } + if ($pconfig['def_pop_servers'] != "") { $natent['def_pop_servers'] = $pconfig['def_pop_servers']; } + if ($pconfig['def_pop2_ports'] != "") { $natent['def_pop2_ports'] = $pconfig['def_pop2_ports']; } + if ($pconfig['def_pop3_ports'] != "") { $natent['def_pop3_ports'] = $pconfig['def_pop3_ports']; } + if ($pconfig['def_imap_servers'] != "") { $natent['def_imap_servers'] = $pconfig['def_imap_servers']; } + if ($pconfig['def_imap_ports'] != "") { $natent['def_imap_ports'] = $pconfig['def_imap_ports']; } + if ($pconfig['def_sip_proxy_ip'] != "") { $natent['def_sip_proxy_ip'] = $pconfig['def_sip_proxy_ip']; } + if ($pconfig['def_sip_proxy_ports'] != "") { $natent['def_sip_proxy_ports'] = $pconfig['def_sip_proxy_ports']; } + if ($pconfig['def_auth_ports'] != "") { $natent['def_auth_ports'] = $pconfig['def_auth_ports']; } + if ($pconfig['def_finger_ports'] != "") { $natent['def_finger_ports'] = $pconfig['def_finger_ports']; } + if ($pconfig['def_irc_ports'] != "") { $natent['def_irc_ports'] = $pconfig['def_irc_ports']; } + if ($pconfig['def_nntp_ports'] != "") { $natent['def_nntp_ports'] = $pconfig['def_nntp_ports']; } + if ($pconfig['def_rlogin_ports'] != "") { $natent['def_rlogin_ports'] = $pconfig['def_rlogin_ports']; } + if ($pconfig['def_rsh_ports'] != "") { $natent['def_rsh_ports'] = $pconfig['def_rsh_ports']; } + if ($pconfig['def_ssl_ports'] != "") { $natent['def_ssl_ports'] = $pconfig['def_ssl_ports']; } + if ($pconfig['barnyard_enable'] != "") { $natent['barnyard_enable'] = $pconfig['barnyard_enable']; } + if ($pconfig['barnyard_mysql'] != "") { $natent['barnyard_mysql'] = $pconfig['barnyard_mysql']; } + if ($pconfig['rulesets'] != "") { $natent['rulesets'] = $pconfig['rulesets']; } + if ($pconfig['rule_sid_off'] != "") { $natent['rule_sid_off'] = $pconfig['rule_sid_off']; } + if ($pconfig['rule_sid_on'] != "") { $natent['rule_sid_on'] = $pconfig['rule_sid_on']; } + + + if (isset($id) && $a_nat[$id]) + $a_nat[$id] = $natent; + else { + if (is_numeric($after)) + array_splice($a_nat, $after+1, 0, array($natent)); + else + $a_nat[] = $natent; + } + + write_config(); + + touch("$d_snortconfdirty_path"); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + + //exit; + } +} + + if ($_POST["Submit2"]) { + + sync_snort_package_all($id, $if_real, $snort_uuid); + sync_snort_package(); + sleep(1); + + Running_Start($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + } + + if ($_POST["Submit3"]) + { + + Running_Stop($snort_uuid, $if_real, $id); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + header("Location: /snort/snort_interfaces_edit.php?id=$id"); + + } + + /* This code needs to be below headers */ + if (isset($config['installedpackages']['snortglobal']['rule'][$id]['interface'])) + { + + $snort_up_ck2_info = Running_Ck($snort_uuid, $if_real, $id); + + if ($snort_up_ck2_info == 'no') { + $snort_up_ck = '<input name="Submit2" type="submit" class="formbtn" value="Start" onClick="enable_change(true)">'; + }else{ + $snort_up_ck = '<input name="Submit3" type="submit" class="formbtn" value="Stop" onClick="enable_change(true)">'; + } + + }else{ + $snort_up_ck = ''; + } + + +$pgtitle = "Snort: Interface Edit: $id $snort_uuid $if_real"; +include("head.inc"); + +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php +include("./snort_fbegin.inc"); +?> +<style type="text/css"> +.alert { + position:absolute; + top:10px; + left:0px; + width:94%; +background:#FCE9C0; +background-position: 15px; +border-top:2px solid #DBAC48; +border-bottom:2px solid #DBAC48; +padding: 15px 10px 85% 50px; +} +</style> +<noscript><div class="alert" ALIGN=CENTER><img src="/themes/nervecenter/images/icons/icon_alert.gif"/><strong>Please enable JavaScript to view this content</strong></div></noscript> +<script language="JavaScript"> +<!-- + +function enable_change(enable_change) { + endis = !(document.iform.enable.checked || enable_change); + // make shure a default answer is called if this is envoked. + endis2 = (document.iform.enable); + +<?php +/* make shure all the settings exist or function hide will not work */ +/* if $id is emty allow if and discr to be open */ +if($config['installedpackages']['snortglobal']['rule'][$id]['interface'] != '') +{ +echo " + document.iform.interface.disabled = endis2; + document.iform.descr.disabled = endis;\n"; +} +?> + document.iform.performance.disabled = endis; + document.iform.blockoffenders7.disabled = endis; + document.iform.alertsystemlog.disabled = endis; + document.iform.tcpdumplog.disabled = endis; + document.iform.snortunifiedlog.disabled = endis; +} +//--> +</script> +<p class="pgtitle"><?php if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<form action="snort_interfaces_edit.php<?php echo "?id=$id";?>" method="post" enctype="multipart/form-data" name="iform" id="iform"> + +<?php + + /* Display Alert message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + //if (file_exists($d_snortconfdirty_path)) { + if (file_exists($d_snortconfdirty_path) || file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + +?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td class="tabnavtbl"> +<?php +if ($a_nat[$id]['interface'] != '') { + /* get the interface name */ + $first = 0; + $snortInterfaces = array(); /* -gtm */ + + $if_list = $config['installedpackages']['snortglobal']['rule'][$id]['interface']; + $if_array = split(',', $if_list); + //print_r($if_array); + if($if_array) { + foreach($if_array as $iface2) { + $if2 = convert_friendly_interface_to_real_interface_name2($iface2); + + if($config['interfaces'][$iface2]['ipaddr'] == "pppoe") { + $if2 = "ng0"; + } + + /* build a list of user specified interfaces -gtm */ + if($if2){ + array_push($snortInterfaces, $if2); + $first = 1; + } + } + + if (count($snortInterfaces) < 1) { + log_error("Snort will not start. You must select an interface for it to listen on."); + return; + } + } + +} + $tab_array = array(); + if (!file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + } + $tab_array[] = array("If Settings", true, "/snort/snort_interfaces_edit.php?id={$id}"); + /* hide user tabs when no settings have be saved */ + if ($config['installedpackages']['snortglobal']['rule'][$id]['interface'] != '') { + if (!file_exists("/var/run/snort_conf_{$snort_uuid}_.dirty")) { + //$tab_array[] = array("upload", false, "/snort/snort_conf_upload.php?id={$id}"); + $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + } + } + display_top_tabs($tab_array); + +?