aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xconfig/snort/snort.inc331
-rwxr-xr-xconfig/snort/snort.xml10
-rw-r--r--config/snort/snort_barnyard.php6
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php459
-rwxr-xr-xconfig/snort/snort_define_servers.php4
-rwxr-xr-xconfig/snort/snort_download_updates.php77
-rwxr-xr-xconfig/snort/snort_interfaces.php8
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php27
-rw-r--r--config/snort/snort_interfaces_global.php147
-rw-r--r--config/snort/snort_interfaces_suppress.php6
-rw-r--r--config/snort/snort_interfaces_whitelist.php11
-rw-r--r--config/snort/snort_log_view.php86
-rwxr-xr-xconfig/snort/snort_preprocessors.php103
-rwxr-xr-xconfig/snort/snort_rules.php39
-rwxr-xr-xconfig/snort/snort_rules_edit.php10
-rwxr-xr-xconfig/snort/snort_rulesets.php155
16 files changed, 1090 insertions, 389 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 27d0b7e5..d8a7cc19 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -37,17 +37,46 @@ require_once("functions.inc");
// Needed on 2.0 because of filter_get_vpns_list()
require_once("filter.inc");
+// Explicitly declare these as global so they work through function call includes
+global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log;
+global $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall;
+global $snort_community_rules_filename, $snort_community_rules_url, $emergingthreats_filename;
+
/* package version */
$snort_version = "2.9.4.1";
-$pfSense_snort_version = "2.5.4";
+$pfSense_snort_version = "2.5.5";
$snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}";
+
+// Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI)
+if (floatval(php_uname("r")) >= 8.3) {
+ exec("/usr/local/sbin/pbi_info | grep 'snort-{$snort_version}' | xargs /usr/local/sbin/pbi_info | awk '/Prefix/ {print $2}'",$pbidirarray);
+ $snort_pbidir = "{$pbidirarray[0]}";
+ define("SNORTDIR", "{$snort_pbidir}/etc/snort");
+ define("SNORTLIBDIR", "{$snort_pbidir}/lib/snort");
+}
+else {
+ define("SNORTDIR", "/usr/local/etc/snort");
+ define("SNORTLIBDIR", "/usr/local/lib/snort");
+}
+
+define("SNORTLOGDIR", "/var/log/snort");
+
+/* Important file definitions */
$snort_rules_file = "snortrules-snapshot-2941.tar.gz";
$emerging_threats_version = "2.9.0";
+$emergingthreats_filename = "emerging.rules.tar.gz";
+$snort_community_rules_url = "https://s3.amazonaws.com/snort-org/www/rules/community/";
+$snort_community_rules_filename = "community-rules.tar.gz";
$flowbit_rules_file = "flowbit-required.rules";
$snort_enforcing_rules_file = "snort.rules";
+$snort_rules_upd_log = SNORTLOGDIR;
+$snort_rules_upd_log .= "/snort_rules_update.log";
-define("SNORTDIR", "/usr/local/etc/snort");
-define("SNORTLOGDIR", "/var/log/snort");
+/* Rebuild Rules Flag -- if "on", rebuild enforcing rules and flowbit-rules files */
+$rebuild_rules = "off";
+
+/* Post-install Flag -- normally "false" except during post-install of package */
+$is_postinstall = false;
if (!is_array($config['installedpackages']['snortglobal']))
$config['installedpackages']['snortglobal'] = array();
@@ -427,9 +456,14 @@ function snort_post_delete_logs($snort_uuid = 0) {
}
function snort_postinstall() {
- global $config, $g;
+ global $config, $g, $snort_rules_file, $emerging_threats_version;
+ global $snort_version, $rebuild_rules, $is_postinstall;
$snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
+
+ /* Set flag for post-install in progress */
+ $is_postinstall = true;
/* cleanup default files */
@rename("{$snortdir}/snort.conf-sample", "{$snortdir}/snort.conf");
@@ -440,25 +474,41 @@ function snort_postinstall() {
@rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
@rename("{$snortdir}/gen-msg.map-sample", "{$snortdir}/gen-msg.map");
+
+ /* fix up the preprocessor rules filenames from a PBI package install */
+ $preproc_rules = array("decoder.rules", "preprocessor.rules", "sensitive-data.rules");
+ foreach ($preproc_rules as $file) {
+ if (file_exists("{$snortdir}/preproc_rules/{$file}-sample"))
+ @rename("{$snortdir}/preproc_rules/{$file}-sample", "{$snortdir}/preproc_rules/{$file}");
+ }
+
+ /* Remove any previously installed scripts since we rebuild them */
@unlink("{$snortdir}/sid");
@unlink("/usr/local/etc/rc.d/snort");
@unlink("/usr/local/etc/rc.d/barnyard2");
- /* remove example files */
- if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0'))
- exec('rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*');
-
- if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
- exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
+ /* remove example library files */
+ $files = glob("{$snortlibdir}/dynamicrules/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
+ $files = glob("{$snortlibdir}/dynamicpreprocessor/*_example*");
+ foreach ($files as $f)
+ @unlink($f);
/* remake saved settings */
if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
update_status(gettext("Saved settings detected..."));
- update_output_window(gettext("Please wait... rebuilding files..."));
+ update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
@include_once("/usr/local/pkg/snort/snort_check_for_rule_updates.php");
+ update_status(gettext("Generating snort.conf configuration file from saved settings..."));
+ $rebuild_rules = "on";
sync_snort_package_config();
- update_output_window(gettext("Finnished Rebuilding files..."));
+ $rebuild_rules = "off";
+ update_output_window(gettext("Finished rebuilding files..."));
}
+
+ /* Done with post-install, so clear flag */
+ $is_postinstall = false;
}
function snort_Getdirsize($node) {
@@ -693,12 +743,15 @@ function snort_rules_up_install_cron($should_install) {
/* Only run when all ifaces needed to sync. Expects filesystem rw */
function sync_snort_package_config() {
- global $config, $g;
+ global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file;
+ global $snort_version, $rebuild_rules;
+
+ $snortdir = SNORTDIR;
conf_mount_rw();
- /* do not start config build if rules is empty */
- if (!is_array($config['installedpackages']['snortglobal']) && !is_array($config['installedpackages']['snortglobal']['rule'])) {
+ /* do not start config build if rules is empty or there are no Snort settings */
+ if (!is_array($config['installedpackages']['snortglobal']) || !is_array($config['installedpackages']['snortglobal']['rule'])) {
exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
conf_mount_ro();
return;
@@ -708,10 +761,10 @@ function sync_snort_package_config() {
foreach ($snortconf as $value) {
$if_real = snort_get_real_interface($value['interface']);
- /* create snort configuration file */
+ /* create a snort.conf file for interface */
snort_generate_conf($value);
- /* create barnyard2 configuration file */
+ /* create barnyard2.conf file for interface */
if ($value['barnyard_enable'] == 'on')
snort_create_barnyard2_conf($value, $if_real);
}
@@ -748,7 +801,7 @@ function snort_build_sid_msg_map($rules_path, $sid_file) {
