diff options
43 files changed, 1989 insertions, 720 deletions
diff --git a/config/apache_mod_security-dev/apache_balancer.template b/config/apache_mod_security-dev/apache_balancer.template index 361a5ed4..06422125 100644 --- a/config/apache_mod_security-dev/apache_balancer.template +++ b/config/apache_mod_security-dev/apache_balancer.template @@ -6,7 +6,7 @@ $balancer_config= <<<EOF # then edit /usr/local/pkg/apache_* files. # # # # And don't forget to submit your changes to: # -# https://github.com/bsdperimeter/pfsense-packages # +# https://github.com/pfsense/pfsense-packages # ################################################################################## SetOutputFilter DEFLATE SetInputFilter DEFLATE @@ -37,4 +37,4 @@ Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ EOF; -?>
\ No newline at end of file +?> diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index cdee4f6b..57f5407b 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -321,7 +321,7 @@ function generate_apache_configuration() { # then edit /usr/local/pkg/apache_* files. # # # # And don't forget to submit your changes to: # -# https://github.com/bsdperimeter/pfsense-packages # +# https://github.com/pfsense/pfsense-packages # ################################################################################## diff --git a/config/bandwidthd/bandwidthd.inc b/config/bandwidthd/bandwidthd.inc index 8821ac76..829cdf59 100644 --- a/config/bandwidthd/bandwidthd.inc +++ b/config/bandwidthd/bandwidthd.inc @@ -46,6 +46,8 @@ function bandwidthd_install_deinstall() { exec("rm -f /usr/local/etc/rc.d/bandwidthd*"); exec("rm -rf " . PKG_BANDWIDTHD_BASE . "/htdocs"); exec("rm -f /usr/local/www/bandwidthd"); + // Remove the cron job, if it is there + install_cron_job("/bin/kill -HUP `cat /var/run/bandwidthd.pid`", false); conf_mount_ro(); config_unlock(); } @@ -62,44 +64,47 @@ function bandwidthd_install_config() { config_lock(); /* user defined values */ - $meta_refresh = $config['installedpackages']['bandwidthd']['config'][0]['meta_refresh']; + $bandwidthd_config = $config['installedpackages']['bandwidthd']['config'][0]; + $meta_refresh = $bandwidthd_config['meta_refresh']; if($meta_refresh) $meta_refresh = "meta_refresh $meta_refresh\n"; - $graph = $config['installedpackages']['bandwidthd']['config'][0]['drawgraphs']; + $graph = $bandwidthd_config['drawgraphs']; if($graph) $graph = "graph true\n"; else $graph = "graph false\n"; - $filter_text = $config['installedpackages']['bandwidthd']['config'][0]['filter']; + $filter_text = $bandwidthd_config['filter']; if($filter_text) $filter_text = "filter $filter_text\n"; - $recover_cdf = $config['installedpackages']['bandwidthd']['config'][0]['recovercdf']; + $recover_cdf = $bandwidthd_config['recovercdf']; if($recover_cdf) $recover_cdf = "recover_cdf true\n"; - $output_cdf = $config['installedpackages']['bandwidthd']['config'][0]['outputcdf']; + $output_cdf = $bandwidthd_config['outputcdf']; if($output_cdf) - $output_cdf = "output_cdf true\n"; - $promiscuous = $config['installedpackages']['bandwidthd']['config'][0]['promiscuous']; + $output_cdf_string = "output_cdf true\n"; + else + $output_cdf_string = ""; + $promiscuous = $bandwidthd_config['promiscuous']; if($promiscuous) $promiscuous = "promiscuous true\n"; else $promiscuous = "promiscuous false\n"; - $graph_cutoff = $config['installedpackages']['bandwidthd']['config'][0]['graphcutoff']; + $graph_cutoff = $bandwidthd_config['graphcutoff']; if($graph_cutoff) $graph_cutoff = "graph_cutoff $graph_cutoff\n"; - $skip_intervals = $config['installedpackages']['bandwidthd']['config'][0]['skipintervals']; + $skip_intervals = $bandwidthd_config['skipintervals']; if($skip_intervals) $skip_intervals = "skip_intervals $skip_intervals\n"; - if($config['installedpackages']['bandwidthd']['config'][0]['active_interface']){ - $ifdescrs = array($config['installedpackages']['bandwidthd']['config'][0]['active_interface']); + if($bandwidthd_config['active_interface']){ + $ifdescrs = array($bandwidthd_config['active_interface']); } else { log_error("You should specify an interface for bandwidthd to listen on. Exiting."); } - $subnets_custom = explode(';',str_replace(' ','',$config['installedpackages']['bandwidthd']['config'][0]['subnets_custom'])); + $subnets_custom = explode(';',str_replace(' ','',$bandwidthd_config['subnets_custom'])); /* initialize to "" */ $subnets = ""; @@ -180,7 +185,7 @@ $graph_cutoff $promiscuous #Log data to cdf file htdocs/log.cdf -$output_cdf +$output_cdf_string #Read back the cdf file on startup $recover_cdf @@ -208,26 +213,40 @@ EOF; fwrite($fd, $config_file); fclose($fd); + if ($g['platform'] == 'nanobsd') { + $bandwidthd_nano_dir = "/var/bandwidthd"; + $bandwidthd_htdocs_dir = $bandwidthd_nano_dir . "/htdocs"; + if (!is_dir($bandwidthd_nano_dir)) { + if (file_exists($bandwidthd_nano_dir)) { + unlink($bandwidthd_nano_dir); + } + mkdir($bandwidthd_nano_dir); + } + } else { + $bandwidthd_htdocs_dir = $bandwidthd_base_dir . "/htdocs"; + } + $rc = array(); $rc['file'] = 'bandwidthd.sh'; $rc['stop'] = <<<EOD /usr/bin/killall bandwidthd EOD; - if ($g['platform'] == 'nanobsd') { - // On nanobsd, /var/bandwidthd is created. - // In that is a real /var/bandwidth/htdocs, where the graph data is written - // A soft link to the real bandwidth program is made - /var/bandwidthd/bandwidthd - // A soft link to the etc folder with the conf file is made - /var/bandwidthd/etc - // bandwidthd is started from /var/bandwidthd with the current dir /var/bandwidth - // This way, it: - // looks in ./etc for the conf file - // writes graph files in ./htdocs - // writes cdf log files (if selected in the config) to ./ - // All of this is on the /var filesystem, which is a read-write memory disk on nanobsd - $bandwidthd_nano_dir = "/var/bandwidthd"; - $bandwidthd_htdocs_dir = $bandwidthd_nano_dir . "/htdocs"; - $rc['start'] = <<<EOD + // If this is an old config before the enable checkbox was added, then enable by default + $bandwidthd_enable = (!isset($bandwidthd_config['enable']) || ($bandwidthd_config['enable'])); + if ($bandwidthd_enable) { + if ($g['platform'] == 'nanobsd') { + // On nanobsd, /var/bandwidthd is created. + // In that is a real /var/bandwidth/htdocs, where the graph data is written + // A soft link to the real bandwidth program is made - /var/bandwidthd/bandwidthd + // A soft link to the etc folder with the conf file is made - /var/bandwidthd/etc + // bandwidthd is started from /var/bandwidthd with the current dir /var/bandwidth + // This way, it: + // looks in ./etc for the conf file + // writes graph files in ./htdocs + // writes cdf log files (if selected in the config) to ./ + // All of this is on the /var filesystem, which is a read-write memory disk on nanobsd + $rc['start'] = <<<EOD if [ ! -d "{$bandwidthd_nano_dir}" ] ; then if [ -e "{$bandwidthd_nano_dir}" ] ; then /bin/rm -f {$bandwidthd_nano_dir} @@ -252,22 +271,25 @@ if [ ! -L "{$bandwidthd_nano_dir}/etc" ] ; then fi /bin/ln -s {$bandwidthd_config_dir} {$bandwidthd_nano_dir}/etc fi - +if [ ! -f "{$bandwidthd_htdocs_dir}/legend.gif" ] ; then + /bin/cp {$bandwidthd_base_dir}/htdocs/legend.gif {$bandwidthd_htdocs_dir} +fi +if [ ! -f "{$bandwidthd_htdocs_dir}/logo.gif" ] ; then + /bin/cp {$bandwidthd_base_dir}/htdocs/logo.gif {$bandwidthd_htdocs_dir} +fi cd {$bandwidthd_nano_dir} {$bandwidthd_nano_dir}/bandwidthd cd - EOD; - if (!is_dir($bandwidthd_nano_dir)) { - if (file_exists($bandwidthd_nano_dir)) { - unlink($bandwidthd_nano_dir); - } - mkdir($bandwidthd_nano_dir); - } - } else { - $bandwidthd_htdocs_dir = $bandwidthd_base_dir . "/htdocs"; - $rc['start'] = <<<EOD + } else { + $rc['start'] = <<<EOD /usr/local/bandwidthd/bandwidthd EOD; + } + } else { + // bandwidthd is disabled, so do not put any real start commands in the script. + // This effectively disables it but keeps all the files in place (e.g. saved logs) ready to reload when it is enabled. + $rc['start'] = "return"; } /* write out rc.d start/stop file */ @@ -292,10 +314,22 @@ EOD; if (!file_exists($bandwidthd_index_file)) { exec("echo \"Please start bandwidthd to populate this directory.\" > " . $bandwidthd_index_file); } + + if (($bandwidthd_enable) && ($output_cdf)) { + // Use cron job to rotate logs every day at 00:01 + install_cron_job("/bin/kill -HUP `cat /var/run/bandwidthd.pid`", true, "1", "0"); + } + else + { + // Remove the cron job, if it is there + install_cron_job("/bin/kill -HUP `cat /var/run/bandwidthd.pid`", false); + } conf_mount_ro(); config_unlock(); stop_service("bandwidthd"); - start_service("bandwidthd"); + if ($bandwidthd_enable) { + start_service("bandwidthd"); + } } ?> diff --git a/config/bandwidthd/bandwidthd.xml b/config/bandwidthd/bandwidthd.xml index f82ac69d..f306546a 100644 --- a/config/bandwidthd/bandwidthd.xml +++ b/config/bandwidthd/bandwidthd.xml @@ -7,7 +7,7 @@ /* $Id$ */ /* ========================================================================== */ /* - authng.xml + bandwidthd.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong All rights reserved. @@ -41,10 +41,10 @@ */ /* ========================================================================== */ ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> <name>bandwidthd</name> <version>2.0.1.4</version> <title>Bandwidthd</title> @@ -60,7 +60,7 @@ <name>bandwidthd</name> <rcfile>bandwidthd.sh</rcfile> <executable>bandwidthd</executable> - </service> + </service> <tabs> <tab> <text>BandwidthD</text> @@ -80,6 +80,12 @@ </additional_files_needed> <fields> <field> + <fielddescr>Enable bandwidthd</fielddescr> + <fieldname>enable</fieldname> + <type>checkbox</type> + <description></description> + </field> + <field> <fielddescr>Interface</fielddescr> <fieldname>active_interface</fieldname> <description>The interface that bandwidthd will bind to.</description> @@ -96,7 +102,7 @@ <field> <fielddescr>Skip intervals</fielddescr> <fieldname>skipintervals</fieldname> - <description>Number of intervals (2.5 minute) to skip between graphing. Default 0.</description> + <description>Number of intervals to skip between graphing. Default 0. Each interval is 200 seconds = 3 min 20 sec.</description> <type>input</type> </field> <field> @@ -108,19 +114,20 @@ <field> <fielddescr>Promiscuous</fielddescr> <fieldname>promiscuous</fieldname> - <description>Put interface in promiscuous mode to score to traffic that may not be routing through the host machine.</description> + <description>Put interface in promiscuous mode to see traffic that may not be routing through the host machine.<br> + Note: If the interface is connected to a switch then the interface will only see the traffic on its port.</description> <type>checkbox</type> </field> <field> <fielddescr>output_cdf</fielddescr> <fieldname>outputcdf</fieldname> - <description>Log data to cdf file htdocs/log.cdf</description> + <description>Log data to cdf files log*.cdf</description> <type>checkbox</type> </field> <field> <fielddescr>recover_cdf</fielddescr> <fieldname>recovercdf</fieldname> - <description>Read back the cdf file on startup</description> + <description>Read back the cdf files on startup</description> <type>checkbox</type> </field> <field> @@ -139,9 +146,24 @@ <field> <fielddescr>Meta Refresh</fielddescr> <fieldname>meta_refresh</fieldname> - <description>Set META REFRESH seconds (default 150, use 0 to disable).</description> + <description>Sets the interval (seconds) at which the browser graph display refreshes (default 150, use 0 to disable).</description> <type>input</type> </field> + <field> + <fielddescr>Graph and Log Info</fielddescr> + <fieldname>graph_log_info</fieldname> + <description>If draw graphs is on, then the daily report and graph html data is regenerated every (skip intervals + 1) * 200 seconds. The data volumes in the report are for the same period as the span of the graph.<br> + If output_cdf is on, then a cron job is added to rotate the log files at 00:01 each day. 6 log files are kept for each log frequency (daily, weekly, monthly, yearly). At the respective rotation intervals, the oldest log is deleted, the others are shuffled back and a new log is created.<br> + <table cellpadding=1 cellspacing=0 style="text-align: left;"> <tbody> + <tr><th> </th><th> Data Interval </th><th> Graph Span </th><th> Log Rotation </th><th> Log File Name </th></tr> + <tr><th> Daily </th><td> 200 seconds </td><td> 2 days </td><td> 1 day </td><td> log.1.[0-5].cdf </td></tr> + <tr><th> Weekly </th><td> 10 minutes </td><td> 7 days </td><td> 7 days </td><td> log.2.[0-5].cdf </td></tr> + <tr><th> Monthly </th><td> 1 hour </td><td> 35 days </td><td> 35 days </td><td> log.3.[0-5].cdf </td></tr> + <tr><th> Yearly </th><td> 12 hours </td><td> 412.5 days </td><td> 412.5 days </td><td> log.4.[0-5].cdf </td></tr> + </tbody> </table> + </description> + <type>info</type> + </field> </fields> <custom_php_resync_config_command> bandwidthd_install_config(); diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 89103ef8..4f02b4d4 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -582,7 +582,7 @@ function haproxy_writeconf() { //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem $ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt"; $cert = lookup_cert($backend['ssloffloadcert']); - $certcontent = base64_decode($cert['crt']).base64_decode($cert['prv']); + $certcontent = base64_decode($cert['crt'])."\r\n".base64_decode($cert['prv']); file_put_contents("/var/etc/{$backend['name']}.{$backend['port']}.crt", $certcontent); unset($certcontent); }else{ diff --git a/config/mailreport/mail_reports.inc b/config/mailreport/mail_reports.inc index 8ab31301..85b67ddf 100644 --- a/config/mailreport/mail_reports.inc +++ b/config/mailreport/mail_reports.inc @@ -29,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +require_once("globals.inc"); require_once("config.inc"); require_once("filter.inc"); require_once("rrd.inc"); @@ -42,6 +43,28 @@ $graph_length = array( "year" => 31622400, "4year" => 126489600); +$logfile_friendly = array( + "dhcpd" => "DHCP", + "filter" => "Firewall (raw)", + "gateways" => "Gateway Events", + "installer" => "Installation", + "ipsec" => "IPsec VPN", + "l2tps" => "L2TP Server (raw)", + "lighttpd" => "Web Server (lighttpd)", + "ntpd" => "NTP", + "openvpn" => "OpenVPN", + "poes" => "PPPoE Server (raw)", + "portalauth" => "Captive Portal Authentication", + "ppp" => "PPP", + "pptps" => "PPTP Server (raw)", + "relayd" => "Load Balancer (relayd)", + "resolver" => "DNS Resolver", + "routing" => "Routing", + "system" => "System", + "vpn" => "PPTP/L2TP/PPPoE Server Login Events", + "wireless" => "Wireless" +); + function get_dates($curperiod, $graph) { global $graph_length; $now = time(); @@ -162,7 +185,7 @@ function set_mail_report_cron_jobs($a_mailreports) { include('phpmailer/class.phpmailer.php'); -function mail_report_send($headertext, $attachments) { +function mail_report_send($headertext, $cmdtext, $logtext, $attachments) { global $config, $g; if (empty($config['notifications']['smtp']['ipaddress'])) @@ -191,7 +214,11 @@ function mail_report_send($headertext, $attachments) { $address = $config['notifications']['smtp']['notifyemailaddress']; $mail->AddAddress($address, "Report Recipient"); $mail->Subject = "{$config['system']['hostname']}.{$config['system']['domain']} Graph Report: {$headertext}"; - $mail->Body .= "This is a periodic graph report from your firewall, {$config['system']['hostname']}.{$config['system']['domain']}.<br/><br/>Current report: {$headertext}\n"; + $mail->Body .= "This is a periodic report from your firewall, {$config['system']['hostname']}.{$config['system']['domain']}.<br /><br />Current report: {$headertext}<br />\n<br />\n"; + if (!empty($cmdtext)) + $mail->Body .= $cmdtext; + if (!empty($logtext)) + $mail->Body .= $logtext; if(is_array($attachments)) { foreach($attachments as $filename) { $shortname = basename($filename); @@ -203,7 +230,7 @@ function mail_report_send($headertext, $attachments) { if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { - echo "<strong>Message sent to {$userid}!</strong>\n"; + echo "<strong>Message sent to {$address}!</strong>\n"; } } @@ -1201,4 +1228,32 @@ function timeDiff($time, $opt = array()) { return $str; } +function mail_report_get_log($logfile, $tail, $grepfor) { + global $g, $config; + $logfile = "{$g['varlog_path']}/{$logfile}"; + $logarr = ""; + $grepline = " "; + if(is_array($grepfor)) + foreach($grepfor as $agrep) + $grepline .= " | grep \"$agrep\""; + if($config['system']['disablesyslogclog']) { + exec("cat {$logfile}{$grepline} | /usr/bin/tail -n {$tail}", $logarr); + } else { + if(isset($config['system']['usefifolog'])) { + exec("/usr/sbin/fifolog_reader {$logfile}{$grepline} | /usr/bin/tail -n {$tail}", $logarr); + } else { + exec("/usr/sbin/clog {$logfile}{$grepline}| grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -n {$tail}", $logarr); + } + } + return($logarr); +} + +function get_friendly_log_name($logfile) { + global $logfile_friendly; + $friendly = str_replace(".log", "", $logfile); + if (!empty($logfile_friendly[$friendly])) + $friendly = $logfile_friendly[$friendly]; + return $friendly; +} + ?> diff --git a/config/mailreport/mail_reports_generate.php b/config/mailreport/mail_reports_generate.php index 7ff7b71e..a784c596 100644 --- a/config/mailreport/mail_reports_generate.php +++ b/config/mailreport/mail_reports_generate.php @@ -53,17 +53,42 @@ if (!$config['mailreports']['schedule'][$id]) exit; $thisreport = $config['mailreports']['schedule'][$id]; +$cmds = $thisreport['cmd']['row']; +$logs = $thisreport['log']['row']; $graphs = $thisreport['row']; -// No graphs on the report, bail! -if (!is_array($graphs) || !(count($graphs) > 0)) - exit; +// If there is nothing to do, bail! +if ((!is_array($cmds) || !(count($cmds) > 0)) + && (!is_array($logs) || !(count($logs) > 0)) + && (!is_array($graphs) || !(count($graphs) > 0))) + return; // Print report header +// Print command output +$cmdtext = ""; +foreach ($cmds as $cmd) { + $output = ""; + $cmdtext .= "Command output: {$cmd['descr']} (" . htmlspecialchars($cmd['detail']) . ")<br />\n"; + exec($cmd['detail'], $output); + $cmdtext .= "<pre>\n"; + $cmdtext .= implode("\n", $output); + $cmdtext .= "\n</pre>"; +} + +// Print log output +$logtext = ""; +foreach ($logs as $log) { + $lines = empty($log['lines']) ? 50 : $log['lines']; + $filter = empty($log['detail']) ? null : array($log['detail']); + $logtext .= "Log output: " . get_friendly_log_name($log['logfile']) . " ({$log['logfile']})<br />\n"; + $logtext .= "<pre>\n"; + $logtext .= implode("\n", mail_report_get_log($log['logfile'], $lines, $filter)); + $logtext .= "\n</pre>"; +} + // For each graph, print a header and the graph $attach = array(); -$idx=0; foreach ($graphs as $thisgraph) { $dates = get_dates($thisgraph['period'], $thisgraph['timespan']); $start = $dates['start']; @@ -71,6 +96,6 @@ foreach ($graphs as $thisgraph) { $attach[] = mail_report_generate_graph($thisgraph['graph'], $thisgraph['style'], $thisgraph['timespan'], $start, $end); } -mail_report_send($thisreport['descr'], $attach); +mail_report_send($thisreport['descr'], $cmdtext, $logtext, $attach); ?>