> +</td> +</tr> + <tr> + <td class="tabcont"> + <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td width="22%" valign="top" class="vtable"> </td> + <td width="78%" class="vtable"> + <?php + // <input name="enable" type="checkbox" value="yes" checked onClick="enable_change(false)"> + // care with spaces + if ($pconfig['enable'] == "on") + $checked = checked; + + $onclick_enable = "onClick=\"enable_change(false)\">"; + + echo " + <input name=\"enable\" type=\"checkbox\" value=\"on\" $checked $onclick_enable + <strong>Enable Interface</strong></td>\n\n"; + ?> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Interface</td> + <td width="78%" class="vtable"> + <select name="interface" class="formfld"> + <?php + $interfaces = array('wan' => 'WAN', 'lan' => 'LAN'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; + } + foreach ($interfaces as $iface => $ifacename): ?> + <option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename);?> + </option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Choose which interface this rule applies to.<br> + Hint: in most cases, you'll want to use WAN here.</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">Description</td> + <td width="78%" class="vtable"> + <input name="descr" type="text" class="formfld" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>"> + <br> <span class="vexpl">You may enter a description here for your reference (not parsed).</span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Memory Performance</td> + <td width="78%" class="vtable"> + <select name="performance" class="formfld" id="performance"> + <?php + $interfaces2 = array('ac-bnfa' => 'AC-BNFA', 'lowmem' => 'LOWMEM', 'ac-std' => 'AC-STD', 'ac' => 'AC', 'ac-banded' => 'AC-BANDED', 'ac-sparsebands' => 'AC-SPARSEBANDS', 'acs' => 'ACS'); + foreach ($interfaces2 as $iface2 => $ifacename2): ?> + <option value="<?=$iface2;?>" <?php if ($iface2 == $pconfig['performance']) echo "selected"; ?>> + <?=htmlspecialchars($ifacename2);?> + </option> + <?php endforeach; ?> + </select><br> + <span class="vexpl">Lowmem and ac-bnfa are recommended for low end systems, Ac: high memory, best performance, ac-std: moderate memory,high performance, acs: small memory, moderateperformance, ac-banded: small memory,moderate performance, ac-sparsebands: small memory, high performance.<br> + </span></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Block offenders</td> + <td width="78%" class="vtable"> + <input name="blockoffenders7" type="checkbox" value="on" <?php if ($pconfig['blockoffenders7'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Checking this option will automatically block hosts that generate a Snort alert.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Send alerts to main System logs</td> + <td width="78%" class="vtable"> + <input name="alertsystemlog" type="checkbox" value="on" <?php if ($pconfig['alertsystemlog'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Snort will send Alerts to the Pfsense system logs.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Log to a Tcpdump file</td> + <td width="78%" class="vtable"> + <input name="tcpdumplog" type="checkbox" value="on" <?php if ($pconfig['tcpdumplog'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Snort will log packets to a tcpdump-formatted file. The file then can be analyzed by an application such as Wireshark which understands pcap file formats. <span class="red"><strong>WARNING:</strong></span> File may become large.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Log Alerts to a snort unified2 file</td> + <td width="78%" class="vtable"> + <input name="snortunifiedlog" type="checkbox" value="on" <?php if ($pconfig['snortunifiedlog'] == "on") echo "checked"; ?> onClick="enable_change(false)"><br> + Snort will log Alerts to a file in the UNIFIED2 format. This is a requirement for barnyard2.</td> + </tr> + <tr> + <td width="22%" valign="top"></td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="Save"> <?php echo $snort_up_ck; ?> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <?php if (isset($id) && $a_nat[$id]): ?> + <input name="id" type="hidden" value="<?=$id;?>"> + <?php endif; ?> + </td> + </tr> + <tr> + <td width="22%" valign="top"> </td> + <td width="78%"><span class="vexpl"><span class="red"><strong>Note:</strong></span> + <br> + Please save your settings before you click start. </td> + </tr> + </table> + </table> +</form> + +<script language="JavaScript"> +<!-- +enable_change(false); +//--> +</script> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/snort-dev/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index ff3620a3..ff3620a3 100644 --- a/config/snort-dev/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php diff --git a/config/snort-dev/snort_preprocessors.php b/config/snort/snort_preprocessors.php index c522a643..25963cbe 100644 --- a/config/snort-dev/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -119,12 +119,12 @@ if (isset($_GET['dup'])) } /* convert fake interfaces to real */ -$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); - +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); +$snort_uuid = $pconfig['uuid']; /* alert file */ -$d_snortconfdirty_path = "/var/run/snort_conf_{$pconfig['uuid']}_{$if_real}.dirty"; +$d_snortconfdirty_path = "/var/run/snort_conf_{$snort_uuid}_{$if_real}.dirty"; /* this will exec when alert says apply */ if ($_POST['apply']) { @@ -133,7 +133,7 @@ $d_snortconfdirty_path = "/var/run/snort_conf_{$pconfig['uuid']}_{$if_real}.dirt write_config(); - sync_snort_package_all(); + sync_snort_package_all($id, $if_real, $snort_uuid); sync_snort_package(); unlink($d_snortconfdirty_path); diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 94c99f0e..c95d76ca 100644 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -2,7 +2,8 @@ /* $Id$ */ /* edit_snortrule.php - Copyright (C) 2004, 2005 Scott Ullrich and Rober Zelaya + Copyright (C) 2004, 2005 Scott Ullrich + Copyright (C) 2008, 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -26,22 +27,45 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -require("guiconfig.inc"); -require("config.inc"); -if(!is_dir("/usr/local/etc/snort/rules")) { - conf_mount_rw(); - exec('mkdir /usr/local/etc/snort/rules/'); - conf_mount_ro(); + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} + +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +if (isset($id) && $a_nat[$id]) { + + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; } +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); + +$iface_uuid = $a_nat[$id]['uuid']; + +// if(!is_dir("/usr/local/etc/snort/rules")) +// exec('mkdir /usr/local/etc/snort/rules/'); + /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); +$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); if ($isrulesfolderempty == "") { include("head.inc"); -include("fbegin.inc"); +include("./snort_fbegin.inc"); echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; @@ -51,18 +75,15 @@ echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n <tr>\n <td>\n"; - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); echo "</td>\n </tr>\n @@ -105,8 +126,6 @@ function get_middle($source, $beginning, $ending, $init_pos) { function write_rule_file($content_changed, $received_file) { - conf_mount_rw(); - //read snort file with writing enabled $filehandle = fopen($received_file, "w"); @@ -122,7 +141,6 @@ function write_rule_file($content_changed, $received_file) //close file handle fclose($filehandle); - conf_mount_rw(); } function load_rule_file($incoming_file) @@ -137,8 +155,9 @@ function load_rule_file($incoming_file) //close handler fclose ($filehandle); + //string for populating category select - $currentruleset = substr($file, 27); + $currentruleset = basename($rulefile); //delimiter for each new rule is a new line $delimiter = "\n"; @@ -150,10 +169,13 @@ function load_rule_file($incoming_file) } -$ruledir = "/usr/local/etc/snort/rules/"; +$ruledir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; $dh = opendir($ruledir); -$message_reload = "The Snort rule configuration has been changed.<br>You must apply the changes in order for them to take effect."; +if ($_GET['openruleset'] != '' && $_GET['ids'] != '') +{ + header("Location: /snort/snort_rules.php?id=$id&openruleset={$_GET['openruleset']}&saved=yes"); +} while (false !== ($filename = readdir($dh))) { @@ -169,19 +191,22 @@ sort($files); if ($_GET['openruleset']) { - $file = $_GET['openruleset']; + $rulefile = $_GET['openruleset']; } else { - $file = $ruledir.$files[0]; + $rulefile = $ruledir.$files[0]; } //Load the rule file -$splitcontents = load_rule_file($file); +$splitcontents = load_rule_file($rulefile); if ($_POST) { + + conf_mount_rw(); + if (!$_POST['apply']) { //retrieve POST data $post_lineid = $_POST['lineid']; @@ -258,26 +283,20 @@ if ($_POST) $splitcontents[$post_lineid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $file); + write_rule_file($splitcontents, $rulefile); //once file has been written, reload file - $splitcontents = load_rule_file($file); + $splitcontents = load_rule_file($rulefile); $stopMsg = true; } - - if ($_POST['apply']) { -// stop_service("snort"); -// sleep(2); -// start_service("snort"); - $savemsg = "The snort rules selections have been saved. Please restart snort by clicking save on the settings tab."; - $stopMsg = false; - } - } else if ($_GET['act'] == "toggle") { - $toggleid = $_GET['id']; + + conf_mount_rw(); + + $toggleid = $_GET['ids']; //copy rule contents from array into string $tempstring = $splitcontents[$toggleid]; @@ -311,10 +330,10 @@ else if ($_GET['act'] == "toggle") $splitcontents[$toggleid] = $tempstring; //write the new .rules file - write_rule_file($splitcontents, $file); + write_rule_file($splitcontents, $rulefile); //once file has been written, reload file - $splitcontents = load_rule_file($file); + $splitcontents = load_rule_file($rulefile); $stopMsg = true; @@ -326,20 +345,22 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_off = str_replace("sid:", "", $sid_off_cut); // rule_sid_on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; + $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if off sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_off", "", "$sid_on_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; + $a_nat[$id]['rule_sid_on'] = $sid_on_old; // rule sid off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; + $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as off sid remove it $sid_off_old = str_replace("||disablesid $sid_off", "", "$sid_off_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; + $a_nat[$id]['rule_sid_off'] = $sid_off_old; // add sid off registers to new off sid - $config['installedpackages']['snort']['rule_sid_off'] = "||disablesid $sid_off" . $config['installedpackages']['snort']['rule_sid_off']; + $a_nat[$id]['rule_sid_off'] = "||disablesid $sid_off" . $a_nat[$id]['rule_sid_off']; write_config(); + conf_mount_rw(); + } else { @@ -349,39 +370,55 @@ else if ($_GET['act'] == "toggle") // sid being turned off $sid_on = str_replace("sid:", "", $sid_on_cut); // rule_sid_off registers - $sid_off_pieces = $config['installedpackages']['snort']['rule_sid_off']; + $sid_off_pieces = $a_nat[$id]['rule_sid_off']; // if off sid is the same as on sid remove it $sid_off_old = str_replace("||disablesid $sid_on", "", "$sid_off_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_off'] = $sid_off_old; + $a_nat[$id]['rule_sid_off'] = $sid_off_old; // rule sid on registers - $sid_on_pieces = $config['installedpackages']['snort']['rule_sid_on']; + $sid_on_pieces = $a_nat[$id]['rule_sid_on']; // if on sid is the same as on sid remove it $sid_on_old = str_replace("||enablesid $sid_on", "", "$sid_on_pieces"); // write the replace sid back as empty - $config['installedpackages']['snort']['rule_sid_on'] = $sid_on_old; + $a_nat[$id]['rule_sid_on'] = $sid_on_old; // add sid on registers to new on sid - $config['installedpackages']['snort']['rule_sid_on'] = "||enablesid $sid_on" . $config['installedpackages']['snort']['rule_sid_on']; + $a_nat[$id]['rule_sid_on'] = "||enablesid $sid_on" . $a_nat[$id]['rule_sid_on']; write_config(); + conf_mount_rw(); } } +if ($_GET['saved'] == 'yes') +{ + $message = "The Snort rule configuration has been changed.<br>You must restart this snort interface in order for the changes to take effect."; + +// stop_service("snort"); +// sleep(2); +// start_service("snort"); +// $savemsg = ""; +// $stopMsg = false; +} + +$currentruleset = basename($rulefile); + +$ifname = strtoupper($pconfig['interface']); -$pgtitle = "Snort: Rules"; require("guiconfig.inc"); include("head.inc"); + +$pgtitle = "Snort: $id $iface_uuid $if_real Category: $currentruleset"; + ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> + <?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; +echo "<form action=\"snort_rules.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; ?> -<form action="snort_rules.php" method="post" name="iform" id="iform"> -<?php if ($savemsg){print_info_box($savemsg);} else if ($stopMsg){print_info_box_np($message_reload);}?