/* First check if we were passed a directory, a single file */
/* or an array of filenames to read. Set our $rule_files */
/* variable accordingly. If we can't figure it out, return */
- /* an empty rules map array. */
+ /* and don't write a sid_msg_map file. */
if (is_string($rules_path)) {
if (is_dir($rules_path))
$rule_files = glob($rules_path . "*.rules");
@@ -1272,11 +1325,13 @@ function snort_write_flowbit_rules_file($flowbit_rules, $rule_file) {
/* given. */
/************************************************/
+ global $flowbit_rules_file;
+
/* See if we were passed a directory or full */
/* filename to write the rules to, and adjust */
/* the destination argument accordingly. */
if (is_dir($rule_file))
- $rule_file = rtrim($rule_file, '/').'/flowbit-required.rules';
+ $rule_file = rtrim($rule_file, '/')."/{$flowbit_rules_file}";
if (empty($flowbit_rules)) {
@file_put_contents($rule_file, "");
@@ -1363,7 +1418,7 @@ function snort_write_enforcing_rules_file($rule_map, $rule_path) {
global $snort_enforcing_rules_file;
- $rule_file = "/snort.rules";
+ $rule_file = "/{$snort_enforcing_rules_file}";
/* See if we were passed a directory or full */
/* filename to write the rules to, and adjust */
@@ -1584,6 +1639,7 @@ case $1 in
rc_stop
;;
restart)
+ rc_stop
rc_start
;;
esac
@@ -1642,7 +1698,7 @@ function snort_generate_barnyard2_conf($snortcfg, $if_real) {
config reference_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/reference.config
config classification_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/classification.config
config gen_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/gen-msg.map
-config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map
+config sid_file: {$snortdir}/snort_{$snort_uuid}_{$if_real}/sid-msg.map
config hostname: $snortbarnyardlog_hostname_info_chk
config interface: {$if_real}
@@ -1671,12 +1727,13 @@ EOD;
}
function snort_deinstall() {
- global $config, $g;
+
+ global $config, $g, $snort_rules_upd_log;
$snortdir = SNORTDIR;
- $snortlogdir = SNORTLOGDIR;
+ $snortlibdir = SNORTLIBDIR;
- /* decrease bpf buffers back to 4096, from 20480 */
+ /* Make sure all active Snort processes are terminated */
mwexec('/usr/bin/killall snort', true);
sleep(2);
mwexec('/usr/bin/killall -9 snort', true);
@@ -1685,9 +1742,11 @@ function snort_deinstall() {
sleep(2);
mwexec('/usr/bin/killall -9 barnyard2', true);
sleep(2);
+
+ /* Remove the snort user and group */
mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
- /* Remove snort cron entries Ugly code needs smoothness*/
+ /* Remove snort cron entries Ugly code needs smoothness */
if (!function_exists('snort_deinstall_cron')) {
function snort_deinstall_cron($crontask) {
global $config, $g;
@@ -1709,22 +1768,49 @@ function snort_deinstall() {
}
}
- mwexec("/bin/rm {$snortdir}/*.md5; /bin/rm -r {$snortdir}/snort_*");
+ /* Remove all the Snort cron jobs. */
snort_deinstall_cron("snort2c");
snort_deinstall_cron("snort_check_for_rule_updates.php");
snort_deinstall_cron("snort_check_cron_misc.inc");
configure_cron();
+ /**********************************************************/
+ /* Test for existence of library backup tarballs in /tmp. */
+ /* If these are present, then a package "delete" */
+ /* operation is in progress and we need to wipe out the */
+ /* configuration files. Otherwise we leave the binary- */
+ /* side configuration intact since only a GUI files */
+ /* deinstall and reinstall operation is in progress. */
+ /* */
+ /* XXX: hopefully a better method presents itself in */
+ /* future versions of pfSense. */
+ /**********************************************************/
+ if (file_exists("/tmp/pkg_libs.tgz") || file_exists("/tmp/pkg_bins.tgz")) {
+ mwexec("/bin/rm -rf {$snortdir}");
+ mwexec("/bin/rm -rf {$snortlibdir}/dynamicrules");
+ }
+
/* Keep this as a last step */
- if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on')
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on') {
unset($config['installedpackages']['snortglobal']);
+ @unlink("{$snort_rules_upd_log}");
+ }
}
function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
- global $snort_enforcing_rules_file, $flowbit_rules_file;
+
+ global $snort_enforcing_rules_file, $flowbit_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
+ /* If there is no reason to rebuild the rules, exit to save time. */
+ if ($rebuild_rules == "off")
+ return;
+
+ /* Log a message for rules rebuild in progress */
+ log_error(gettext("Updating rules configuration for: " . snort_get_friendly_interface($snortcfg['interface']) . " ..."));
+
+ /* Only rebuild rules if some are selected or an IPS Policy is enabled */
if (!empty($snortcfg['rulesets']) || $snortcfg['ips_policy_enable'] == 'on') {
$enabled_rules = array();
$enabled_files = array();
@@ -1741,16 +1827,6 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
$enabled_rules = snort_load_rules_map($enabled_files);
}
- /* Remove any existing rules files (except custom rules) prior to building a new set. */
- foreach (glob("{$snortcfgdir}/rules/*.rules") as $file) {
- $tmpfile = basename($file);
- if (in_array("{$snortdir}/rules/{$tmpfile}", $enabled_files))
- continue;
- if ($tmpfile != "custom.rules" && $tmpfile != $flowbit_rules_file &&
- $tmpfile != $snort_enforcing_rules_file)
- @unlink($file);
- }
-
/* Check if a pre-defined Snort VRT policy is selected. If so, */
/* add all the VRT policy rules to our enforcing rule set. */
if (!empty($snortcfg['ips_policy'])) {
@@ -1773,9 +1849,12 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Process any enablesid or disablesid modifications for the selected rules. */
snort_modify_sids($enabled_rules, $snortcfg);
- /* Check for and disable any rules dependent upon disabled preprocessors. */
- log_error('Checking for and disabling any rules dependent upon disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
- snort_filter_preproc_rules($snortcfg, $enabled_rules);
+ /* Check for and disable any rules dependent upon disabled preprocessors if */
+ /* this option is enabled for the interface. */
+ if ($snortcfg['preproc_auto_rule_disable'] == "on") {
+ log_error('Auto-disabling rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $enabled_rules);
+ }
/* Write the enforcing rules file to the Snort interface's "rules" directory. */
snort_write_enforcing_rules_file($enabled_rules, "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}");
@@ -1783,9 +1862,19 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. */
if ($snortcfg['autoflowbitrules'] == 'on') {
- log_error('Resolving and auto-enabling flowbit required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ log_error('Resolving and auto-enabling any flowbit-required rules for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
$enabled_files[] = "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}";
- snort_write_flowbit_rules_file(snort_resolve_flowbits($enabled_files), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ $fbits = snort_resolve_flowbits($enabled_files);