\ No newline at end of file diff --git a/config/mailreport/mailreport.xml b/config/mailreport/mailreport.xml index 613ac42f..d27d3a28 100644 --- a/config/mailreport/mailreport.xml +++ b/config/mailreport/mailreport.xml @@ -37,7 +37,7 @@ ]]> </copyright> <name>mailreport</name> - <version>1.0</version> + <version>2.0.4</version> <title>Status: Mail Reports</title> <additional_files_needed> <prefix>/usr/local/bin/</prefix> @@ -70,11 +70,19 @@ </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> + <item>http://www.pfsense.com/packages/config/mailreport/status_mail_report_add_cmd.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <item>http://www.pfsense.com/packages/config/mailreport/status_mail_report_add_log.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> <item>http://www.pfsense.com/packages/config/mailreport/status_mail_report_add_graph.php</item> </additional_files_needed> <menu> - <name>RRD E-Mail Reports</name> - <tooltiptext>Setup periodic e-mail reports with RRD graphs.</tooltiptext> + <name>E-Mail Reports</name> + <tooltiptext>Setup periodic e-mail reports.</tooltiptext> <section>Status</section> <url>/status_mail_report.php</url> </menu> diff --git a/config/mailreport/status_mail_report.php b/config/mailreport/status_mail_report.php index 4dc195bc..b1705fac 100644 --- a/config/mailreport/status_mail_report.php +++ b/config/mailreport/status_mail_report.php @@ -74,11 +74,13 @@ include("head.inc"); <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td><div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td colspan="4">Here you can define a list of reports, containing multiple RRD graphs, to be sent by e-mail. </td></tr> + <tr><td colspan="4">Here you can define a list of reports to be sent by e-mail. </td></tr> <tr><td> </td></tr> <tr> - <td width="45%" class="listhdr"><?=gettext("Description");?></td> - <td width="35%" class="listhdr"><?=gettext("Schedule");?></td> + <td width="35%" class="listhdr"><?=gettext("Description");?></td> + <td width="25%" class="listhdr"><?=gettext("Schedule");?></td> + <td width="10%" class="listhdr"><?=gettext("Cmds");?></td> + <td width="10%" class="listhdr"><?=gettext("Logs");?></td> <td width="10%" class="listhdr"><?=gettext("Graphs");?></td> <td width="10%" class="list"><a href="status_mail_report_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> </tr> @@ -86,6 +88,8 @@ include("head.inc"); <tr ondblclick="document.location='status_mail_report_edit.php?id=<?=$i;?>'"> <td class="listlr"><?php echo $mailreport['descr']; ?></td> <td class="listlr"><?php echo $mailreport['schedule_friendly']; ?></td> + <td class="listlr"><?php echo count($mailreport['cmd']['row']); ?></td> + <td class="listlr"><?php echo count($mailreport['log']['row']); ?></td> <td class="listlr"><?php echo count($mailreport['row']); ?></td> <td valign="middle" nowrap class="list"> <a href="status_mail_report_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a> @@ -95,7 +99,7 @@ include("head.inc"); </tr> <?php $i++; endforeach; ?> <tr> - <td class="list" colspan="3"></td> + <td class="list" colspan="5"></td> <td class="list"><a href="status_mail_report_edit.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> </tr> <tr> diff --git a/config/mailreport/status_mail_report_add_cmd.php b/config/mailreport/status_mail_report_add_cmd.php new file mode 100644 index 00000000..7693f7a4 --- /dev/null +++ b/config/mailreport/status_mail_report_add_cmd.php @@ -0,0 +1,146 @@ +<?php +/* $Id$ */ +/* + status_rrd_graph.php + Part of pfSense + Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Portions Copyright (C) 2007-2011 Seth Mos <seth.mos@dds.nl> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_MODULE: system +*/ + +##|+PRIV +##|*IDENT=page-status-rrdgraphs +##|*NAME=Status: RRD Graphs page +##|*DESCR=Allow access to the 'Status: RRD Graphs' page. +##|*MATCH=status_rrd_graph.php* +##|-PRIV + +require("guiconfig.inc"); +require_once("mail_reports.inc"); + +$reportid = $_REQUEST['reportid']; +$id = $_REQUEST['id']; + +if (!is_array($config['mailreports']['schedule'])) + $config['mailreports']['schedule'] = array(); + +$a_mailreports = &$config['mailreports']['schedule']; + +if (!isset($reportid) || !isset($a_mailreports[$reportid])) { + header("Location: status_mail_report.php"); + return; +} + +if (!is_array($a_mailreports[$reportid]['cmd']['row'])) { + $a_mailreports[$reportid]['cmd'] = array(); + $a_mailreports[$reportid]['cmd']['row'] = array(); +} +$a_cmds = $a_mailreports[$reportid]['cmd']['row']; + +if (isset($id) && $a_cmds[$id]) { + $pconfig = $a_cmds[$id]; +} else { + $pconfig = array(); +} + +if (isset($id) && !($a_cmds[$id])) { + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + +if ($_POST) { + unset($_POST['__csrf_magic']); + $pconfig = $_POST; + + if (isset($id) && $a_cmds[$id]) + $a_cmds[$id] = $pconfig; + else + $a_cmds[] = $pconfig; + + $a_mailreports[$reportid]['cmd']['row'] = $a_cmds; + + write_config(); + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + + +$pgtitle = array(gettext("Status"),gettext("Add Mail Report Command")); +include("head.inc"); +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td><div id="mainarea"> + <form action="status_mail_report_add_cmd.php" method="post" name="iform" id="iform"> + <table class="tabcont" width="100%" border="0" cellpadding="1" cellspacing="1"> + <tr> + <td class="listtopic" colspan="2">Command Settings</td> + </tr> + <tr> + <td width="20%" class="listhdr"> + <?=gettext("Name:");?> + </td> + <td width="80%" class="listhdr"> + <input name="descr" type="text" class="formfld unknown" id="descr" size="20" value="<?=htmlspecialchars($pconfig['descr']);?>"> + </td> + </tr> + <tr> + <td class="listhdr"> + <?=gettext("Command:");?> + </td> + <td class="listhdr"> + <input name="detail" type="text" class="formfld unknown" id="detail" size="60" value="<?=htmlspecialchars($pconfig['detail']);?>"> + </td> + </tr> + <tr> + <td> </td> + <td> + <br/>NOTE: Use full paths to commands to ensure they run properly. The command will be run during the report and its stdout output will be included in the report body. Be extremely careful what commands you choose to run, the same warnings apply as those when using Diagnostics > Command. + <br/> + <br/>Do not use this solely as a way to run a command on a schedule, use the Cron package for that purpose instead. + </td> + </tr> + <tr> + <td colspan="2" align="center"> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>"> + <a href="status_mail_report_edit.php?id=<?php echo $reportid;?>"><input name="cancel" type="button" class="formbtn" value="<?=gettext("Cancel");?>"></a> + <input name="reportid" type="hidden" value="<?=htmlspecialchars($reportid);?>"> + <?php if (isset($id) && $a_graphs[$id]): ?> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> + <?php endif; ?> + </td> + <td></td> + </tr> + </table> + </form> + </div></td></tr> +</table> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/mailreport/status_mail_report_add_graph.php b/config/mailreport/status_mail_report_add_graph.php index c0287367..165124f3 100644 --- a/config/mailreport/status_mail_report_add_graph.php +++ b/config/mailreport/status_mail_report_add_graph.php @@ -50,13 +50,8 @@ if(! isset($config['rrd']['enable'])) { header("Location: status_rrd_graph_settings.php"); } -$reportid = $_GET['reportid']; -if (isset($_POST['reportid'])) - $reportid = $_POST['reportid']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; +$reportid = $_REQUEST['reportid']; +$id = $_REQUEST['id']; if (!is_array($config['mailreports']['schedule'])) $config['mailreports']['schedule'] = array(); @@ -65,7 +60,7 @@ $a_mailreports = &$config['mailreports']['schedule']; if (!isset($reportid) || !isset($a_mailreports[$reportid])) { header("Location: status_mail_report.php"); - exit; + return; } if (!is_array($a_mailreports[$reportid]['row'])) @@ -80,7 +75,7 @@ if (isset($id) && $a_graphs[$id]) { if (isset($id) && !($a_graphs[$id])) { header("Location: status_mail_report_edit.php?id={$reportid}"); - exit; + return; } @@ -159,7 +154,7 @@ if ($_POST) { write_config(); header("Location: status_mail_report_edit.php?id={$reportid}"); - exit; + return; } diff --git a/config/mailreport/status_mail_report_add_log.php b/config/mailreport/status_mail_report_add_log.php new file mode 100644 index 00000000..75d092b5 --- /dev/null +++ b/config/mailreport/status_mail_report_add_log.php @@ -0,0 +1,162 @@ +<?php +/* $Id$ */ +/* + status_rrd_graph.php + Part of pfSense + Copyright (C) 2011 Jim Pingle <jimp@pfsense.org> + Portions Copyright (C) 2007-2011 Seth Mos <seth.mos@dds.nl> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_MODULE: system +*/ + +##|+PRIV +##|*IDENT=page-status-rrdgraphs +##|*NAME=Status: RRD Graphs page +##|*DESCR=Allow access to the 'Status: RRD Graphs' page. +##|*MATCH=status_rrd_graph.php* +##|-PRIV + +require("guiconfig.inc"); +require_once("mail_reports.inc"); + +$reportid = $_REQUEST['reportid']; +$id = $_REQUEST['id']; + +if (!is_array($config['mailreports']['schedule'])) + $config['mailreports']['schedule'] = array(); + +$a_mailreports = &$config['mailreports']['schedule']; + +if (!isset($reportid) || !isset($a_mailreports[$reportid])) { + header("Location: status_mail_report.php"); + return; +} + +if (!is_array($a_mailreports[$reportid]['log']['row'])) { + $a_mailreports[$reportid]['log'] = array(); + $a_mailreports[$reportid]['log']['row'] = array(); +} +$a_logs = $a_mailreports[$reportid]['log']['row']; + +if (isset($id) && $a_logs[$id]) { + $pconfig = $a_logs[$id]; +} else { + $pconfig = array(); +} + +if (isset($id) && !($a_logs[$id])) { + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + +$logpath = "/var/log/"; +chdir($logpath); +$logfiles = glob("*.log"); + +sort($logfiles); + +if ($_POST) { + unset($_POST['__csrf_magic']); + $pconfig = $_POST; + + if (isset($id) && $a_logs[$id]) + $a_logs[$id] = $pconfig; + else + $a_logs[] = $pconfig; + + $a_mailreports[$reportid]['log']['row'] = $a_logs; + + write_config(); + header("Location: status_mail_report_edit.php?id={$reportid}"); + return; +} + + +$pgtitle = array(gettext("Status"),gettext("Add Mail Report Log")); +include("head.inc"); +?> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td><div id="mainarea"> + <form action="status_mail_report_add_log.php" method="post" name="iform" id="iform"> + <table class="tabcont" width="100%" border="0" cellpadding="1" cellspacing="1"> + <tr> + <td class="listtopic" colspan="2">Log Settings</td> + </tr> + <tr> + <td width="20%" class="listhdr"> + <?=gettext("Logs:");?> + </td> + <td width="80%" class="listhdr"> + <select name="logfile" class="formselect" style="z-index: -10;"> + <?php + foreach ($logfiles as $logfile) { + echo "<option value=\"{$logfile}\""; + if ($pconfig['logfile'] == $logfile) { + echo " selected"; + } + echo ">" . htmlspecialchars(get_friendly_log_name($logfile)) . "</option>\n"; + } + ?> + </select> + </td> + </tr> + <tr> + <td width="20%" class="listhdr"> + <?=gettext("# Rows:");?> + </td> + <td width="80%" class="listhdr"> + <input name="lines" type="text" class="formfld unknown" id="lines" size="10" value="<?=htmlspecialchars($pconfig['lines']);?>"> + </td> + </tr> + <tr> + <td class="listhdr"> + <?=gettext("Filter:");?> + </td> + <td class="listhdr"> + <input name="detail" type="text" class="formfld unknown" id="detail" size="60" value="<?=htmlspecialchars($pconfig['detail']);?>"> + </td> + </tr> + <tr> + <td colspan="2" align="center"> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>"> + <a href="status_mail_report_edit.php?id=<?php echo $reportid;?>"><input name="cancel" type="button" class="formbtn" value="<?=gettext("Cancel");?>"></a> + <input name="reportid" type="hidden" value="<?=htmlspecialchars($reportid);?>"> + <?php if (isset($id) && $a_logs[$id]): ?> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> + <?php endif; ?> + </td> + <td></td> + </tr> + </table> + </form> + </div></td></tr> +</table> + +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/mailreport/status_mail_report_edit.php b/config/mailreport/status_mail_report_edit.php index 3102e958..7ddb4c36 100644 --- a/config/mailreport/status_mail_report_edit.php +++ b/config/mailreport/status_mail_report_edit.php @@ -44,16 +44,13 @@ require_once("mail_reports.inc"); /* if the rrd graphs are not enabled redirect to settings page */ if(! isset($config['rrd']['enable'])) { header("Location: status_rrd_graph_settings.php"); - exit; + return; } -$graphid = $_GET['graphid']; -if (isset($_POST['graphid'])) - $graphid = $_POST['graphid']; - -$id = $_GET['id']; -if (isset($_POST['id'])) - $id = $_POST['id']; +$cmdid = $_REQUEST['cmdid']; +$logid = $_REQUEST['logid']; +$graphid = $_REQUEST['graphid']; +$id = $_REQUEST['id']; if (!is_array($config['mailreports']['schedule'])) $config['mailreports']['schedule'] = array(); @@ -63,19 +60,40 @@ if (isset($id) && $a_mailreports[$id]) { if (!is_array($a_mailreports[$id]['row'])) $a_mailreports[$id]['row'] = array(); $pconfig = $a_mailreports[$id]; + $a_cmds = $a_mailreports[$id]['cmd']['row']; + $a_logs = $a_mailreports[$id]['log']['row']; $a_graphs = $a_mailreports[$id]['row']; -} else { +} + +if (!is_array($pconfig)) $pconfig = array(); +if (!is_array($a_cmds)) + $a_cmds = array(); +if (!is_array($a_logs)) + $a_logs = array(); +if (!is_array($a_graphs)) $a_graphs = array(); -} + if ($_GET['act'] == "del") { - if ($a_graphs[$graphid]) { + if (is_numeric($cmdid) && $a_cmds[$cmdid]) { + unset($a_cmds[$cmdid]); + $a_mailreports[$id]['cmd']['row'] = $a_cmds; + write_config(); + header("Location: status_mail_report_edit.php?id={$id}"); + return; + } elseif (is_numeric($logid) && $a_logs[$logid]) { + unset($a_logs[$logid]); + $a_mailreports[$id]['log']['row'] = $a_logs; + write_config(); + header("Location: status_mail_report_edit.php?id={$id}"); + return; + } elseif (is_numeric($graphid) && $a_graphs[$graphid]) { unset($a_graphs[$graphid]); $a_mailreports[$id]['row'] = $a_graphs; write_config(); header("Location: status_mail_report_edit.php?id={$id}"); - exit; + return; } } @@ -97,7 +115,7 @@ if ($_POST) { if ($_POST['Submit'] == "Send Now") { mwexec_bg("/usr/local/bin/mail_reports_generate.php {$id}"); header("Location: status_mail_report_edit.php?id={$id}"); - exit; + return; } $friendly = ""; @@ -124,7 +142,9 @@ if ($_POST) { unset($pconfig['dayofmonth']); } - // Copy graphs back into the schedule. + // Copy back into the schedule. + $pconfig['cmd']["row"] = $a_cmds; + $pconfig['log']["row"] = $a_logs; $pconfig["row"] = $a_graphs; $pconfig['schedule_friendly'] = $friendly; @@ -139,7 +159,7 @@ if ($_POST) { write_config(); configure_cron(); header("Location: status_mail_report.php"); - exit; + return; } $pgtitle = array(gettext("Status"),gettext("Edit Mail Reports")); @@ -220,6 +240,78 @@ include("head.inc"); <td></td> </tr> <tr> + <td class="listtopic" colspan="4">Report Commands</td> + <td></td> + </tr> + <tr> + <td width="30%" class="listhdr"><?=gettext("Name");?></td> + <td width="60%" colspan="3" class="listhdr"><?=gettext("Command");?></td> + <td width="10%" class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + </td> + <?php else: ?> + </td> + <tr><td colspan="5" align="center"><br/>Save the report first, then items may be added.<br/></td></tr> + <?php endif; ?> + </tr> + <?php $i = 0; foreach ($a_cmds as $cmd): ?> + <tr ondblclick="document.location='status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>&id=<?=$i;?>'"> + <td class="listlr"><?php echo htmlspecialchars($cmd['descr']); ?></td> + <td colspan="3" class="listlr"><?php echo htmlspecialchars($cmd['detail']); ?></td> + <td valign="middle" nowrap class="list"> + <a href="status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a> + + <a href="status_mail_report_edit.php?act=del&id=<?php echo $id ;?>&cmdid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this entry?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="4"></td> + <td class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + <?php endif; ?> + </td> + </tr> + <tr> + <td class="listtopic" colspan="4">Report Logs</td> + <td></td> + </tr> + <tr> + <td width="30%" class="listhdr"><?=gettext("Log");?></td> + <td width="20%" class="listhdr"><?=gettext("# Rows");?></td> + <td width="40%" colspan="2" class="listhdr"><?=gettext("Filter");?></td> + <td width="10%" class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_log.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + </td> + <?php else: ?> + </td> + <tr><td colspan="5" align="center"><br/>Save the report first, then items may be added.<br/></td></tr> + <?php endif; ?> + </tr> + <?php $i = 0; foreach ($a_logs as $log): ?> + <tr ondblclick="document.location='status_mail_report_add_log.php?reportid=<?php echo $id ;?>&id=<?=$i;?>'"> + <td class="listlr"><?php echo get_friendly_log_name($log['logfile']); ?></td> + <td class="listlr"><?php echo $log['lines']; ?></td> + <td colspan="2" class="listlr"><?php echo $log['detail']; ?></td> + <td valign="middle" nowrap class="list"> + <a href="status_mail_report_add_cmd.php?reportid=<?php echo $id ;?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a> + + <a href="status_mail_report_edit.php?act=del&id=<?php echo $id ;?>&logid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this entry?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a> + </td> + </tr> + <?php $i++; endforeach; ?> + <tr> + <td class="list" colspan="4"></td> + <td class="list"> + <?php if (isset($id) && $a_mailreports[$id]): ?> + <a href="status_mail_report_add_log.php?reportid=<?php echo $id ;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a> + <?php endif; ?> + </td> + </tr> + <tr> <td class="listtopic" colspan="4">Report Graphs</td> <td></td> </tr> @@ -234,7 +326,7 @@ include("head.inc"); </td> <?php else: ?> </td> - <tr><td colspan="5" align="center"><br/>Save the report first, then you may add graphs.<br/></td></tr> + <tr><td colspan="5" align="center"><br/>Save the report first, then items may be added.<br/></td></tr> <?php endif; ?> </tr> <?php $i = 0; foreach ($a_graphs as $graph): @@ -246,7 +338,7 @@ include("head.inc"); } $prettyprint = ucwords(implode(" :: ", $optionc)); ?> - <tr ondblclick="document.location='status_mail_report_edit.php?id=<?=$i;?>'"> + <tr ondblclick="document.location='status_mail_report_add_graph.php?reportid=<?php echo $id ;?>&id=<?=$i;?>'"> <td class="listlr"><?php echo $prettyprint; ?></td> <td class="listlr"><?php echo $graph['style']; ?></td> <td class="listlr"><?php echo $graph['timespan']; ?></td> diff --git a/config/openbgpd/openbgpd.inc b/config/openbgpd/openbgpd.inc index eff2855b..45449793 100644 --- a/config/openbgpd/openbgpd.inc +++ b/config/openbgpd/openbgpd.inc @@ -79,7 +79,6 @@ function openbgpd_install_conf() { $openbgpd_neighbors = &$config['installedpackages']['openbgpdneighbors']['config']; $conffile = "# This file was created by the package manager. Do not edit!\n\n"; - $setkeycf = ""; // Setup AS # if($openbgpd_conf['asnum']) @@ -114,20 +113,24 @@ function openbgpd_install_conf() { if(is_array($openbgpd_neighbors)) { foreach($openbgpd_neighbors as $neighbor) { if($neighbor['groupname'] == $group['name']) { - $conffile .= " neighbor {$neighbor['neighbor']} {\n"; - $conffile .= " descr \"{$neighbor['descr']}\"\n"; - $setkeycf .= "delete {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000;\n"; + $conffile .= "\tneighbor {$neighbor['neighbor']} {\n"; + $conffile .= "\t\tdescr \"{$neighbor['descr']}\"\n"; if($neighbor['md5sigpass']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 \"{$neighbor['md5sigpass']}\";\n"; - $conffile .= " tcp md5sig password {$neighbor['md5sigpass']}\n"; + $conffile .= "\t\ttcp md5sig password {$neighbor['md5sigpass']}\n"; } if($neighbor['md5sigkey']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 0x{$neighbor['md5sigkey']};\n"; - $conffile .= " tcp md5sig key {$neighbor['md5sigkey']}\n"; + $conffile .= "\t\ttcp md5sig key {$neighbor['md5sigkey']}\n"; } - foreach($neighbor['row'] as $row) { - $conffile .= " {$row['parameters']} {$row['parmvalue']} \n"; - } + $setlocaladdr = true; + if (is_array($neighbor['row'])) { + foreach($neighbor['row'] as $row) { + if ($row['parameters'] == "local-address") + $setlocaladdr = false; + $conffile .= "\t\t{$row['parameters']} {$row['parmvalue']} \n"; + } + } + if ($setlocaladdr == true) + $conffile .= "\t\tlocal-address {$openbgpd_conf['listenip']}\n"; $conffile .= "}\n"; } } @@ -142,23 +145,25 @@ function openbgpd_install_conf() { $used_this_item = false; if($neighbor['groupname'] == "") { $conffile .= "neighbor {$neighbor['neighbor']} {\n"; - $conffile .= " descr \"{$neighbor['descr']}\"\n"; - $setkeycf .= "delete {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000;\n"; + $conffile .= "\tdescr \"{$neighbor['descr']}\"\n"; if ($neighbor['md5sigpass']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 \"{$neighbor['md5sigpass']}\";\n"; - $conffile .= " tcp md5sig password {$neighbor['md5sigpass']}\n"; + $conffile .= "\ttcp md5sig password {$neighbor['md5sigpass']}\n"; } if ($neighbor['md5sigkey']) { - $setkeycf .= "add {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 0x{$neighbor['md5sigkey']};\n"; - $conffile .= " tcp md5sig key {$neighbor['md5sigkey']}\n"; + $conffile .= "\ttcp md5sig key {$neighbor['md5sigkey']}\n"; } - $used_this_item = true; - foreach($neighbor['row'] as $row) { - $conffile .= " {$row['parameters']} {$row['parmvalue']} \n"; - } + $setlocaladdr = true; + if (is_array($neighbor['row'])) { + foreach($neighbor['row'] as $row) { + if ($row['parameters'] == "local-address") + $setlocaladdr = false; + $conffile .= "\t{$row['parameters']} {$row['parmvalue']} \n"; + } + } + if ($setlocaladdr == true) + $conffile .= "\tlocal-address {$openbgpd_conf['listenip']}\n"; } - if($used_this_item) - $conffile .= "}\n"; + $conffile .= "}\n"; } } @@ -173,17 +178,13 @@ function openbgpd_install_conf() { } } safe_mkdir($bgpd_config_base); - $fd = fopen("{$bgpd_config_base}/bgpd.conf", "w"); - - // Write out the configuration file - fwrite($fd, $conffile); - - // Close file handle - fclose($fd); + // Write out the configuration file + @file_put_contents("{$bgpd_config_base}/bgpd.conf", $conffile); + @chmod("{$bgpd_config_base}/bgpd.conf", 0600); // Create rc.d file $rc_file_stop = <<<EOF -killall -9 bgpd +killall -TERM bgpd EOF; $rc_file_start = <<<EOF @@ -195,12 +196,14 @@ if [ `pw usershow {$pkg_login} 2>&1 | grep -c "pw: no such user"` -gt 0 ]; then fi /bin/mkdir -p {$bgpd_config_base} -chmod u+rw,go-rw {$bgpd_config_base}/bgpd.conf /usr/sbin/chown -R root:wheel {$bgpd_config_base} +/bin/chmod 0600 {$bgpd_config_base}/bgpd.conf NUMBGPD=`ps auxw | grep -c '[b]gpd.*parent'` if [ \${NUMBGPD} -lt 1 ] ; then {$pkg_bin}/bgpd -f {$bgpd_config_base}/bgpd.conf +else + {$pkg_bin}/bgpctl reload fi EOF; write_rcfile(array( @@ -210,17 +213,11 @@ EOF; ) ); - // TCP-MD5 support on freebsd. See tcp(5) for more - $fd = fopen("{$g['tmp_path']}/bgpdsetkey.conf", "w"); - fwrite($fd, $setkeycf ); - fclose($fd); - exec("setkey -f {$g['tmp_path']}/bgpdsetkey.conf"); - // bgpd process running? if so reload, else start. if(is_openbgpd_running() == true) { - exec("bgpctl reload"); + exec("{$pkg_bin}/bgpctl reload"); } else { - exec("bgpd"); + exec("{$pkg_bin}/bgpd -f {$bgpd_config_base}/bgpd.conf"); } conf_mount_ro(); @@ -250,21 +247,6 @@ function openbgpd_put_raw_config($conffile) { function deinstall_openbgpd() { global $config, $g; - if($config['installedpackages']['openbgpd']['config']) - $openbgpd_conf = &$config['installedpackages']['openbgpd']['config'][0]; - if($config['installedpackages']['openbgpdneighbors']['config']) - $openbgpd_neighbors = &$config['installedpackages']['openbgpdneighbors']['config']; - $setkeycf = ""; - if(is_array($openbgpd_neighbors)) { - foreach($openbgpd_neighbors as $neighbor) - $setkeycf .= "delete {$openbgpd_conf['listenip']} {$neighbor['neighbor']} tcp 0x1000;\n"; - } - // Clear all SADB entries used. - $fd = fopen("{$g['tmp_path']}/bgpdsetkey.conf", "w"); - fwrite($fd, $setkeycf ); - fclose($fd); - exec("setkey -f {$g['tmp_path']}/bgpdsetkey.conf"); - exec("rm /usr/local/etc/rc.d/bgpd.sh"); exec("rm /usr/local/www/openbgpd_status.php"); exec("killall bgpd"); @@ -369,4 +351,4 @@ function is_openbgpd_running() { return false; } -?>