> -<br> +<?php if ($_GET['saved'] == 'yes') {print_info_box_np2($message);}?> </form> <script type="text/javascript" language="javascript" src="row_toggle.js"> <script src="/javascript/sorttable.js" type="text/javascript"> @@ -403,28 +440,40 @@ function go() } // --> </script> +<script type="text/javascript"> +<!-- +function popup(url) +{ + params = 'width='+screen.width; + params += ', height='+screen.height; + params += ', top=0, left=0' + params += ', fullscreen=yes'; + + newwin=window.open(url,'windowname4', params); + if (window.focus) {newwin.focus()} + return false; +} +// --> +</script> <table width="99%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", false, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", true, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); display_top_tabs($tab_array); ?> - </td> - </tr> - <tr> - <td> + </td> + </tr> + <tr> + <td> <div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> @@ -447,7 +496,8 @@ function go() echo "<br>Category: "; //string for populating category select - $currentruleset = substr($file, 27); + $currentruleset = basename($rulefile); + ?> <form name="forms"> <select name="selectbox" class="formfld" onChange="go()"> @@ -459,7 +509,7 @@ function go() if ($files[$i] === $currentruleset) $selectedruleset = "selected"; ?> - <option value="?&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" + <option value="?id=<?=$id;?>&openruleset=<?=$ruledir;?><?=$files[$i];?>" <?=$selectedruleset;?>><?=$files[$i];?></option>" <?php $i++; @@ -512,7 +562,13 @@ function go() $textss = $textse = ""; $iconb = "icon_block.gif"; } - + + if ($disabled_pos !== false){ + $ischecked = ""; + }else{ + $ischecked = "checked"; + } + $rule_content = explode(' ', $tempstring); $protocol = $rule_content[$counter2];//protocol location @@ -525,87 +581,93 @@ function go() $counter2++; $destination_port = $rule_content[$counter2];//destination port location - $message = get_middle($tempstring, 'msg:"', '";', 0); + if (strstr($tempstring, 'msg: "')) + $message = get_middle($tempstring, 'msg: "', '";', 0); + if (strstr($tempstring, 'msg:"')) + $message = get_middle($tempstring, 'msg:"', '";', 0); - echo "<tr>"; - echo "<td class=\"listt\">"; - echo $textss; + echo "<tr> + <td class=\"listt\"> + $textss\n"; ?> - <a href="?&openruleset=<?=$file;?>&act=toggle&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="11" height="11" border="0" title="click to toggle enabled/disabled status"></a> + <a href="?id=<?=$id;?>&openruleset=<?=$rulefile;?>&act=toggle&ids=<?=$counter;?>"><img src="../themes/<?= $g['theme']; ?>/images/icons/<?=$iconb;?>" width="10" height="10" border="0" title="click to toggle enabled/disabled status"></a> + <!-- <input name="enable" type="checkbox" value="yes" <?= $ischecked; ?> onClick="enable_change(false)"> --> + <!-- TODO: add checkbox and save so that that disabling is nicer --> <?php - echo $textse; - echo "</td>"; - - - echo "<td class=\"listlr\">"; - echo $textss; - echo $sid; - echo $textse; - echo "</td>"; - - echo "<td class=\"listlr\">"; - echo $textss; - echo $protocol; + echo "$textse + </td> + <td class=\"listlr\"> + $textss + $sid + $textse + </td> + <td class=\"listlr\"> + $textss + $protocol"; + ?> + <?php $printcounter++; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $source; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $source_port; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $destination; - echo $textse; - echo "</td>"; - echo "<td class=\"listlr\">"; - echo $textss; - echo $destination_port; - echo $textse; - echo "</td>"; + echo "$textse + </td> + <td class=\"listlr\"> + $textss + $source + $textse + </td> + <td class=\"listlr\"> + $textss + $source_port + $textse + </td> + <td class=\"listlr\"> + $textss + $destination + $textse + </td> + <td class=\"listlr\"> + $textss + $destination_port + $textse + </td>"; ?> <td class="listbg"><font color="white"> <?php - echo $textss; - echo $message; - echo $textse; - echo "</td>"; + echo "$textss + $message + $textse + </td>"; ?> <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td><a href="snort_rules_edit.php?openruleset=<?=$file;?>&id=<?=$counter;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> + <td><a href="javascript: void(0)"onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$rulefile;?>&ids=<?=$counter;?>')"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="edit rule" width="17" height="17" border="0"></a></td> + <!-- Codes by Quackit.com --> </tr> </table> </td> <?php } } - echo " "; - echo "There are "; - echo $printcounter; - echo " rules in this category. <br><br>"; + echo " There are $printcounter rules in this category. <br><br>"; ?> </table> </td> </tr> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td width="16"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> + <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" width="11" height="11"></td> <td>Rule Enabled</td> </tr> <tr> - <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> + <td><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block_d.gif" width="11" height="11"></td> <td nowrap>Rule Disabled</td> - - + </tr> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <!-- TODO: add save and cancel for checkbox options --> + <!-- <td><pre><input name="Submit" type="submit" class="formbtn" value="Save"> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"><pre></td> --> </tr> + </table> <tr> <td colspan="10"> <p> @@ -615,12 +677,11 @@ function go() </tr> </table> </table> - </td> </tr> + </table> - <?php include("fend.inc"); ?> </div></body> -</html>
