aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xconfig/snort/snort.inc116
-rwxr-xr-xconfig/snort/snort_alerts.php112
-rw-r--r--config/snort/snort_blocked.php21
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php2
-rw-r--r--config/snort/snort_migrate_config.php38
-rw-r--r--config/snort/snort_post_install.php43
-rwxr-xr-xconfig/snort/snort_rules.php320
-rwxr-xr-xconfig/snort/snort_rules_edit.php7
8 files changed, 452 insertions, 207 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 52aaed2a..d983d995 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -5,7 +5,7 @@
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2009-2010 Robert Zelaya
* Copyright (C) 2011-2012 Ermal Luci
- * Copyright (C) 2013 Bill Meeks
+ * Copyright (C) 2013,2014 Bill Meeks
* part of pfSense
* All rights reserved.
*
@@ -1739,34 +1739,32 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) {
}
}
-function snort_load_sid_mods($sids, $value) {
+function snort_load_sid_mods($sids) {
/*****************************************/
/* This function parses the string of */
- /* SID values in $sids and returns an */
- /* array with the SID as the key and */
- /* value. The SID values in $sids are */
+ /* GID:SID values in $sids and returns */
+ /* an array with the GID and SID as the */
+ /* keys. The values in $sids are */
/* assumed to be delimited by "||". */
/* */
- /* $sids ==> string of SID values from */
- /* saved config file. */
+ /* $sids ==> string of GID:SID values */
+ /* from the config file. */
/* */
- /* $value ==> type of mod (enable or */
- /* disable). Not currently */
- /* utilized, but maintained */
- /* so as not to break legacy */
- /* code elsewhere. */
+ /* Returns ==> a multidimensional array */
+ /* with GID and SID as the */
+ /* keys ($result[GID][SID]) */
/*****************************************/
$result = array();
- if (empty($sids) || empty($value))
+ if (empty($sids))
return $result;
$tmp = explode("||", $sids);
foreach ($tmp as $v) {
- if (preg_match('/\s\d+/', $v, $match)) {
- if (!is_array($result[trim($match[0])]))
- $result[trim($match[0])] = array();
- $result[trim($match[0])] = trim($match[0]);
+ if (preg_match('/(\d+)\s*:\s*(\d+)/', $v, $match)) {
+ if (!is_array($result[$match[1]]))
+ $result[$match[1]] = array();
+ $result[$match[1]][$match[2]] = "{$match[1]}:{$match[2]}";
}
}
unset($tmp);
@@ -1791,15 +1789,15 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
/* Load up our enablesid and disablesid */
/* arrays with lists of modified SIDs */
- $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on'], "enablesid");
- $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off'], "disablesid");
+ $enablesid = snort_load_sid_mods($snortcfg['rule_sid_on']);
+ $disablesid = snort_load_sid_mods($snortcfg['rule_sid_off']);
/* Turn on any rules that need to be */
/* forced "on" with enablesid mods. */
if (!empty($enablesid)) {
foreach ($rule_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $enablesid) && $v['disabled'] == 1) {
+ if (isset($enablesid[$k1][$k2]) && $v['disabled'] == 1) {
$rule_map[$k1][$k2]['rule'] = ltrim($v['rule'], " \t#");
$rule_map[$k1][$k2]['disabled'] = 0;
}
@@ -1812,7 +1810,7 @@ function snort_modify_sids(&$rule_map, $snortcfg) {
if (!empty($disablesid)) {
foreach ($rule_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- if (in_array($k2, $disablesid) && $v['disabled'] == 0) {
+ if (isset($disablesid[$k1][$k2]) && $v['disabled'] == 0) {
$rule_map[$k1][$k2]['rule'] = "# " . $v['rule'];
$rule_map[$k1][$k2]['disabled'] = 1;
}
@@ -2209,12 +2207,13 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* to be written. */
/***********************************************************/
- global $rebuild_rules;
+ global $g, $rebuild_rules;
$snortdir = SNORTDIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
$snort_enforcing_rules_file = ENFORCING_RULES_FILENAME;
$no_rules_defined = true;
+ $enabled_rules = array();
/* If there is no reason to rebuild the rules, exit to save time. */
if (!$rebuild_rules)
@@ -2223,14 +2222,37 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Log a message for rules rebuild in progress */
log_error(gettext("[Snort] Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+ /* Enable all, some or none of the SDF rules depending on setting. */
+ if ($snortcfg['sensitive_data'] == 'on' && $snortcfg['protect_preproc_rules'] != 'on') {
+ if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")) {
+ $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
+ $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
+ $sd_tmp_new_file="";
+ foreach ($sd_tmp_file as $sd_tmp_line)
+ $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
+ file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
+ }
+ }
+ elseif ($snortcfg['sensitive_data'] != 'on' && $snortcfg['protect_preproc_rules'] != 'on') {
+ /* Setting is "off", so disable all SDF rules. */
+ $sedcmd = '/^alert.*classtype:sdf/s/^/#/';
+ @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
+ mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/sensitive-data.rules");
+ @unlink("{$g['tmp_path']}/sedcmd");
+ }
+