\ No newline at end of file +?> diff --git a/config/openbgpd/openbgpd_neighbors.xml b/config/openbgpd/openbgpd_neighbors.xml index efa82384..5553c022 100644 --- a/config/openbgpd/openbgpd_neighbors.xml +++ b/config/openbgpd/openbgpd_neighbors.xml @@ -100,13 +100,13 @@ <field> <fielddescr>TCP-MD5 key</fielddescr> <fieldname>md5sigkey</fieldname> - <description>The md5 key to communicate with the peer. Does not work with Cisco BGP routers.</description> + <description>The md5 key to communicate with the peer. Does not work with Cisco BGP routers. If the Local Addr option is not set listening ip will be used.</description> <type>input</type> </field> <field> <fielddescr>TCP-MD5 password</fielddescr> <fieldname>md5sigpass</fieldname> - <description>The md5 password to communicate with the peer. Use this when communicating with a Cisco BGP router.</description> + <description>The md5 password to communicate with the peer. Use this when communicating with a Cisco BGP router. If the Local Addr option is not set listenning ip will be used.</description> <type>input</type> </field> <field> diff --git a/config/openbgpd/openbgpd_status.php b/config/openbgpd/openbgpd_status.php index 3db2781a..e6f69d07 100644 --- a/config/openbgpd/openbgpd_status.php +++ b/config/openbgpd/openbgpd_status.php @@ -62,6 +62,7 @@ function doCmdT($title, $command) { $fd = popen("{$command} 2>&1", "r"); while (($line = fgets($fd)) !== FALSE) { echo htmlspecialchars($line, ENT_NOQUOTES); + ob_flush(); } pclose($fd); } diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc index 58b93bb5..c40d742e 100755 --- a/config/pf-blocker/pfblocker.inc +++ b/config/pf-blocker/pfblocker.inc @@ -52,29 +52,6 @@ function cb_get_real_interface_address($iface) { return array($ip, long2ip(hexdec($netmask))); } -function pfblocker_Range2CIDR($ip_min, $ip_max) { - #function called without any args - if ($ip_min == "" || $ip_max == "") - return ""; - #function called with same ip in min and max - if ($ip_min == $ip_max) - return $ip_min. "/32"; - #convert ip to decimal numbers - $ip_min_long=ip2long($ip_min); - $ip_max_long=ip2long($ip_max); - #check long results - if ($ip_min_long == -1 || $ip_max_long == -1) - return ""; - #identify bits mask - $bits=(32 -strlen(decbin($ip_max_long - $ip_min_long))); - if ($bits < 0) - return ""; - #identify first ip on range network - $network=long2ip( $ip_min_long & ((1<<32)-(1<<(32-$bits))-1) ); - #print decbin($ip_min_long)."\n".$network."\n"; - return $network . "/". $bits; -} - function sync_package_pfblocker($cron="") { global $g,$config; @@ -290,10 +267,12 @@ function sync_package_pfblocker($cron="") { foreach ($url_list as $line){ # Network range 192.168.0.0-192.168.0.254 if (preg_match("/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/",$line,$matches)){ - $cidr= pfblocker_Range2CIDR($matches[1],$matches[2]); - if ($cidr != ""){ - ${$alias}.= $cidr."\n"; - $new_file.= $cidr."\n"; + $a_cidr = ip_range_to_subnet_array($matches[1],$matches[2]); + if (is_array($a_cidr)) { + foreach ($a_cidr as $cidr) { + ${$alias}.= $cidr."\n"; + $new_file.= $cidr."\n"; + } } } # CIDR format 192.168.0.0/16 diff --git a/config/snort/snort.inc b/config/snort/snort.inc index c36fc873..6bf73f24 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -37,17 +37,46 @@ require_once("functions.inc"); // Needed on 2.0 because of filter_get_vpns_list() require_once("filter.inc"); +// Explicitly declare these as global so they work through function call includes +global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log; +global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; +global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename; + /* package version */ -$snort_version = "2.9.2.3"; -$pfSense_snort_version = "2.5.4"; +$snort_version = "2.9.4.1"; +$pfSense_snort_version = "2.5.5"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; -$snort_rules_file = "snortrules-snapshot-2923.tar.gz"; -$emerging_threats_version = "2.9.3"; + +// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) +if (floatval(php_uname("r")) >= 8.3) { + exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray); + $snort_pbidir = "{$pbidirarray[0]}"; + define("SNORTDIR", "{$snort_pbidir}/etc/snort"); + define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort"); +} +else { + define("SNORTDIR", "/usr/local/etc/snort"); + define("SNORTLIBDIR", "/usr/local/lib/snort"); +} + +define("SNORTLOGDIR", "/var/log/snort"); + +/* Important file definitions */ +$snort_rules_file = "snortrules-snapshot-2941.tar.gz"; +$emerging_threats_version = "2.9.0"; +$emergingthreats_filename = "emerging.rules.tar.gz"; +$snort_community_rules_url = "https://s3.amazonaws.com/snort-org/www/rules/community/"; +$snort_community_rules_filename = "community-rules.tar.gz"; $flowbit_rules_file = "flowbit-required.rules"; $snort_enforcing_rules_file = "snort.rules"; +$snort_rules_upd_log = SNORTLOGDIR; +$snort_rules_upd_log .= "/snort_rules_update.log"; -define("SNORTDIR", "/usr/local/etc/snort"); -define("SNORTLOGDIR", "/var/log/snort"); +/* Rebuild Rules Flag -- if "on", rebuild enforcing rules and flowbit-rules files */ +$rebuild_rules = "off"; + +/* Post-install Flag -- normally "false" except during post-install of package */ +$is_postinstall = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); @@ -427,9 +456,14 @@ function snort_post_delete_logs($snort_uuid = 0) { } function snort_postinstall() { - global $config, $g; + global $config, $g, $snort_rules_file, $emerging_threats_version; + global $snort_version, $rebuild_rules, $is_postinstall; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; + + /* Set flag for post-install in progress */ + $is_postinstall = true; /* cleanup default files */ @rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf"); @@ -440,25 +474,41 @@ function snort_postinstall() { @rename("{$snortdir}/generators-sample", "{$snortdir}/generators"); @rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config"); @rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map"); + + /* fix up the preprocessor rules filenames from a PBI package install */ + $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules"); + foreach ($preproc_rules as $file) { + if (file_exists("{$snortdir}/preproc_rules/{$file}-sample")) + @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}"); + } + + /* Remove any previously installed scripts since we rebuild them */ @unlink("{$snortdir}/sid"); @unlink("/usr/local/etc/rc.d/snort"); @unlink("/usr/local/etc/rc.d/barnyard2"); - /* remove example files */ - if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0')) - exec('rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*'); - - if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so')) - exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*'); + /* remove example library files */ + $files = glob("{$snortlibdir}/dynamicrules/*_example*"); + foreach ($files as $f) + @unlink($f); + $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*"); + foreach ($files as $f) + @unlink($f); /* remake saved settings */ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') { update_status(gettext("Saved settings detected...")); - update_output_window(gettext("Please wait... rebuilding files...")); + update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); @include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php"); + update_status(gettext("Generating snort.conf configuration file from saved settings...")); + $rebuild_rules = "on"; sync_snort_package_config(); - update_output_window(gettext("Finnished Rebuilding files...")); + $rebuild_rules = "off"; + update_output_window(gettext("Finished rebuilding files...")); } + + /* Done with post-install, so clear flag */ + $is_postinstall = false; } function snort_Getdirsize($node) { @@ -693,12 +743,15 @@ function snort_rules_up_install_cron($should_install) { /* Only run when all ifaces needed to sync. Expects filesystem rw */ function sync_snort_package_config() { - global $config, $g; + global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file; + global $snort_version, $rebuild_rules; + + $snortdir = SNORTDIR; conf_mount_rw(); - /* do not start config build if rules is empty */ - if (!is_array($config['installedpackages']['snortglobal']) && !is_array($config['installedpackages']['snortglobal']['rule'])) { + /* do not start config build if rules is empty or there are no Snort settings */ + if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) { exec('/bin/rm /usr/local/etc/rc.d/snort.sh'); conf_mount_ro(); return; @@ -708,10 +761,10 @@ function sync_snort_package_config() { foreach ($snortconf as $value) { $if_real = snort_get_real_interface($value['interface']); - /* create snort configuration file */ + /* create a snort.conf file for interface */ snort_generate_conf($value); - /* create barnyard2 configuration file */ + /* create barnyard2.conf file for interface */ if ($value['barnyard_enable'] == 'on') snort_create_barnyard2_conf($value, $if_real); } @@ -748,7 +801,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) { /* First check if we were passed a directory, a single file */ /* or an array of filenames to read. Set our $rule_files */ /* variable accordingly. If we can't figure it out, return */ - /* an empty rules map array. */ + /* and don't write a sid_msg_map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); @@ -1272,11 +1325,13 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) { /* given. */ /************************************************/ + global $flowbit_rules_file; + /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ /* the destination argument accordingly. */ if (is_dir($rule_file)) - $rule_file = rtrim($rule_file, '/').'/flowbit-required.rules'; + $rule_file = rtrim($rule_file, '/')."/{$flowbit_rules_file}"; if (empty($flowbit_rules)) { @file_put_contents($rule_file, ""); @@ -1363,7 +1418,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) { global $snort_enforcing_rules_file; - $rule_file = "/snort.rules"; + $rule_file = "/{$snort_enforcing_rules_file}"; /* See if we were passed a directory or full */ /* filename to write the rules to, and adjust */ @@ -1402,9 +1457,17 @@ function snort_load_sid_mods($sids, $value) { /* This function parses the string of */ /* SID values in $sids and returns an */ /* array with the SID as the key and */ - /* passed $value as the value. The SID */ - /* values in $sids are assumed to be */ - /* delimited by "||". */ + /* value. The SID values in $sids are */ + /* assumed to be delimited by "||". */ + /* */ + /* $sids ==> string of SID values from */ + /* saved config file. */ + /* */ + /* $value ==> type of mod (enable or */ + /* disable). Not currently */ + /* utilized, but maintained */ + /* so as not to break legacy */ + /* code elsewhere. */ /*****************************************/ $result = array(); @@ -1413,7 +1476,7 @@ function snort_load_sid_mods($sids, $value) { $tmp = explode("||", $sids); foreach ($tmp as $v) { if (preg_match('/\s\d+/', $v, $match)) - $result[trim($match[0])] = $value; + $result[trim($match[0])] = trim($match[0]); } unset($tmp); @@ -1458,14 +1521,13 @@ function snort_modify_sids(&$rule_map, $snortcfg) { if (!empty($disablesid)) { foreach ($rule_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if (in_array($k2, $disablesid) && $v['disabled'] == 0) { + if (in_array($k2, $disablesid) && $v['disabled'] == 0) { $rule_map[$k1][$k2]['rule'] = "# " . $v['rule']; $rule_map[$k1][$k2]['disabled'] = 1; } } } } - unset($enablesid, $disablesid); } @@ -1584,6 +1646,7 @@ case $1 in rc_stop ;; restart) + rc_stop rc_start ;; esac @@ -1642,7 +1705,7 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) { config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map -config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map +config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map config hostname: $snortbarnyardlog_hostname_info_chk config interface: {$if_real} @@ -1671,12 +1734,13 @@ EOD; } function snort_deinstall() { - global $config, $g; + + global $config, $g, $snort_rules_upd_log; $snortdir = SNORTDIR; - $snortlogdir = SNORTLOGDIR; + $snortlibdir = SNORTLIBDIR; - /* decrease bpf buffers back to 4096, from 20480 */ + /* Make sure all active Snort processes are terminated */ mwexec('/usr/bin/killall snort', true); sleep(2); mwexec('/usr/bin/killall -9 snort', true); @@ -1685,9 +1749,11 @@ function snort_deinstall() { sleep(2); mwexec('/usr/bin/killall -9 barnyard2', true); sleep(2); + + /* Remove the snort user and group */ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true); - /* Remove snort cron entries Ugly code needs smoothness*/ + /* Remove snort cron entries Ugly code needs smoothness */ if (!function_exists('snort_deinstall_cron')) { function snort_deinstall_cron($crontask) { global $config, $g; @@ -1709,22 +1775,49 @@ function snort_deinstall() { } } - mwexec("/bin/rm {$snortdir}/*.md5; /bin/rm -r {$snortdir}/snort_*"); + /* Remove all the Snort cron jobs. */ snort_deinstall_cron("snort2c"); snort_deinstall_cron("snort_check_for_rule_updates.php"); snort_deinstall_cron("snort_check_cron_misc.inc"); configure_cron(); + /**********************************************************/ + /* Test for existence of library backup tarballs in /tmp. */ + /* If these are present, then a package "delete" */ + /* operation is in progress and we need to wipe out the */ + /* configuration files. Otherwise we leave the binary- */ + /* side configuration intact since only a GUI files */ + /* deinstall and reinstall operation is in progress. */ + /* */ + /* XXX: hopefully a better method presents itself in */ + /* future versions of pfSense. */ + /**********************************************************/ + if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) { + mwexec("/bin/rm -rf {$snortdir}"); + mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules"); + } + /* Keep this as a last step */ - if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') + if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') { unset($config['installedpackages']['snortglobal']); + @unlink("{$snort_rules_upd_log}"); + } } function snort_prepare_rule_files($snortcfg, $snortcfgdir) { - global $snort_enforcing_rules_file, $flowbit_rules_file; + + global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; + /* If there is no reason to rebuild the rules, exit to save time. */ + if ($rebuild_rules == "off") + return; + + /* Log a message for rules rebuild in progress */ + log_error(gettext("Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ...")); + + /* Only rebuild rules if some are selected or an IPS Policy is enabled */ if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') { $enabled_rules = array(); $enabled_files = array(); @@ -1741,16 +1834,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $enabled_rules = snort_load_rules_map($enabled_files); } - /* Remove any existing rules files (except custom rules) prior to building a new set. */ - foreach (glob("{$snortcfgdir}/rules/*.rules") as $file) { - $tmpfile = basename($file); - if (in_array("{$snortdir}/rules/{$tmpfile}", $enabled_files)) - continue; - if ($tmpfile != "custom.rules" && $tmpfile != $flowbit_rules_file && - $tmpfile != $snort_enforcing_rules_file) - @unlink($file); - } - /* Check if a pre-defined Snort VRT policy is selected. If so, */ /* add all the VRT policy rules to our enforcing rule set. */ if (!empty($snortcfg['ips_policy'])) { @@ -1773,9 +1856,12 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Process any enablesid or disablesid modifications for the selected rules. */ snort_modify_sids($enabled_rules, $snortcfg); - /* Check for and disable any rules dependent upon disabled preprocessors. */ - log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); - snort_filter_preproc_rules($snortcfg, $enabled_rules); + /* Check for and disable any rules dependent upon disabled preprocessors if */ + /* this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('Auto-disabling rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $enabled_rules); + } /* Write the enforcing rules file to the Snort interface's "rules" directory. */ snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); @@ -1783,9 +1869,19 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */ if ($snortcfg['autoflowbitrules'] == 'on') { - log_error('Resolving and auto-enabling flowbit required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + log_error('Resolving and auto-enabling any flowbit-required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); $enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"; - snort_write_flowbit_rules_file(snort_resolve_flowbits($enabled_files), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + $fbits = snort_resolve_flowbits($enabled_files); + + /* Check for and disable any flowbit-required rules dependent upon */ + /* disabled preprocessors if this option is enabled for the interface. */ + if ($snortcfg['preproc_auto_rule_disable'] == "on") { + log_error('Auto-disabling flowbit-required rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); + snort_filter_preproc_rules($snortcfg, $fbits, true); + } + snort_filter_preproc_rules($snortcfg, $fbits, true); + snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}"); + unset($fbits); } else /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); @@ -1803,10 +1899,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Build a new sid-msg.map file from the enabled */ /* rules and copy it to the interface directory. */ + log_error(gettext("Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "...")); snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map"); } -function snort_filter_preproc_rules($snortcfg, &$active_rules) { +function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = false) { /**************************************************/ /* This function checks the $active_rules array */ @@ -1819,11 +1916,22 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { /* the interface */ /* $active_rules -> rules_map array of enabled */ /* rules for the interface */ + /* */ + /* NOTE: This feature must be enabled in the GUI */ + /* by the user. Use of this feature can */ + /* severely degrade Snort's ability to */ + /* detect threats by disabling potentially */ + /* crucial detection rules. */ /**************************************************/ global $config; - if (empty($active_rules)) + $snortlogdir = SNORTLOGDIR; + $disabled_count = 0; + $log_msg = array(); + + /* Check if no rules or if this option is disabled */ + if (empty($active_rules) || $snortcfg['preproc_auto_rule_disable'] <> 'on') return; /*************************************************** @@ -1833,8 +1941,20 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { * IMPORTANT -- Keep this part of the code current * * with changes to preprocessor rule options in * * Snort VRT rules. * + * * + * * + * Format of array is: * + * "rule_option" => "dependent_preprocessor" * + * * + * Last Update: 04/05/2013 * + * * + * Added: http_inspect content modifiers and * + * various "service" metadata values. * + * * ***************************************************/ $rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc", + "service ssl" => "ssl_preproc", "service ftp" => "ftp_preprocessor", + "service telnet" => "ftp_preprocessor", "service dns" => "dns_preprocessor", "dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2", "dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data", "sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc", @@ -1843,7 +1963,16 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { "gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc", "modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc", "dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc", - "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc"); + "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc", + "http_client_body;" => "http_inspect", "http_cookie;" => "http_inspect", + "http_raw_cookie;" => "http_inspect", "http_header;" => "http_inspect", + "http_raw_header;" => "http_inspect", "http_method;" => "http_inspect", + "http_uri;" => "http_inspect", "http_raw_uri;" => "http_inspect", + "http_stat_code;" => "http_inspect", "http_stat_msg;" => "http_inspect", + "uricontent:" => "http_inspect", "urilen:" => "http_inspect", + "http_encode;" => "http_inspect", "service http" => "http_inspect", + "service imap" => "imap_preproc", "service pop2" => "pop_preproc", + "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor"); /*************************************************** * Iterate the enabled rules, and check for rule * @@ -1855,31 +1984,94 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) { ***************************************************/ foreach ($active_rules as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { - if ($v['disabled'] == 0) + + /* If rule is already disabled, skip it. */ + if ($v['disabled'] == 1) continue; + foreach ($rule_opts_preprocs as $opt => $preproc) { - $pcre = "/\s*\b" . $opt . "/i"; + $pcre = "/\s*\b" . preg_quote($opt) . "/i"; if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) { $active_rules[$k1][$k2]['rule'] = "# " . $v['rule']; $active_rules[$k1][$k2]['disabled'] = 1; + $disabled_count++; + + /* Accumulate auto-disabled rules for logging */ + $tmp = $active_rules[$k1][$k2]['category'] . " "; + $tmp .= "{$k1}:{$k2} Preproc: {$preproc} Param: {$opt}"; + $log_msg[] = $tmp; break; } } } } + + /***************************************************************/ + /* If we are persisting the log from the last pass, then open */ + /* the log file in append mode. Otherwise open in overwrite */ + /* to clear the log in case we have zero disabled rules. */ + /* */ + /* Typically "persist log" mode is used on the second pass */ + /* when flowbit-required rules are being assessed after the */ + /* primary enforcing rules have been evaluated. */ + /***************************************************************/ + $iface = snort_get_friendly_interface($snortcfg['interface']); + $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log"; + if ($persist_log) + $fp = fopen($file, 'a'); + else + $fp = fopen($file, 'w'); + + /***************************************************/ + /* Log a warning if we auto-disabled any rules */ + /* just so the user is aware protection is less */ + /* than optimal with the preprocessors disabled. */ + /***************************************************/ + if ($disabled_count > 0) { + log_error(gettext("Warning: auto-disabled {$disabled_count} rules due to disabled preprocessor dependencies.")); + natcasesort($log_msg); + if ($fp) { + /* Only write the header when not persisting the log */ + if (!$persist_log) { + @fwrite($fp, "#\n# Run Time: " . date("Y-m-d H:i:s") . "\n#\n"); + @fwrite($fp, "#\n# These rules were auto-disabled because they contain options or operators\n"); + @fwrite($fp, "# dependent on preprocessors that are currently NOT ENABLED on the Preprocessors\n"); + @fwrite($fp, "# tab. Without these dependent preprocessors enabled, Snort would fail to start\n"); + @fwrite($fp, "# if the rules listed below were enabled. Therefore the listed rules have been\n"); + @fwrite($fp, "# automatically disabled. This behavior is controlled by the Auto-Rule Disable\n"); + @fwrite($fp, "# feature on the Preprocessors tab.