+
+ /* Check for and disable any flowbit-required rules dependent upon */
+ /* disabled preprocessors if this option is enabled for the interface. */
+ if ($snortcfg['preproc_auto_rule_disable'] == "on") {
+ log_error('Auto-disabling flowbit-required rules dependent on disabled preprocessors for ' . snort_get_friendly_interface($snortcfg['interface']) . '...');
+ snort_filter_preproc_rules($snortcfg, $fbits, true);
+ }
+ snort_filter_preproc_rules($snortcfg, $fbits, true);
+ snort_write_flowbit_rules_file($fbits, "{$snortcfgdir}/rules/{$flowbit_rules_file}");
+ unset($fbits);
} else
/* Just put an empty file to always have the file present */
snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}");
@@ -1803,10 +1892,11 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) {
/* Build a new sid-msg.map file from the enabled */
/* rules and copy it to the interface directory. */
+ log_error(gettext("Building new sig-msg.map file for " . snort_get_friendly_interface($snortcfg['interface']) . "..."));
snort_build_sid_msg_map("{$snortcfgdir}/rules/", "{$snortcfgdir}/sid-msg.map");
}
-function snort_filter_preproc_rules($snortcfg, &$active_rules) {
+function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = false) {
/**************************************************/
/* This function checks the $active_rules array */
@@ -1819,11 +1909,22 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
/* the interface */
/* $active_rules -> rules_map array of enabled */
/* rules for the interface */
+ /* */
+ /* NOTE: This feature must be enabled in the GUI */
+ /* by the user. Use of this feature can */
+ /* severely degrade Snort's ability to */
+ /* detect threats by disabling potentially */
+ /* crucial detection rules. */
/**************************************************/
global $config;
- if (empty($active_rules))
+ $snortlogdir = SNORTLOGDIR;
+ $disabled_count = 0;
+ $log_msg = array();
+
+ /* Check if no rules or if this option is disabled */
+ if (empty($active_rules) || $snortcfg['preproc_auto_rule_disable'] <> 'on')
return;
/***************************************************
@@ -1833,8 +1934,20 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
* IMPORTANT -- Keep this part of the code current *
* with changes to preprocessor rule options in *
* Snort VRT rules. *
+ * *
+ * *
+ * Format of array is: *
+ * "rule_option" => "dependent_preprocessor" *
+ * *
+ * Last Update: 04/05/2013 *
+ * *
+ * Added: http_inspect content modifiers and *
+ * various "service" metadata values. *
+ * *
***************************************************/
$rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
+ "service ssl" => "ssl_preproc", "service ftp" => "ftp_preprocessor",
+ "service telnet" => "ftp_preprocessor", "service dns" => "dns_preprocessor",
"dce_iface:" => "dce_rpc_2", "dce_opnum:" => "dce_rpc_2",
"dce_stub_data;" => "dce_rpc_2", "sd_pattern:" => "sensitive_data",
"sip_method:" => "sip_preproc", "sip_stat_code:" => "sip_preproc",
@@ -1843,7 +1956,16 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
"gtp_version:" => "gtp_preproc", "modbus_func:" => "modbus_preproc",
"modbus_unit:" => "modbus_preproc", "modbus_data;" => "modbus_preproc",
"dnp3_func:" => "dnp3_preproc", "dnp3_obj:" => "dnp3_preproc",
- "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc");
+ "dnp3_ind:" => "dnp3_preproc", "dnp3_data;" => "dnp3_preproc",
+ "http_client_body;" => "http_inspect", "http_cookie;" => "http_inspect",
+ "http_raw_cookie;" => "http_inspect", "http_header;" => "http_inspect",
+ "http_raw_header;" => "http_inspect", "http_method;" => "http_inspect",
+ "http_uri;" => "http_inspect", "http_raw_uri;" => "http_inspect",
+ "http_stat_code;" => "http_inspect", "http_stat_msg;" => "http_inspect",
+ "uricontent:" => "http_inspect", "urilen:" => "http_inspect",
+ "http_encode;" => "http_inspect", "service http" => "http_inspect",
+ "service imap" => "imap_preproc", "service pop2" => "pop_preproc",
+ "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor");
/***************************************************
* Iterate the enabled rules, and check for rule *
@@ -1855,32 +1977,94 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules) {
***************************************************/
foreach ($active_rules as $k1 => $rulem) {
foreach ($rulem as $k2 => $v) {
+
/* If rule is already disabled, skip it. */
if ($v['disabled'] == 1)
continue;
+
foreach ($rule_opts_preprocs as $opt => $preproc) {
- $pcre = "/\s*\b" . $opt . "/i";
+ $pcre = "/\s*\b" . preg_quote($opt) . "/i";
if (($snortcfg[$preproc] != 'on') && preg_match($pcre, $v['rule'])) {
$active_rules[$k1][$k2]['rule'] = "# " . $v['rule'];
$active_rules[$k1][$k2]['disabled'] = 1;
+ $disabled_count++;
+
+ /* Accumulate auto-disabled rules for logging */
+ $tmp = $active_rules[$k1][$k2]['category'] . " ";
+ $tmp .= "{$k1}:{$k2} Preproc: {$preproc} Param: {$opt}";
+ $log_msg[] = $tmp;
break;
}
}
}
}
+
+ /***************************************************************/
+ /* If we are persisting the log from the last pass, then open */
+ /* the log file in append mode. Otherwise open in overwrite */
+ /* to clear the log in case we have zero disabled rules. */
+ /* */
+ /* Typically "persist log" mode is used on the second pass */
+ /* when flowbit-required rules are being assessed after the */
+ /* primary enforcing rules have been evaluated. */
+ /***************************************************************/
+ $iface = snort_get_friendly_interface($snortcfg['interface']);
+ $file = "{$snortlogdir}/{$iface}_disabled_preproc_rules.log";
+ if ($persist_log)
+ $fp = fopen($file, 'a');
+ else
+ $fp = fopen($file, 'w');
+
+ /***************************************************/
+ /* Log a warning if we auto-disabled any rules */
+ /* just so the user is aware protection is less */
+ /* than optimal with the preprocessors disabled. */
+ /***************************************************/
+ if ($disabled_count > 0) {
+ log_error(gettext("Warning: auto-disabled {$disabled_count} rules due to disabled preprocessor dependencies."));
+ natcasesort($log_msg);
+ if ($fp) {
+ /* Only write the header when not persisting the log */
+ if (!$persist_log) {
+ @fwrite($fp, "#\n# Run Time: " . date("Y-m-d H:i:s") . "\n#\n");
+ @fwrite($fp, "#\n# These rules were auto-disabled because they contain options or operators\n");
+ @fwrite($fp, "# dependent on preprocessors that are currently NOT ENABLED on the Preprocessors\n");
+ @fwrite($fp, "# tab. Without these dependent preprocessors enabled, Snort would fail to start\n");
+ @fwrite($fp, "# if the rules listed below were enabled. Therefore the listed rules have been\n");
+ @fwrite($fp, "# automatically disabled. This behavior is controlled by the Auto-Rule Disable\n");
+ @fwrite($fp, "# feature on the Preprocessors tab.\n#\n");