+ /* Load the decoder, preprocessor and sensitive-data */
+ /* rules from the interface's preproc_rule directory */
+ /* into the $enabled_rules array. */
+ $enabled_rules = snort_load_rules_map("{$snortcfgdir}/preproc_rules/");
+
/* Only rebuild rules if some are selected or an IPS Policy is enabled */
if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') {
- $enabled_rules = array();
$enabled_files = array();
$all_rules = array();
$no_rules_defined = false;
- /* Load up all the rules into a Rules Map array. */
+ /* Load up all the text rules into a Rules Map array. */
$all_rules = snort_load_rules_map("{$snortdir}/rules/");
/* Create an array with the filenames of the enabled */
@@ -2320,7 +2342,8 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Just put an empty file to always have the file present */
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
} else {
- snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
+ /* No regular rules or policy were selected, so just use the decoder and preproc rules */
+ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
}
@@ -2333,7 +2356,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Log a warning if the interface has no rules defined or enabled */
if ($no_rules_defined)
- log_error(gettext("[Snort] Warning - no text rules selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+ log_error(gettext("[Snort] Warning - no text rules or IPS-Policy selected for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
/* Build a new sid-msg.map file from the enabled */
/* rules and copy it to the interface directory. */
@@ -3219,43 +3242,9 @@ EOD;
$snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n";
if (file_exists("{$snortcfgdir}/classification.config"))
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
- if (is_dir("{$snortcfgdir}/preproc_rules")) {
- if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
- $sedcmd = '/^#alert.*classtype:sdf/s/^#//';
- if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
- #enable only selected sensitive data
- if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
- $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
- $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
- $sd_tmp_new_file="";
- foreach ($sd_tmp_file as $sd_tmp_line)
- $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
- file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
- }
- }
- } else
- $sedcmd = '/^alert.*classtype:sdf/s/^/#/';
- if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
- @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
- mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
- mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
- @unlink("{$g['tmp_path']}/sedcmd");
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- }
- else {
- $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
- }
- } else {
+ if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.");
}
/* generate rule sections to load */
@@ -3673,9 +3662,8 @@ EOD;
ipvar HOME_NET [{$home_net}]
ipvar EXTERNAL_NET [{$external_net}]
-# Define Rule Paths #
+# Define Rule Path #
var RULE_PATH {$snortcfgdir}/rules
-var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
# Define Servers #
{$ipvardef}
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index f232f897..804c6e8a 100755
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -7,6 +7,7 @@
* Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
* Copyright (C) 2006 Scott Ullrich
* Copyright (C) 2012 Ermal Luci
+ * Copyright (C) 2013,2014 Bill Meeks
* All rights reserved.
*
* Modified for the Pfsense snort package v. 1.8+
@@ -141,6 +142,14 @@ $a_instance = &$config['installedpackages']['snortglobal']['rule'];
$snort_uuid = $a_instance[$instanceid]['uuid'];
$if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
+// Load up the arrays of force-enabled and force-disabled SIDs
+$enablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_on']);
+$disablesid = snort_load_sid_mods($a_instance[$instanceid]['rule_sid_off']);
+
+// Grab pfSense version so we can refer to it later on this page
+$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
+
+$pconfig = array();
if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) {
$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'];
$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'];
@@ -215,6 +224,64 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip")
$input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!");
}
+if ($_GET['act'] == "togglesid" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) {
+ // Get the GID tag embedded in the clicked rule icon.
+ $gid = $_GET['gen_id'];
+
+ // Get the SID tag embedded in the clicked rule icon.
+ $sid= $_GET['sidid'];
+
+ // See if the target SID is in our list of modified SIDs,
+ // and toggle it if present.
+ if (isset($enablesid[$gid][$sid]))
+ unset($enablesid[$gid][$sid]);
+ if (isset($disablesid[$gid][$sid]))
+ unset($disablesid[$gid][$sid]);
+ elseif (!isset($disablesid[$gid][$sid]))
+ $disablesid[$gid][$sid] = "disablesid";
+
+ // Write the updated enablesid and disablesid values to the config file.