\ No newline at end of file +</html> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index cbabce73..b770867f 100644 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -1,40 +1,72 @@ +#!/usr/local/bin/php <?php -/* $Id$ */ /* - snort_rules_edit.php - Copyright (C) 2004, 2005 Scott Ullrich - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + system_edit.php + Copyright (C) 2004, 2005 Scott Ullrich + All rights reserved. + + Adapted for FreeNAS by Volker Theile (votdev@gmx.de) + Copyright (C) 2006-2009 Volker Theile + + Adapted for Pfsense Snort package by Robert Zelaya + Copyright (C) 2008-2009 Robert Zelaya + + Using dp.SyntaxHighlighter for syntax highlighting + http://www.dreamprojections.com/SyntaxHighlighter + Copyright (C) 2004-2006 Alex Gorbatchev. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ -function get_middle($source, $beginning, $ending, $init_pos) { - $beginning_pos = strpos($source, $beginning, $init_pos); - $middle_pos = $beginning_pos + strlen($beginning); - $ending_pos = strpos($source, $ending, $beginning_pos); - $middle = substr($source, $middle_pos, $ending_pos - $middle_pos); - return $middle; +require_once("guiconfig.inc"); +require_once("config.inc"); + + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} + +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + +$ids = $_GET['ids']; +if (isset($_POST['ids'])) + $ids = $_POST['ids']; + + +if (isset($id) && $a_nat[$id]) { + + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; } +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name($pconfig['interface']); + $file = $_GET['openruleset']; @@ -42,10 +74,10 @@ $file = $_GET['openruleset']; $filehandle = fopen($file, "r"); //get rule id -$lineid = $_GET['id']; +$lineid = $_GET['ids']; //read file into string, and get filesize -$contents = fread($filehandle, filesize($file)); +$contents2 = fread($filehandle, filesize($file)); //close handler fclose ($filehandle); @@ -54,154 +86,158 @@ fclose ($filehandle); $delimiter = "\n"; //split the contents of the string file into an array using the delimiter -$splitcontents = explode($delimiter, $contents); +$splitcontents = explode($delimiter, $contents2); //copy rule contents from array into string $tempstring = $splitcontents[$lineid]; -//explode rule contents into an array, (delimiter is space) -$rule_content = explode(' ', $tempstring); +function write_rule_file($content_changed, $received_file) +{ + //read snort file with writing enabled + $filehandle = fopen($received_file, "w"); + + //delimiter for each new rule is a new line + $delimiter = "\n"; -//search string -$findme = "# alert"; //find string for disabled alerts + //implode the array back into a string for writing purposes + $fullfile = implode($delimiter, $content_changed); -//find if alert is disabled -$disabled = strstr($tempstring, $findme); + //write data to file + fwrite($filehandle, $fullfile); -//get sid -$sid = get_middle($tempstring, 'sid:', ';', 0); + //close file handle + fclose($filehandle); +} -//if find alert is false, then rule is disabled -if ($disabled !== false) -{ - //move counter up 1, so we do not retrieve the # in the rule_content array - $counter2 = 2; + + +if($_POST['highlight'] <> "") { + if($_POST['highlight'] == "yes" or + $_POST['highlight'] == "enabled") { + $highlight = "yes"; + } else { + $highlight = "no"; + } +} else { + $highlight = "no"; } + +if($_POST['rows'] <> "") + $rows = $_POST['rows']; else + $rows = 1; + +if($_POST['cols'] <> "") + $cols = $_POST['cols']; +else + $cols = 66; + +if ($_POST) { - $counter2 = 1; + if ($_POST['save']) { + + /* get the changes */ + $rule_content2 = $_POST['code']; + + //copy string into file array for writing + $splitcontents[$lineid] = $rule_content2; + + //write the new .rules file + write_rule_file($splitcontents, $file); + + header("Location: /snort/snort_rules_edit.php?id=$id&openruleset=$file&ids=$ids"); + + } } +$pgtitle = array(gettext("Advanced"), gettext("File Editor")); -$protocol = $rule_content[$counter2];//protocol location -$counter2++; -$source = $rule_content[$counter2];//source location -$counter2++; -$source_port = $rule_content[$counter2];//source port location -$counter2++; -$direction = $rule_content[$counter2]; -$counter2++; -$destination = $rule_content[$counter2];//destination location -$counter2++; -$destination_port = $rule_content[$counter2];//destination port location -$message = get_middle($tempstring, 'msg:"', '";', 0); - -$content = get_middle($tempstring, 'content:"', '";', 0); -$classtype = get_middle($tempstring, 'classtype:', ';', 0); -$revision = get_middle($tempstring, 'rev:', ';',0); - -$pgtitle = "Snort: Edit Rule"; -require("guiconfig.inc"); -include("head.inc"); +// ?> -<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> - -<?php include("fbegin.inc"); ?> -<?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; -?> -<table width="99%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> -<?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), true, "/snort_rules.php?openruleset=/usr/local/etc/snort/rules/attack-responses.rules"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); -?> - </td> - </tr> - <tr> - <td> - <div id="mainarea"> - <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td> - <form action="snort_rules.php?openruleset=<?=$file;?>&id=<?=$lineid;?>" target="" method="post" name="editform" id="editform"> - <table id="edittable" class="sortable" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr> - <td class="listhdr" width="10%">Enabled: </td> - <td class="listlr" width="30%"><input name="enabled" type="checkbox" id="enabled" value="yes" <?php if ($disabled === false) echo "checked";?>></td> - </tr> - <tr> - <td class="listhdr" width="10%">SID: </td> - <td class="listlr" width="30%"><?php echo $sid; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Protocol: </td> - <td class="listlr" width="30%"><?php echo $protocol; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Source: </td> - <td class="listlr" width="30%"><input name="src" type="text" id="src" size="20" value="<?php echo $source;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Source Port: </td> - <td class="listlr" width="30%"><input name="srcport" type="text" id="srcport" size="20" value="<?php echo $source_port;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Direction:</td> - <td class="listlr" width="30%"><?php echo $direction;?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Destination:</td> - <td class="listlr" width="30%"><input name="dest" type="text" id="dest" size="20" value="<?php echo $destination;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Destination Port: </td> - <td class="listlr" width="30%"><input name="destport" type="text" id="destport" size="20" value="<?php echo $destination_port;?>"></td> - </tr> - <tr> - <td class="listhdr" width="10%">Message: </td> - <td class="listlr" width="30%"><?php echo $message; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Content: </td> - <td class="listlr" width="30%"><?php echo $content; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Classtype: </td> - <td class="listlr" width="30%"><?php echo $classtype; ?></td> - </tr> - <tr> - <td class="listhdr" width="10%">Revision: </td> - <td class="listlr" width="30%"><?php echo $revision; ?></td> - </tr> - <tr><td> </td></tr> - <tr> - <td><input name="lineid" type="hidden" value="<?=$lineid;?