\n#\n"); + @fwrite($fp, "# WARNING: Using the auto-disable rule feature is not recommended because it can\n"); + @fwrite($fp, "# significantly reduce the threat detection capabilities of Snort!\n#\n"); + @fwrite($fp, "# Log Format is: RULE CATEGORY GID:SID PREPROC METADATA/CONTENT PARAMETER\n#\n"); + } + foreach ($log_msg as $m) { + @fwrite($fp, $m . "\n"); + } + } + log_error(gettext("See '{$file}' for list of auto-disabled rules.")); + unset($log_msg); + } + if ($fp) + fclose($fp); } function snort_generate_conf($snortcfg) { - global $config, $g; + + global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules; $snortdir = SNORTDIR; + $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; - $flowbit_rules_file = "flowbit-required.rules"; - $snort_enforcing_rules_file = "snort.rules"; if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; + /* See if we should protect and not modify the preprocessor rules files */ + if (!empty($snortcfg['protect_preproc_rules'])) + $protect_preproc_rules = $snortcfg['protect_preproc_rules']; + else + $protect_preproc_rules = "off"; + $if_real = snort_get_real_interface($snortcfg['interface']); $snort_uuid = $snortcfg['uuid']; $snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; @@ -1902,8 +2094,8 @@ function snort_generate_conf($snortcfg) { "{$snortlogdir}/snort_{$if_real}{$snort_uuid}", "{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2", "{$snortcfgdir}/preproc_rules", - "dynamicrules" => "/usr/local/lib/snort/dynamicrules", - "dynamicengine" => "/usr/local/lib/snort/dynamicengine", + "dynamicrules" => "{$snortlibdir}/dynamicrules", + "dynamicengine" => "{$snortlibdir}/dynamicengine", "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor" ); foreach ($snort_dirs as $dir) { @@ -1911,13 +2103,24 @@ function snort_generate_conf($snortcfg) { safe_mkdir($dir); } + /********************************************************************/ + /* For fail-safe on an initial startup following installation, and */ + /* before a rules update has occurred, copy the default config */ + /* files to the interface directory. If files already exist in */ + /* the interface directory, or they are newer, that means a rule */ + /* update has been done and we should leave the customized files */ + /* put in place by the rules update process. */ + /********************************************************************/ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules", "preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules" ); foreach ($snort_files as $file) { - if (file_exists("{$snortdir}/{$file}")) - @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + if (file_exists("{$snortdir}/{$file}")) { + $ftime = filemtime("{$snortdir}/{$file}"); + if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}"))) + @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}"); + } } /* define alertsystemlog */ @@ -2011,7 +2214,7 @@ EOD; if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0')) $def_client_flow_depth_type = $snortcfg['client_flow_depth']; - if ($snortcfg['noalert_http_inspect'] == 'on') + if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect'])) $noalert_http_inspect = "no_alerts "; else $noalert_http_inspect = ""; @@ -2256,6 +2459,16 @@ EOD; if (!empty($snortcfg['stream5_mem_cap'])) $def_stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}"; + /* Default the HTTP_INSPECT preprocessor to "on" if not set. */ + /* The preprocessor is required by hundreds of Snort rules, */ + /* and without it Snort may not start and/or the number of */ + /* rules required to be disabled reduces Snort's capability. */ + /* Alerts from the HTTP_INSPECT preprocessor default to "off" */ + /* unless a specific value has been set by the user. */ + /**************************************************************/ + if (empty($snortcfg['http_inspect'])) + $snortcfg['http_inspect'] = 'on'; + /* define servers and ports snortdefservers */ $snort_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", @@ -2294,8 +2507,8 @@ EOD; if (!empty($snort_preproc_libs[$preproc])) { $preproclib = "libsf_" . $snort_preproc_libs[$preproc]; if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) { - if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) { - @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); + if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) { + @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so"); $snort_preprocessors .= $$preproc; $snort_preprocessors .= "\n"; } else @@ -2317,22 +2530,26 @@ EOD; if (file_exists("{$snortcfgdir}/classification.config")) $snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n"; if (is_dir("{$snortcfgdir}/preproc_rules")) { - if ($snortcfg['sensitive_data'] == 'on') { + if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") { $sedcmd = '/^#alert.*classtype:sdf/s/^#//'; if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules")) $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n"; } else $sedcmd = '/^alert.*classtype:sdf/s/^/#/'; if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && - file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) { + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") { @file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules"); mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules"); @unlink("{$g['tmp_path']}/sedcmd"); - $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; - } else { + } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") && + file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") { + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n"; + $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n"; + } + else { $snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n"; log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them"); } diff --git a/config/snort/snort.xml b/config/snort/snort.xml index b18e66e1..fff8d251 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -46,8 +46,8 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> - <version>2.9.2.3</version> - <title>Services:2.9.2.3 pkg v. 2.5.3</title> + <version>2.9.4.1</version> + <title>Services:2.9.4.1 pkg v. 2.5.5</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -163,6 +163,11 @@ <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/snort/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/snort/snort_log_view.php</item> + </additional_files_needed> <fields> </fields> <custom_add_php_command> @@ -177,3 +182,4 @@ snort_deinstall(); </custom_php_deinstall_command> </packagegui> + diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php index ccbe3c26..21763745 100644 --- a/config/snort/snort_barnyard.php +++ b/config/snort/snort_barnyard.php @@ -173,10 +173,10 @@ function enable_change(enable_change) { <?php echo gettext("This will enable barnyard2 for this interface. You will also have to set the database credentials."); ?></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Mysql Settings"); ?></td> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Settings"); ?></td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a Mysql Database"); ?></td> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td> <td width="78%" class="vtable"><input name="barnyard_mysql" type="text" class="formfld" id="barnyard_mysql" size="100" value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br> @@ -207,7 +207,7 @@ function enable_change(enable_change) { <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> - <?php echo gettext("Please save your settings befor you click start."); ?> </td> + <?php echo gettext("Please save your settings before you click start."); ?> </td> </tr> </table> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index af5d378c..740dc591 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -31,54 +31,72 @@ require_once("functions.inc"); require_once("service-utils.inc"); -require_once("/usr/local/pkg/snort/snort.inc"); +require_once "/usr/local/pkg/snort/snort.inc"; -global $snort_gui_include; +global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log; +global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename; +global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename; $snortdir = SNORTDIR; +$snortlibdir = SNORTLIBDIR; +$snortlogdir = SNORTLOGDIR; if (!isset($snort_gui_include)) $pkg_interface = "console"; -$tmpfname = "{$snortdir}/tmp/snort_rules_up"; -$snort_filename_md5 = "{$snort_rules_file}.md5"; -$snort_filename = "{$snort_rules_file}"; -$emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5"; -$emergingthreats_filename = "emerging.rules.tar.gz"; - /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; -/* Start of code */ -conf_mount_rw(); +/* Directory where we download rule tarballs */ +$tmpfname = "{$snortdir}/tmp/snort_rules_up"; + +/* Snort VRT rules files and URL */ +$snort_filename_md5 = "{$snort_rules_file}.md5"; +$snort_filename = "{$snort_rules_file}"; +$snort_rule_url = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/"; -if (!is_dir($tmpfname)) - exec("/bin/mkdir -p {$tmpfname}"); +/* Emerging Threats rules MD5 file */ +$emergingthreats_filename_md5 = "{$emergingthreats_filename}.md5"; -/* Set user agent to Mozilla */ -ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)'); -ini_set("memory_limit","150M"); +/* Snort GPLv2 Community Rules MD5 file */ +$snort_community_rules_filename_md5 = "{$snort_community_rules_filename}.md5"; + +/* Start of code */ +conf_mount_rw(); /* remove old $tmpfname files */ if (is_dir("{$tmpfname}")) exec("/bin/rm -r {$tmpfname}"); -/* Make sure snortdir exits */ +/* Make sure required snortdirs exsist */ exec("/bin/mkdir -p {$snortdir}/rules"); exec("/bin/mkdir -p {$snortdir}/signatures"); +exec("/bin/mkdir -p {$snortdir}/preproc_rules"); exec("/bin/mkdir -p {$tmpfname}"); -exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules"); +exec("/bin/mkdir -p {$snortlibdir}/dynamicrules"); +exec("/bin/mkdir -p {$snortlogdir}"); + +/* See if we need to automatically clear the Update Log based on 1024K size limit */ +if (file_exists($snort_rules_upd_log)) { + if (1048576 < filesize($snort_rules_upd_log)) + exec("/bin/rm -r {$snort_rules_upd_log}"); +} + +/* Log start time for this rules update */ +error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log); /* download md5 sig from snort.org */ if ($snortdownload == 'on') { - update_status(gettext("Downloading snort.org md5 file...")); + update_status(gettext("Downloading Snort VRT md5 file...")); + error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log); $max_tries = 4; while ($max_tries > 0) { - $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}"); + $image = @file_get_contents("{$snort_rule_url}{$snort_filename_md5}"); if (false === $image) { $max_tries--; if ($max_tries > 0) @@ -88,14 +106,16 @@ if ($snortdownload == 'on') { break; } log_error("Snort MD5 Attempts: " . (4 - $max_tries + 1)); + error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); @file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image); if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) { update_status(gettext("Please wait... You may only check for New Rules every 15 minutes...")); log_error(gettext("Please wait... You may only check for New Rules every 15 minutes...")); update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time.")); $snortdownload = 'off'; + error_log(gettext("\tSnort VRT md5 download failed. Site may be offline or Oinkcode is not authorized for this level or version.\n"), 3, $snort_rules_upd_log); } else - update_status(gettext("Done downloading snort.org md5")); + update_status(gettext("Done downloading snort.org md5.")); } /* Check if were up to date snort.org */ @@ -104,8 +124,9 @@ if ($snortdownload == 'on') { $md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}"); $md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}"); if ($md5_check_new == $md5_check_old) { - update_status(gettext("Snort rules are up to date...")); - log_error("Snort rules are up to date..."); + update_status(gettext("Snort VRT rules are up to date...")); + log_error(gettext("Snort VRT rules are up to date...")); + error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; } } @@ -113,11 +134,12 @@ if ($snortdownload == 'on') { /* download snortrules file */ if ($snortdownload == 'on') { - update_status(gettext("There is a new set of Snort.org rules posted. Downloading...")); - log_error(gettext("There is a new set of Snort.org rules posted. Downloading...")); + update_status(gettext("There is a new set of Snort VRT rules posted. Downloading...")); + log_error(gettext("There is a new set of Snort VRT rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log); $max_tries = 4; while ($max_tries > 0) { - download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}"); + download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}"); if (300000 > filesize("{$tmpfname}/$snort_filename")){ $max_tries--; if ($max_tries > 0) @@ -126,19 +148,104 @@ if ($snortdownload == 'on') { } else break; } - update_status(gettext("Done downloading rules file.")); + update_status(gettext("Done downloading Snort VRT rules file.")); log_error("Snort Rules Attempts: " . (4 - $max_tries + 1)); + error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); if (300000 > filesize("{$tmpfname}/$snort_filename")){ - update_output_window(gettext("Snort rules file download failed...")); - log_error(gettext("Snort rules file download failed...")); + update_output_window(gettext("Snort VRT rules file download failed...")); + log_error(gettext("Snort VRT rules file download failed...")); log_error("Failed Rules Filesize: " . filesize("{$tmpfname}/$snort_filename")); + error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log); $snortdownload = 'off'; } } +/* download md5 sig from Snort GPLv2 Community Rules */ +if ($snortcommunityrules == 'on') { + update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file...")); + error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log); + $image = file_get_contents("{$snort_community_rules_url}{$snort_community_rules_filename_md5}"); + update_status(gettext("Done downloading Snort GPLv2 Community Rules md5")); + error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log); + @file_put_contents("{$tmpfname}/{$snort_community_rules_filename_md5}", $image); + + /* See if the file download was successful, and turn off Snort GPLv2 update if it failed. */ + if (0 == filesize("{$tmpfname}/{$snort_community_rules_filename_md5}")){ + update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); + log_error(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.")); + error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + + if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") { + /* Check if were up to date Snort GPLv2 Community Rules */ + $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"); + $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}"); + if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) { + update_status(gettext("Snort GPLv2 Community Rules are up to date...")); + log_error(gettext("Snort GPLv2 Community Rules are up to date...")); + error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + } +} + +/* download Snort GPLv2 Community rules file */ +if ($snortcommunityrules == "on") { + update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + log_error(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log); + download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); + + /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ + if (150000 > filesize("{$tmpfname}/{$snort_community_rules_filename}")){ + update_output_window(gettext("Snort GPLv2 Community Rules file download failed...")); + log_error(gettext("Snort GPLv2 Community Rules file download failed...")); + log_error("Failed Rules Filesize: " . filesize("{$tmpfname}/{$snort_community_rules_filename}")); + error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log); + $snortcommunityrules = 'off'; + } + else { + update_status(gettext('Done downloading Snort GPLv2 Community Rules file.')); + log_error("Snort GPLv2 Community Rules file update downloaded succsesfully"); + error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log); + } +} + +/* Untar Snort GPLv2 Community rules to tmp */ +if ($snortcommunityrules == 'on') { + safe_mkdir("{$snortdir}/tmp/community"); + if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { + update_status(gettext("Extracting Snort GPLv2 Community Rules...")); + error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/"); + + $files = glob("{$snortdir}/tmp/community/community-rules/*.rules"); + foreach ($files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}"); + } + /* base etc files for Snort GPLv2 Community rules */ + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}")) + @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}"); + } + + /* Copy snort community md5 sig to snort dir */ + if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) { + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/$snort_community_rules_filename_md5", "{$snortdir}/{$snort_community_rules_filename_md5}"); + } + update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); + error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log); + exec("rm -r {$snortdir}/tmp/community"); + } +} + /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { - update_status(gettext("Downloading emergingthreats md5 file...")); + update_status(gettext("Downloading EmergingThreats md5 file...")); + error_log(gettext("\tDownloading EmergingThreats md5 file...\n"), 3, $snort_rules_upd_log); /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ if ($vrt_enabled == "on") @@ -146,17 +253,26 @@ if ($emergingthreats == 'on') { else $image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5"); - /* XXX: error checking */ + update_status(gettext("Done downloading EmergingThreats md5")); + error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); @file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image); - update_status(gettext("Done downloading emergingthreats md5")); - if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) { + /* See if the file download was successful, and turn off ET update if it failed. */ + if (0 == filesize("{$tmpfname}/$emergingthreats_filename_md5")){ + update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); + log_error(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); + error_log(gettext("\tEmergingThreats md5 file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } + + if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { /* Check if were up to date emergingthreats.net */ $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); if ($emerg_md5_check_new == $emerg_md5_check_old) { - update_status(gettext("Emerging threat rules are up to date...")); - log_error(gettext("Emerging threat rules are up to date...")); + update_status(gettext("Emerging Threats rules are up to date...")); + log_error(gettext("Emerging Threat rules are up to date...")); + error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } @@ -164,8 +280,9 @@ if ($emergingthreats == 'on') { /* download emergingthreats rules file */ if ($emergingthreats == "on") { - update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); - log_error(gettext("There is a new set of Emergingthreats rules posted. Downloading...")); + update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading...")); + log_error(gettext("There is a new set of EmergingThreats rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of EmergingThreats rules posted. Downloading...\n"), 3, $snort_rules_upd_log); /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ if ($vrt_enabled == "on") @@ -173,24 +290,27 @@ if ($emergingthreats == "on") { else download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}"); - update_status(gettext('Done downloading Emergingthreats rules file.')); - log_error("Emergingthreats rules file update downloaded succsesfully"); + /* Test for a valid rules file download. Turn off ET update if download failed. */ + if (150000 > filesize("{$tmpfname}/$emergingthreats_filename")){ + update_output_window(gettext("EmergingThreats rules file download failed...")); + log_error(gettext("EmergingThreats rules file download failed...")); + log_error("Failed Rules Filesize: " . filesize("{$tmpfname}/$emergingthreats_filename")); + error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + $emergingthreats = 'off'; + } + else { + update_status(gettext('Done downloading EmergingThreats rules file.')); + log_error("EmergingThreats rules file update downloaded succsesfully"); + error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + } } -/* Normalize rulesets */ -$sedcmd = "s/^#alert/# alert/g\n"; -$sedcmd .= "s/^##alert/# alert/g\n"; -$sedcmd .= "s/^#[ \\t#]*alert/# alert/g\n"; -$sedcmd .= "s/^##\\talert/# alert/g\n"; -$sedcmd .= "s/^\\talert/alert/g\n"; -$sedcmd .