+ $tmp = "";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
+ }
+ $tmp = rtrim($tmp, "||");
+
+ if (!empty($tmp))
+ $a_instance[$instanceid]['rule_sid_on'] = $tmp;
+ else
+ unset($a_instance[$instanceid]['rule_sid_on']);
+
+ $tmp = "";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
+ }
+ $tmp = rtrim($tmp, "||");
+
+ if (!empty($tmp))
+ $a_instance[$instanceid]['rule_sid_off'] = $tmp;
+ else
+ unset($a_instance[$instanceid]['rule_sid_off']);
+
+ /* Update the config.xml file. */
+ write_config();
+
+ /*************************************************/
+ /* Update the snort.conf file and rebuild the */
+ /* rules for this interface. */
+ /*************************************************/
+ $rebuild_rules = true;
+ snort_generate_conf($a_instance[$instanceid]);
+ $rebuild_rules = false;
+
+ /* Soft-restart Snort to live-load the new rules */
+ snort_reload_config($a_instance[$instanceid]);
+
+ $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Snort is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules.");
+}
+
if ($_GET['action'] == "clear" || $_POST['delete']) {
snort_post_delete_logs($snort_uuid);
$fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+");
@@ -264,16 +331,14 @@ include_once("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-
+<script src="/javascript/filter_log.js" type="text/javascript"></script>
<?php
include_once("fbegin.inc");
/* refresh every 60 secs */
if ($pconfig['arefresh'] == 'on')
echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php?instance={$instanceid}\" />\n";
-?>
-
-<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
+if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
/* Display Alert message */
if ($input_errors) {
print_input_errors($input_errors); // TODO: add checks
@@ -403,10 +468,17 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
$alert_ip_src = $fields[6];
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_src = str_replace(":", ":&#8203;", $alert_ip_src);
- /* Add Reverse DNS lookup icon */
- $alert_ip_src .= "<br/><a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>";
+ /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */
+ $alert_ip_src .= "<br/>";
+ if ($pfs_version > 2.0) {
+ $alert_ip_src .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[6]}&dialog_output=true', outputrule);\">";
+ $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' ";
+ $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a>&nbsp;";
+ }
+ $alert_ip_src .= "<a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>";
$alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' ";
$alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>";
+
/* Add icons for auto-adding to Suppress List if appropriate */
if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) &&
!isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) {
@@ -421,7 +493,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
/* Add icon for auto-removing from Blocked Table if required */
if (isset($tmpblocked[$fields[6]])) {
$alert_ip_src .= "&nbsp;";
- $alert_ip_src .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'>
+ $alert_ip_src .= "<a href='?instance={$instanceid}&todelete=" . trim(urlencode($fields[6])) . "'>
<img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>";
}
/* IP SRC Port */
@@ -430,8 +502,14 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
$alert_ip_dst = $fields[8];
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_dst = str_replace(":", ":&#8203;", $alert_ip_dst);
- /* Add Reverse DNS lookup icon */
- $alert_ip_dst .= "<br/><a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>";
+ /* Add Reverse DNS lookup icons (two different links if pfSense version supports them) */
+ $alert_ip_dst .= "<br/>";
+ if ($pfs_version > 2.0) {
+ $alert_ip_dst .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[8]}&dialog_output=true', outputrule);\">";
+ $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' ";
+ $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a>&nbsp;";
+ }
+ $alert_ip_dst .= "<a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>";
$alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' ";
$alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>";
/* Add icons for auto-adding to Suppress List if appropriate */
@@ -448,7 +526,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
/* Add icon for auto-removing from Blocked Table if required */
if (isset($tmpblocked[$fields[8]])) {
$alert_ip_dst .= "&nbsp;";
- $alert_ip_dst .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'>
+ $alert_ip_dst .= "<a href='?instance={$instanceid}&todelete=" . trim(urlencode($fields[8])) . "'>
<img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>";
}
/* IP DST Port */
@@ -464,6 +542,18 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
$sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' ";
$sidsupplink .= "title='" . gettext("This alert is already in the Suppress List") . "'/>";
}
+ /* Add icon for toggling rule state */
+ if (isset($disablesid[$fields[1]][$fields[2]])) {
+ $sid_dsbl_link = "<a href='?instance={$instanceid}&act=togglesid&sidid={$fields[2]}&gen_id={$fields[1]}'>";
+ $sid_dsbl_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_block_d.gif' width='11' height='11' border='0' ";
+ $sid_dsbl_link .= "title='" . gettext("Rule is forced to a disabled state. Click to remove the force-disable action.") . "'></a>";
+ }
+ else {
+ $sid_dsbl_link = "<a href='?instance={$instanceid}&act=togglesid&sidid={$fields[2]}&gen_id={$fields[1]}'>";
+ $sid_dsbl_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_block.gif' width='11' height='11' border='0' ";
+ $sid_dsbl_link .= "title='" . gettext("Click to force-disable rule and remove from current rules set.") . "'></a>";
+ }
+ /* DESCRIPTION */
$alert_class = $fields[11];
echo "<tr>
@@ -475,7 +565,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