+ @fwrite($fp, "# WARNING: Using the auto-disable rule feature is not recommended because it can\n");
+ @fwrite($fp, "# significantly reduce the threat detection capabilities of Snort!\n#\n");
+ @fwrite($fp, "# Log Format is: RULE CATEGORY GID:SID PREPROC METADATA/CONTENT PARAMETER\n#\n");
+ }
+ foreach ($log_msg as $m) {
+ @fwrite($fp, $m . "\n");
+ }
+ }
+ log_error(gettext("See '{$file}' for list of auto-disabled rules."));
+ unset($log_msg);
+ }
+ if ($fp)
+ fclose($fp);
}
function snort_generate_conf($snortcfg) {
- global $config, $g;
+
+ global $config, $g, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
+ $snortlibdir = SNORTLIBDIR;
$snortlogdir = SNORTLOGDIR;
- $flowbit_rules_file = "flowbit-required.rules";
- $snort_enforcing_rules_file = "snort.rules";
if (!is_array($config['installedpackages']['snortglobal']['rule']))
return;
+ /* See if we should protect and not modify the preprocessor rules files */
+ if (!empty($snortcfg['protect_preproc_rules']))
+ $protect_preproc_rules = $snortcfg['protect_preproc_rules'];
+ else
+ $protect_preproc_rules = "off";
+
$if_real = snort_get_real_interface($snortcfg['interface']);
$snort_uuid = $snortcfg['uuid'];
$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}";
@@ -1903,8 +2087,8 @@ function snort_generate_conf($snortcfg) {
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
"{$snortcfgdir}/preproc_rules",
- "dynamicrules" => "/usr/local/lib/snort/dynamicrules",
- "dynamicengine" => "/usr/local/lib/snort/dynamicengine",
+ "dynamicrules" => "{$snortlibdir}/dynamicrules",
+ "dynamicengine" => "{$snortlibdir}/dynamicengine",
"dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
);
foreach ($snort_dirs as $dir) {
@@ -1912,13 +2096,24 @@ function snort_generate_conf($snortcfg) {
safe_mkdir($dir);
}
+ /********************************************************************/
+ /* For fail-safe on an initial startup following installation, and */
+ /* before a rules update has occurred, copy the default config */
+ /* files to the interface directory. If files already exist in */
+ /* the interface directory, or they are newer, that means a rule */
+ /* update has been done and we should leave the customized files */
+ /* put in place by the rules update process. */
+ /********************************************************************/
$snort_files = array("gen-msg.map", "classification.config", "reference.config",
"sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
"preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
);
foreach ($snort_files as $file) {
- if (file_exists("{$snortdir}/{$file}"))
- @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ if (file_exists("{$snortdir}/{$file}")) {
+ $ftime = filemtime("{$snortdir}/{$file}");
+ if (!file_exists("{$snortcfgdir}/{$file}") || ($ftime > filemtime("{$snortcfgdir}/{$file}")))
+ @copy("{$snortdir}/{$file}", "{$snortcfgdir}/{$file}");
+ }
}
/* define alertsystemlog */
@@ -2012,7 +2207,7 @@ EOD;
if ((!empty($snortcfg['client_flow_depth'])) || ($snortcfg['client_flow_depth'] == '0'))
$def_client_flow_depth_type = $snortcfg['client_flow_depth'];
- if ($snortcfg['noalert_http_inspect'] == 'on')
+ if ($snortcfg['noalert_http_inspect'] == 'on' || empty($snortcfg['noalert_http_inspect']))
$noalert_http_inspect = "no_alerts ";
else
$noalert_http_inspect = "";
@@ -2257,6 +2452,16 @@ EOD;
if (!empty($snortcfg['stream5_mem_cap']))
$def_stream5_mem_cap = ", memcap {$snortcfg['stream5_mem_cap']}";
+ /* Default the HTTP_INSPECT preprocessor to "on" if not set. */
+ /* The preprocessor is required by hundreds of Snort rules, */
+ /* and without it Snort may not start and/or the number of */
+ /* rules required to be disabled reduces Snort's capability. */
+ /* Alerts from the HTTP_INSPECT preprocessor default to "off" */
+ /* unless a specific value has been set by the user. */
+ /**************************************************************/
+ if (empty($snortcfg['http_inspect']))
+ $snortcfg['http_inspect'] = 'on';
+
/* define servers and ports snortdefservers */
$snort_servers = array (
"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET",
@@ -2295,8 +2500,8 @@ EOD;
if (!empty($snort_preproc_libs[$preproc])) {
$preproclib = "libsf_" . $snort_preproc_libs[$preproc];
if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
- if (file_exists("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so")) {
- @copy("/usr/local/lib/snort/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
$snort_preprocessors .= $$preproc;
$snort_preprocessors .= "\n";
} else
@@ -2318,22 +2523,26 @@ EOD;
if (file_exists("{$snortcfgdir}/classification.config"))
$snort_misc_include_rules .= "include {$snortcfgdir}/classification.config\n";
if (is_dir("{$snortcfgdir}/preproc_rules")) {
- if ($snortcfg['sensitive_data'] == 'on') {
+ if ($snortcfg['sensitive_data'] == 'on' && $protect_preproc_rules == "off") {
$sedcmd = '/^#alert.*classtype:sdf/s/^#//';
if (file_exists("{$snortcfgdir}/preproc_rules/sensitive-data.rules"))
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/sensitive-data.rules\n";
} else
$sedcmd = '/^alert.*classtype:sdf/s/^/#/';
if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
- file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules")) {
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "off") {
@file_put_contents("{$g['tmp_path']}/sedcmd", $sedcmd);
mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/preprocessor.rules");
mwexec("/usr/bin/sed -I '' -f {$g['tmp_path']}/sedcmd {$snortcfgdir}/preproc_rules/decoder.rules");
@unlink("{$g['tmp_path']}/sedcmd");
-
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
$snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
- } else {
+ } else if (file_exists("{$snortcfgdir}/preproc_rules/decoder.rules") &&
+ file_exists("{$snortcfgdir}/preproc_rules/preprocessor.rules") && $protect_preproc_rules == "on") {
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/decoder.rules\n";
+ $snort_misc_include_rules .= "include \$PREPROC_RULE_PATH/preprocessor.rules\n";
+ }
+ else {
$snort_misc_include_rules .= "config autogenerate_preprocessor_decoder_rules\n";
log_error("Seems preprocessor/decoder rules are missing, enabling autogeneration of them");
}
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index b18e66e1..fff8d251 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -46,8 +46,8 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
- <version>2.9.2.3</version>
- <title>Services:2.9.2.3 pkg v. 2.5.3</title>
+ <version>2.9.4.1</version>
+ <title>Services:2.9.4.1 pkg v. 2.5.5</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -163,6 +163,11 @@
<chmod>077</chmod>
<item>http://www.pfsense.com/packages/config/snort/snort_interfaces_suppress_edit.php</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/snort/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/snort/snort_log_view.php</item>
+ </additional_files_needed>
<fields>
</fields>
<custom_add_php_command>
@@ -177,3 +182,4 @@