>"></td> - <td><input class="formbtn" value="Save" type="submit" name="editsave" id="editsave">   <input type="button" class="formbtn" value="Cancel" onclick="history.back()"></td> - </tr> - </table> - </form> - </td> - </tr> - </table> - </td> -</tr> +<?php include("head.inc");?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td class="tabcont"> + <form action="snort_rules_edit.php?id=<?=$id; ?>&openruleset=<?=$file; ?>&ids=<?=$ids; ?>" method="post"> + <?php if ($savemsg) print_info_box($savemsg);?> + <table width="100%" cellpadding='9' cellspacing='9' bgcolor='#eeeeee'> + <tr> + <td> + <input name="save" type="submit" class="formbtn" id="save" value="save" /> <input type="button" class="formbtn" value="Cancel" onclick="history.back()"> + <hr noshade="noshade" /> + <?=gettext("Disable original rule"); ?>: + <input id="highlighting_enabled" name="highlight2" type="radio" value="yes" <?php if($highlight == "yes") echo " checked=\"checked\""; ?> /> + <label for="highlighting_enabled"><?=gettext("Enabled"); ?></label> + <input id="highlighting_disabled" name="highlight2" type="radio" value="no"<?php if($highlight == "no") echo " checked=\"checked\""; ?> /> + <label for="highlighting_disabled"><?=gettext("Disabled"); ?></label> + </td> + </tr> + </table> + <table width='100%'> + <tr> + <td valign="top" class="label"> + <div style="background: #eeeeee;" id="textareaitem"> + <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="<?php echo $rows; ?>" cols="<?php echo $cols; ?>" name="code"><?php echo $tempstring;?></textarea> + </div> + </td> + </tr> + </table> + <table width='100%'> + <tr> + <td valign="top" class="label"> + <div style="background: #eeeeee;" id="textareaitem"> + <!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea disabled wrap="off" style="width: 98%; margin: 7px;" class="<?php echo $language; ?>:showcolumns" rows="33" cols="<?php echo $cols; ?>" name="code2"><?php echo $contents2;?></textarea> + </div> + </td> + </tr> + </table> + <?php // include("formend.inc");?> + </form> + </td> + </tr> </table> +<script class="javascript" src="/snort/syntaxhighlighter/shCore.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushCSharp.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushPhp.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushJScript.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushJava.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushVb.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushSql.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushXml.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushDelphi.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushPython.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushRuby.js"></script> +<script class="javascript" src="/snort/syntaxhighlighter/shBrushCss.js"></script> +<script class="javascript"> +<!-- + // Set focus. + document.forms[0].savetopath.focus(); + + // Append css for syntax highlighter. + var head = document.getElementsByTagName("head")[0]; + var linkObj = document.createElement("link"); + linkObj.setAttribute("type","text/css"); + linkObj.setAttribute("rel","stylesheet"); + linkObj.setAttribute("href","/snort/syntaxhighlighter/SyntaxHighlighter.css"); + head.appendChild(linkObj); + + // Activate dp.SyntaxHighlighter? + <?php + if($_POST['highlight'] == "yes") { + echo "dp.SyntaxHighlighter.HighlightAll('code', true, true);\n"; + // Disable 'Save' button. + echo "document.forms[0].Save.disabled = 1;\n"; + } +?> +//--> +</script> +<?php //include("fend.inc");?> -<?php include("fend.inc"); ?> -</div></body> -</html>
\ No newline at end of file +</body> +</html> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index d839ae7a..d232c097 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -3,6 +3,7 @@ /* snort_rulesets.php Copyright (C) 2006 Scott Ullrich + Copyright (C) 2009 Robert Zelaya All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,43 +29,68 @@ */ require("guiconfig.inc"); -require_once("service-utils.inc"); -require("/usr/local/pkg/snort.inc"); +//require_once("filter.inc"); +//require_once("service-utils.inc"); +include_once("/usr/local/pkg/snort/snort.inc"); +require_once("/usr/local/pkg/snort/snort_gui.inc"); -if(!is_dir("/usr/local/etc/snort/rules")) { - conf_mount_rw(); - exec('mkdir /usr/local/etc/snort/rules/'); - conf_mount_ro(); + +if (!is_array($config['installedpackages']['snortglobal']['rule'])) { + $config['installedpackages']['snortglobal']['rule'] = array(); +} + +//nat_rules_sort(); +$a_nat = &$config['installedpackages']['snortglobal']['rule']; + +$id = $_GET['id']; +if (isset($_POST['id'])) + $id = $_POST['id']; + + +if (isset($id) && $a_nat[$id]) { + + $pconfig['enable'] = $a_nat[$id]['enable']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['rulesets'] = $a_nat[$id]['rulesets']; } +/* convert fake interfaces to real */ +$if_real = convert_friendly_interface_to_real_interface_name2($pconfig['interface']); + + +$iface_uuid = $a_nat[$id]['uuid']; + +$pgtitle = "Snort: Interface $id $iface_uuid $if_real Categories"; + + /* Check if the rules dir is empy if so warn the user */ /* TODO give the user the option to delete the installed rules rules */ -$isrulesfolderempty = exec('ls -A /usr/local/etc/snort/rules/*.rules'); +$isrulesfolderempty = exec("ls -A /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/*.rules"); if ($isrulesfolderempty == "") { include("head.inc"); -include("fbegin.inc"); +include("./snort_fbegin.inc"); + +echo "<p class=\"pgtitle\">"; +if($pfsense_stable == 'yes'){echo $pgtitle;} +echo "</p>\n"; echo "<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\">"; -echo "<script src=\"/row_toggle.js\" type=\"text/javascript\"></script>\n -<script src=\"/javascript/sorttable.js\" type=\"text/javascript\"></script>\n +echo " <table width=\"99%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td>\n"; - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); echo "</td>\n </tr>\n @@ -74,7 +100,7 @@ echo "</td>\n <table id=\"maintable\" class=\"tabcont\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">\n <tr>\n <td>\n -# The rules directory is empty.