<td class='listr' align='center'>{$alert_src_p}</td>
<td class='listr' align='center'>{$alert_ip_dst}</td>
<td class='listr' align='center'>{$alert_dst_p}</td>
- <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink}</td>
+ <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink}&nbsp;&nbsp;{$sid_dsbl_link}</td>
<td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td>
</tr>\n";
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 8d106a90..4fc470d3 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -7,6 +7,7 @@
*
* Modified for the Pfsense snort package v. 1.8+
* Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2014 Bill Meeks
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
@@ -33,6 +34,9 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
+// Grab pfSense version so we can refer to it later on this page
+$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
+
if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
$config['installedpackages']['snortglobal']['alertsblocks'] = array();
@@ -127,6 +131,7 @@ include_once("head.inc");
?>
<body link="#000000" vlink="#000000" alink="#000000">
+<script src="/javascript/filter_log.js" type="text/javascript"></script>
<?php
@@ -260,19 +265,25 @@ if ($pconfig['brefresh'] == 'on')
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$tmp_ip = str_replace(":", ":&#8203;", $blocked_ip);
-
+ /* Add reverse DNS lookup icons (two different links if pfSense version supports them) */
+ $rdns_link = "";
+ if ($pfs_version > 2.0) {
+ $rdns_link .= "<a onclick=\"javascript:getURL('/diag_dns.php?host={$blocked_ip}&dialog_output=true', outputrule);\">";
+ $rdns_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' ";
+ $rdns_link .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a>&nbsp;";
+ }
+ $rdns_link .= "<a href='/diag_dns.php?host={$blocked_ip}'>";
+ $rdns_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' ";
+ $rdns_link .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>";
/* use one echo to do the magic*/
echo "<tr>
<td align=\"center\" valign=\"middle\" class=\"listr\">{$counter}</td>
- <td valign=\"middle\" class=\"listr\">{$tmp_ip}&nbsp;<a href='/diag_dns.php?host={$blocked_ip}'>
- <img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0'
- title='" . gettext("Resolve host via reverse DNS lookup") . "'></a></td>
+ <td align=\"center\" valign=\"middle\" class=\"listr\">{$tmp_ip}<br/>{$rdns_link}</td>
<td valign=\"middle\" class=\"listr\">{$blocked_desc}</td>
<td align=\"center\" valign=\"middle\" class=\"listr\"><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'>
<img title=\"" . gettext("Delete host from Blocked Table") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete host from Blocked Table\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td>
</tr>\n";
}
-
}
?>
</tbody>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index 807b7844..0306c90d 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -34,7 +34,7 @@ require_once("functions.inc");
require_once("service-utils.inc");
require_once "/usr/local/pkg/snort/snort.inc";
-global $g, $pkg_interface, $snort_gui_include, $rebuild_rules;
+global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules;
if (!defined("VRT_DNLD_URL"))
define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index 61989e99..1a812b24 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -1,8 +1,8 @@
<?php
/*
- * snort_migrate_config.inc
+ * snort_migrate_config.php
*
- * Copyright (C) 2013 Bill Meeks
+ * Copyright (C) 2013, 2014 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -288,6 +288,40 @@ foreach ($rule as &$r) {
}
}
+ // Change any ENABLE_SID settings to new format of GID:SID
+ if (!empty($pconfig['rule_sid_on'])) {
+ $tmp = explode("||", $pconfig['rule_sid_on']);
+ $new_tmp = "";
+ foreach ($tmp as $v) {
+ if (strpos($v, ":") === false) {
+ if (preg_match('/(\d+)/', $v, $match))
+ $new_tmp .= "1:{$match[1]}||";
+ }
+ }
+ $new_tmp = rtrim($new_tmp, " ||");
+ if (!empty($new_tmp)) {
+ $pconfig['rule_sid_on'] = $new_tmp;
+ $updated_cfg = true;
+ }
+ }
+
+ // Change any DISABLE_SID settings to new format of GID:SID
+ if (!empty($pconfig['rule_sid_off'])) {
+ $tmp = explode("||", $pconfig['rule_sid_off']);
+ $new_tmp = "";
+ foreach ($tmp as $v) {
+ if (strpos($v, ":") === false) {
+ if (preg_match('/(\d+)/', $v, $match))
+ $new_tmp .= "1:{$match[1]}||";
+ }
+ }
+ $new_tmp = rtrim($new_tmp, " ||");
+ if (!empty($new_tmp)) {
+ $pconfig['rule_sid_off'] = $new_tmp;
+ $updated_cfg = true;
+ }
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index 003628be..a3c8eced 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -793,43 +793,9 @@ EOD;
$snort_misc_include_rules .= "include {$snortcfgdir}/reference.config\n";
if (file_exists("{$snortcfgdir}/classification.config"))
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
- if (is_dir("{$snortcfgdir}/preproc_rules")) {
- if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
- $sedcmd = '/^#alert.*classtype:sdf/s/^#//';
- if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")){
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
- #enable only selected sensitive data
- if (file_exists(SNORTDIR."/preproc_rules/sensitive-data.rules")){
- $sdf_alert_pattern="(".preg_replace("/,/","|",$snortcfg['sdf_alert_data_type']).")";
- $sd_tmp_file=file(SNORTDIR."/preproc_rules/sensitive-data.rules");
- $sd_tmp_new_file="";
- foreach ($sd_tmp_file as $sd_tmp_line)
- $sd_tmp_new_file.=preg_match("/$sdf_alert_pattern/i",$sd_tmp_line) ? $sd_tmp_line : "";
- file_put_contents("{$snortcfgdir}/preproc_rules/sensitive-data.rules",$sd_tmp_new_file,LOCK_EX);
- }
- }
- } else
- $sedcmd = '/^alert.*classtype:sdf/s/^/#/';
- if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
- @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
- mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
- mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
- @unlink("{$g['tmp_path']}/sedcmd");
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
- $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- }
- else {
- $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
- }
- } else {
+ if (!file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") || !file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
- log_error("[Snort] Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
+ log_error("[Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.");
}
/* generate rule sections to load */
@@ -1249,7 +1215,6 @@ ipvar EXTERNAL_NET [{$external_net}]
# Define Rule Paths #
var RULE_PATH {$snortcfgdir}/rules
-var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules
# Define Servers #
{$ipvardef}
@@ -1403,13 +1368,13 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
update_status(gettext("Saved settings detected..."));
/* Do one-time settings migration for new multi-engine configurations */
update_output_window(gettext("Please wait... migrating settings to new multi-engine configuration..."));
- include "/usr/local/pkg/snort/snort_migrate_config.php";
+ include('/usr/local/pkg/snort/snort_migrate_config.php');
update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
log_error(gettext("[Snort] Downloading and updating configured rule types..."));
update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
if ($pkg_interface <> "console")
$snort_gui_include = true;
- include "/usr/local/pkg/snort/snort_check_for_rule_updates.php";
+ include('/usr/local/pkg/snort/snort_check_for_rule_updates.php');
update_status(gettext("Generating snort.conf configuration file from saved settings..."));
$rebuild_rules = true;
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index a82d81d2..71fdbd16 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -5,6 +5,7 @@
* Copyright (C) 2004, 2005 Scott Ullrich
* Copyright (C) 2008, 2009 Robert Zelaya
* Copyright (C) 2011 Ermal Luci
+ * Copyright (C) 2013, 2014 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -29,7 +30,6 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
-
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
@@ -51,7 +51,6 @@ if (is_null($id)) {
}
if (isset($id) && $a_rule[$id]) {
- $pconfig['enable'] = $a_rule[$id]['enable'];
$pconfig['interface'] = $a_rule[$id]['interface'];
$pconfig['rulesets'] = $a_rule[$id]['rulesets'];
if (!empty($a_rule[$id]['customrules']))
@@ -109,8 +108,20 @@ $snort_uuid = $a_rule[$id]['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
$emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats'];
+$etprodownload = $config['installedpackages']['snortglobal']['emergingthreats_pro'];
$categories = explode("||", $pconfig['rulesets']);
+// add the standard rules files to the categories list
+$categories[] = "custom.rules";
+$categories[] = "decoder.rules";
+$categories[] = "preprocessor.rules";
+$categories[] = "sensitive-data.rules";
+if (!empty($a_rule[$id]['ips_policy']))
+ $categories[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']);
+if ($a_rule[$id]['autoflowbitrules'] == 'on')
+ $categories[] = "Auto-Flowbit Rules";
+natcasesort($categories);
+
if ($_GET['openruleset'])
$currentruleset = $_GET['openruleset'];
else if ($_POST['openruleset'])
@@ -118,13 +129,6 @@ else if ($_POST['openruleset'])
else
$currentruleset = $categories[0];
-if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) {
- if (!empty($a_rule[$id]['ips_policy']))
- $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']);
- else
- $currentruleset = "custom.rules";
-}
-
/* One last sanity check -- if the rules directory is empty, default to loading custom rules */
$tmp = glob("{$snortdir}/rules/*.rules");
if (empty($tmp))
@@ -136,58 +140,66 @@ if ($currentruleset != 'custom.rules') {
// Read the current rules file into our rules map array.
// If it is the auto-flowbits file, set the full path.
if ($currentruleset == "Auto-Flowbit Rules")
- $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME;
+ $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME);
// Test for the special case of an IPS Policy file.
- if (substr($currentruleset, 0, 10) == "IPS Policy")
+ elseif (substr($currentruleset, 0, 10) == "IPS Policy")
$rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']);
- elseif (!file_exists($rulefile))
- $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.");
- else
+ // Test for preproc_rules file and set the full path.
+ elseif (file_exists("{$snortdir}/preproc_rules/{$currentruleset}"))
+ $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$currentruleset}");
+ // Test for existence of regular text rules file and load it.
+ elseif (file_exists($rulefile))
$rules_map = snort_load_rules_map($rulefile);
+ else
+ $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.");
}
/* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */
-$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on'], "enablesid");
-$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off'], "disablesid");
+$enablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_on']);
+$disablesid = snort_load_sid_mods($a_rule[$id]['rule_sid_off']);
if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) {
+ // Get the GID tag embedded in the clicked rule icon.
+ $gid = $_GET['gid'];
+
// Get the SID tag embedded in the clicked rule icon.
$sid= $_GET['ids'];
// See if the target SID is in our list of modified SIDs,
- // and toggle it if present; otherwise, add it to the
- // appropriate list.
- if (isset($enablesid[$sid])) {
- unset($enablesid[$sid]);
- if (!isset($disablesid[$sid]))
- $disablesid[$sid] = "disablesid";
- }
- elseif (isset($disablesid[$sid])) {
- unset($disablesid[$sid]);
- if (!isset($enablesid[$sid]))
- $enablesid[$sid] = "enablesid";
- }
+ // and toggle it back to default if present; otherwise,
+ // add it to the appropriate modified SID list.