snort_deinstall();
</custom_php_deinstall_command>
</packagegui>
+
diff --git a/config/snort/snort_barnyard.php b/config/snort/snort_barnyard.php
index ccbe3c26..21763745 100644
--- a/config/snort/snort_barnyard.php
+++ b/config/snort/snort_barnyard.php
@@ -173,10 +173,10 @@ function enable_change(enable_change) {
<?php echo gettext("This will enable barnyard2 for this interface. You will also have to set the database credentials."); ?></td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Mysql Settings"); ?></td>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Settings"); ?></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a Mysql Database"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Log to a MySQL Database"); ?></td>
<td width="78%" class="vtable"><input name="barnyard_mysql"
type="text" class="formfld" id="barnyard_mysql" size="100"
value="<?=htmlspecialchars($pconfig['barnyard_mysql']);?>"> <br>
@@ -207,7 +207,7 @@ function enable_change(enable_change) {
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span>
<br>
- <?php echo gettext("Please save your settings befor you click start."); ?> </td>
+ <?php echo gettext("Please save your settings before you click start."); ?> </td>
</tr>
</table>
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index af5d378c..740dc591 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -31,54 +31,72 @@
require_once("functions.inc");
require_once("service-utils.inc");
-require_once("/usr/local/pkg/snort/snort.inc");
+require_once "/usr/local/pkg/snort/snort.inc";
-global $snort_gui_include;
+global $snort_gui_include, $vrt_enabled, $et_enabled, $rebuild_rules, $snort_rules_upd_log;
+global $protect_preproc_rules, $is_postinstall, $snort_community_rules_filename;
+global $snort_community_rules_url, $snort_rules_file, $emergingthreats_filename;
$snortdir = SNORTDIR;
+$snortlibdir = SNORTLIBDIR;
+$snortlogdir = SNORTLOGDIR;
if (!isset($snort_gui_include))
$pkg_interface = "console";
-$tmpfname = "{$snortdir}/tmp/snort_rules_up";
-$snort_filename_md5 = "{$snort_rules_file}.md5";
-$snort_filename = "{$snort_rules_file}";
-$emergingthreats_filename_md5 = "emerging.rules.tar.gz.md5";
-$emergingthreats_filename = "emerging.rules.tar.gz";
-
/* define checks */
$oinkid = $config['installedpackages']['snortglobal']['oinkmastercode'];
$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'];
+$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'];
$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
$et_enabled = $config['installedpackages']['snortglobal']['emergingthreats'];
-/* Start of code */
-conf_mount_rw();
+/* Directory where we download rule tarballs */
+$tmpfname = "{$snortdir}/tmp/snort_rules_up";
+
+/* Snort VRT rules files and URL */
+$snort_filename_md5 = "{$snort_rules_file}.md5";
+$snort_filename = "{$snort_rules_file}";
+$snort_rule_url = "http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/";
-if (!is_dir($tmpfname))
- exec("/bin/mkdir -p {$tmpfname}");
+/* Emerging Threats rules MD5 file */
+$emergingthreats_filename_md5 = "{$emergingthreats_filename}.md5";
-/* Set user agent to Mozilla */
-ini_set('user_agent','Mozilla/4.0 (compatible; MSIE 6.0)');
-ini_set("memory_limit","150M");
+/* Snort GPLv2 Community Rules MD5 file */
+$snort_community_rules_filename_md5 = "{$snort_community_rules_filename}.md5";
+
+/* Start of code */
+conf_mount_rw();
/* remove old $tmpfname files */
if (is_dir("{$tmpfname}"))
exec("/bin/rm -r {$tmpfname}");
-/* Make sure snortdir exits */
+/* Make sure required snortdirs exsist */
exec("/bin/mkdir -p {$snortdir}/rules");
exec("/bin/mkdir -p {$snortdir}/signatures");
+exec("/bin/mkdir -p {$snortdir}/preproc_rules");
exec("/bin/mkdir -p {$tmpfname}");
-exec("/bin/mkdir -p /usr/local/lib/snort/dynamicrules");
+exec("/bin/mkdir -p {$snortlibdir}/dynamicrules");
+exec("/bin/mkdir -p {$snortlogdir}");
+
+/* See if we need to automatically clear the Update Log based on 1024K size limit */
+if (file_exists($snort_rules_upd_log)) {
+ if (1048576 < filesize($snort_rules_upd_log))
+ exec("/bin/rm -r {$snort_rules_upd_log}");
+}
+
+/* Log start time for this rules update */
+error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log);
/* download md5 sig from snort.org */
if ($snortdownload == 'on') {
- update_status(gettext("Downloading snort.org md5 file..."));
+ update_status(gettext("Downloading Snort VRT md5 file..."));
+ error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log);
$max_tries = 4;
while ($max_tries > 0) {
- $image = @file_get_contents("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename_md5}");
+ $image = @file_get_contents("{$snort_rule_url}{$snort_filename_md5}");
if (false === $image) {
$max_tries--;
if ($max_tries > 0)
@@ -88,14 +106,16 @@ if ($snortdownload == 'on') {
break;
}
log_error("Snort MD5 Attempts: " . (4 - $max_tries + 1));
+ error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log);
@file_put_contents("{$tmpfname}/{$snort_filename_md5}", $image);
if (0 == filesize("{$tmpfname}/{$snort_filename_md5}")) {
update_status(gettext("Please wait... You may only check for New Rules every 15 minutes..."));
log_error(gettext("Please wait... You may only check for New Rules every 15 minutes..."));
update_output_window(gettext("Rules are released every month from snort.org. You may download the Rules at any time."));
$snortdownload = 'off';
+ error_log(gettext("\tSnort VRT md5 download failed. Site may be offline or Oinkcode is not authorized for this level or version.\n"), 3, $snort_rules_upd_log);
} else
- update_status(gettext("Done downloading snort.org md5"));
+ update_status(gettext("Done downloading snort.org md5."));
}
/* Check if were up to date snort.org */
@@ -104,8 +124,9 @@ if ($snortdownload == 'on') {
$md5_check_new = file_get_contents("{$tmpfname}/{$snort_filename_md5}");
$md5_check_old = file_get_contents("{$snortdir}/{$snort_filename_md5}");
if ($md5_check_new == $md5_check_old) {
- update_status(gettext("Snort rules are up to date..."));
- log_error("Snort rules are up to date...");
+ update_status(gettext("Snort VRT rules are up to date..."));
+ log_error(gettext("Snort VRT rules are up to date..."));
+ error_log(gettext("\tSnort VRT rules are up to date.\n"), 3, $snort_rules_upd_log);
$snortdownload = 'off';
}
}
@@ -113,11 +134,12 @@ if ($snortdownload == 'on') {
/* download snortrules file */
if ($snortdownload == 'on') {
- update_status(gettext("There is a new set of Snort.org rules posted. Downloading..."));
- log_error(gettext("There is a new set of Snort.org rules posted. Downloading..."));
+ update_status(gettext("There is a new set of Snort VRT rules posted. Downloading..."));
+ log_error(gettext("There is a new set of Snort VRT rules posted. Downloading..."));
+ error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log);
$max_tries = 4;
while ($max_tries > 0) {
- download_file_with_progress_bar("http://www.snort.org/pub-bin/oinkmaster.cgi/{$oinkid}/{$snort_filename}", "{$tmpfname}/{$snort_filename}");