= "s/^[ \\t]*alert/alert/g\n"; -@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd); - /* Untar emergingthreats rules to tmp */ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { update_status(gettext("Extracting EmergingThreats.org rules...")); + error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); @@ -199,7 +319,7 @@ if ($emergingthreats == 'on') { @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ - $files = glob("{$snortdir}/tmp/emerging/rules/*.txt"); + $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); @copy($file, "{$snortdir}/rules/{$newfile}"); @@ -207,31 +327,33 @@ if ($emergingthreats == 'on') { /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}")) - @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/ET_{$file}"); + @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/tmp/ET_{$file}"); } -// /* make sure default rules are in the right format */ -// exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules"); - /* Copy emergingthreats md5 sig to snort dir */ if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) { - update_status(gettext("Copying md5 sig to snort directory...")); + update_status(gettext("Copying md5 signature to snort directory...")); @copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5"); } update_status(gettext("Extraction of EmergingThreats.org rules completed...")); + error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); + exec("rm -r {$snortdir}/tmp/emerging"); } } /* Untar snort rules file individually to help people with low system specs */ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { - if ($pfsense_stable == 'yes') - $freebsd_version_so = 'FreeBSD-7-2'; - else - $freebsd_version_so = 'FreeBSD-8-1'; + + /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */ + /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */ + $freebsd_version_so = 'FreeBSD-8-1'; + if (substr(php_uname("r"), 0, 1) == '9') + $freebsd_version_so = 'FreeBSD-9-0'; update_status(gettext("Extracting Snort VRT rules...")); - /* extract snort.org rules and add prefix to all snort.org files*/ + error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log); + /* extract snort.org rules and add prefix to all snort.org files */ safe_mkdir("{$snortdir}/tmp/snortrules"); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp/snortrules rules/"); $files = glob("{$snortdir}/tmp/snortrules/rules/*.rules"); @@ -249,151 +371,196 @@ if ($snortdownload == 'on') { /* extract so rules */ update_status(gettext("Extracting Snort VRT Shared Objects rules...")); - exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/'); + exec('/bin/mkdir -p {$snortlibdir}/dynamicrules/'); + error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log); $snort_arch = php_uname("m"); $nosorules = false; if ($snort_arch == 'i386'){ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/* /usr/local/lib/snort/dynamicrules/"); - } else if ($snort_arch == 'amd64') { + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/* {$snortlibdir}/dynamicrules/"); + } elseif ($snort_arch == 'amd64') { exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/* /usr/local/lib/snort/dynamicrules/"); + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/* {$snortlibdir}/dynamicrules/"); } else $nosorules = true; exec("rm -r {$snortdir}/tmp/so_rules"); if ($nosorules == false) { - /* extract so rules none bin and rename */ + /* extract so stub rules, rename and copy to the rules folder. */ update_status(gettext("Copying Snort VRT Shared Objects rules...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/"); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/"); $files = glob("{$snortdir}/tmp/so_rules/*.rules"); foreach ($files as $file) { $newfile = basename($file, ".rules"); @copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules"); } exec("rm -r {$snortdir}/tmp/so_rules"); - - /* extract base etc files */ - update_status(gettext("Extracting Snort VRT base config files...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); - foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/tmp/etc/{$file}")) - @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/VRT_{$file}"); - } - exec("rm -r {$snortdir}/tmp/etc"); - - /* Untar snort signatures */ - $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; - if ($premium_url_chk == 'on') { - update_status(gettext("Extracting Snort VRT Signatures...")); - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); - update_status(gettext("Done extracting Signatures.")); - - if (is_dir("{$snortdir}/doc/signatures")) { - update_status(gettext("Copying Snort VRT signatures...")); - exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); - update_status(gettext("Done copying signatures.")); - } + } + + /* extract base etc files */ + update_status(gettext("Extracting Snort VRT config and map files...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/"); + foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { + if (file_exists("{$snortdir}/tmp/etc/{$file}")) + @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/tmp/VRT_{$file}"); + } + exec("rm -r {$snortdir}/tmp/etc"); + + /* Untar snort signatures */ + $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo']; + if ($premium_url_chk == 'on') { + update_status(gettext("Extracting Snort VRT Signatures...")); + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/"); + update_status(gettext("Done extracting Signatures.")); + + if (is_dir("{$snortdir}/doc/signatures")) { + update_status(gettext("Copying Snort VRT signatures...")); + exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures"); + update_status(gettext("Done copying signatures.")); } + } - foreach (glob("/usr/local/lib/snort/dynamicrules/*example*") as $file) - @unlink($file); - - exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} preproc_rules/"); - -// /* make sure default rules are in the right format */ -// exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/snort_*.rules"); + /* Extract the Snort preprocessor rules */ + exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/"); - if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { - update_status(gettext("Copying md5 sig to snort directory...")); - @copy("{$tmpfname}/$snort_filename_md5", "{$snortdir}/$snort_filename_md5"); - } + if (file_exists("{$tmpfname}/{$snort_filename_md5}")) { + update_status(gettext("Copying md5 signature to snort directory...")); + @copy("{$tmpfname}/$snort_filename_md5", "{$snortdir}/$snort_filename_md5"); } - update_status(gettext("Extraction of Snort VRT rules completed...")); + update_status(gettext("Extraction of Snort VRT rules completed...")); + error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log); } } -/* remove old $tmpfname files */ -if (is_dir("{$snortdir}/tmp")) { - update_status(gettext("Cleaning up after rules extraction...")); - exec("/bin/rm -r {$snortdir}/tmp"); -} - function snort_apply_customizations($snortcfg, $if_real) { + global $vrt_enabled; $snortdir = SNORTDIR; + + /* Update the Preprocessor rules for the master configuration and for the interface if Snort VRT rules are in use. */ + if ($vrt_enabled == 'on') { + exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); + $preproc_files = glob("{$snortdir}/tmp/preproc_rules/*.rules"); + foreach ($preproc_files as $file) { + $newfile = basename($file); + @copy($file, "{$snortdir}/preproc_rules/{$newfile}"); + /* Check if customized preprocessor rule protection is enabled for interface before overwriting them. */ + if ($snortcfg['protect_preproc_rules'] <> 'on') + @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}"); + } + } + else { + exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules"); + } + snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}"); - /* Copy the master *.config and other *.map files to the interface's directory */ - @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); - @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); - @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); - @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); + /* Copy the master config and map files to the interface directory */ + @copy("{$snortdir}/tmp/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config"); + @copy("{$snortdir}/tmp/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map"); + @copy("{$snortdir}/tmp/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config"); + @copy("{$snortdir}/tmp/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map"); } -if ($snortdownload == 'on' || $emergingthreats == 'on') { +if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') { update_status(gettext('Copying new config and map files...')); + error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log); - /* Determine which base etc file set to use for the master copy. */ - /* If the Snort VRT rules are not enabled, then use Emerging Threats. */ + /* Determine which config and map file set to use for the master copy. */ + /* If the Snort VRT rules are not enabled, then use Emerging Threats. */ if (($vrt_enabled == 'off') && ($et_enabled == 'on')) { foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/ET_{$file}")) - @rename("{$snortdir}/ET_{$file}", "{$snortdir}/{$file}"); + if (file_exists("{$snortdir}/tmp/ET_{$file}")) + @rename("{$snortdir}/tmp/ET_{$file}", "{$snortdir}/tmp/{$file}"); } } elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) { foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { - if (file_exists("{$snortdir}/VRT_{$file}")) - @rename("{$snortdir}/VRT_{$file}", "{$snortdir}/{$file}"); + if (file_exists("{$snortdir}/tmp/VRT_{$file}")) + @rename("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/tmp/{$file}"); } } - else { + elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) { /* Both VRT and ET rules are enabled, so build combined */ /* reference.config and classification.config files. */ - $cfgs = glob("{$snortdir}/*reference.config"); - snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config"); - $cfgs = glob("{$snortdir}/*classification.config"); - snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config"); - } - - /* Clean-up our temp versions of the config and map files. */ - update_status(gettext('Cleaning up temp files...')); - $cfgs = glob("{$snortdir}/??*_*.config"); - foreach ($cfgs as $file) { - if (file_exists($file)) - @unlink($file); - } - $cfgs = glob("{$snortdir}/??*_*.map"); - foreach ($cfgs as $file) { - if (file_exists($file)) - @unlink($file); + $cfgs = glob("{$snortdir}/tmp/*reference.config"); + snort_merge_reference_configs($cfgs, "{$snortdir}/tmp/reference.config"); + $cfgs = glob("{$snortdir}/tmp/*classification.config"); + snort_merge_classification_configs($cfgs, "{$snortdir}/tmp/classification.config"); + + /* Use the unicode.map and gen-msg.map files from VRT rules. */ + if (file_exists("{$snortdir}/tmp/VRT_unicode.map")) + @rename("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/tmp/gen-msg.map"); + if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map")) + @rename("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/tmp/gen-msg.map"); } + else { + /* Just Snort GPLv2 Community Rules may be enabled, so make sure required */ + /* default config files are present in the rules extraction tmp working */ + /* directory. Only copy missing files not captured in logic above. */ + + $snort_files = array("gen-msg.map", "classification.config", "reference.config", "unicode.map"); + foreach ($snort_files as $file) { + if (file_exists("{$snortdir}/{$file}") && !file_exists("{$snortdir}/tmp/{$file}")) + @copy("{$snortdir}/{$file}", "{$snortdir}/tmp/{$file}"); + } + } - /* Start the proccess for each configured interface */ + /* Start the rules rebuild proccess for each configured interface */ if (is_array($config['installedpackages']['snortglobal']['rule'])) { - foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { - /* Create configuration for each active Snort interface */ + /* Set the flag to force rule rebuilds since we downloaded new rules, */ + /* except when in post-install mode. Post-install does its own rebuild. */ + if ($is_postinstall) + $rebuild_rules = 'off'; + else + $rebuild_rules = 'on'; + + /* Create configuration for each active Snort interface */ + foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) { $if_real = snort_get_real_interface($value['interface']); $tmp = "Updating rules configuration for: " . snort_get_friendly_interface($value['interface']) . " ..."; update_status(gettext($tmp)); - log_error($tmp); snort_apply_customizations($value, $if_real); + + /* Log a message in Update Log if protecting customized preprocessor rules. */ + $tmp = "\t" . $tmp . "\n"; + if ($value['protect_preproc_rules'] == 'on') { + $tmp .= gettext("\tPreprocessor text rules flagged as protected and not updated for "); + $tmp .= snort_get_friendly_interface($value['interface']) . "...\n"; + } + error_log($tmp, 3, $snort_rules_upd_log); } } - update_status(gettext('Restarting Snort to activate the new set of rules...')); - exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart"); - sleep(20); - if (!is_process_running("snort")) - exec("/bin/sh /usr/local/etc/rc.d/snort.sh start"); - update_output_window(gettext("Snort has restarted with your new set of rules...")); - log_error("Snort has restarted with your new set of rules..."); + else { + update_output_window(gettext("Warning: No interfaces configured for Snort were found...")); + error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, $snort_rules_upd_log); + } + + /* Clear the rebuild rules flag. */ + $rebuild_rules = 'off'; + + /* remove old $tmpfname files */ + if (is_dir("{$snortdir}/tmp")) { + update_status(gettext("Cleaning up after rules extraction...")); + exec("/bin/rm -r {$snortdir}/tmp"); + } + + /* Restart snort if already running to pick up the new rules. */ + if (is_process_running("snort")) { + update_status(gettext('Restarting Snort to activate the new set of rules...')); + error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log); + exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart"); + update_output_window(gettext("Snort has restarted with your new set of rules...")); + log_error(gettext("Snort has restarted with your new set of rules...")); + error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, $snort_rules_upd_log); + } } update_status(gettext("The Rules update has finished...")); -log_error("The Rules update has finished..."); +log_error(gettext("The Rules update has finished.")); +error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log); conf_mount_ro(); ?> diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 4085b325..7fb435ed 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -126,7 +126,9 @@ if ($_POST) { write_config(); - sync_snort_package_config(); + /* Update the snort conf file for this interface. */ + $rebuild_rules = "off"; + snort_generate_conf($a_nat[$id]); /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 0c879e44..369e3094 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -36,16 +36,18 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $snort_rules_upd_log, $snort_rules_file, $emergingthreats_filename; $snortdir = SNORTDIR; -$snort_upd_log = "/tmp/snort_update.log"; + +$log = $snort_rules_upd_log; /* load only javascript that is needed */ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; @@ -53,13 +55,28 @@ if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) $snort_org_sig_chk_local = file_get_contents("{$snortdir}/{$snort_rules_file}.md5"); $emergingt_net_sig_chk_local = 'N/A'; -if (file_exists("{$snortdir}/emerging.rules.tar.gz.md5")) - $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/emerging.rules.tar.gz.md5"); +if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5")) + $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/{$emergingthreats_filename}.md5"); + +$snort_community_sig_chk_local = 'N/A'; +if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5")) + $snort_community_sig_chk_local = file_get_contents("{$snortdir}/{$snort_community_rules_filename}.md5"); + +/* Check for postback to see if we should clear the update log file. */ +if (isset($_POST['clear'])) { + if (file_exists("{$snort_rules_upd_log}")) + mwexec("/bin/rm -f {$snort_rules_upd_log}"); +} + +if (isset($_POST['update'])) { + header("Location: /snort/snort_download_rules.php"); + exit; +} /* check for logfile */ -$update_logfile_chk = 'no'; -if (file_exists("{$snort_upd_log}")) - $update_logfile_chk = 'yes'; +$snort_rules_upd_logfile_chk = 'no'; +if (file_exists("{$snort_rules_upd_log}")) + $snort_rules_upd_logfile_chk = 'yes'; $pgtitle = "Services: Snort: Updates"; include_once("head.inc"); @@ -78,12 +95,14 @@ function popup(url) params += ', top=0, left=0' params += ', fullscreen=yes'; - newwin=window.open(url,'windowname4', params); + newwin=window.open(url,'LogViewer', params); if (window.focus) {newwin.focus()} return false; } </script> +<form action="snort_download_updates.php" method="post" name="iform" id="iform"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php @@ -101,8 +120,7 @@ function popup(url) <tr> <td> <div id="mainarea3"> - <table id="maintable4" class="tabcont" width="100%" border="0" - cellpadding="0" cellspacing="0"> + <table id="maintable4" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr align="center"> <td> <br/> @@ -112,14 +130,15 @@ function popup(url) <td id="download_rules_td" style="background-color: #eeeeee"> <div height="32" width="725px" style="background-color: #eeeeee"> - <font color="#777777" size="1.5px"> + <font color="#777777" size="2.5px"> <p style="text-align: left; margin-left: 225px;"> - <b><?php echo gettext("INSTALLED SIGNATURE RULESET"); ?></b></font><br> - <br> - <font color="#FF850A" size="1px"><b>SNORT.ORG >>></b></font> + <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/> + <font color="#FF850A" size="1px"><b>SNORT.ORG --></b></font> <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br> - <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET >>></b></font> + <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET --></b></font> <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br> + <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> + <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br> </p> </div> </td> @@ -133,14 +152,14 @@ function popup(url) <div height="32" width="725px" style='background-color: #eeeeee'> <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='1.5px'><b><?php echo gettext("UPDATE YOUR RULES"); ?></b></font><br> + <font color='#777777' size='2.5px'><b><?php echo gettext("UPDATE YOUR RULESET"); ?></b></font><br> <br/> <?php if ($snortdownload != 'on' && $emergingthreats != 'on') { echo ' - <button disabled="disabled"><span class="download">' . gettext("Update Rules") . ' </span></button><br/> + <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> <p style="text-align:left; margin-left:150px;"> <font color="#fc3608" size="2px"><b>' . gettext("WARNING:") . '</b></font><font size="1px" color="#000000"> ' . gettext('No rule types have been selected for download. "Global Settings Tab"') . '</font><br>'; @@ -148,7 +167,7 @@ function popup(url) } else { echo ' - <a href="/snort/snort_download_rules.php"><button ><span class="download">' . gettext("Update Rules") . ' </span></button></a><br/>' . "\n"; + <input type="submit" value="' . gettext("Update Rules") . '" name="update" id="Submit" class="formbtn" /><br/>' . "\n"; } @@ -166,19 +185,19 @@ function popup(url) <div height="32" width="725px" style='background-color: #eeeeee'> <p style="text-align: left; margin-left: 225px;"> - <font color='#777777' size='1.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br> + <font color='#777777' size='2.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br> <br> - <?php - if ($update_logfile_chk == 'yes') { + if ($snort_rules_upd_logfile_chk == 'yes') { echo " - <button href='/snort/snort_rules_edit.php?openruleset={$snort_upd_log}'><span class='pwhitetxt'>" . gettext("Update Log") . " </span></button>\n"; + <button class=\"formbtn\" onclick=\"popup('snort_log_view.php?logfile={$log}')\"><span class='pwhitetxt'>" . gettext("View Log") . "</span></button>"; + echo " <input type=\"submit\" value=\"Clear Log\" name=\"clear\" id=\"Submit\" class=\"formbtn\" />\n"; }else{ echo " - <button disabled='disabled' href='/snort/snort_rules_edit.php?openruleset={$snort_upd_log}'><span class='pwhitetxt'>" . gettext("Update Log") . " </span></button>\n"; + <button disabled='disabled'><span class='pwhitetxt'>" . gettext("View Log") . "</span></button> " . gettext("Log is empty.") . "\n"; } - + echo '<br><br>' . gettext("The log file is limited to 1024K in size and automatically clears when the limit is exceeded."); ?> <br/> </p> @@ -194,8 +213,8 @@ function popup(url) <tr> <td id="download_rules_td" style='background-color: #eeeeee'> <div height="32" width="725px" style='background-color: #eeeeee'> - <font color='#FF850A' size='1px'><b><?php echo gettext("NOTE:"); ?></b></font><font size='1px' - color='#000000'> <?php echo gettext("Snort.org and Emergingthreats.net " . + <font size='1px'><span class="red"><b><?php echo gettext("NOTE:"); ?></b></span></font><font size='1px' + color='#000000'> <?php echo gettext("Snort.org and EmergingThreats.net " . "will go down from time to time. Please be patient."); ?> </font> </div> @@ -207,16 +226,12 @@ function popup(url) </tr> </table> </div> - - - - - <br> </td> </tr> </table> <!-- end of final table --></div> + </form> <?php include("fend.inc"); ?> </body> </html> diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php index e8e690a8..4f85c1f4 100755 --- a/config/snort/snort_interfaces.php +++ b/config/snort/snort_interfaces.php @@ -61,10 +61,14 @@ if (isset($_POST['del_x'])) { } conf_mount_ro(); + /* If all the Snort interfaces are removed, then unset the config array. */ + if (empty($a_nat)) + unset($a_nat); + write_config(); sleep(2); - /* if there are no ifaces do not create snort.sh */ + /* if there are no ifaces remaining do not create snort.sh */ if (!empty($config['installedpackages']['snortglobal']['rule'])) snort_create_rc(); else { @@ -228,7 +232,7 @@ if ($pfsense_stable == 'yes') else $biconfn = 'block'; - ?> +?> <td class="listt"> <input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"></td> <td class="listr" diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index d0fabbf4..76763553 100755 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -31,7 +31,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); @@ -50,10 +50,15 @@ if (is_null($id)) { } $pconfig = array(); -if (empty($snortglob['rule'][$id]['uuid'])) +if (empty($snortglob['rule'][$id]['uuid'])) { + /* Adding new interface, so flag rules to build. */ $pconfig['uuid'] = snort_generate_id(); -else + $rebuild_rules = "on"; +} +else { $pconfig['uuid'] = $a_rule[$id]['uuid']; + $rebuild_rules = "off"; +} $snort_uuid = $pconfig['uuid']; if (isset($id) && $a_rule[$id]) { @@ -77,14 +82,6 @@ if ($_POST["Submit"]) { if (!$_POST['interface']) $input_errors[] = "Interface is mandatory"; -/* - foreach ($a_rule as $natent) { - if (isset($id) && ($a_rule[$id]) && ($a_rule[$id] === $natent)) - continue; - if ($natent['interface'] == $_POST['interface']) - $input_errors[] = "This interface is already configured for another instance"; - } -*/ /* if no errors write to conf */ if (!