+ if (isset($enablesid[$gid][$sid]))
+ unset($enablesid[$gid][$sid]);
+ elseif (isset($disablesid[$gid][$sid]))
+ unset($disablesid[$gid][$sid]);
else {
- if ($rules_map[1][$sid]['disabled'] == 1)
- $enablesid[$sid] = "enablesid";
+ if ($rules_map[$gid][$sid]['disabled'] == 1)
+ $enablesid[$gid][$sid] = "enablesid";
else
- $disablesid[$sid] = "disablesid";
+ $disablesid[$gid][$sid] = "disablesid";
}
// Write the updated enablesid and disablesid values to the config file.
$tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_on'] = $tmp;
else
unset($a_rule[$id]['rule_sid_on']);
+
$tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_off'] = $tmp;
else
@@ -197,7 +209,7 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) {
write_config();
$_GET['openruleset'] = $currentruleset;
- $anchor = "rule_{$sid}";
+ $anchor = "rule_{$gid}_{$sid}";
}
if ($_GET['act'] == "disable_all" && !empty($rules_map)) {
@@ -205,28 +217,37 @@ if ($_GET['act'] == "disable_all" && !empty($rules_map)) {
// Mark all rules in the currently selected category "disabled".
foreach (array_keys($rules_map) as $k1) {
foreach (array_keys($rules_map[$k1]) as $k2) {
- if (isset($enablesid[$k2]))
- unset($enablesid[$k2]);
- $disablesid[$k2] = "disablesid";
+ if (isset($enablesid[$k1][$k2]))
+ unset($enablesid[$k1][$k2]);
+ $disablesid[$k1][$k2] = "disablesid";
}
}
+
// Write the updated enablesid and disablesid values to the config file.
$tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_on'] = $tmp;
else
unset($a_rule[$id]['rule_sid_on']);
+
$tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_off'] = $tmp;
else
unset($a_rule[$id]['rule_sid_off']);
+
write_config();
$_GET['openruleset'] = $currentruleset;
@@ -239,28 +260,36 @@ if ($_GET['act'] == "enable_all" && !empty($rules_map)) {
// Mark all rules in the currently selected category "enabled".
foreach (array_keys($rules_map) as $k1) {
foreach (array_keys($rules_map[$k1]) as $k2) {
- if (isset($disablesid[$k2]))
- unset($disablesid[$k2]);
- $enablesid[$k2] = "enablesid";
+ if (isset($disablesid[$k1][$k2]))
+ unset($disablesid[$k1][$k2]);
+ $enablesid[$k1][$k2] = "enablesid";
}
}
// Write the updated enablesid and disablesid values to the config file.
$tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_on'] = $tmp;
else
unset($a_rule[$id]['rule_sid_on']);
+
$tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_off'] = $tmp;
else
unset($a_rule[$id]['rule_sid_off']);
+
write_config();
$_GET['openruleset'] = $currentruleset;
@@ -273,30 +302,38 @@ if ($_GET['act'] == "resetcategory" && !empty($rules_map)) {
// Reset any modified SIDs in the current rule category to their defaults.
foreach (array_keys($rules_map) as $k1) {
foreach (array_keys($rules_map[$k1]) as $k2) {
- if (isset($enablesid[$k2]))
- unset($enablesid[$k2]);
- if (isset($disablesid[$k2]))
- unset($disablesid[$k2]);
+ if (isset($enablesid[$k1][$k2]))
+ unset($enablesid[$k1][$k2]);
+ if (isset($disablesid[$k1][$k2]))
+ unset($disablesid[$k1][$k2]);
}
}
// Write the updated enablesid and disablesid values to the config file.