\n +# The rules directory is empty. /usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules \n </td>\n </tr>\n </table>\n @@ -87,7 +113,7 @@ echo "</td>\n \n <p>\n\n"; -echo "Please click on the Update Rules tab to install your selected rule sets."; +echo "Please click on the Update Rules tab to install your selected rule sets. $isrulesfolderempty"; include("fend.inc"); echo "</body>"; @@ -97,66 +123,117 @@ exit(0); } -if($_POST) { + /* alert file */ +$d_snortconfdirty_path = "/var/run/snort_conf_{$iface_uuid}_{$if_real}.dirty"; + + /* this will exec when alert says apply */ + if ($_POST['apply']) { + + if (file_exists($d_snortconfdirty_path)) { + + write_config(); + + sync_snort_package_all($id, $if_real, $iface_uuid); + sync_snort_package(); + + unlink($d_snortconfdirty_path); + + } + + } + + if ($_POST["Submit"]) { $enabled_items = ""; $isfirst = true; + if (is_array($_POST['toenable'])) { foreach($_POST['toenable'] as $toenable) { if(!$isfirst) $enabled_items .= "||"; $enabled_items .= "{$toenable}"; $isfirst = false; } - $config['installedpackages']['snort']['rulesets'] = $enabled_items; + }else{ + $enabled_items = $_POST['toenable']; + } + $a_nat[$id]['rulesets'] = $enabled_items; + write_config(); - stop_service("snort"); - create_snort_conf(); - sleep(2); - start_service("snort"); - $savemsg = "The snort ruleset selections have been saved."; + + touch($d_snortconfdirty_path); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + sleep(2); + sync_snort_package_all($id, $if_real, $iface_uuid); + header("Location: /snort/snort_rulesets.php?id=$id"); + } -$enabled_rulesets = $config['installedpackages']['snort']['rulesets']; +$enabled_rulesets = $a_nat[$id]['rulesets']; if($enabled_rulesets) $enabled_rulesets_array = split("\|\|", $enabled_rulesets); -$pgtitle = "Snort: Categories"; include("head.inc"); ?> <body link="#000000" vlink="#000000" alink="#000000"> -<?php include("fbegin.inc"); ?> +<?php include("./snort_fbegin.inc"); ?> +<p class="pgtitle"><?php if($pfsense_stable == 'yes'){echo $pgtitle;}?></p> +<?php + +echo "<form action=\"snort_rulesets.php?id={$id}\" method=\"post\" name=\"iform\" id=\"iform\">"; + +?> <?php -if(!$pgtitle_output) - echo "<p class=\"pgtitle\"><?=$pgtitle?></p>"; + + /* Display message */ + + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + + if ($savemsg) { + print_info_box2($savemsg); + } + + if (file_exists($d_snortconfdirty_path)) { + echo '<p>'; + + if($savemsg) { + print_info_box_np2("{$savemsg}"); + }else{ + print_info_box_np2(' + The Snort configuration has changed and snort needs to be restarted on this interface.<br> + You must apply the changes in order for them to take effect.<br> + '); + } + } + ?> -<form action="snort_rulesets.php" method="post" name="iform" id="iform"> -<script src="/row_toggle.js" type="text/javascript"></script> -<script src="/javascript/sorttable.js" type="text/javascript"></script> -<?php if ($savemsg) print_info_box($savemsg); ?> <table width="99%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> <?php - $tab_array = array(); - $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0"); - $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php"); - $tab_array[] = array(gettext("Categories"), true, "/snort_rulesets.php"); - $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php"); - $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&id=0"); - $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php"); - $tab_array[] = array(gettext("Whitelist"), false, "/pkg.php?xml=snort_whitelist.xml"); - $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml"); - $tab_array[] = array(gettext("Alerts"), false, "/snort_alerts.php"); - $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0"); - display_top_tabs($tab_array); + $tab_array = array(); + $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php"); + $tab_array[] = array("If Settings", false, "/snort/snort_interfaces_edit.php?id={$id}"); + $tab_array[] = array("Categories", true, "/snort/snort_rulesets.php?id={$id}"); + $tab_array[] = array("Rules", false, "/snort/snort_rules.php?id={$id}"); + $tab_array[] = array("Servers", false, "/snort/snort_define_servers.php?id={$id}"); + $tab_array[] = array("Preprocessors", false, "/snort/snort_preprocessors.php?id={$id}"); + $tab_array[] = array("Barnyard2", false, "/snort/snort_barnyard.php?id={$id}"); + display_top_tabs($tab_array); ?> - </td> - </tr> - <tr> - <td> + </td> + </tr> + <tr> + <td> <div id="mainarea"> <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> @@ -168,7 +245,7 @@ if(!$pgtitle_output) <!-- <td class="listhdrr">Description</td> --> </tr> <?php - $dir = "/usr/local/etc/snort/rules/"; + $dir = "/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/"; $dh = opendir($dir); while (false !== ($filename = readdir($dh))) { $files[] = $filename; @@ -177,7 +254,7 @@ if(!$pgtitle_output) foreach($files as $file) { if(!stristr($file, ".rules")) continue; - echo "<tr>"; + echo "<tr>\n"; echo "<td align=\"center\" valign=\"top\">"; if(is_array($enabled_rulesets_array)) if(in_array($file, $enabled_rulesets_array)) { @@ -187,11 +264,11 @@ if(!$pgtitle_output) } else $CHECKED = ""; - echo " <input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />"; - echo "</td>"; - echo "<td>"; - echo "<a href='snort_rules.php?openruleset=/usr/local/etc/snort/rules/" . urlencode($file) . "'>{$file}</a>"; - echo "</td>"; + echo " \n<input type='checkbox' name='toenable[]' value='$file' {$CHECKED} />\n"; + echo "</td>\n"; + echo "<td>\n"; + echo "<a href='snort_rules.php?id={$id}&openruleset=/usr/local/etc/snort/snort_{$iface_uuid}_{$if_real}/rules/" . urlencode($file) . "'>{$file}</a>\n"; + echo "</td>\n</tr>\n\n"; //echo "<td>"; //echo "description"; //echo "</td>"; @@ -204,7 +281,7 @@ if(!$pgtitle_output) <tr><td> </td></tr> <tr><td>Check the rulesets that you would like Snort to load at startup.</td></tr> <tr><td> </td></tr> - <tr><td><input value="Save" type="submit" name="save" id="save" /></td></tr> + <tr><td><input value="Save" type="submit" name="Submit" id="Submit" /></td></tr> </table> </div> </td> @@ -227,4 +304,4 @@ if(!$pgtitle_output) } -?>
