-rw-r--r-- | config/snort/snort.inc | 124 | ||||
-rw-r--r-- | config/snort/snort.xml | 2 | ||||
-rw-r--r-- | config/snort/snort_check_for_rule_updates.php | 87 | ||||
-rw-r--r-- | config/snort/snort_preprocessors.php | 33 | ||||
-rw-r--r-- | config/snort/snort_rulesets.php | 8 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts.inc | 20 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts.inc.php | 92 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts.js | 57 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts.widget.php | 29 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts_helper.php | 20 | ||||
-rw-r--r-- | config/widget-snort/widget-snort.inc | 13 | ||||
-rw-r--r-- | config/widget-snort/widget-snort.xml | 26 | ||||
-rw-r--r-- | pkg_config.8.xml | 4 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 4 | ||||
-rw-r--r-- | pkg_config.xml | 6 |
15 files changed, 216 insertions, 309 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc index a1d5a1de..f45134c5 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -39,7 +39,7 @@ require_once("filter.inc"); /* package version */ $snort_version = "2.9.2.3"; -$pfSense_snort_version = "2.5.0"; +$pfSense_snort_version = "2.5.1"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; $snort_rules_file = "snortrules-snapshot-2923.tar.gz"; $emerging_threats_version = "2.9.0"; @@ -115,7 +115,7 @@ function snort_find_list($find_name, $type = 'whitelist') { } /* func builds custom whitelests */ -function snort_build_list($snortcfg, $listname = "") { +function snort_build_list($snortcfg, $listname = "", $whitelist = false) { global $config, $g; /* Add loopback to whitelist (ftphelper) */ @@ -156,14 +156,20 @@ function snort_build_list($snortcfg, $listname = "") { if (function_exists('get_interface_ip')) { $subnet = get_interface_ip($int); if (is_ipaddr($subnet)) { - $sn = get_interface_subnet($int); - $home_net .= "{$subnet}/{$sn} "; + if ($whitelist == false) { + $sn = get_interface_subnet($int); + $home_net .= "{$subnet}/{$sn} "; + } else + $home_net .= "{$subnet} "; } if (function_exists("get_interface_ipv6")) { $subnet = get_interface_ipv6($int); if (is_ipaddrv6($subnet)) { - $sn = get_interface_subnetv6($int); - $home_net .= "{$subnet}/{$sn} "; + if ($whitelist == false) { + $sn = get_interface_subnetv6($int); + $home_net .= "{$subnet}/{$sn} "; + } else + $home_net .= "{$subnet} "; } } } else { 
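Review bot: The new `$whitelist` flag in snort_build_list is tested with a loose `if ($whitelist == false)` in the @@ -156 hunk (and again in the @@ -217 hunk); `if (!$whitelist)` or `=== false` says the same thing without relying on PHP's loose comparison rules. The parameter is also undocumented although it changes the output format: the `else` branches append the bare address while the default appends `address/prefix`, so a docblock line such as `@param bool $whitelist when true, emit plain addresses (no /prefix) for use as a pf whitelist` above the function would make the contract clear. snort_build_list starts and ends outside this hunk.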
@@ -217,9 +223,14 @@ function snort_build_list($snortcfg, $listname = "") { if($vips == 'yes') { /* iterate all vips and add to whitelist */ if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { - foreach($config['virtualip']['vip'] as $vip) - if ($vip['subnet'] && $vip['mode'] != 'proxyarp') - $home_net .= "{$vip['subnet']}/{$vip['subnet_bits']} "; + foreach($config['virtualip']['vip'] as $vip) { + if ($vip['subnet'] && $vip['mode'] != 'proxyarp') { + if ($whitelist == false) + $home_net .= "{$vip['subnet']}/{$vip['subnet_bits']} "; + else + $home_net .= "{$vip['subnet']} "; + } + } } } @@ -1002,9 +1013,9 @@ function snort_generate_conf($snortcfg) { "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "/usr/local/lib/snort/dynamicrules", + "dynamicrules" => "{$snortcfgdir}/dynamicrules", "dynamicengine" => "/usr/local/lib/snort/dynamicengine", - "dynamicpreprocessor" => "/usr/local/lib/snort/dynamicpreprocessor" + "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" ); foreach ($snort_dirs as $dir) { if (!is_dir($dir)) @@ -1036,7 +1047,8 @@ function snort_generate_conf($snortcfg) { $pfkill = ""; if ($snortcfg['blockoffenderskill'] == "on") $pfkill = "kill"; - $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname']); + /* No subnets to default addresses */ + $spoink_wlist = snort_build_list($snortcfg, $snortcfg['whitelistname'], true); /* write whitelist */ @file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)); $spoink_type = "output alert_pf: {$snortcfgdir}/{$snortcfg['whitelistname']},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}"; 
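Review bot: In the @@ -1036 hunk the whitelist is written with `@file_put_contents(...)` and the result is discarded, while the `output alert_pf:` line that follows references that path unconditionally; if the write fails, blocking runs against a missing or stale whitelist and nothing is logged. Checking the return value, e.g. `if (@file_put_contents("{$snortcfgdir}/{$snortcfg['whitelistname']}", implode("\n", $spoink_wlist)) === false) log_error(...)`, keeps the failure visible. The added comment `/* No subnets to default addresses */` would read better as `/* whitelist wants host addresses, not subnets */` so it matches what the `true` argument does. snort_generate_conf continues outside the hunk.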
@@ -1079,6 +1091,15 @@ function snort_generate_conf($snortcfg) { "DCERPC_BRIGHTSTORE" => "6503,6504" ); + $portvardef = ""; + foreach ($snort_ports as $alias => $avalue) { + if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) + $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); + $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); + $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; + } + + ///////////////////////////// /* preprocessor code */ /* def perform_stat */ @@ -1170,6 +1191,24 @@ preprocessor ftp_telnet_protocol: ftp client default \ EOD; + $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']); + $pop_preproc = <<<EOD +preprocessor pop: \ + ports { {$pop_ports} } \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 +EOD; + + $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']); + $imap_preproc = <<<EOD +preprocessor imap: \ + ports { {$imap_ports} } \ + qp_decode_depth -1 \ + b64_decode_depth 0 \ + bitenc_decode_depth 100 +EOD; + $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']); /* def smtp_preprocessor */ $smtp_preprocessor = <<<EOD @@ -1238,6 +1277,13 @@ preprocessor dns: \ EOD; + $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); + $ssl_preproc = <<<EOD +# Ignore SSL and Encryption # +preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted + +EOD; + $sensitive_data = "preprocessor sensitive_data:\n"; /* stream5 queued settings */ 
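Review bot: The new `pop` and `imap` preprocessor heredocs in the @@ -1170 hunk hard-code `qp_decode_depth -1` next to `b64_decode_depth 0`, and per the Snort preprocessor manual those two values mean opposite things (-1 disables that decoder, 0 removes the depth limit), so the lines look symmetric but are not. A comment above each block, e.g. `/* -1 disables a decoder, 0 means unlimited depth; bitenc is capped at 100 */`, would stop the next reader from "fixing" one to match the other. Both blocks also assume `$snort_ports['pop3_ports']` and `$snort_ports['imap_ports']` exist; that array is defined outside this hunk, so a missing key would silently produce `ports { }`.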
@@ -1268,25 +1314,36 @@ EOD; $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; } - $portvardef = ""; - foreach ($snort_ports as $alias => $avalue) { - if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); - $snort_ports[$alias] = str_replace(" ", ",", trim($snort_ports[$alias])); - $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; - } - $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); - + $snort_preproc_libs = array( + "dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc", + "pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc", + "sip_preproc" => "sip_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc", + "ssl_preproc" => "ssl_preproc" + ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", - "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data" + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", + "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc" ); $snort_preprocessors = ""; foreach ($snort_preproc as $preproc) { if ($snortcfg[$preproc] == 'on') { /* NOTE: The $$ is not a bug. Its a advanced feature of php */ - $snort_preprocessors .= $$preproc; - $snort_preprocessors .= "\n"; + if (!empty($snort_preproc_libs[$preproc])) { + $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; + if (!file_exists($snort_dirs['dynamicpreprocessor'] . 
"{$preproclib}.so")) { + if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) { + @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } + } else { + $snort_preprocessors .= $$preproc; + $snort_preprocessors .= "\n"; + } } } @@ -1297,16 +1354,16 @@ EOD; $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; if (is_dir("{$snortcfgdir}/preproc_rules")) { if ($snortcfg['sensitive_data'] == 'on') { - $sedcmd = "s/^# alert\(.*\)classtype:sdf;\(.*\)/alert\1classtype:sdf\2/g"; + $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; } else - $sedcmd = "s/^alert\(.*\)classtype:sdf;\(.*\)/# alert\1classtype:sdf\2/g"; + $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); - mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); - mwexec("/usr/bin/sed -I '' -e -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); + mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); @unlink("{$g['tmp_path']}/sedcmd"); $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; 
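Review bot: The existence check in the @@ -1268 hunk concatenates the directory and the file name without a separator, `$snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so"`, while the copy target two lines later uses `"{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"`; the check therefore tests a path that never exists and the copy branch runs on every config generation. It should read `if (!file_exists("{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so")) {`. The `@copy` result is also ignored, and when the library is absent from both locations the enabled preprocessor is silently dropped from the generated config, so a `log_error()` in that path would help the operator see why a preprocessor they enabled is not running. The three identical `$snort_preprocessors .= $$preproc . "\n"` branches could be collapsed into one append guarded by a single boolean. snort_generate_conf continues outside the hunk.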
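Review bot: The rewritten sed scripts in the @@ -1297 hunk match `^#alert` when re-enabling sensitive-data rules, whereas the expression they replace matched `^# alert` with a space; if the shipped preproc_rules files comment rules as `# alert` (the old pattern suggests they do, but the files are not visible here), the enable path will no longer match them. The disable path writes `#alert` without a space, so the pair is only self-consistent for lines this code itself commented. Worth confirming against the actual `preprocessor.rules`/`decoder.rules` content and, if needed, using `/^#[ ]*alert.*classtype:sdf/s/^#[ ]*//`.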
@@ -1326,10 +1383,12 @@ EOD; if (!empty($snortcfg['rulesets'])) { $enabled_rulesets_array = explode("||", $snortcfg['rulesets']); foreach($enabled_rulesets_array as $enabled_item) { - if (file_exists("{$snortdir}}/rules/{$enabled_item}") && !file_exists("{$snortcfgdir}}/rules/{$enabled_item}")) - @copy("{$snortdir}/rules/{$file}", "{$rule_dir}/rules/{$file}"); + if (file_exists("{$snortdir}/rules/{$enabled_item}") && !file_exists("{$snortcfgdir}/rules/{$enabled_item}")) + @copy("{$snortdir}/rules/{$enabled_item}", "{$snortcfgdir}/rules/{$enabled_item}"); if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { $slib = substr($enabled_item, 6, -6); + if (!file_exists("{$snort_dirs['dynamicrules']}/{$slib}")) + @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snort_dirs['dynamicrules']}/{$slib}"); if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") && file_exists("{$snortcfgdir}/rules/{$enabled_item}")) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; @@ -1398,9 +1457,6 @@ preprocessor stream5_icmp: {$snort_preprocessors} -# Ignore SSL and Encryption # -preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted - # Snort Output Logs # output alert_csv: alert timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority {$alertsystemlog_type} diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 05e349be..07603176 100644 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -47,7 +47,7 @@ <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> <version>2.9.2.3</version> - <title>Services:2.9.2.3 pkg v. 2.5.0</title> + <title>Services:2.9.2.3 pkg v. 2.5.1</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 6c6440e9..5b357cb7 100644 
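Review bot: The added `@copy("/usr/local/lib/snort/dynamicrules/{$slib}", ...)` in the @@ -1326 hunk is unchecked, and a failed copy just makes the following `file_exists` false, so an enabled `.so.rules` set silently disappears from the include list. Logging the failure, e.g. `if (!@copy(...)) log_error("Could not copy dynamic rule library {$slib}");`, would surface it. Note also that `$enabled_item` is spliced straight into paths; the values come from the saved `rulesets` config rather than request input, but a `basename()` on it would be a cheap invariant. snort_generate_conf continues outside the hunk.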
--- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -164,6 +164,42 @@ $sedcmd .= "s/^\\talert/alert/g\n"; $sedcmd .= "s/^[ \\t]*alert/alert/g\n"; @file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd); +/* Untar emergingthreats rules to tmp */ +if ($emergingthreats == 'on') { + safe_mkdir("{$snortdir}/tmp/emerging"); + if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { + update_status(gettext("Extracting rules...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + + $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/{$newfile}"); + } + /* IP lists */ + $files = glob("{$snortdir}/tmp/emerging/rules/*.txt"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/{$newfile}"); + } + if ($snortdownload == 'off') { + foreach (array("classification.config", "reference.config", "sid-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}")) + @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/{$file}"); + } + } + + /* make shure default rules are in the right format */ + exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules"); + + /* Copy emergingthreats md5 sig to snort dir */ + if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { + update_status(gettext("Copying md5 sig to snort directory...")); + @copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5"); + } + } +} + /* Untar snort rules file individually to help people with low system specs */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { 
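Review bot: The relocated emergingthreats block in the @@ -164 hunk runs `exec("/usr/bin/tar xzf ... -C {$snortdir}/tmp/emerging rules/")` without looking at the exit status, so a truncated or corrupt archive leaves the extraction directory empty, the two `glob()` loops copy nothing, and the update finishes as if it succeeded with the old rules still in place. Capturing the status, `exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/", $out, $rc);` followed by `if ($rc != 0) log_error(gettext("Emerging Threats archive could not be extracted"));`, gives the operator something to act on. The `@copy` calls in the same block are likewise unchecked. The added comment also carries the "make shure" typo from the block it replaces.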
@@ -181,7 +217,13 @@ if ($snortdownload == 'on') { $newfile = basename($file); @copy($file, "{$snortdir}/rules/snort_{$newfile}"); } - exec("rm -r {$snortdir}/snortrules"); + /* IP lists */ + $files = glob("{$snortdir}/tmp/snortrules/rules/*.txt"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/{$newfile}"); + } + exec("rm -r {$snortdir}/tmp/snortrules"); /* extract so rules */ exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); @@ -235,7 +277,7 @@ if ($snortdownload == 'on') { exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} preproc_rules/"); /* make shure default rules are in the right format */ - exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/*.rules"); + exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/snort_*.rules"); if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { update_status(gettext("Copying md5 sig to snort directory...")); 
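Review bot: The changed cleanup line in the @@ -181 hunk, `exec("rm -r {$snortdir}/tmp/snortrules");`, invokes `rm` through PATH while the rest of this file (and the cleanup in the @@ -245 hunk) uses `/bin/rm` and `/bin/mkdir -p`; `exec("/bin/rm -r {$snortdir}/tmp/snortrules");` keeps the file consistent and does not depend on the environment of whatever spawned the updater. The new "IP lists" copy loop repeats the `.rules` loop above it verbatim apart from the glob and the `snort_` prefix, which would be clearer as one loop over both globs with a comment saying why `.txt` files are not prefixed.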
@@ -245,34 +287,10 @@ if ($snortdownload == 'on') { } } -/* Untar emergingthreats rules to tmp */ -if ($emergingthreats == 'on') { - if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { - update_status(gettext("Extracting rules...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir} rules/"); - } - - /* make shure default rules are in the right format */ - exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules"); - - /* Copy emergingthreats md5 sig to snort dir */ - if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); - @copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5"); - } - - if ($snortdownload == 'off') { - foreach (array("classification.config", "reference.config", "sid-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/rules/{$file}")) - @copy("{$snortdir}/rules/{$file}", "{$snortdir}/{$file}"); - } - } -} - /* remove old $tmpfname files */ -if (is_dir($tmpfname)) { +if (is_dir("{$snortdir}/tmp")) { update_status(gettext("Cleaning up...")); - exec("/bin/rm -r {$tmpfname}"); + exec("/bin/rm -r {$snortdir}/tmp"); } function snort_apply_customizations($snortcfg, $if_real) { 
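Review bot: The cleanup now runs `exec("/bin/rm -r {$snortdir}/tmp")` guarded only by `is_dir("{$snortdir}/tmp")`; if `$snortdir` is ever unset in this scope (its definition is outside the hunk), the path degenerates to `/tmp`, which passes the `is_dir` test, so the guard should also require the variable, `if (!empty($snortdir) && is_dir("{$snortdir}/tmp")) {`. Presumably `$tmpfname` now lives under `{$snortdir}/tmp` (the old code removed `$tmpfname` itself), which would be worth stating in the comment above the block.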
@@ -283,9 +301,16 @@ function snort_apply_customizations($snortcfg, $if_real) { else { update_status(gettext("Your set of configured rules are being copied...")); log_error(gettext("Your set of configured rules are being copied...")); - $files = explode("||", $snortcfg['rulesets']); - foreach ($files as $file) - @copy("{$snortdir}/rules/{$file}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$file}"); + $enabled_rulesets_array = explode("||", $snortcfg['rulesets']); + foreach($enabled_rulesets_array as $enabled_item) { + @copy("{$snortdir}/rules/{$enabled_item}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/rules/{$enabled_item}"); + if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { + $slib = substr($enabled_item, 6, -6); + if (file_exists("/usr/local/lib/snort/dynamicrules/{$slib}")) + @copy("/usr/local/lib/snort/dynamicrules/{$slib}", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/dynamicrules/{$slib}"); + + } + } @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index e38418e5..84313577 100644 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -66,6 +66,9 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dce_rpc_2'] = $a_nat[$id]['dce_rpc_2']; $pconfig['dns_preprocessor'] = $a_nat[$id]['dns_preprocessor']; $pconfig['sensitive_data'] = $a_nat[$id]['sensitive_data']; + $pconfig['ssl_preproc'] = $a_nat[$id]['ssl_preproc']; + $pconfig['pop_preproc'] = $a_nat[$id]['pop_preproc']; + $pconfig['imap_preproc'] = $a_nat[$id]['imap_preproc']; } if ($_POST) { 
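Review bot: The added `@copy(...)` into `{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/dynamicrules/` in the @@ -283 hunk assumes that directory already exists; nothing in this hunk creates it, and with `@` the failure is invisible, so a `safe_mkdir("{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/dynamicrules")` before the loop (or a check of the copy result with `log_error`) would make the behaviour deterministic. The stray blank line inside the inner `if` block can go. snort_apply_customizations continues outside the hunk.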
@@ -88,6 +91,9 @@ if ($_POST) { $natent['dce_rpc_2'] = $_POST['dce_rpc_2'] ? 'on' : 'off'; $natent['dns_preprocessor'] = $_POST['dns_preprocessor'] ? 'on' : 'off'; $natent['sensitive_data'] = $_POST['sensitive_data'] ? 'on' : 'off'; + $natent['ssl_preproc'] = $_POST['ssl_preproc'] ? 'on' : 'off'; + $natent['pop_preproc'] = $_POST['pop_preproc'] ? 'on' : 'off'; + $natent['imap_preproc'] = $_POST['imap_preproc'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -265,6 +271,24 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell">Enable <br> SMTP Normalizer</td> + <td width="78%" class="vtable"><input name="pop_preproc" + type="checkbox" value="on" + <?php if ($pconfig['pop_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Normalize/Decode POP protocol for enforcement and buffer overflows.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Enable <br> + SMTP Normalizer</td> + <td width="78%" class="vtable"><input name="imap_preproc" + type="checkbox" value="on" + <?php if ($pconfig['imap_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + Normalize/Decode IMAP protocol for enforcement and buffer overflows.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Enable <br> + SMTP Normalizer</td> <td width="78%" class="vtable"><input name="smtp_preprocessor" type="checkbox" value="on" <?php if ($pconfig['smtp_preprocessor']=="on") echo "checked"; ?> 
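Review bot: Both new checkbox rows in the @@ -265 hunk carry the label `Enable <br> SMTP Normalizer` although they toggle `pop_preproc` and `imap_preproc`; the cells should read `Enable <br> POP Normalizer` and `Enable <br> IMAP Normalizer` so the form does not show three "SMTP Normalizer" options. The descriptive text under each input is correct, which makes the mislabelled headers more confusing rather than less.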
@@ -301,6 +325,15 @@ include_once("head.inc"); vulnerabilities.</td> </tr> <tr> + <td width="22%" valign="top" class="vncell">Enable <br> SSL Data</td> + <td width="78%" class="vtable"> + <input name="ssl_preproc" type="checkbox" value="on" + <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?> + onClick="enable_change(false)"><br> + SSL data searches for irregularities during SSL protocol exchange + </td> + </tr> + <tr> <td width="22%" valign="top" class="vncell">Enable <br> Sensitive Data</td> <td width="78%" class="vtable"> <input name="sensitive_data" type="checkbox" value="on" diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index a3d41762..3d6de228 100644 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -177,7 +177,8 @@ if ($savemsg) { <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <?php $isrulesfolderempty = glob("{$snortdir}/rules/*.rules"); - if (empty($isrulesfolderempty)): + $iscfgdirempty = glob("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/*.rules"); + if (empty($isrulesfolderempty) && empty($iscfgdirempty)): ?> <tr> <td> @@ -226,7 +227,10 @@ if ($savemsg) { $emergingrules = array(); $snortsorules = array(); $snortrules = array(); - $dh = opendir("{$snortdir}/rules/"); + if (empty($isrulesfolderempty)) + $dh = opendir("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/"); + else + $dh = opendir("{$snortdir}/rules/"); while (false !== ($filename = readdir($dh))) { $filename = basename($filename); if (substr($filename, -5) != "rules") diff --git a/config/widget-snort/snort_alerts.inc b/config/widget-snort/snort_alerts.inc deleted file mode 100644 index 159452dd..00000000 --- a/config/widget-snort/snort_alerts.inc +++ /dev/null 
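Review bot: In the snort_rulesets.php @@ -226 hunk `$dh` is assigned from one of two `opendir()` calls and then handed to `readdir($dh)` without checking for `false`; the earlier guard only proves one of the two globs was non-empty, not that the directory chosen here is openable. The variable names also invert their content: `$isrulesfolderempty` and the new `$iscfgdirempty` hold the glob results, so they are truthy when the folder is *not* empty, and `if (empty($isrulesfolderempty))` has to be read twice. Names such as `$rulesfiles` / `$cfgrulesfiles` would make the branch self-explanatory.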
@@ -1,20 +0,0 @@ -<?php - -require_once("globals.inc"); -require_once("includes/snort_alerts.inc.php"); - -$snort_alerts_title = "Snort Alerts"; -$snort_alerts_title_link = "snort/snort_alerts.php"; - -foreach (glob("{$g['varlog_path']}/snort/*/alert") as $alert) { - $snort_alerts_logfile = $alert; - $nentries = 10; - $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries); - - /* AJAX related routines */ - handle_snort_ajax($snort_alerts_logfile, $nentries); -} -if($_GET['lastsawtime'] or $_POST['lastsawtime']) - exit; - -?> diff --git a/config/widget-snort/snort_alerts.inc.php b/config/widget-snort/snort_alerts.inc.php deleted file mode 100644 index 46d2b9a7..00000000 --- a/config/widget-snort/snort_alerts.inc.php +++ /dev/null 
@@ -1,92 +0,0 @@ -<? -function get_snort_alerts($snort_alerts, $nentries, $tail = 20) { - global $config, $g; - $logarr = ""; - /* Always do a reverse tail, to be sure we're grabbing the 'end' of the alerts. */ - exec("/usr/bin/tail -r -n {$tail} {$snort_alerts}", $logarr); - - $snortalerts = array(); - - $counter = 0; - - foreach ($logarr as $logent) { - if($counter >= $nentries) - break; - - $alert = parse_snort_alert_line($logent); - if ($alert != "") { - $counter++; - $snortalerts[] = $alert; - } - - } - /* Since the rules are in reverse order, flip them around if needed based on the user's preference */ - return isset($config['syslog']['reverse']) ? $snortalerts : array_reverse($snortalerts); -} - -function parse_snort_alert_line($line) { - $log_split = ""; - $datesplit = ""; - preg_match("/^(.*)\s+\[\*\*\]\s+\[(\d+\:\d+:\d+)\]\s(.*)\s(.*)\s+\[\*\*\].*\s+\[Priority:\s(\d+)\]\s{(.*)}\s+(.*)\s->\s(.*)$/U", $line, $log_split); - - list($all, $alert['time'], $alert['rule'], $alert['category'], $alert['descr'], - $alert['priority'], $alert['proto'], $alert['src'], $alert['dst']) = $log_split; - - $usableline = true; - - if(trim($alert['src']) == "") - $usableline = false; - if(trim($alert['dst']) == "") - $usableline = false; - - if($usableline == true) { - preg_match("/^(\d+)\/(\d+)-(\d+\:\d+\:\d+).\d+$/U", $alert['time'], $datesplit); - $now_time = strtotime("now"); - $checkdate = $datesplit[1] . "/" . $datesplit[2] . "/" . date("Y"); - $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . date("Y"); - $logdate = $checkdate . " " . $datesplit[3]; - if ($now_time < strtotime($logdate)) { - $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . ((int)date("Y") - 1); - } - - $alert['dateonly'] = $fulldate; - $alert['timeonly'] = $datesplit[3]; - $alert['category'] = strtoupper( substr($alert["category"],0 , 1) ) . strtolower( substr($alert["category"],1 ) ); - return $alert; - } else { - if($g['debug']) { - log_error("There was a error parsing line: $line. 
Please report to mailing list or forum."); - } - return ""; - } -} - -/* AJAX specific handlers */ -function handle_snort_ajax($snort_alerts_logfile, $nentries = 5, $tail = 50) { - if($_GET['lastsawtime'] or $_POST['lastsawtime']) { - if($_GET['lastsawtime']) - $lastsawtime = $_GET['lastsawtime']; - if($_POST['lastsawtime']) - $lastsawtime = $_POST['lastsawtime']; - /* compare lastsawrule's time stamp to alert logs. - * afterwards return the newer records so that client - * can update AJAX interface screen. - */ - $new_rules = ""; - $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries); - foreach($snort_alerts as $log_row) { - $time_regex = ""; - preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex); - $logdate = $time_regex[1] . "/" . $time_regex[2] . "/" . date("Y") . " " . $time_regex[3]; - //preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $testsplit[1], $time_regex); - // preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex); - $row_time = strtotime($logdate); - $now_time = strtotime("now"); - if($row_time > $lastsawtime and $row_time <= $nowtime) { - $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||" . time() . "||{$log_row['timeonly']}||{$log_row['dateonly']}" . "||\n"; - } - } - echo $new_rules; - } -} -?> diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js index 0cc76ab1..0c2d9ca6 100644 --- a/config/widget-snort/snort_alerts.js +++ b/config/widget-snort/snort_alerts.js 
@@ -1,63 +1,10 @@ -snortlastsawtime = '<?php echo time(); ?>'; var snortlines = Array(); var snorttimer; var snortupdateDelay = 25500; var snortisBusy = false; var snortisPaused = false; -<?php - if(isset($config['syslog']['reverse'])) - echo "var isReverse = true;\n"; - else - echo "var isReverse = false;\n"; -?> - -if (typeof getURL == 'undefined') { - getURL = function(url, callback) { - if (!url) - throw 'No URL for getURL'; - try { - if (typeof callback.operationComplete == 'function') - callback = callback.operationComplete; - } catch (e) {} - if (typeof callback != 'function') - throw 'No callback function for getURL'; - var http_request = null; - if (typeof XMLHttpRequest != 'undefined') { - http_request = new XMLHttpRequest(); - } - else if (typeof ActiveXObject != 'undefined') { - try { - http_request = new ActiveXObject('Msxml2.XMLHTTP'); - } catch (e) { - try { - http_request = new ActiveXObject('Microsoft.XMLHTTP'); - } catch (e) {} - } - } - if (!http_request) - throw 'Both getURL and XMLHttpRequest are undefined'; - http_request.onreadystatechange = function() { - if (http_request.readyState == 4) { - callback( { success : true, - content : http_request.responseText, - contentType : http_request.getResponseHeader("Content-Type") } ); - } - } - http_request.open('GET', url, true); - http_request.send(null); - } -} - -function snort_alerts_fetch_new_rules() { - if(snortisPaused) - return; - if(snortisBusy) - return; - snortisBusy = true; - getURL('widgets/helpers/snort_alerts_helper.php?lastsawtime=' + snortlastsawtime, snort_alerts_fetch_new_rules_callback); -} function snort_alerts_fetch_new_rules_callback(callback_data) { if(snortisPaused) return; 
@@ -75,8 +22,6 @@ function snort_alerts_fetch_new_rules_callback(callback_data) { line = '<td width="30%" class="listr" >' + row_split[6] + '<br>' + row_split[7]+ '</td>'; line += '<td width="40%" class="listr" >' + row_split[3] + '<br>' + row_split[4] + '</td>'; line += '<td width="40%" class="listr" >' + 'Pri : ' + row_split[1] + '<br>' + 'Cat : ' + row_split[2] + '</td>'; - snortlastsawtime = row_split[5]; - //alert(row_split[0]); new_data_to_add[new_data_to_add.length] = line; } snort_alerts_update_div_rows(new_data_to_add); @@ -131,7 +76,7 @@ function snort_alerts_update_div_rows(data) { } } /* rechedule AJAX interval */ - //snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay); + snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay); } function snort_alerts_toggle_pause() { if(snortisPaused) { diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index ad7827b7..c579a35e 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -26,6 +26,8 @@ POSSIBILITY OF SUCH DAMAGE. */ global $config, $g; +$snort_alerts_title = "Snort Alerts"; +$snort_alerts_title_link = "snort/snort_alerts.php"; /* retrieve snort variables */ require_once("/usr/local/pkg/snort/snort.inc"); 
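Review bot: The @@ -131 hunk uncomments `snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);`, but the @@ -1 hunk of the same file deletes the `snort_alerts_fetch_new_rules` function (together with the `getURL` shim it used), so unless that function is now defined elsewhere — nothing in this diff adds it — the timer will throw a ReferenceError every 25.5 seconds once the widget loads. Either the replacement fetch routine belongs in this file or the interval should stay disabled until it exists. The string form of `setInterval` also makes this kind of dangling reference invisible until runtime; passing the function itself, `setInterval(snort_alerts_fetch_new_rules, snortupdateDelay)`, would fail at parse/load time instead.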
@@ -38,12 +40,14 @@ $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_alerts = array(); $tmpblocked = array_flip(snort_get_blocked_ips()); foreach ($a_instance as $instanceid => $instance) { - $snort_uuid = $a_instance[$instanceid]['uuid']; - $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); - $tmpfile = "{$g['tmp_path']}/.widget_alert_{$snort_uuid}"; + if ($instance['enable'] != 'on') + continue; /* make sure alert file exists */ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { + $snort_uuid = $instance['uuid']; + $if_real = snort_get_real_interface($instance['interface']); + $tmpfile = "{$g['tmp_path']}/.widget_alert_{$snort_uuid}"; if (isset($config['syslog']['reverse'])) exec("tail -10 /var/log/snort/snort_{$if_real}{$snort_uuid}/alert | sort -r > {$tmpfile}"); else @@ -58,7 +62,7 @@ foreach ($a_instance as $instanceid => $instance) { $fields = explode(",", $fileline); $snort_alert = array(); - $snort_alert[]['instanceid'] = snort_get_friendly_interface($a_instance[$instanceid]['interface']); + $snort_alert[]['instanceid'] = snort_get_friendly_interface($instance['interface']); $snort_alert[]['timestamp'] = $fields[0]; $snort_alert[]['timeonly'] = substr($fields[0], 6, -8); $snort_alert[]['dateonly'] = substr($fields[0], 0, -17); 
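Review bot: In the @@ -38 hunk the assignments of `$snort_uuid` and `$if_real` were moved *inside* the `if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert"))` block that uses them, so the test now sees either unset variables (first enabled instance) or the previous instance's values, and alerts are read for the wrong instance or skipped. The three lines `$snort_uuid = $instance['uuid'];`, `$if_real = snort_get_real_interface($instance['interface']);` and the `$tmpfile` assignment need to sit right after the new `continue;`, before the `file_exists` check. The enclosing foreach continues outside the hunk.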
@@ -69,13 +73,21 @@ foreach ($a_instance as $instanceid => $instance) { $snort_alert[]['priority'] = $fields[12]; $snort_alert[]['category'] = $fields[11]; $snort_alerts[] = $snort_alert; - }; + } fclose($fd); @unlink($tmpfile); - }; - }; -}; + } + } +} + +if ($_GET['evalScripts']) { + /* AJAX specific handlers */ + $new_rules = ""; + foreach($snort_alerts as $log_row) + $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||{$log_row['timestamp']}||{$log_row['timeonly']}||{$log_row['dateonly']}\n"; + echo $new_rules; +} else { /* display the result */ ?> <table width="100%" border="0" cellspacing="0" cellpadding="0"> @@ -96,3 +108,4 @@ foreach ($snort_alerts as $counter => $alert) { ?> </tbody> </table> +<?php } ?> diff --git a/config/widget-snort/snort_alerts_helper.php b/config/widget-snort/snort_alerts_helper.php deleted file mode 100644 index 5df0da04..00000000 --- a/config/widget-snort/snort_alerts_helper.php +++ /dev/null @@ -1,20 +0,0 @@ -<?php -require_once("globals.inc"); -require_once("guiconfig.inc"); -require_once("includes/snort_alerts.inc.php"); - -foreach (glob("{$g['varlog_path']}/snort/*/alert") as $alert) { - $snort_alerts_logfile = $alert; - $nentries = 5; - $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries); - - /* AJAX related routines */ - handle_snort_ajax($snort_alerts_logfile, $nentries); -} -if($_GET['lastsawtime'] or $_POST['lastsawtime']) - exit; - -?> -<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> -<script src="/javascript/scriptaculous/scriptaculous.js" type="text/javascript"></script> -<script src="/widgets/javascript/snort_alerts.js" type="text/javascript"></script> diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc deleted file mode 100644 index 584e5f2d..00000000 --- a/config/widget-snort/widget-snort.inc +++ /dev/null 
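Review bot: The new `evalScripts` branch reads `$log_row['time']`, `$log_row['src']` and `$log_row['dst']`, but as far as the visible lines show each alert is built with `$snort_alert[]['timestamp'] = ...` style appends, which put every field in its own sub-array, so none of those keys exist on `$log_row` and the AJAX payload will be a row of empty fields. Those fields also originate from the alert log, i.e. from inspected traffic, and `snort_alerts.js` concatenates them straight into table-cell HTML, so each value should be wrapped in `htmlspecialchars()` before `echo`; `$_GET['evalScripts']` should likewise be read via `isset()` to avoid an undefined-index notice. A one-line comment naming the `||`-separated field order consumed by the JS would help whoever touches either side next.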
@@ -1,13 +0,0 @@
-<?php
-
-function widget_snort_uninstall() {
-
- unlink("/usr/local/www/includes/snort_alerts.inc.php");
- unlink("/usr/local/www/widgets/helpers/snort_alerts_helper.php");
- unlink("/usr/local/www/widgets/include/snort_alerts.inc");
- unlink("/usr/local/www/widgets/javascript/snort_alerts.js");
- unlink("/usr/local/www/widgets/widgets/snort_alerts.widget.php");
-
-}
-
-?>
\ No newline at end of file diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml index 1644181c..785ac5b1 100644 --- a/config/widget-snort/widget-snort.xml +++ b/config/widget-snort/widget-snort.xml @@ -46,29 +46,8 @@ <requirements>Dashboard package and Snort</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>widget-snort</name> - <version>0.2</version> + <version>0.5</version> <title>Widget - Snort</title> - <include_file>/usr/local/pkg/widget-snort.inc</include_file> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/includes/</prefix> - <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/widgets/helpers/</prefix> - <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts_helper.php</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/www/widgets/include/</prefix> - <chmod>0644</chmod> - <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc</item> - </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/widgets/javascript/</prefix> <chmod>0644</chmod> @@ -79,7 +58,4 @@ <chmod>0644</chmod> <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.widget.php</item> </additional_files_needed> - <custom_php_deinstall_command> - widget_snort_uninstall(); - </custom_php_deinstall_command> </packagegui> diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 64ae2af0..3b7ea13c 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml 
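Review bot: Dropping the `<custom_php_deinstall_command>` and the `widget-snort.inc` it called means systems that upgrade from the previous widget version keep `snort_alerts_helper.php`, `snort_alerts.inc` and `snort_alerts.inc.php` under `/usr/local/www` with nothing left to remove them, and the helper is a web-reachable script that this release no longer maintains. A one-release cleanup — an install-time hook that unlinks those three paths, as the deleted function did — would keep upgraded installs in the same state as fresh ones. The `<version>` bump to 0.5 in this file matches `pkg_config.xml`, which is good; the widget's earlier `0.3` entry there suggests the two were already out of step once.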
@@ -406,7 +406,7 @@
 </package>
 <package>
 <name>snort</name>
- <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink>
+ <pkginfolink></pkginfolink>
 <website>http://www.snort.org</website>
 <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr>
 <category>Security</category>
@@ -431,7 +431,7 @@
 </build_pbi>
 <build_options>WITH_THREADS=yes WITH_IPV6=true WITH_MPLS=true WITH_GRE=true WITHOUT_TARGETBASED=true WITH_DECODERPRE=true WITH_ZLIB=true WITH_NORMALIZER=true WITH_REACT=true WITH_PERFPROFILE=true WITH_FLEXRESP3=true WITH_MYSQL=true WITHOUT_ODBC=true WITHOUT_POSTGRESQL=true WITHOUT_PRELUDE=true WITH_SNORTSAM=true NOPORTDOCS=true</build_options>
 <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file>
- <version>2.9.2.3 pkg v. 2.5.0</version>
+ <version>2.9.2.3 pkg v. 2.5.1</version>
 <required_version>2.0</required_version>
 <status>Stable</status>
 <configurationfile>/snort.xml</configurationfile>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 76607b60..05d8ee8f 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -393,7 +393,7 @@
 </package>
 <package>
 <name>snort</name>
- <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink>
+ <pkginfolink></pkginfolink>
 <website>http://www.snort.org</website>
 <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr>
 <category>Security</category>
@@ -418,7 +418,7 @@
 </build_pbi>
 <build_options>WITH_THREADS=yes WITH_IPV6=true WITH_MPLS=true WITH_GRE=true WITHOUT_TARGETBASED=true WITH_DECODERPRE=true WITH_ZLIB=true WITH_NORMALIZER=true WITH_REACT=true WITH_PERFPROFILE=true WITH_FLEXRESP3=true WITH_MYSQL=true WITHOUT_ODBC=true WITHOUT_POSTGRESQL=true WITHOUT_PRELUDE=true WITH_SNORTSAM=true NOPORTDOCS=true</build_options>
 <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file>
- <version>2.9.2.3 pkg v. 2.5.0</version>
+ <version>2.9.2.3 pkg v. 2.5.1</version>
 <required_version>2.0</required_version>
 <status>Stable</status>
 <configurationfile>/snort.xml</configurationfile>
diff --git a/pkg_config.xml b/pkg_config.xml
index 270bbf3a..6d7a2a1c 100644
--- a/pkg_config.xml
+++ b/pkg_config.xml
@@ -115,9 +115,9 @@ technique called multipoint relaying for message flooding.</descr>
 <descr>Dashboard widget for Snort.</descr>
 <category>System</category>
 <config_file>http://www.pfsense.com/packages/config/widget-snort/widget-snort.xml</config_file>
- <version>0.3</version>
- <status>BETA</status>
- <required_version>1.2</required_version>
+ <version>0.5</version>
+ <status>Stable</status>
+ <required_version>2.0</required_version>
 <configurationfile>widget-snort.xml</configurationfile>
 </package>
 <package> |