$tmp = "";
- foreach ($enablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($enablesid) as $k1) {
+ foreach (array_keys($enablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_on'] = $tmp;
else
unset($a_rule[$id]['rule_sid_on']);
+
$tmp = "";
- foreach ($disablesid as $k => $v) {
- $tmp .= "||{$v} {$k}";
+ foreach (array_keys($disablesid) as $k1) {
+ foreach (array_keys($disablesid[$k1]) as $k2)
+ $tmp .= "{$k1}:{$k2}||";
}
+ $tmp = rtrim($tmp, "||");
+
if (!empty($tmp))
$a_rule[$id]['rule_sid_off'] = $tmp;
else
unset($a_rule[$id]['rule_sid_off']);
+
write_config();
$_GET['openruleset'] = $currentruleset;
@@ -416,15 +453,15 @@ if ($savemsg) {
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
- $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");;
- $tab_array = array();
- $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}");
- $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
- display_top_tabs($tab_array);
+ $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");
+ $tab_array = array();
+ $tab_array[] = array($menu_iface . gettext("Settings"), false, "/snort/snort_interfaces_edit.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Categories"), false, "/snort/snort_rulesets.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Rules"), true, "/snort/snort_rules.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Variables"), false, "/snort/snort_define_servers.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Preprocessors"), false, "/snort/snort_preprocessors.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/snort/snort_barnyard.php?id={$id}");
+ display_top_tabs($tab_array);
?>
</td></tr>
<tr><td><div id="mainarea">
@@ -435,19 +472,14 @@ if ($savemsg) {
<tr>
<td class="vncell" height="30px"><strong><?php echo gettext("Category:"); ?></strong>&nbsp;&nbsp;<select id="selectbox" name="selectbox" class="formselect" onChange="go()">
- <option value='?id=<?=$id;?>&openruleset=custom.rules'>custom.rules</option>
<?php
- $files = explode("||", $pconfig['rulesets']);
- if ($a_rule[$id]['ips_policy_enable'] == 'on')
- $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']);
- if ($a_rule[$id]['autoflowbitrules'] == 'on')
- $files[] = "Auto-Flowbit Rules";
- natcasesort($files);
- foreach ($files as $value) {
+ foreach ($categories as $value) {
if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_")
continue;
if ($emergingdownload != 'on' && substr($value, 0, 8) == "emerging")
continue;
+ if ($etprodownload != 'on' && substr($value, 0, 6) == "etpro-")
+ continue;
if (empty($value))
continue;
echo "<option value='?id={$id}&openruleset={$value}' ";
@@ -491,7 +523,7 @@ if ($savemsg) {
<input type='hidden' name='id' value='<?=$id;?>'/>
<input type='hidden' name='openruleset' value='<?=$currentruleset;?>'/><br/><br/>
<span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
- gettext("Snort must be restarted to activate any SID enable/disable changes made on this tab."); ?></span></td>
+ gettext("Snort must be restarted to activate any rule enable/disable changes made on this tab."); ?></span></td>
<td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=resetcategory'>
<img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\"
onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"'
@@ -543,11 +575,14 @@ if ($savemsg) {
</tr>
<tr>
<td>
+
+ <?php if ($currentruleset != 'decoder.rules' && $currentruleset != 'preprocessor.rules'): ?>
<table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0">
<colgroup>
<col width="15" align="left" valign="middle">
- <col width="9%" align="center" axis="number">
- <col width="60" align="center" axis="string">
+ <col width="6%" align="center" axis="number">
+ <col width="8%" align="center" axis="number">
+ <col width="54" align="center" axis="string">
<col width="14%" align="center" axis="string">
<col width="11%" align="center" axis="string">
<col width="14%" align="center" axis="string">
@@ -558,6 +593,7 @@ if ($savemsg) {
<thead>
<tr>
<th class="list">&nbsp;</th>
+ <th class="listhdrr"><?php echo gettext("GID"); ?></th>
<th class="listhdrr"><?php echo gettext("SID"); ?></th>
<th class="listhdrr"><?php echo gettext("Proto"); ?></th>
<th class="listhdrr"><?php echo gettext("Source"); ?></th>
@@ -579,24 +615,24 @@ if ($savemsg) {
$counter = $enable_cnt = $disable_cnt = 0;
foreach ($rules_map as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
- $sid = snort_get_sid($v['rule']);
- $gid = snort_get_gid($v['rule']);
+ $sid = $k2;
+ $gid = $k1;
- if (isset($disablesid[$sid])) {
+ if (isset($disablesid[$gid][$sid])) {
$textss = "<span class=\"gray\">";
$textse = "</span>";
$iconb = "icon_reject_d.gif";
$disable_cnt++;
$title = gettext("Disabled by user. Click to toggle to enabled state");
}
- elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) {
+ elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) {
$textss = "<span class=\"gray\">";
$textse = "</span>";
$iconb = "icon_block_d.gif";
$disable_cnt++;
$title = gettext("Disabled by default. Click to toggle to enabled state");
}
- elseif (isset($enablesid[$sid])) {
+ elseif (isset($enablesid[$gid][$sid])) {
$textss = $textse = "";
$iconb = "icon_reject.gif";
$enable_cnt++;
@@ -630,13 +666,16 @@ if ($savemsg) {
$message = snort_get_msg($v['rule']);
echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\"> $textss
- <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'>
+ <a id=\"rule_{$gid}_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&gid={$gid}&ids={$sid}'>
<img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\"
width=\"11\" height=\"11\" border=\"0\"
title='{$title}'></a>
$textse