\ No newline at end of file +?> diff --git a/config/snort/snort_whitelist.xml b/config/snort/snort_whitelist.xml index 42769e4e..d98f83fa 100644 --- a/config/snort/snort_whitelist.xml +++ b/config/snort/snort_whitelist.xml @@ -45,52 +45,40 @@ <description>Describe your package here</description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> - <name>snort-whitelist</name> + <name>snortglobal</name> <version>0.1.0</version> <title>Snort: Whitelist</title> - <include_file>/usr/local/pkg/snort.inc</include_file> + <include_file>/usr/local/pkg/snort/snort.inc</include_file> <!-- Menu is where this packages menu will appear --> <tabs> <tab> - <text>Settings</text> - <url>/pkg_edit.php?xml=snort.xml&id=0</url> + <text>Snort Interfaces</text> + <url>/snort/snort_interfaces.php</url> </tab> <tab> - <text>Update Rules</text> - <url>/snort_download_rules.php</url> + <text>Global Settings</text> + <url>/snort/snort_interfaces_global.php</url> </tab> <tab> - <text>Categories</text> - <url>/snort_rulesets.php</url> + <text>Rule Updates</text> + <url>/snort/snort_download_rules.php</url> </tab> <tab> - <text>Rules</text> - <url>/snort_rules.php</url> - </tab> - <tab> - <text>Servers</text> - <url>/pkg_edit.php?xml=snort_define_servers.xml&id=0</url> + <text>Alerts</text> + <url>/snort/snort_alerts.php</url> </tab> <tab> <text>Blocked</text> - <url>/snort_blocked.php</url> + <url>/snort/snort_blocked.php</url> </tab> <tab> <text>Whitelist</text> - <url>/pkg.php?xml=snort_whitelist.xml</url> + <url>/pkg.php?xml=/snort/snort_whitelist.xml</url> <active/> </tab> <tab> - <text>Threshold</text> - <url>/pkg.php?xml=snort_threshold.xml</url> - </tab> - <tab> - <text>Alerts</text> - <url>/snort_alerts.php</url> - </tab> - <tab> - <text>Advanced</text> - <url>/pkg_edit.php?xml=snort_advanced.xml&id=0</url> + <text>Help Info</text> + <url>/snort/snort_help_info.php</url> </tab> </tabs> <adddeleteeditpagefields> @@ -124,6 +112,6 @@ <custom_delete_php_command> </custom_delete_php_command> <custom_php_resync_config_command> - create_snort_conf(); + sync_snort_package_empty(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/pkg_config.7.xml b/pkg_config.7.xml index 51184854..b4563e46 100755 --- a/pkg_config.7.xml +++ b/pkg_config.7.xml @@ -329,10 +329,10 @@ <configurationfile>vhosts.xml</configurationfile> </package> <package> - <name>snort</name> + <name>snort-old</name> <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink> <website>http://www.snort.org</website> - <descr>Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more.</descr> + <descr>WARNING: This is the old snort package. A few current snort.org rules are not supported in this package. This package will not be supported in Pfsense 2.0.</descr> <category>Security</category> <depends_on_package_base_url>http://files.pfsense.org/packages/70/All/</depends_on_package_base_url> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> @@ -340,30 +340,30 @@ <depends_on_package>perl-5.8.9_3.tbz</depends_on_package> <depends_on_package>mysql-client-5.1.34.tbz</depends_on_package> <depends_on_package>snort-2.8.4.1_1.tbz</depends_on_package> - <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file> + <config_file>http://www.pfsense.com/packages/config/snort-old/snort.xml</config_file> <version>2.8.4.1_5 pkg v.1.7</version> <required_version>1.2.2</required_version> - <status>Stable</status> + <status>legacy</status> <configurationfile>snort.xml</configurationfile> <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info> </package> <package> - <name>snort-dev</name> + <name>snort</name> <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink> <website>http://www.snort.org</website> - <descr>WARNING: This is the final RC before release.</descr> + <descr>Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more.</descr> <category>Security</category> - <depends_on_package_base_url>http://www.pfsense.com/packages/config/snort-dev/bin/7.2.x86/</depends_on_package_base_url> + <depends_on_package_base_url>http://www.pfsense.com/packages/config/snort/bin/7.2.x86/</depends_on_package_base_url> <depends_on_package>pcre-8.00.tbz</depends_on_package> <depends_on_package>perl-5.10.1.tbz</depends_on_package> <depends_on_package>mysql-client-5.1.44_1.tbz</depends_on_package> <depends_on_package>snort-2.8.5.3.tbz</depends_on_package> - <config_file>http://www.pfsense.com/packages/config/snort-dev/snort.xml</config_file> - <version>2.8.5.3 pkg v. 1.18</version> + <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file> + <version>2.8.5.3 pkg v. 1.19</version> <required_version>1.2.3</required_version> - <status>RC</status> + <status>Stable</status> <configurationfile>/snort.xml</configurationfile> - <after_install_info>This is the Snort-dev branch and is stable as of RC.</after_install_info> + <after_install_info>This is the Snort branch and is stable.</after_install_info> </package> <package> <name>siproxd</name> diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 4dc116d0..b92e2262 100755 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -239,36 +239,17 @@ <website>http://www.snort.org</website> <descr>Used by fortune 500 companies and goverments Snort is the most widely deployed IDS/IPS technology worldwide. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more.</descr> <category>Security</category> - <depends_on_package_base_url>http://files.pfsense.org/packages/70/All/</depends_on_package_base_url> - <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> - <depends_on_package>pcre-7.9.tbz</depends_on_package> - <depends_on_package>perl-5.8.9_3.tbz</depends_on_package> - <depends_on_package>mysql-client-5.1.34.tbz</depends_on_package> - <depends_on_package>snort-2.8.4.1_1.tbz</depends_on_package> - <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file> - <version>2.8.4.1_4 pkg v.1.7</version> - <required_version>3.0</required_version> - <status>Stable</status> - <configurationfile>snort.xml</configurationfile> - <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info> - </package> - <package> - <name>snort-dev</name> - <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink> - <website>http://www.snort.org</website> - <descr>WARNING: This is the final RC before release.</descr> - <category>Security</category> - <depends_on_package_base_url>http://www.pfsense.com/packages/config/snort-dev/bin/8.0.x86/</depends_on_package_base_url> + <depends_on_package_base_url>http://www.pfsense.com/packages/config/snort/bin/8.0.x86/</depends_on_package_base_url> <depends_on_package>pcre-8.00.tbz</depends_on_package> <depends_on_package>perl-5.10.1.tbz</depends_on_package> <depends_on_package>mysql-client-5.1.45.tbz</depends_on_package> <depends_on_package>snort-2.8.5.3.tbz</depends_on_package> - <config_file>http://www.pfsense.com/packages/config/snort-dev/snort.xml</config_file> - <version>2.8.5.3 pkg v. 1.18</version> + <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file> + <version>2.8.5.3 pkg v. 1.19</version> <required_version>2.0</required_version> - <status>RC</status> + <status>Stable</status> <configurationfile>/snort.xml</configurationfile> - <after_install_info>This is the Snort-dev branch and is stable as of RC.</after_install_info> + <after_install_info>This is the Snort branch and is stable.</after_install_info> </package> <package> <name>spamd</name> |