$input_errors) { @@ -118,10 +115,16 @@ if ($_POST["Submit"]) { } else $a_rule[] = $natent; + /* If Snort is disabled on this interface, stop any running instance */ if ($natent['enable'] != 'on') snort_stop($natent, $if_real); + + /* Save configuration changes */ write_config(); - sync_snort_package_config(); + + /* Update snort.conf file for this interface */ + $rebuild_rules = "off"; + snort_generate_conf($a_rule[$id]); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index 9dde8aaf..9c63ac04 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -50,6 +50,8 @@ $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortlo $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7']; $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings']; +$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules']; + /* if no errors move foward */ if (!$input_errors) { @@ -58,7 +60,9 @@ if (!$input_errors) { $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; + $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { $config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit']; @@ -110,6 +114,20 @@ if ($input_errors) ?> +<script language="JavaScript"> +<!-- +function enable_snort_vrt(btn) { + if (btn == 'off') { + document.iform.oinkmastercode.disabled = "true"; + } + if (btn == 'on') { + document.iform.oinkmastercode.disabled = ""; + } +} +//--> +</script> + + <form action="snort_interfaces_global.php" method="post" enctype="multipart/form-data" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td class="tabnavtbl"> @@ -124,7 +142,8 @@ if ($input_errors) $tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php"); display_top_tabs($tab_array); ?> -</td></tr> +</td> +</tr> <tr> <td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> @@ -132,55 +151,69 @@ if ($input_errors) <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " . "Type Of Rules You Wish To Download"); ?></td> </tr> - <td width="22%" valign="top" class="vncell"><?php echo gettext("Install Snort.org rules"); ?></td> + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td> <td width="78%" class="vtable"> - <table cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td colspan="2"><input name="snortdownload" type="radio" - id="snortdownload" value="off" -<?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?>> - <?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></td> + <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')" + <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> > </td> + <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td> </tr> <tr> - <td colspan="2"><input name="snortdownload" type="radio" - id="snortdownload" value="on" - <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>> <?php echo gettext("Install " . - "Basic Rules or Premium rules"); ?> <br> - <a - href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a " . - "Basic Rule Account"); ?></a><br> - <a - href="http://www.snort.org/vrt/buy-a-subscription" - target="_blank"><?php echo gettext("Sign Up for Sourcefire VRT Certified Premium " . - "Rules. This Is Highly Recommended"); ?></a></td> - </tr> + <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')" + <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td> + <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td> <tr> <td> </td> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br> + <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> + <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td> </tr> - </table> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="optsect_t2"><?php echo gettext("Oinkmaster code"); ?></td> + <td colspan="2"> </td> </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td class="vncell" valign="top"><?php echo gettext("Code"); ?></td> - <td class="vtable"><input name="oinkmastercode" type="text" + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td> + </tr> + <tr> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?><strong></span</td> + <td><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" - value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br> - <?php echo gettext("Obtain a snort.org Oinkmaster code and paste here."); ?></td> - + value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" + <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> + <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> + </tr> </table> - </tr> <tr> - <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmergingthreats%s " . + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . "rules"), '<strong>' , '</strong>'); ?></td> - <td width="78%" class="vtable"><input name="emergingthreats" - type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?> - ><br> - <?php echo gettext("Emerging Threats is an open source community that produces fastest " . - "moving and diverse Snort Rules."); ?></td> + <td width="78%" class="vtable"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> + <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . + "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> + <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td> + </tr> + </table></td> +</tr> +<tr> + <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " . + "rules"), '<strong>' , '</strong>'); ?></td> + <td width="78%" class="vtable"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>> + <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " . + "moving and diverse Snort Rules."); ?></span></td> + </tr> + </table> + </td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Update rules " . @@ -194,9 +227,9 @@ if ($input_errors) <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Please select the update times for rules."); ?><br> - <?php echo gettext("Hint: in most cases, every 12 hours is a good choice."); ?></span></td> + </select><span class="vexpl"> <?php echo gettext("Please select the update times for rules."); ?><br/><br/> + + <?php printf(gettext("%sHint%s: in most cases, every 12 hours is a good choice."), '<span class="red"><strong>','</strong></span>'); ?></span></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td> @@ -209,20 +242,20 @@ if ($input_errors) <br/> <br/> <span class="red"><strong><?php echo gettext("Note"); ?></span>:</strong><br> - <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?>MB</strong></td> + <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?> MB</strong></td> <td width="78%" class="vtable"> <table cellpadding="0" cellspacing="0"> <tr> <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="on" -<?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>> - <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</td> +<?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>><span class="vexpl"> + <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</span></td> </tr> <tr> <td colspan="2"><input name="snortloglimit" type="radio" id="snortloglimit" value="off" -<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <strong><?php echo gettext("Disable"); ?></strong> - <?php echo gettext("directory size limit"); ?><br> +<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong> + <?php echo gettext("directory size limit"); ?></span><br> <br> <span class="red"><strong><?php echo gettext("Warning"); ?></span>:</strong> <?php echo gettext("Nanobsd " . "should use no more than 10MB of space."); ?></td> @@ -231,18 +264,16 @@ if ($input_errors) <td> </td> </tr> </table> - <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td class="vncell3"><?php echo gettext("Size in"); ?> <strong>MB</strong></td> - <td class="vtable"><input name="snortloglimitsize" type="text" - class="formfld" id="snortloglimitsize" size="7" - value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> - <?php echo gettext("Default is"); ?> <strong>20%</strong> <?php echo gettext("of available space."); ?></td> - + <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong><span></td> + <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="7" value=" + <?=htmlspecialchars($pconfig['snortloglimitsize']);?>"> + <?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td> + </tr> </table> </tr> - <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " . "every"); ?></td> @@ -255,10 +286,9 @@ if ($input_errors) <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>> <?=htmlspecialchars($ifacename3);?></option> <?php endforeach; ?> - </select><br> - <span class="vexpl"><?php echo gettext("Please select the amount of time you would like " . - "hosts to be blocked for."); ?><br> - <?php echo gettext("Hint: in most cases, 1 hour is a good choice."); ?></span></td> + </select> + <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/> + <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " . @@ -266,8 +296,7 @@ if ($input_errors) <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes" <?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?> - ><br> - <?php echo gettext("Settings will not be removed during deinstall."); ?></td> + > <?php echo gettext("Settings will not be removed during deinstall."); ?></td> </tr> <tr> <td width="22%" valign="top"> @@ -279,8 +308,8 @@ if ($input_errors) <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br> </strong></span> <?php echo gettext("Changing any settings on this page will affect all " . - "interfaces. Please, double check if your oink code is correct and " . - "the type of snort.org account you hold."); ?></span></td> + "interfaces. Double check that your oink code is correct, and verify the " . + "type of Snort.org account you hold."); ?></span></td> </tr> </table> </td></tr> diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 93d3f2dc..32f2f6ba 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php @@ -134,10 +134,10 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} </table> </td></tr> <tr> - <td colspan="3" width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> + <td colspan="3" width="100%"><br/><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <p><span class="vexpl"><?php echo gettext("Here you can create event filtering and " . - "suppression for your snort package rules."); ?><br> - <?php echo gettext("Please note that you must restart a running rule so that changes can " . + "suppression for your snort package rules."); ?><br/><br/> + <?php echo gettext("Please note that you must restart a running Interface so that changes can " . "take effect."); ?></span></p></td> </tr> </table> diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php index f90cbe1f..a925ad45 100644 --- a/config/snort/snort_interfaces_whitelist.php +++ b/config/snort/snort_interfaces_whitelist.php @@ -154,15 +154,20 @@ if ($savemsg) print_info_box($savemsg); </tr> </table> <br> -<table width="100%" border="0" cellpadding="0" - cellspacing="0"> +<table width="100%" border="0" cellpadding="1" + cellspacing="1"> + <tr> <td width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <p><span class="vexpl"><?php echo gettext("Here you can create whitelist files for your " . "snort package rules."); ?><br> <?php echo gettext("Please add all the ips or networks you want to protect against snort " . "block decisions."); ?><br> <?php echo gettext("Remember that the default whitelist only includes local networks."); ?><br> - <?php echo gettext("Be careful, it is very easy to get locked out of you system."); ?></span></p></td> + <?php echo gettext("Be careful, it is very easy to get locked out of your system."); ?></span></p></td> + </tr> + <tr> + <td width="100%"><span class="vexpl"><?php echo gettext("Remember you must restart Snort on the interface for changes to take effect!"); ?></span></td> + </tr> </table> </form> <?php include("fend.inc"); ?> diff --git a/config/snort/snort_log_view.php b/config/snort/snort_log_view.php new file mode 100644 index 00000000..6d38a8cb --- /dev/null +++ b/config/snort/snort_log_view.php @@ -0,0 +1,86 @@ +<?php +/* + * snort_log_view.php + * + * Copyright (C) 2004, 2005 Scott Ullrich + * Copyright (C) 2011 Ermal Luci + * All rights reserved. + * + * Adapted for FreeNAS by Volker Theile (votdev@gmx.de) + * Copyright (C) 2006-2009 Volker Theile + * + * Adapted for Pfsense Snort package by Robert Zelaya + * Copyright (C) 2008-2009 Robert Zelaya + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/snort/snort.inc"); + +$contents = ''; + +// Read the contents of the argument passed to us. +// Is it a fully qualified path and file? +if (file_exists($_GET['logfile'])) + $contents = file_get_contents($_GET['logfile']); +// It is not something we can display, so print an error. +else + $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!"); + +$pgtitle = array(gettext("Snort"), gettext("Log File Viewer")); +?> + +<?php include("head.inc");?> + +<body link="#000000" vlink="#000000" alink="#000000"> +<?php if ($savemsg) print_info_box($savemsg); ?> +<?php include("fbegin.inc");?> + +<form action="snort_log_view.php" method="post"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr> + <td class="tabcont"> + <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee"> + <tr> + <td align="left" width="20%"> + <input type="button" class="formbtn" value="Return" onclick="window.close()"> + </td> + <td align="right"> + <b><?php echo gettext("Log File: ") . '</b> ' . $_GET['logfile']; ?> + </td> + </tr> + <tr> + <td colspan="2" valign="top" class="label"> + <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> + <textarea readonly wrap="off" rows="33" cols="90" name="code2"><?=$contents;?></textarea> + </div> + </td> + </tr> + </table> + </td> +</tr> +</table> +</form> +<?php include("fend.inc");?> +</body> +</html> diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 7d0348e9..5cd5a408 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -34,7 +34,12 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g; +global $g, $rebuild_rules; + +if (!is_array($config['installedpackages']['snortglobal'])) { + $config['installedpackages']['snortglobal'] = array(); +} +$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { $config['installedpackages']['snortglobal']['rule'] = array(); @@ -77,6 +82,13 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; + $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; + $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; + + /* If not using the Snort VRT rules, then disable */ + /* the Sensitive Data (sdf) preprocessor. */ + if ($vrt_enabled == "off") + $pconfig['sensitive_data'] = "off"; } if ($_POST) { @@ -120,6 +132,8 @@ if ($_POST) { $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off'; $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; + $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off'; + $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; if (isset($id) && $a_nat[$id]) $a_nat[$id] = $natent; @@ -132,8 +146,15 @@ if ($_POST) { write_config(); - $if_real = snort_get_real_interface($pconfig['interface']); - sync_snort_package_config(); + /* Set flag to rebuild rules for this interface */ + $rebuild_rules = "on"; + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + snort_generate_conf($natent); + $rebuild_rules = "off"; /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -191,32 +212,69 @@ include_once("head.inc"); <tr><td class="tabcont"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" align="center" valign="middle"> - <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br> + <td colspan="2" align="left" valign="middle"> <?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?> - <?php echo gettext("dependent rules being automatically disabled."); ?><br> - <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td> + <?php echo gettext("Snort start failures unless dependent rules are also disabled."); ?> + <?php echo gettext("The Auto-Rule Disable feature can be used, but note the warning about compromising protection. " . + "Defaults will be used where no user input is provided."); ?></td> </tr> <tr> - <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Performance Statistics"); ?></td> + + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Preprocessors Configuration"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> - <td width="78%" class="vtable"><input name="perform_stat" - type="checkbox" value="on" + <td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on" <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?> onClick="enable_change(false)"> <?php echo gettext("Collect Performance Statistics for this interface."); ?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td> + <td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on" + <?php if ($pconfig['protect_preproc_rules']=="on") echo "checked "; + if ($vrt_enabled <> 'on') echo "disabled"; ?> + onClick="enable_change(false)"> <?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?> + <table width="100%" border="0" cellpadding="2" cellpadding="2"> + <tr> + <td width="3%"> </td> + <td><?php echo gettext("Enable this only if you use customized preprocessor text rules files and " . + "you do not want them overwritten by automatic Snort VRT rule updates. " . + "This option is disabled when Snort VRT rules download is not enabled on the Global Settings tab."); ?><br/><br/> + <?php printf(gettext("%sHint:%s Most users should leave this unchecked."), '<span class="red"><strong>', '</strong></span>'); ?></span></td> + </tr> + </table> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td> + <td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on" + <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?> + onClick="enable_change(false)"> <?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. "); + echo gettext("Default is ") . '<strong>' . gettext("Not Checked."); ?></strong><br/> + <table width="100%" border="0" cellpadding="2" cellpadding="2"> + <tr> + <td width="3%"> </td> + <td><span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span> + <?php echo gettext("Enabling this option allows Snort to automatically disable any text rules " . + "containing rule options or content modifiers that are dependent upon the preprocessors " . + "you have not enabled. This may facilitate starting Snort without errors related to " . + "disabled preprocessors, but can substantially compromise the level of protection by " . + "automatically disabling detection rules."); ?></td> + </tr> + </table> + </td> + </tr> + <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td> <td width="78%" class="vtable"><input name="http_inspect" type="checkbox" value="on" - <?php if ($pconfig['http_inspect']=="on") echo "checked"; ?> + <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?> onClick="enable_change(false)"> <?php echo gettext("Use HTTP Inspect to " . - "Normalize/Decode and detect HTTP traffic and protocol anomalies."); ?></td> + "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?> + <strong><?php echo gettext("Checked."); ?></strong></td> </tr> <tr> <td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td> @@ -241,7 +299,7 @@ include_once("head.inc"); <td width="78%" class="vtable"> <select name="http_server_profile" class="formselect" id="http_server_profile"> <?php - $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0'); + $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0'); foreach ($profile as $val): ?> <option value="<?=strtolower($val);?>" <?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>> @@ -275,9 +333,10 @@ include_once("head.inc"); <td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td> <td width="78%" class="vtable"><input name="noalert_http_inspect" type="checkbox" value="on" - <?php if ($pconfig['noalert_http_inspect']=="on") echo "checked"; ?> - onClick="enable_change(false)"> <?php echo gettext("Tick to turn off alerts from the HTTP Inspect " . - "preprocessor. This has no effect on HTTP rules in the rule set."); ?></td> + <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?> + onClick="enable_change(false)"> <?php echo gettext("Turn off alerts from HTTP Inspect " . + "preprocessor. This has no effect on HTTP rules. Default is "); ?> + <strong><?php echo gettext("Checked."); ?></strong></td> </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td> @@ -469,9 +528,14 @@ include_once("head.inc"); <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Sensitive Data"); ?></td> <td width="78%" class="vtable"> <input name="sensitive_data" type="checkbox" value="on" - <?php if ($pconfig['sensitive_data']=="on") echo "checked"; ?> + <?php if ($pconfig['sensitive_data'] == "on") + echo "checked"; + elseif ($vrt_enabled == "off") + echo "disabled"; + ?> onClick="enable_change(false)"><br> - <?php echo gettext("Sensitive data searches for credit card or Social Security numbers in data"); ?> + <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?><br/> + <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?> </td> </tr> <tr> @@ -507,7 +571,8 @@ include_once("head.inc"); <td width="22%" valign="top"> </td> <td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span> <br> - <?php echo gettext("Please save your settings before you click Start."); ?> </td> + <?php echo gettext("Please save your settings before you click Start. Preprocessor changes will rebuild the rules file. "); ?> + </br><?php echo gettext("This may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td> </tr> </table> </td></tr></table> diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 7457632d..5e8e145d 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file; +global $g, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); @@ -92,6 +92,11 @@ if (empty($categories[0]) && ($currentruleset != "custom.rules")) { $currentruleset = "custom.rules"; } +/* One last sanity check -- if the rules directory is empty, default to loading custom rules */ +$tmp = glob("{$snortdir}/rules/*.rules"); +if (empty($tmp)) + $currentruleset = "custom.rules"; + $ruledir = "{$snortdir}/rules"; $rulefile = "{$ruledir}/{$currentruleset}"; if ($currentruleset != 'custom.rules') { @@ -100,7 +105,7 @@ if ($currentruleset != 'custom.rules') { if (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); elseif (!file_exists($rulefile)) - $input_errors[] = "{$currentruleset} seems to be missing!!! Please go to the Category tab and save the rule set again to regenerate it."; + $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again."); else $rules_map = snort_load_rules_map($rulefile); } @@ -221,11 +226,31 @@ if ($_POST['customrules']) { for($i = $start; $i > $end; $i--) $error .