</td>
<td class=\"listlr\" align=\"center\">
+ {$textss}{$gid}{$textse}
+ </td>
+ <td class=\"listlr\" align=\"center\">
{$textss}{$sid}{$textse}
</td>
<td class=\"listlr\" align=\"center\">
@@ -673,6 +712,119 @@ if ($savemsg) {
?>
</tbody>
</table>
+
+ <?php else: ?>
+
+ <table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <colgroup>
+ <col width="15" align="left" valign="middle">
+ <col width="6%" align="center" axis="number">
+ <col width="6%" align="center" axis="number">
+ <col width="22%" align="center" axis="string">
+ <col width="15%" align="center" axis="string">
+ <col align="left" axis="string">
+ <col width="22" align="right" valign="middle">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="list">&nbsp;</th>
+ <th class="listhdrr"><?php echo gettext("GID"); ?></th>
+ <th class="listhdrr"><?php echo gettext("SID"); ?></th>
+ <th class="listhdrr"><?php echo gettext("Classification"); ?></th>
+ <th class="listhdrr"><?php echo gettext("IPS Policy"); ?></th>
+ <th class="listhdrr"><?php echo gettext("Message"); ?></th>
+ <th class="list"><a href="javascript: void(0)"
+ onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>','FileViewer',800,600)">
+ <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php
+ echo "onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_services_restart_mo.gif\"'
+ onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_service_restart.gif\"' ";?>
+ title="<?php echo gettext("Click to view full text of all the category rules"); ?>" width="17" height="17" border="0"></a></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php
+ $counter = $enable_cnt = $disable_cnt = 0;
+ foreach ($rules_map as $k1 => $rulem) {
+ foreach ($rulem as $k2 => $v) {
+ $sid = snort_get_sid($v['rule']);
+ $gid = snort_get_gid($v['rule']);
+ if (isset($disablesid[$gid][$sid])) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $iconb = "icon_reject_d.gif";
+ $disable_cnt++;
+ $title = gettext("Disabled by user. Click to toggle to default state");
+ }
+ elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) {
+ $textss = "<span class=\"gray\">";
+ $textse = "</span>";
+ $iconb = "icon_block_d.gif";
+ $disable_cnt++;
+ $title = gettext("Disabled by default. Click to toggle to enabled state");
+ }
+ elseif (isset($enablesid[$gid][$sid])) {
+ $textss = $textse = "";
+ $iconb = "icon_reject.gif";
+ $enable_cnt++;
+ $title = gettext("Enabled by user. Click to toggle to default state");
+ }
+ else {
+ $textss = $textse = "";
+ $iconb = "icon_block.gif";
+ $enable_cnt++;
+ $title = gettext("Enabled by default. Click to toggle to disabled state");
+ }
+ $message = snort_get_msg($v['rule']);
+ $matches = array();
+ if (preg_match('/(?:classtype\b\s*:)\s*(\S*\s*;)/iU', $v['rule'], $matches))
+ $classtype = trim($matches[1], " ;");
+ else
+ $classtype = "No Classtype Defined";
+ $matches = array();
+ if (preg_match_all('/(\S*-ips)(?:\s*drop|alert)(?:,|\s*|;)/i', $v['rule'], $matches))
+ $policy = implode("<br/>", $matches[1]);
+ else
+ $policy = "none";
+
+ echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\"> $textss
+ <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}&gid={$gid}'>
+ <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\"
+ width=\"11\" height=\"11\" border=\"0\"
+ title='{$title}'></a>
+ $textse
+ </td>
+ <td class=\"listlr\" align=\"center\">
+ {$textss}{$gid}{$textse}
+ </td>
+ <td class=\"listlr\" align=\"center\">
+ {$textss}{$sid}{$textse}
+ </td>
+ <td class=\"listlr\" align=\"center\">
+ {$textss}{$classtype}</span>
+ </td>
+ <td class=\"listlr\" align=\"center\">
+ {$textss}{$policy}</span>
+ </td>
+ <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line;\"><font color=\"white\">
+ {$textss}{$message}{$textse}</font>
+ </td>";
+ ?>
+ <td align="right" valign="middle" nowrap class="listt">
+ <a href="javascript: void(0)"
+ onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)">
+ <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif"
+ title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a>
+ </td>
+ </tr>
+ <?php
+ $counter++;
+ }
+ }
+ unset($rulem, $v);
+ ?>
+ </tbody>
+ </table>
+ <?php endif;?>
</td>
</tr>
<tr>
diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php
index c0087464..28deccd5 100755
--- a/config/snort/snort_rules_edit.php
+++ b/config/snort/snort_rules_edit.php
@@ -4,6 +4,7 @@
*
* Copyright (C) 2004, 2005 Scott Ullrich
* Copyright (C) 2011 Ermal Luci
+ * Copyright (C) 2014 Bill Meeks
* All rights reserved.
*
* Adapted for FreeNAS by Volker Theile (votdev@gmx.de)
@@ -97,18 +98,22 @@ elseif (isset($_GET['ids'])) {
// If flowbit rule, point to interface-specific file
if ($file == "Auto-Flowbit Rules")
$rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME);
+ elseif (file_exists("{$snortdir}/preproc_rules/{$file}"))
+ $rules_map = snort_load_rules_map("{$snortdir}/preproc_rules/{$file}");
else
$rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}");
$contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule'];
$wrap_flag = "soft";
}
-
// Is it our special flowbit rules file?
elseif ($file == "Auto-Flowbit Rules")
$contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}");
// Is it a rules file in the ../rules/ directory?
elseif (file_exists("{$snortdir}/rules/{$file}"))
$contents = file_get_contents("{$snortdir}/rules/{$file}");
+// Is it a rules file in the ../preproc_rules/ directory?
+elseif (file_exists("{$snortdir}/preproc_rules/{$file}"))
+ $contents = file_get_contents("{$snortdir}/preproc_rules/{$file}");
// Is it a fully qualified path and file?
elseif (file_exists($file))
$contents = file_get_contents($file);