+ download_file_with_progress_bar("{$snort_rule_url}{$snort_filename}", "{$tmpfname}/{$snort_filename}");
if (300000 > filesize("{$tmpfname}/$snort_filename")){
$max_tries--;
if ($max_tries > 0)
@@ -126,19 +148,104 @@ if ($snortdownload == 'on') {
} else
break;
}
- update_status(gettext("Done downloading rules file."));
+ update_status(gettext("Done downloading Snort VRT rules file."));
log_error("Snort Rules Attempts: " . (4 - $max_tries + 1));
+ error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
if (300000 > filesize("{$tmpfname}/$snort_filename")){
- update_output_window(gettext("Snort rules file download failed..."));
- log_error(gettext("Snort rules file download failed..."));
+ update_output_window(gettext("Snort VRT rules file download failed..."));
+ log_error(gettext("Snort VRT rules file download failed..."));
log_error("Failed Rules Filesize: " . filesize("{$tmpfname}/$snort_filename"));
+ error_log(gettext("\tSnort VRT rules file download failed. Snort VRT rules will not be updated.\n"), 3, $snort_rules_upd_log);
$snortdownload = 'off';
}
}
+/* download md5 sig from Snort GPLv2 Community Rules */
+if ($snortcommunityrules == 'on') {
+ update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file..."));
+ error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log);
+ $image = file_get_contents("{$snort_community_rules_url}{$snort_community_rules_filename_md5}");
+ update_status(gettext("Done downloading Snort GPLv2 Community Rules md5"));
+ error_log(gettext("\tChecking Snort GPLv2 Community Rules md5.\n"), 3, $snort_rules_upd_log);
+ @file_put_contents("{$tmpfname}/{$snort_community_rules_filename_md5}", $image);
+
+ /* See if the file download was successful, and turn off Snort GPLv2 update if it failed. */
+ if (0 == filesize("{$tmpfname}/{$snort_community_rules_filename_md5}")){
+ update_output_window(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated."));
+ log_error(gettext("Snort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated."));
+ error_log(gettext("\tSnort GPLv2 Community Rules md5 file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ $snortcommunityrules = 'off';
+ }
+
+ if (file_exists("{$snortdir}/{$snort_community_rules_filename_md5}") && $snortcommunityrules == "on") {
+ /* Check if were up to date Snort GPLv2 Community Rules */
+ $snort_comm_md5_check_new = file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}");
+ $snort_comm_md5_check_old = file_get_contents("{$snortdir}/{$snort_community_rules_filename_md5}");
+ if ($snort_comm_md5_check_new == $snort_comm_md5_check_old) {
+ update_status(gettext("Snort GPLv2 Community Rules are up to date..."));
+ log_error(gettext("Snort GPLv2 Community Rules are up to date..."));
+ error_log(gettext("\tSnort GPLv2 Community Rules are up to date.\n"), 3, $snort_rules_upd_log);
+ $snortcommunityrules = 'off';
+ }
+ }
+}
+
+/* download Snort GPLv2 Community rules file */
+if ($snortcommunityrules == "on") {
+ update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
+ log_error(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading..."));
+ error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log);
+ download_file_with_progress_bar("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}");
+
+ /* Test for a valid rules file download. Turn off Snort Community update if download failed. */
+ if (150000 > filesize("{$tmpfname}/{$snort_community_rules_filename}")){
+ update_output_window(gettext("Snort GPLv2 Community Rules file download failed..."));
+ log_error(gettext("Snort GPLv2 Community Rules file download failed..."));
+ log_error("Failed Rules Filesize: " . filesize("{$tmpfname}/{$snort_community_rules_filename}"));
+ error_log(gettext("\tSnort GPLv2 Community Rules file download failed. Community Rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ $snortcommunityrules = 'off';
+ }
+ else {
+ update_status(gettext('Done downloading Snort GPLv2 Community Rules file.'));
+ log_error("Snort GPLv2 Community Rules file update downloaded succsesfully");
+ error_log(gettext("\tDone downloading Snort GPLv2 Community Rules file.\n"), 3, $snort_rules_upd_log);
+ }
+}
+
+/* Untar Snort GPLv2 Community rules to tmp */
+if ($snortcommunityrules == 'on') {
+ safe_mkdir("{$snortdir}/tmp/community");
+ if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
+ update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
+ error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log);
+ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$snortdir}/tmp/community/");
+
+ $files = glob("{$snortdir}/tmp/community/community-rules/*.rules");
+ foreach ($files as $file) {
+ $newfile = basename($file);
+ @copy($file, "{$snortdir}/rules/GPLv2_{$newfile}");
+ }
+ /* base etc files for Snort GPLv2 Community rules */
+ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
+ if (file_exists("{$snortdir}/tmp/community/community-rules/{$file}"))
+ @copy("{$snortdir}/tmp/community/community-rules/{$file}", "{$snortdir}/tmp/GPLv2_{$file}");
+ }
+
+ /* Copy snort community md5 sig to snort dir */
+ if (file_exists("{$tmpfname}/{$snort_community_rules_filename_md5}")) {
+ update_status(gettext("Copying md5 signature to snort directory..."));
+ @copy("{$tmpfname}/$snort_community_rules_filename_md5", "{$snortdir}/{$snort_community_rules_filename_md5}");
+ }
+ update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
+ error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log);
+ exec("rm -r {$snortdir}/tmp/community");
+ }
+}
+
/* download md5 sig from emergingthreats.net */
if ($emergingthreats == 'on') {
- update_status(gettext("Downloading emergingthreats md5 file..."));
+ update_status(gettext("Downloading EmergingThreats md5 file..."));
+ error_log(gettext("\tDownloading EmergingThreats md5 file...\n"), 3, $snort_rules_upd_log);
/* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */
if ($vrt_enabled == "on")
@@ -146,17 +253,26 @@ if ($emergingthreats == 'on') {
else
$image = @file_get_contents("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz.md5");
- /* XXX: error checking */
+ update_status(gettext("Done downloading EmergingThreats md5"));
+ error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log);
@file_put_contents("{$tmpfname}/{$emergingthreats_filename_md5}", $image);
- update_status(gettext("Done downloading emergingthreats md5"));
- if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}")) {
+ /* See if the file download was successful, and turn off ET update if it failed. */
+ if (0 == filesize("{$tmpfname}/$emergingthreats_filename_md5")){
+ update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated."));
+ log_error(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated."));
+ error_log(gettext("\tEmergingThreats md5 file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ $emergingthreats = 'off';
+ }
+