= $output[$i]; $input_errors[] = "Custom rules have errors:\n {$error}"; - } else { + } + else { header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); exit; } -} else if ($_POST) { +} + +else if ($_POST['apply']) { + + /* Save new configuration */ + write_config(); + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = "on"; + snort_generate_conf($a_rule[$id]); + $rebuild_rules = "off"; + + /* Return to this same page */ + header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; +} +else if($_POST) { unset($a_rule[$id]['customrules']); write_config(); header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); @@ -361,7 +386,9 @@ function popup(url) <?php else: ?> <tr> <td width="3%" class="list"> </td> - <td colspan="7" class="listhdr" > </td> + <td colspan="7" class="listhdr" ><input type="submit" name="apply" id="apply" value="Apply Changes" class="formbtn"> + <?php echo gettext("Click to rebuild the rules with your changes. Snort must be restarted to use the new rules."); ?> + <input type='hidden' name='id' value='<?=$id;?>'></td> <td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')"> <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php @@ -449,7 +476,7 @@ function popup(url) <td width="3%" align="center" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>')"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" title="<?php echo gettext("Click to view rule"); ?>" width="17" height="17" border="0"></a> <!-- Codes by Quackit.com --> </td> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index ab1a24b2..8ee6a645 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -62,6 +62,7 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; $file = $_GET['openruleset']; $contents = ''; +$wrap_flag = "off"; // Read the contents of the argument passed to us. // It may be an IPS policy string, an individual SID, @@ -69,8 +70,10 @@ $contents = ''; // Test for the special case of an IPS Policy file. if (substr($file, 0, 10) == "IPS Policy") { $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); - if (isset($_GET['ids'])) + if (isset($_GET['ids'])) { $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $wrap_flag = "on"; + } else { $contents = "# Snort IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n"; foreach (array_keys($rules_map) as $k1) { @@ -86,6 +89,7 @@ if (substr($file, 0, 10) == "IPS Policy") { elseif (isset($_GET['ids'])) { $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $wrap_flag = "on"; } // Is it our special flowbit rules file? elseif ($file == $flowbit_rules_file) @@ -102,7 +106,7 @@ else { exit; } -$pgtitle = array(gettext("Advanced"), gettext("File Viewer")); +$pgtitle = array(gettext("Snort"), gettext("File Viewer")); ?> <?php include("head.inc");?> @@ -124,7 +128,7 @@ $pgtitle = array(gettext("Advanced"), gettext("File Viewer")); <tr> <td valign="top" class="label"> <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. --> - <textarea wrap="off" rows="33" cols="90" name="code2"><?=$contents;?></textarea> + <textarea wrap="<?=$wrap_flag?>" rows="33" cols="90" name="code2"><?=$contents;?></textarea> </div> </td> </tr> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 23a24bea..1bf815fb 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -32,7 +32,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file; +global $g, $flowbit_rules_file, $rebuild_rules; $snortdir = SNORTDIR; @@ -62,6 +62,21 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules']; + +$no_emerging_files = false; +$no_snort_files = false; +$no_community_files = false; + +/* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ +$test = glob("{$snortdir}/rules/emerging-*.rules"); +if (empty($test)) + $no_emerging_files = true; +$test = glob("{$snortdir}/rules/snort_*.rules"); +if (empty($test)) + $no_snort_files = true; +if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) + $no_community_files = true; if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on')) $policy_select_disable = "disabled"; @@ -119,7 +134,14 @@ if ($_POST["Submit"]) { } write_config(); - sync_snort_package_config(); + + /*************************************************/ + /* Update the snort conf file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = "on"; + snort_generate_conf($a_nat[$id]); + $rebuild_rules = "off"; header("Location: /snort/snort_rulesets.php?id=$id"); exit; @@ -142,6 +164,11 @@ if ($_POST['selectall']) { foreach ($files as $file) $rulesets[] = basename($file); } + if ($snortcommunitydownload == 'on') { + $files = glob("{$snortdir}/rules/sc_*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } if ($snortdownload == 'on') { $files = glob("{$snortdir}/rules/snort*.rules"); foreach ($files as $file) @@ -233,12 +260,12 @@ function enable_change() $iscfgdirempty = array(); if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules")) $iscfgdirempty = (array)("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules"); - if (empty($isrulesfolderempty) && empty($iscfgdirempty)): + if (empty($isrulesfolderempty)): ?> <tr> - <td> - <?php printf(gettext("# The rules directory is empty. %s/rules"), $snortdir); ?> <br/> - <?php echo gettext("Please go to the Updates tab to download/fetch the rules configured."); ?> + <td class="vexpl"><br/> + <?php printf(gettext("# The rules directory is empty: %s%s/rules%s"), '<strong>',$snortdir,'</strong>'); ?> <br/><br/> + <?php printf(gettext("Please go to the %sUpdates%s tab to download the rules configured on the %sGlobal%s tab."),'<strong>' ,'</strong>', '<strong>' ,'</strong>'); ?> </td> </tr> <?php else: @@ -258,28 +285,31 @@ function enable_change() </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="2"> <tr> <td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td> - <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" <?php if ($a_nat[$id]['autoflowbitrules'] == "on") echo "checked"; ?>/></td> + <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" + <?php if ($a_nat[$id]['autoflowbitrules'] == "on" || empty($a_nat[$id]['autoflowbitrules'])) echo "checked"; ?>/> + <span class="vexpl"><?php echo gettext("If checked, Snort will auto-enable rules required for checked flowbits. "); + echo gettext("The Default is "); ?><strong><?php echo gettext("Checked."); ?></strong></span></td> </tr> <tr> <td width="15%" class="vncell"> </td> <td width="85%" class="vtable"> - <?php echo gettext("If ticked, Snort will examine the enabled rules in your chosen " . + <?php echo gettext("Snort will examine the enabled rules in your chosen " . "rule categories for checked flowbits. Any rules that set these dependent flowbits will " . - "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/><br/></td> + "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/></td> </tr> <tr> <td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td> - <td width="85%"><input type="button" class="formbtn" value="View" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>')" <?php echo $btn_view_flowb_rules; ?>/></td> + <td width="85%"><input type="button" class="formbtn" value="View" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>')" <?php echo $btn_view_flowb_rules; ?>/> + <span class="vexpl"><?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit dependencies"); ?></span></td> </tr> <tr> <td width="15%"> </td> <td width="85%"> - <?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit " . - "dependencies from the selected rule categories below. Auto-enabled rules generating unwanted alerts " . - "should have their GID:SID added to the Suppression List for the interface."); ?><br/><br/></td> + <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?> + <br/></td> </tr> </table> </td> @@ -289,20 +319,20 @@ function enable_change() </tr> <tr> <td colspan="6" valign="center" class="listn"> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <table width="100%" border="0" cellpadding="2" cellspacing="2"> <tr> <td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td> <td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?> - <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/></td> + <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/> <span class="vexpl"> + <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td> </tr> <tr> <td width="15%" class="vncell"> </td> <td width="85%" class="vtable"> - <?php echo gettext("If ticked, Snort will use rules from the pre-defined IPS policy " . - "selected below. You must be using the Snort VRT rules to use this option."); ?><br/> + <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?> <?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " . "although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " . - "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br><br/></td> + "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td> </tr> <tr> <td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td> @@ -311,15 +341,16 @@ function enable_change() <option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option> <option value="security" <?php if ($pconfig['ips_policy'] == "security") echo "selected"; ?>><?php echo gettext("Security"); ?></option> </select> - </td> + <span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td> </tr> <tr> <td width="15%"> </td> <td width="85%"> - <?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security. " . - "Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy. It " . - "is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity. " . - "Security is a stringent policy. It contains everything in the first two plus policy-type rules such as Flash in an Excel file."); ?><br/><br/></td> + <?php echo gettext("Connectivity blocks most major threats with few or no false positives. " . + "Balanced is a good starter policy. It is speedy, has good base coverage level, and covers " . + "most threats of the day. It includes all rules in Connectivity." . + "Security is a stringent policy. It contains everything in the first two " . + "plus policy-type rules such as Flash in an Excel file."); ?><br/></td> </tr> </table> </td> @@ -327,27 +358,75 @@ function enable_change() <tr> <td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/></td> </tr> + <tr> <td colspan="6"> </td> </tr> <tr> - <td colspan="1" align="middle" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/></td> - <td colspan="1" align="middle" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/></td> - <td colspan="1" align="middle" valign="center"><br/><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td> - <td colspan="3" valign="center"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?><br/></td> + <td colspan="6"> + <table width=100% border="0" cellpadding="2" cellspacing="2"> + <tr> + <td valign="middle"><input value="Select All" type="submit" name="selectall" id="selectall" /></td> + <td valign="middle"><input value="Unselect All" type="submit" name="unselectall" id="selectall" /></td> + <td valign="middle"><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td> + <td valign="middle"><span class="vexpl"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?></span></td> + </tr> + </table> </tr> - <tr> <td colspan="6"> </td> </tr> + <tr> + <td colspan="6"> </td> + </tr> + + <?php if ($no_community_files) + $msg_community = "NOTE: Snort Community Rules have not been downloaded. Perform a Rules Update to enable them."; + else + $msg_community = "Snort GPLv2 Community Rules (VRT certified)"; + ?> + <?php if ($snortcommunitydownload == 'on'): ?> + <tr id="frheader"> + <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> + <td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td> + </tr> + <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?> + <tr> + <td width="5" class="listr" align="center" valign="top"> + <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td> + <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td> + </tr> + <?php else: ?> + <tr> + <td width="5" class="listr" align="center" valign="top"> + <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td> + <td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td> + </tr> + + <?php endif; ?> + <?php else: ?> + <tr> + <td colspan="6"> </td> + </tr> + <?php endif; ?> + + <?php if ($no_emerging_files) + $msg_emerging = "downloaded."; + else + $msg_emerging = "enabled."; + if ($no_snort_files) + $msg_snort = "downloaded."; + else + $msg_snort = "enabled."; + ?> <tr id="frheader"> - <?php if ($emergingdownload == 'on'): ?> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> + <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> <?php else: ?> - <td colspan="2" width="30%" class="listhdrr"><?php echo gettext("Emerging rules have not been enabled"); ?></td> + <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td> <?php endif; ?> - <?php if ($snortdownload == 'on'): ?> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort');?></td> - <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO');?></td> + <?php if ($snortdownload == 'on' && !$no_snort_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort Text Rules');?></td> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO Rules');?></td> <?php else: ?> - <td colspan="2" width="60%" class="listhdrr"><?php echo gettext("Snort rules have not been enabled"); ?></td> + <td colspan="4" align="center" width="60%" class="listhdrr"><?php echo gettext("Snort VRT rules have not been {$msg_snort}"); ?></td> <?php endif; ?> </tr> <?php diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index fef9590c..55d4a372 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -225,6 +225,20 @@ function squid_install_command() { $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; } } + + if(! empty($settingsnac['block_user_agent'])) { + if(strstr($settingsnac['block_user_agent'], ",")) { + $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); + $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; + } + } + + if(! empty($settingsnac['block_reply_mime_type'])) { + if(strstr($settingsnac['block_reply_mime_type'], ",")) { + $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); + $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; + } + } /*Migrate reverse settings*/ if (is_array($config['installedpackages']['squidreverse'])){ @@ -1078,6 +1092,8 @@ EOD; 'banned_hosts' => 'src', 'whitelist' => 'dstdom_regex -i', 'blacklist' => 'dstdom_regex -i', + 'block_user_agent' => 'browser -i', + 'block_reply_mime_type' => 'rep_mime_type -i', ); foreach ($options as $option => $directive) { $contents = sq_text_area_decode($settings[$option]); @@ -1291,6 +1307,18 @@ function squid_resync_auth() { $conf .= "http_access deny blacklist\n"; } } + if(! empty($settingsnac['block_user_agent'])) { + if (squid_is_valid_acl('block_user_agent')) { + $conf .= "# Block access with user agents and browsers\n"; + $conf .= "http_access deny block_user_agent\n"; + } + } + if(! empty($settingsnac['block_reply_mime_type'])) { + if (squid_is_valid_acl('block_reply_mime_type')) { + $conf .= "# Block access with mime type in the reply\n"; + $conf .= "http_reply_access deny block_reply_mime_type\n"; + } + } $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); diff --git a/config/squid-reverse/squid_nac.xml b/config/squid-reverse/squid_nac.xml index bc4a278e..659d626f 100644 --- a/config/squid-reverse/squid_nac.xml +++ b/config/squid-reverse/squid_nac.xml @@ -139,6 +139,24 @@ <encoding>base64</encoding> </field> <field> + <fielddescr>Block user agents</fielddescr> + <fieldname>block_user_agent</fieldname> + <description>Enter each user agent on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Block MIME types (reply only)</fielddescr> + <fieldname>block_reply_mime_type</fieldname> + <description>Enter each MIME type on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. Useful to block javascript (application/x-javascript).</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> <name>Squid Allowed ports</name> <type>listtopic</type> </field> diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc index 81f9cd96..e57b7597 100644 --- a/config/squidGuard/squidguard_configurator.inc +++ b/config/squidGuard/squidguard_configurator.inc @@ -414,7 +414,6 @@ function squid_reconfigure($remove_only = '') global $squidguard_config; $conf = ''; $cust_opt = $config['installedpackages']['squid']['config'][0]['custom_options']; - # remove old options if (!empty($cust_opt)) { $conf = explode(";", $cust_opt); @@ -444,7 +443,7 @@ function squid_reconfigure($remove_only = '') if (is_array($conf)) $conf = implode(";", $conf); /* Only update squid options if we have something to do, otherwise this can interfere with squid's default options in a new install. */ - if (!empty($conf)) { + if ($conf != $cust_opt) { $config['installedpackages']['squid']['config'][0]['custom_options'] = $conf; write_config('Update redirector options to squid config.'); } diff --git a/config/systempatches/apply_patches.php b/config/systempatches/apply_patches.php new file mode 100644 index 00000000..3ac0d671 --- /dev/null +++ b/config/systempatches/apply_patches.php @@ -0,0 +1,11 @@ +#!/usr/local/bin/php +<?php +require_once("config.inc"); +require_once("patches.inc"); + +global $g, $config; + +echo "Applying patches..."; +bootup_apply_patches(); +echo "Done.\n"; +?>
\ No newline at end of file diff --git a/config/systempatches/patches.inc b/config/systempatches/patches.inc index 89610565..9b347620 100644 --- a/config/systempatches/patches.inc +++ b/config/systempatches/patches.inc @@ -29,11 +29,19 @@ require_once("globals.inc"); require_once("util.inc"); -$git_root_url = "http://github.com/bsdperimeter/pfsense/commit/"; +$git_root_url = "http://github.com/pfsense/pfsense/commit/"; $patch_suffix = ".patch"; $patch_dir = "/var/patches"; $patch_cmd = "/usr/bin/patch"; +function patch_package_install() { + patch_add_shellcmd(); +} + +function patch_package_deinstall() { + patch_remove_shellcmd(); +} + function patch_commit($patch, $action, $test=false, $fulldetail=false) { global $patch_dir, $patch_cmd, $patch_suffix; $directory = empty($patch['basedir']) ? "/" : $patch['basedir']; @@ -139,4 +147,55 @@ function is_github_url($url) { $urlbits = explode("/", $url); return (substr($urlbits[2], -10) == "github.com"); } -?>
\ No newline at end of file + +function bootup_apply_patches() { + global $config; + + $a_patches = &$config['installedpackages']['patches']['item']; + + foreach ($a_patches as $patch) { + /* Skip the patch if it should not be automatically applied. */ + if (!isset($patch['autoapply'])) + continue; + /* If the patch can be reverted it is already applied, so skip it. */ + if (!patch_test_revert($patch)) { + /* Only attempt to apply if it can be applied. */ + if (patch_test_apply($patch)) { + patch_apply($patch); + } + } + } +} + +function patch_add_shellcmd() { + global $config; + $a_earlyshellcmd = &$config['system']['earlyshellcmd']; + if (!is_array($a_earlyshellcmd)) + $a_earlyshellcmd = array(); + $found = false; + foreach ($a_earlyshellcmd as $idx => $cmd) + if (stristr($cmd, "apply_patches.php")) + $found = true; + if (!$found) { + $a_earlyshellcmd[] = "/usr/local/bin/php -f /usr/local/bin/apply_patches.php"; + write_config("System Patches package added a shellcmd"); + } +} + +function patch_remove_shellcmd() { + global $config; + $a_earlyshellcmd = &$config['system']['earlyshellcmd']; + if (!is_array($a_earlyshellcmd)) + $a_earlyshellcmd = array(); + $removed = false; + foreach ($a_earlyshellcmd as $idx => $cmd) { + if (stristr($cmd, "apply_patches.php")) { + unset($a_earlyshellcmd[$idx]); + $removed = true; + } + } + if ($removed) + write_config("System Patches package removed a shellcmd"); +} + +?> diff --git a/config/systempatches/system_patches.php b/config/systempatches/system_patches.php index 1dd6470b..70260e4b 100644 --- a/config/systempatches/system_patches.php +++ b/config/systempatches/system_patches.php @@ -179,11 +179,12 @@ include("head.inc"); <tr id="frheader"> <td width="5%" class="list"> </td> <td width="5%" class="listhdrr"><?=gettext("Description");?></td> -<td width="65%" class="listhdrr"><?=gettext("URL/ID");?></td> +<td width="60%" class="listhdrr"><?=gettext("URL/ID");?></td> <td width="5%" class="listhdrr"><?=gettext("Fetch");?></td> <td width="5%" class="listhdrr"><?=gettext("Test");?></td> <td width="5%" class="listhdrr"><?=gettext("Apply");?></td> <td width="5%" class="listhdr"><?=gettext("Revert");?></td> +<td width="5%" class="listhdr"><?=gettext("Auto Apply");?></td> <td width="5%" class="list"> <table border="0" cellspacing="0" cellpadding="1" summary="buttons"> <tr><td width="17"> @@ -242,6 +243,9 @@ foreach ($a_patches as $thispatch): <a href="system_patches.php?id=<?=$i;?>&act=revert"><?php echo gettext("Revert"); ?></a> <?php endif; ?> </td> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <?= isset($thispatch['autoapply']) ? "Yes" : "No" ?> + </td> <td valign="middle" class="list" nowrap> <table border="0" cellspacing="0" cellpadding="1" summary="edit"> <tr> diff --git a/config/systempatches/system_patches_edit.php b/config/systempatches/system_patches_edit.php index 260a7300..5b30c9c5 100644 --- a/config/systempatches/system_patches_edit.php +++ b/config/systempatches/system_patches_edit.php @@ -127,6 +127,8 @@ if ($_POST) { } write_config(); + if ($thispatch['autoapply']) + patch_add_shellcmd(); header("Location: system_patches.php"); return; } @@ -165,7 +167,7 @@ include("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Patch Contents"); ?></td> <td width="78%" class="vtable"> - <textarea name="patch" class="" id="patch" rows="15" cols="70" wrap="off"><?=base64_decode($pconfig['patch']);?></textarea> + <textarea name="patch" class="" id="patch" rows="15" cols="70" wrap="off"><?=htmlspecialchars(base64_decode($pconfig['patch']));?></textarea> <br /> <span class="vexpl"><?=gettext("The contents of the patch. You can paste a patch here, or enter a URL/commit ID above, it can then be fetched into here automatically."); ?></span></td> </tr> <tr> @@ -192,7 +194,6 @@ include("head.inc"); <span class="vexpl"><?=gettext("Set this option to ignore whitespace in the patch."); ?></span> </td> </tr> -<!-- This isn't ready yet <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Auto Apply"); ?></td> <td width="78%" class="vtable"> @@ -201,7 +202,6 @@ include("head.inc"); <span class="vexpl"><?=gettext("Set this option to apply the patch automatically when possible, useful for patches to survive after firmware updates."); ?></span> </td> </tr> ---> <tr> <td width="22%" valign="top"> </td> <td width="78%">Patch id: <?php echo $pconfig['uniqid']; ?></td> diff --git a/config/systempatches/systempatches.xml b/config/systempatches/systempatches.xml index 3802ba58..ea0eee78 100644 --- a/config/systempatches/systempatches.xml +++ b/config/systempatches/systempatches.xml @@ -40,8 +40,9 @@ <requirements>None</requirements> <faq>Applies patches supplied by the user to the firewall.</faq> <name>System Patches</name> - <version>0.5.1</version> + <version>0.8</version> <title>System: Patches</title> + <include_file>/usr/local/pkg/patches.inc</include_file> <menu> <name>Patches</name> <tooltiptext></tooltiptext> @@ -59,8 +60,19 @@ <item>http://www.pfsense.com/packages/config/systempatches/system_patches_edit.php</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/bin/</prefix> + <chmod>755</chmod> + <item>http://www.pfsense.com/packages/config/systempatches/apply_patches.php</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>644</chmod> <item>http://www.pfsense.com/packages/config/systempatches/patches.inc</item> </additional_files_needed> + <custom_php_install_command> + patch_package_install(); + </custom_php_install_command> + <custom_php_deinstall_command> + patch_package_deinstall(); + </custom_php_deinstall_command> </packagegui>
