-rwxr-xr-x | config/snort/snort.inc | 10 | ||||
-rwxr-xr-x | config/snort/snort.xml | 5 | ||||
-rw-r--r-- | config/snort/snort_pkg.sh | 29 | ||||
-rw-r--r-- | config/snort/snort_post_install.php | 3 | ||||
-rw-r--r-- | config/snort/snort_service_utils.php | 6 |
5 files changed, 51 insertions, 2 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index c4f01e1d..ca527b31 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -2996,10 +2996,16 @@ function snort_deinstall() {
 log_error(gettext("[Snort] Snort package uninstall in progress..."));
+ /* Remove our rc.d startup shell script */
+ unlink_if_exists("{$rcdir}snort_pkg.sh");
+
 /* Make sure all active Snort processes are terminated */
 /* Log a message only if a running process is detected */
- if (is_service_running("snort"))
+ if (is_process_running("snort")) {
 log_error(gettext("[Snort] Snort STOP for all interfaces..."));
+ snort_stop_all_interfaces();
+ }
+ sleep(2);
 mwexec('/usr/bin/killall -z snort', true);
 sleep(2);
 mwexec('/usr/bin/killall -9 snort', true);
@@ -3009,7 +3015,7 @@ function snort_deinstall() {
 /* Make sure all active Barnyard2 processes are terminated */
 /* Log a message only if a running process is detected */
- if (is_service_running("barnyard2"))
+ if (is_process_running("barnyard2"))
 log_error(gettext("[Snort] Barnyard2 STOP for all interfaces..."));
 mwexec('/usr/bin/killall -z barnyard2', true);
 sleep(2);
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 573f8914..dcad30f3 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -91,6 +91,11 @@
 </additional_files_needed>
 <additional_files_needed>
 <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>755</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_pkg.sh</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
 <chmod>077</chmod>
 <item>https://packages.pfsense.org/packages/config/snort/snort_sync.xml</item>
 </additional_files_needed>
diff --git a/config/snort/snort_pkg.sh b/config/snort/snort_pkg.sh
new file mode 100644
index 00000000..a19adf4d
--- /dev/null
+++ b/config/snort/snort_pkg.sh
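Review bot: `unlink_if_exists("{$rcdir}snort_pkg.sh")` on the first added line relies on `$rcdir` being in scope inside `snort_deinstall()`, and no `global $rcdir;` is visible in this hunk (the function's opening lines are outside it). If `$rcdir` is a file-level variable that is not imported here, the path silently degrades to the relative `snort_pkg.sh`, the rc.d script survives the uninstall, and at the next boot it will `require_once` a snort.inc that no longer exists. I would add `global $rcdir;` at the top of the function (or build the path from the same source the post-install script uses for the rc.d directory) and log the removal, e.g. `log_error(gettext("[Snort] Removing rc.d startup script {$rcdir}snort_pkg.sh"));`, so a stray script can be traced back. The same `{$rcdir}snort_pkg.sh` concatenation in both files assumes `$rcdir` carries a trailing slash; worth a comment where it is defined.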
@@ -0,0 +1,29 @@
+#!/usr/local/bin/php -f
+<?php
+require_once("/usr/local/pkg/snort/snort.inc");
+global $g;
+switch (strtolower($argv[1])) {
+ case "start":
+ if (!file_exists("{$g['varrun_path']}/snort_pkg_starting.lck")) {
+ touch("{$g['varrun_path']}/snort_pkg_starting.lck");
+ snort_start_all_interfaces();
+ unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
+ }
+ break;
+
+ case "stop":
+ snort_stop_all_interfaces();
+ unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
+ break;
+
+ case "restart":
+ snort_stop_all_interfaces();
+ touch("{$g['varrun_path']}/snort_pkg_starting.lck");
+ snort_start_all_interfaces();
+ unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
+ break;
+
+ default:
+ echo "WARNING: ignoring unsupported command - '{$argv[1]}'\n";
+}
+?>
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index f84cfc55..a7693f1a 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -305,6 +305,9 @@ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
 }
 }
+/* Move our startup shell script to the RC directory (usually /usr/local/etc/rc.d) */
+@rename("/usr/local/pkg/snort/snort_pkg.sh", "{$rcdir}snort_pkg.sh" );
+
 /* We're finished with conf partition mods, return to read-only */
 conf_mount_ro();
diff --git a/config/snort/snort_service_utils.php b/config/snort/snort_service_utils.php
index f04987b2..a40260d3 100644
--- a/config/snort/snort_service_utils.php
+++ b/config/snort/snort_service_utils.php
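Review bot: The `start` case leaves `snort_pkg_starting.lck` behind if `snort_start_all_interfaces()` exits or fatals before the `unlink_if_exists()` that follows it, and nothing else removes the file, so until it is cleared every later `start` silently does nothing and, per the snort_service_utils.php hunk in this same commit, every per-interface start/stop request is refused. The skip branch logs nothing, and `strtolower($argv[1])` runs with no `isset()` guard, so invoking the script without an argument raises an undefined-offset notice before reaching `default`. I would register `unlink_if_exists` as a shutdown hook immediately after taking the lock, log when a start is skipped because the lock exists, and default `$argv[1]` to an empty string. `file_exists()` followed by `touch()` is still not atomic; that is tolerable only because this is a root-run rc.d script, and an exclusive create (`fopen($lck, 'x')`) would close that window as well.

```php
$lck = "{$g['varrun_path']}/snort_pkg_starting.lck";
$cmd = isset($argv[1]) ? strtolower($argv[1]) : '';
switch ($cmd) {
	case "start":
		if (file_exists($lck)) {
			log_error(gettext("[Snort] package start skipped: lock file {$lck} exists (start already in progress, or stale after an aborted start)."));
			break;
		}
		touch($lck);
		// Drop the lock even if snort_start_all_interfaces() fatals or exits early.
		register_shutdown_function('unlink_if_exists', $lck);
		snort_start_all_interfaces();
		unlink_if_exists($lck);
		break;
	// … unchanged: "stop" case …
	case "restart":
		snort_stop_all_interfaces();
		touch($lck);
		register_shutdown_function('unlink_if_exists', $lck);
		snort_start_all_interfaces();
		unlink_if_exists($lck);
		break;
	default:
		echo "WARNING: ignoring unsupported command - '{$cmd}'\n";
}
```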
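Review bot: `@rename()` on the second added line discards its return value, so if the move fails (the source was not fetched, or `$rcdir` is unset here and the target collapses to a relative `snort_pkg.sh` in the cwd) the package installs without its rc.d start script and nothing is logged to explain why Snort does not come up at boot. I cannot see where `$rcdir` is defined from this hunk; if it is not guaranteed to be set in this script, the path should come from the same place snort.inc takes it. I would check the result: `if (!@rename("/usr/local/pkg/snort/snort_pkg.sh", "{$rcdir}snort_pkg.sh")) log_error(gettext("[Snort] Failed to install rc.d startup script {$rcdir}snort_pkg.sh"));`. Since the file is installed 755 by snort.xml and `rename()` keeps that mode, the script will run as root at boot as intended; the surrounding install logic continues outside the hunk.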
@@ -65,6 +65,12 @@ foreach ($config['installedpackages']['snortglobal']['rule'] as $rule) {
 if ($rule['uuid'] == $uuid) {
 $if_real = get_real_interface($rule['interface']);
+ // Block changes when package is being started from shell script
+ if (file_exists("{$g['varrun_path']}/snort_pkg_starting.lck") {
+ log_error(gettext("[Snort] interface service start/stop commands locked-out during package start/restart."));
+ return TRUE;
+ }
+
 // If interface is manually stopped, then don't try to start it
 if (($action == 'start' || $action == 'restart') && file_exists("{$g['varrun_path']}/{$service}_{$uuid}.disabled")) {
 log_error(gettext("[Snort] auto-start locked out by previous manual shutdown...must be started using Snort INTERFACES tab.")); |
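Review bot: The added `if (file_exists("{$g['varrun_path']}/snort_pkg_starting.lck") {` is missing the closing parenthesis of the `if` condition, so this file no longer parses and every interface start/stop routed through it fails, not only those during a package start. It should read `if (file_exists("{$g['varrun_path']}/snort_pkg_starting.lck")) {`. The `return TRUE` abandons the whole `foreach` from inside what appears to be a function whose signature and `global` declarations lie outside the hunk, so whether `$g` is in scope here and whether `TRUE` is the value callers expect cannot be confirmed from this view. Because a stale lock under `/var/run` keeps this branch active until the file is removed, naming the lock file in the log message would make the lock-out actionable for an operator.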