+ if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") {
/* Check if were up to date emergingthreats.net */
$emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}");
$emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}");
if ($emerg_md5_check_new == $emerg_md5_check_old) {
- update_status(gettext("Emerging threat rules are up to date..."));
- log_error(gettext("Emerging threat rules are up to date..."));
+ update_status(gettext("Emerging Threats rules are up to date..."));
+ log_error(gettext("Emerging Threat rules are up to date..."));
+ error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log);
$emergingthreats = 'off';
}
}
@@ -164,8 +280,9 @@ if ($emergingthreats == 'on') {
/* download emergingthreats rules file */
if ($emergingthreats == "on") {
- update_status(gettext("There is a new set of Emergingthreats rules posted. Downloading..."));
- log_error(gettext("There is a new set of Emergingthreats rules posted. Downloading..."));
+ update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading..."));
+ log_error(gettext("There is a new set of EmergingThreats rules posted. Downloading..."));
+ error_log(gettext("\tThere is a new set of EmergingThreats rules posted. Downloading...\n"), 3, $snort_rules_upd_log);
/* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */
if ($vrt_enabled == "on")
@@ -173,24 +290,27 @@ if ($emergingthreats == "on") {
else
download_file_with_progress_bar("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/emerging.rules.tar.gz", "{$tmpfname}/{$emergingthreats_filename}");
- update_status(gettext('Done downloading Emergingthreats rules file.'));
- log_error("Emergingthreats rules file update downloaded succsesfully");
+ /* Test for a valid rules file download. Turn off ET update if download failed. */
+ if (150000 > filesize("{$tmpfname}/$emergingthreats_filename")){
+ update_output_window(gettext("EmergingThreats rules file download failed..."));
+ log_error(gettext("EmergingThreats rules file download failed..."));
+ log_error("Failed Rules Filesize: " . filesize("{$tmpfname}/$emergingthreats_filename"));
+ error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log);
+ $emergingthreats = 'off';
+ }
+ else {
+ update_status(gettext('Done downloading EmergingThreats rules file.'));
+ log_error("EmergingThreats rules file update downloaded succsesfully");
+ error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log);
+ }
}
-/* Normalize rulesets */
-$sedcmd = "s/^#alert/# alert/g\n";
-$sedcmd .= "s/^##alert/# alert/g\n";
-$sedcmd .= "s/^#[ \\t#]*alert/# alert/g\n";
-$sedcmd .= "s/^##\\talert/# alert/g\n";
-$sedcmd .= "s/^\\talert/alert/g\n";
-$sedcmd .= "s/^[ \\t]*alert/alert/g\n";
-@file_put_contents("{$snortdir}/tmp/sedcmd", $sedcmd);
-
/* Untar emergingthreats rules to tmp */
if ($emergingthreats == 'on') {
safe_mkdir("{$snortdir}/tmp/emerging");
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
update_status(gettext("Extracting EmergingThreats.org rules..."));
+ error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/");
$files = glob("{$snortdir}/tmp/emerging/rules/*.rules");
@@ -199,7 +319,7 @@ if ($emergingthreats == 'on') {
@copy($file, "{$snortdir}/rules/{$newfile}");
}
/* IP lists for Emerging Threats rules */
- $files = glob("{$snortdir}/tmp/emerging/rules/*.txt");
+ $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt");
foreach ($files as $file) {
$newfile = basename($file);
@copy($file, "{$snortdir}/rules/{$newfile}");
@@ -207,31 +327,33 @@ if ($emergingthreats == 'on') {
/* base etc files for Emerging Threats rules */
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
if (file_exists("{$snortdir}/tmp/emerging/rules/{$file}"))
- @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/ET_{$file}");
+ @copy("{$snortdir}/tmp/emerging/rules/{$file}", "{$snortdir}/tmp/ET_{$file}");
}
-// /* make sure default rules are in the right format */
-// exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/emerging*.rules");
-
/* Copy emergingthreats md5 sig to snort dir */
if (file_exists("{$tmpfname}/$emergingthreats_filename_md5")) {
- update_status(gettext("Copying md5 sig to snort directory..."));
+ update_status(gettext("Copying md5 signature to snort directory..."));
@copy("{$tmpfname}/$emergingthreats_filename_md5", "{$snortdir}/$emergingthreats_filename_md5");
}
update_status(gettext("Extraction of EmergingThreats.org rules completed..."));
+ error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log);
+ exec("rm -r {$snortdir}/tmp/emerging");
}
}
/* Untar snort rules file individually to help people with low system specs */
if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
- if ($pfsense_stable == 'yes')
- $freebsd_version_so = 'FreeBSD-7-2';
- else
- $freebsd_version_so = 'FreeBSD-8-1';
+
+ /* Currently, only FreeBSD-8-1 and FreeBSD-9-0 precompiled SO rules exist from Snort.org */
+ /* Default to FreeBSD 8.1, and then test for FreeBSD 9.x */
+ $freebsd_version_so = 'FreeBSD-8-1';
+ if (substr(php_uname("r"), 0, 1) == '9')
+ $freebsd_version_so = 'FreeBSD-9-0';
update_status(gettext("Extracting Snort VRT rules..."));
- /* extract snort.org rules and add prefix to all snort.org files*/
+ error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log);
+ /* extract snort.org rules and add prefix to all snort.org files */
safe_mkdir("{$snortdir}/tmp/snortrules");
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp/snortrules rules/");
$files = glob("{$snortdir}/tmp/snortrules/rules/*.rules");
@@ -249,151 +371,196 @@ if ($snortdownload == 'on') {
/* extract so rules */
update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
- exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/');
+ exec('/bin/mkdir -p {$snortlibdir}/dynamicrules/');
+ error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log);
$snort_arch = php_uname("m");
$nosorules = false;
if ($snort_arch == 'i386'){
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/");
- exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/* /usr/local/lib/snort/dynamicrules/");
- } else if ($snort_arch == 'amd64') {
+ exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/i386/{$snort_version}/* {$snortlibdir}/dynamicrules/");
+ } elseif ($snort_arch == 'amd64') {
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/");
- exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/* /usr/local/lib/snort/dynamicrules/");
+ exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/$freebsd_version_so/x86-64/{$snort_version}/* {$snortlibdir}/dynamicrules/");
} else
$nosorules = true;
exec("rm -r {$snortdir}/tmp/so_rules");
if ($nosorules == false) {
- /* extract so rules none bin and rename */
+ /* extract so stub rules, rename and copy to the rules folder. */
update_status(gettext("Copying Snort VRT Shared Objects rules..."));
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/");
+ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp --exclude precompiled/ --exclude src/ so_rules/");