\ No newline at end of file diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 308c02c9..3f0a09fa 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -193,7 +193,7 @@ <depends_on_package_pbi>haproxy-devel-1.5-dev18-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/net/haproxy-devel</build_port_path> <build_pbi> - <ports_before>security/openssl/</ports_before> + <ports_before>security/openssl</ports_before> <custom_name>haproxy-devel</custom_name> <port>/usr/ports/net/haproxy-devel</port> </build_pbi> @@ -491,72 +491,34 @@ <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr> <category>Security</category> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package> - <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package> - <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package> + <depends_on_package>mysql-client-5.5.30.tbz</depends_on_package> + <depends_on_package>barnyard2-1.12.tbz</depends_on_package> + <depends_on_package>libnet11-1.1.6,1.tbz</depends_on_package> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> - <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package> - <depends_on_package>daq-0.6.2.tbz</depends_on_package> - <depends_on_package>snort-2.9.2.3.tbz</depends_on_package> - <depends_on_package_pbi>snort-2.9.2.3-i386.pbi</depends_on_package_pbi> + <depends_on_package>libpcap-1.3.0.tbz</depends_on_package> + <depends_on_package>daq-2.0.0.tbz</depends_on_package> + <depends_on_package>snort-2.9.4.1.tbz</depends_on_package> + <depends_on_package_pbi>snort-2.9.4.1-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/devel/pcre</build_port_path> <build_port_path>/usr/ports/net/daq</build_port_path> <build_port_path>/usr/ports/net/libnet</build_port_path> <build_port_path>/usr/ports/security/barnyard2</build_port_path> - <build_port_path>/usr/ports/databases/mysql51-client</build_port_path> + <build_port_path>/usr/ports/databases/mysql55-client</build_port_path> <build_port_path>/usr/ports/security/snort</build_port_path> <build_pbi> <port>security/snort</port> <ports_after>security/barnyard2</ports_after> </build_pbi> <!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. --> - <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=TARGETBASED;snort_SET=DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER PERFPROFILE REACT SNORTSAM ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITHOUT_TARGETBASED=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITH_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;WITH_SNORTSAM=true;NOPORTDOCS=true</build_options> + <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=TARGETBASED PERFPROFILE REACT;snort_SET=DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITHOUT_TARGETBASED=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITHOUT_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;NOPORTDOCS=true</build_options> <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file> - <version>2.9.2.3 pkg v. 2.5.4</version> + <version>2.9.4.1 pkg v. 2.5.5</version> <required_version>2.0</required_version> <status>Stable</status> <configurationfile>/snort.xml</configurationfile> <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info> </package> <package> - <name>snort-dev</name> - <internal_name>snort</internal_name> - <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink> - <website>http://www.snort.org</website> - <descr>Snort-dev is a development branch.</descr> - <category>Security</category> - <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>snort-2.9.2.3-i386.pbi</depends_on_package_pbi> - <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package> - <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package> - <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package> - <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> - <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package> - <depends_on_package>daq-0.6.2.tbz</depends_on_package> - <depends_on_package>snort-2.9.2.3.tbz</depends_on_package> - <depends_on_package>perl-threaded-5.12.4_4.tbz</depends_on_package> - <build_port_path>/usr/ports/devel/pcre</build_port_path> - <build_port_path>/usr/ports/net/daq</build_port_path> - <build_port_path>/usr/ports/net/libnet</build_port_path> - <build_port_path>/usr/ports/lang/perl5.14</build_port_path> - <build_port_path>/usr/ports/security/barnyard2</build_port_path> - <build_port_path>/usr/ports/databases/mysql51-client</build_port_path> - <build_port_path>/usr/ports/security/snort</build_port_path> - <build_pbi> - <custom_name>snort-dev</custom_name> - <port>security/snort</port> - <ports_after>security/barnyard2</ports_after> - </build_pbi> - <!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. --> - <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=TARGETBASED;snort_SET=DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER PERFPROFILE REACT SNORTSAM ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITHOUT_TARGETBASED=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITH_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;WITH_SNORTSAM=true;NOPORTDOCS=true</build_options> - <config_file>http://www.pfsense.com/packages/config/snort-dev/snort.xml</config_file> - <version>2.9.2.3 pkg v. 3.0</version> - <required_version>2.0</required_version> - <status>Stable</status> - <configurationfile>/snort.xml</configurationfile> - <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info> - </package> - <package> <name>olsrd</name> <website>http://www.olsr.org/</website> <descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr> @@ -896,7 +858,7 @@ <descr>VMware Tools</descr> <website>http://open-vm-tools.sourceforge.net/</website> <category>Services</category> - <version>8.7.0.3046 (build-313025)</version> + <version>8.7.0.3046 (build-425873)</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Open_VM_Tools_package</pkginfolink> <required_version>2.0</required_version> @@ -904,27 +866,27 @@ <configurationfile>open-vm-tools.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> <build_port_path>/usr/ports/emulators/open-vm-tools-nox11/</build_port_path> - <depends_on_package>open-vm-tools-nox11-313025_2.tbz</depends_on_package> - <depends_on_package>icu-4.8.1.1_1.tbz</depends_on_package> + <depends_on_package>open-vm-tools-nox11-425873_3,1.tbz</depends_on_package> + <depends_on_package>icu-50.1.2.tbz</depends_on_package> <build_port_path>/usr/ports/devel/icu</build_port_path> - <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_7.tbz</depends_on_package> + <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_11.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-kmod</build_port_path> - <depends_on_package>fusefs-libs-2.7.4.tbz</depends_on_package> + <depends_on_package>fusefs-libs-2.9.2.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-libs</build_port_path> - <depends_on_package>glib-2.28.8_3.tbz</depends_on_package> + <depends_on_package>glib-2.28.8_5.tbz</depends_on_package> <build_port_path>/usr/ports/devel/glib20</build_port_path> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> <build_port_path>/usr/ports/net/libdnet</build_port_path> - <depends_on_package>libiconv-1.13.1_1.tbz</depends_on_package> + <depends_on_package>libiconv-1.14.tbz</depends_on_package> <build_port_path>/usr/ports/converters/libiconv</build_port_path> - <depends_on_package>pcre-8.21_1.tbz</depends_on_package> + <depends_on_package>pcre-8.32.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pcre</build_port_path> - <depends_on_package>perl-5.12.3.tbz</depends_on_package> + <depends_on_package>perl-5.14.2_2.tbz</depends_on_package> <build_port_path>/usr/ports/lang/perl5.14</build_port_path> - <depends_on_package>pkg-config-0.25_1.tbz</depends_on_package> + <depends_on_package>pkgconf-0.8.9.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pkg-config</build_port_path> <depends_on_package>python27-2.7.2_3.tbz</depends_on_package> - <build_port_path>/usr/ports/lang/python27</build_port_path> + <build_port_path>python27-2.7.3_6.tbz</build_port_path> <build_pbi> <port>emulators/open-vm-tools-nox11</port> </build_pbi> @@ -1164,11 +1126,11 @@ <website>http://bandwidthd.sourceforge.net/</website> <descr>BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.</descr> <category>System</category> - <version>2.0.1.4</version> + <version>2.0.1_5</version> <status>BETA</status> <required_version>1.2.1</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> - <depends_on_package>bandwidthd-2.0.1_4.tbz</depends_on_package> + <depends_on_package>bandwidthd-2.0.1_5.tbz</depends_on_package> <depends_on_package>libpcap-1.1.1.tbz</depends_on_package> <depends_on_package>postgresql-client-8.4.12.tbz</depends_on_package> <depends_on_package_pbi>bandwidthd-2.0.1_5-i386.pbi</depends_on_package_pbi> @@ -1432,7 +1394,7 @@ <depends_on_package_pbi>zip-3.0-i386.pbi p7zip-9.20.1-i386.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/archivers/p7zip</build_port_path> <build_port_path>/usr/ports/archivers/zip</build_port_path> - <version>1.0.4</version> + <version>1.0.5</version> <status>RELEASE</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file> @@ -1665,9 +1627,9 @@ </package> <package> <name>mailreport</name> - <descr>Allows you to setup periodic e-mail reports containing RRD graphs.</descr> + <descr>Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.</descr> <category>Network Management</category> - <version>1.2</version> + <version>2.0.4</version> <status>BETA</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/mailreport/mailreport.xml</config_file> @@ -1721,7 +1683,7 @@ <name>System Patches</name> <descr>A package to apply and maintain custom system patches.</descr> <maintainer>jimp@pfsense.org</maintainer> - <version>0.7.2</version> + <version>0.8</version> <category>System</category> <status>BETA</status> <config_file>http://www.pfsense.com/packages/config/systempatches/systempatches.xml</config_file> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 41b3715b..2fdbf5a7 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -180,7 +180,7 @@ <depends_on_package_pbi>haproxy-devel-1.5-dev18-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/net/haproxy-devel</build_port_path> <build_pbi> - <ports_before>security/openssl/</ports_before> + <ports_before>security/openssl</ports_before> <custom_name>haproxy-devel</custom_name> <port>/usr/ports/net/haproxy-devel</port> </build_pbi> @@ -478,72 +478,34 @@ <descr>Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.</descr> <category>Security</category> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package> - <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package> - <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package> + <depends_on_package>mysql-client-5.5.30.tbz</depends_on_package> + <depends_on_package>barnyard2-1.12.tbz</depends_on_package> + <depends_on_package>libnet11-1.1.6,1.tbz</depends_on_package> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> - <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package> - <depends_on_package>daq-0.6.2.tbz</depends_on_package> - <depends_on_package>snort-2.9.2.3.tbz</depends_on_package> - <depends_on_package_pbi>snort-2.9.2.3-amd64.pbi</depends_on_package_pbi> + <depends_on_package>libpcap-1.3.0.tbz</depends_on_package> + <depends_on_package>daq-2.0.0.tbz</depends_on_package> + <depends_on_package>snort-2.9.4.1.tbz</depends_on_package> + <depends_on_package_pbi>snort-2.9.4.1-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/devel/pcre</build_port_path> <build_port_path>/usr/ports/net/daq</build_port_path> <build_port_path>/usr/ports/net/libnet</build_port_path> <build_port_path>/usr/ports/security/barnyard2</build_port_path> - <build_port_path>/usr/ports/databases/mysql51-client</build_port_path> + <build_port_path>/usr/ports/databases/mysql55-client</build_port_path> <build_port_path>/usr/ports/security/snort</build_port_path> <build_pbi> <port>security/snort</port> <ports_after>security/barnyard2</ports_after> </build_pbi> <!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. --> - <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=TARGETBASED;snort_SET=DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER PERFPROFILE REACT SNORTSAM ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITHOUT_TARGETBASED=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITH_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;WITH_SNORTSAM=true;NOPORTDOCS=true</build_options> + <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=TARGETBASED PERFPROFILE REACT;snort_SET=DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITHOUT_TARGETBASED=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITHOUT_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;NOPORTDOCS=true</build_options> <config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file> - <version>2.9.2.3 pkg v. 2.5.4</version> + <version>2.9.4.1 pkg v. 2.5.5</version> <required_version>2.0</required_version> <status>Stable</status> <configurationfile>/snort.xml</configurationfile> <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info> </package> <package> - <name>snort-dev</name> - <internal_name>snort</internal_name> - <pkginfolink>http://forum.pfsense.org/index.php/topic,16847.0.html</pkginfolink> - <website>http://www.snort.org</website> - <descr>Snort-dev is a development branch.</descr> - <category>Security</category> - <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package_pbi>snort-2.9.2.3-amd64.pbi</depends_on_package_pbi> - <depends_on_package>mysql-client-5.1.53.tbz</depends_on_package> - <depends_on_package>barnyard2-1.9_2.tbz</depends_on_package> - <depends_on_package>libnet11-1.1.2.1_3,1.tbz</depends_on_package> - <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> - <depends_on_package>libpcap-1.1.1_1.tbz</depends_on_package> - <depends_on_package>daq-0.6.2.tbz</depends_on_package> - <depends_on_package>snort-2.9.2.3.tbz</depends_on_package> - <depends_on_package>perl-threaded-5.12.4_4.tbz</depends_on_package> - <build_port_path>/usr/ports/devel/pcre</build_port_path> - <build_port_path>/usr/ports/net/daq</build_port_path> - <build_port_path>/usr/ports/net/libnet</build_port_path> - <build_port_path>/usr/ports/lang/perl5.14</build_port_path> - <build_port_path>/usr/ports/security/barnyard2</build_port_path> - <build_port_path>/usr/ports/databases/mysql51-client</build_port_path> - <build_port_path>/usr/ports/security/snort</build_port_path> - <build_pbi> - <custom_name>snort-dev</custom_name> - <port>security/snort</port> - <ports_after>security/barnyard2</ports_after> - </build_pbi> - <!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. --> - <build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_UNSET=TARGETBASED;snort_SET=DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER PERFPROFILE REACT SNORTSAM ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITHOUT_TARGETBASED=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITH_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;WITH_SNORTSAM=true;NOPORTDOCS=true</build_options> - <config_file>http://www.pfsense.com/packages/config/snort-dev/snort.xml</config_file> - <version>2.9.2.3 pkg v. 3.0</version> - <required_version>2.0</required_version> - <status>Stable</status> - <configurationfile>/snort.xml</configurationfile> - <after_install_info>Please visit the Snort settings tab and enter your oinkid code. Afterwards visit the update rules tab to download the snort rules.</after_install_info> - </package> - <package> <name>olsrd</name> <website>http://www.olsr.org/</website> <descr>The olsr.org OLSR daemon is an implementation of the Optimized Link State Routing protocol. OLSR is a routing protocol for mobile ad-hoc networks. The protocol is pro-active, table driven and utilizes a technique called multipoint relaying for message flooding.</descr> @@ -883,7 +845,7 @@ <descr>VMware Tools</descr> <website>http://open-vm-tools.sourceforge.net/</website> <category>Services</category> - <version>8.7.0.3046 (build-313025)</version> + <version>8.7.0.3046 (build-425873)</version> <status>Stable</status> <pkginfolink>http://doc.pfsense.org/index.php/Open_VM_Tools_package</pkginfolink> <required_version>2.0</required_version> @@ -891,27 +853,27 @@ <configurationfile>open-vm-tools.xml</configurationfile> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> <build_port_path>/usr/ports/emulators/open-vm-tools-nox11/</build_port_path> - <depends_on_package>open-vm-tools-nox11-313025_2.tbz</depends_on_package> - <depends_on_package>icu-4.8.1.1_1.tbz</depends_on_package> + <depends_on_package>open-vm-tools-nox11-425873_3,1.tbz</depends_on_package> + <depends_on_package>icu-50.1.2.tbz</depends_on_package> <build_port_path>/usr/ports/devel/icu</build_port_path> - <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_7.tbz</depends_on_package> + <depends_on_package>fusefs-kmod-0.3.9.p1.20080208_11.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-kmod</build_port_path> - <depends_on_package>fusefs-libs-2.7.4.tbz</depends_on_package> + <depends_on_package>fusefs-libs-2.9.2.tbz</depends_on_package> <build_port_path>/usr/ports/sysutils/fusefs-libs</build_port_path> - <depends_on_package>glib-2.28.8_3.tbz</depends_on_package> + <depends_on_package>glib-2.28.8_5.tbz</depends_on_package> <build_port_path>/usr/ports/devel/glib2</build_port_path> <depends_on_package>libdnet-1.11_3.tbz</depends_on_package> <build_port_path>/usr/ports/net/libdnet</build_port_path> - <depends_on_package>libiconv-1.13.1_1.tbz</depends_on_package> + <depends_on_package>libiconv-1.14.tbz</depends_on_package> <build_port_path>/usr/ports/converters/libiconv</build_port_path> - <depends_on_package>pcre-8.21_1.tbz</depends_on_package> + <depends_on_package>pcre-8.32.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pcre</build_port_path> - <depends_on_package>perl-5.12.3.tbz</depends_on_package> + <depends_on_package>perl-5.14.2_2.tbz</depends_on_package> <build_port_path>/usr/ports/lang/perl5.14</build_port_path> - <depends_on_package>pkg-config-0.25_1.tbz</depends_on_package> + <depends_on_package>pkgconf-0.8.9.tbz</depends_on_package> <build_port_path>/usr/ports/devel/pkg-config</build_port_path> <depends_on_package>python27-2.7.2_3.tbz</depends_on_package> - <build_port_path>/usr/ports/lang/python27</build_port_path> + <build_port_path>python27-2.7.3_6.tbz</build_port_path> <build_pbi> <port>emulators/open-vm-tools-nox11</port> </build_pbi> @@ -1151,11 +1113,11 @@ <website>http://bandwidthd.sourceforge.net/</website> <descr>BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.</descr> <category>System</category> - <version>2.0.1.4</version> + <version>2.0.1_5</version> <status>BETA</status> <required_version>1.2.1</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> - <depends_on_package>bandwidthd-2.0.1_4.tbz</depends_on_package> + <depends_on_package>bandwidthd-2.0.1_5.tbz</depends_on_package> <depends_on_package>libpcap-1.1.1.tbz</depends_on_package> <depends_on_package>postgresql-client-8.4.12.tbz</depends_on_package> <depends_on_package_pbi>bandwidthd-2.0.1_5-amd64.pbi</depends_on_package_pbi> @@ -1419,7 +1381,7 @@ <depends_on_package_pbi>p7zip-9.20.1-amd64.pbi zip-3.0-amd64.pbi</depends_on_package_pbi> <build_port_path>/usr/ports/archivers/p7zip</build_port_path> <build_port_path>/usr/ports/archivers/zip</build_port_path> - <version>1.0.4</version> + <version>1.0.5</version> <status>RELEASE</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file> @@ -1652,9 +1614,9 @@ </package> <package> <name>mailreport</name> - <descr>Allows you to setup periodic e-mail reports containing RRD graphs.</descr> + <descr>Allows you to setup periodic e-mail reports containing command output, log file contents, and RRD graphs.</descr> <category>Network Management</category> - <version>1.2</version> + <version>2.0.4</version> <status>BETA</status> <required_version>2.0</required_version> <config_file>http://www.pfsense.com/packages/config/mailreport/mailreport.xml</config_file> @@ -1708,7 +1670,7 @@ <name>System Patches</name> <descr>A package to apply and maintain custom system patches.</descr> <maintainer>jimp@pfsense.org</maintainer> - <version>0.7.2</version> + <version>0.8</version> <category>System</category> <status>BETA</status> <config_file>http://www.pfsense.com/packages/config/systempatches/systempatches.xml</config_file> |