$files = glob("{$snortdir}/tmp/so_rules/*.rules");
foreach ($files as $file) {
$newfile = basename($file, ".rules");
@copy($file, "{$snortdir}/rules/snort_{$newfile}.so.rules");
}
exec("rm -r {$snortdir}/tmp/so_rules");
-
- /* extract base etc files */
- update_status(gettext("Extracting Snort VRT base config files..."));
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/");
- foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
- if (file_exists("{$snortdir}/tmp/etc/{$file}"))
- @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/VRT_{$file}");
- }
- exec("rm -r {$snortdir}/tmp/etc");
-
- /* Untar snort signatures */
- $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo'];
- if ($premium_url_chk == 'on') {
- update_status(gettext("Extracting Snort VRT Signatures..."));
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/");
- update_status(gettext("Done extracting Signatures."));
-
- if (is_dir("{$snortdir}/doc/signatures")) {
- update_status(gettext("Copying Snort VRT signatures..."));
- exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures");
- update_status(gettext("Done copying signatures."));
- }
+ }
+
+ /* extract base etc files */
+ update_status(gettext("Extracting Snort VRT config and map files..."));
+ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp etc/");
+ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
+ if (file_exists("{$snortdir}/tmp/etc/{$file}"))
+ @copy("{$snortdir}/tmp/etc/{$file}", "{$snortdir}/tmp/VRT_{$file}");
+ }
+ exec("rm -r {$snortdir}/tmp/etc");
+
+ /* Untar snort signatures */
+ $signature_info_chk = $config['installedpackages']['snortglobal']['signatureinfo'];
+ if ($premium_url_chk == 'on') {
+ update_status(gettext("Extracting Snort VRT Signatures..."));
+ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} doc/signatures/");
+ update_status(gettext("Done extracting Signatures."));
+
+ if (is_dir("{$snortdir}/doc/signatures")) {
+ update_status(gettext("Copying Snort VRT signatures..."));
+ exec("/bin/cp -r {$snortdir}/doc/signatures {$snortdir}/signatures");
+ update_status(gettext("Done copying signatures."));
}
+ }
- foreach (glob("/usr/local/lib/snort/dynamicrules/*example*") as $file)
- @unlink($file);
-
- exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir} preproc_rules/");
-
-// /* make sure default rules are in the right format */
-// exec("/usr/bin/sed -I '' -f {$snortdir}/tmp/sedcmd {$snortdir}/rules/snort_*.rules");
+ /* Extract the Snort preprocessor rules */
+ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp preproc_rules/");
- if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
- update_status(gettext("Copying md5 sig to snort directory..."));
- @copy("{$tmpfname}/$snort_filename_md5", "{$snortdir}/$snort_filename_md5");
- }
+ if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
+ update_status(gettext("Copying md5 signature to snort directory..."));
+ @copy("{$tmpfname}/$snort_filename_md5", "{$snortdir}/$snort_filename_md5");
}
- update_status(gettext("Extraction of Snort VRT rules completed..."));
+ update_status(gettext("Extraction of Snort VRT rules completed..."));
+ error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log);
}
}
-/* remove old $tmpfname files */
-if (is_dir("{$snortdir}/tmp")) {
- update_status(gettext("Cleaning up after rules extraction..."));
- exec("/bin/rm -r {$snortdir}/tmp");
-}
-
function snort_apply_customizations($snortcfg, $if_real) {
+ global $vrt_enabled;
$snortdir = SNORTDIR;
+
+ /* Update the Preprocessor rules for the master configuration and for the interface if Snort VRT rules are in use. */
+ if ($vrt_enabled == 'on') {
+ exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules");
+ $preproc_files = glob("{$snortdir}/tmp/preproc_rules/*.rules");
+ foreach ($preproc_files as $file) {
+ $newfile = basename($file);
+ @copy($file, "{$snortdir}/preproc_rules/{$newfile}");
+ /* Check if customized preprocessor rule protection is enabled for interface before overwriting them. */
+ if ($snortcfg['protect_preproc_rules'] <> 'on')
+ @copy($file, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules/{$newfile}");
+ }
+ }
+ else {
+ exec("/bin/mkdir -p {$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/preproc_rules");
+ }
+
snort_prepare_rule_files($snortcfg, "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}");
- /* Copy the master *.config and other *.map files to the interface's directory */
- @copy("{$snortdir}/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
- @copy("{$snortdir}/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
- @copy("{$snortdir}/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
- @copy("{$snortdir}/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
+ /* Copy the master config and map files to the interface directory */
+ @copy("{$snortdir}/tmp/classification.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/classification.config");
+ @copy("{$snortdir}/tmp/gen-msg.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/gen-msg.map");
+ @copy("{$snortdir}/tmp/reference.config", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/reference.config");
+ @copy("{$snortdir}/tmp/unicode.map", "{$snortdir}/snort_{$snortcfg['uuid']}_{$if_real}/unicode.map");
}
-if ($snortdownload == 'on' || $emergingthreats == 'on') {
+if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules == 'on') {
update_status(gettext('Copying new config and map files...'));
+ error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log);
- /* Determine which base etc file set to use for the master copy. */
- /* If the Snort VRT rules are not enabled, then use Emerging Threats. */
+ /* Determine which config and map file set to use for the master copy. */
+ /* If the Snort VRT rules are not enabled, then use Emerging Threats. */
if (($vrt_enabled == 'off') && ($et_enabled == 'on')) {
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
- if (file_exists("{$snortdir}/ET_{$file}"))
- @rename("{$snortdir}/ET_{$file}", "{$snortdir}/{$file}");
+ if (file_exists("{$snortdir}/tmp/ET_{$file}"))
+ @rename("{$snortdir}/tmp/ET_{$file}", "{$snortdir}/tmp/{$file}");
}
}
elseif (($vrt_enabled == 'on') && ($et_enabled == 'off')) {
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
- if (file_exists("{$snortdir}/VRT_{$file}"))
- @rename("{$snortdir}/VRT_{$file}", "{$snortdir}/{$file}");
+ if (file_exists("{$snortdir}/tmp/VRT_{$file}"))
+ @rename("{$snortdir}/tmp/VRT_{$file}", "{$snortdir}/tmp/{$file}");
}
}
- else {
+ elseif (($vrt_enabled == 'on') && ($et_enabled == 'on')) {
/* Both VRT and ET rules are enabled, so build combined */
/* reference.config and classification.config files. */
- $cfgs = glob("{$snortdir}/*reference.config");
- snort_merge_reference_configs($cfgs, "{$snortdir}/reference.config");
- $cfgs = glob("{$snortdir}/*classification.config");
- snort_merge_classification_configs($cfgs, "{$snortdir}/classification.config");
- }
-
- /* Clean-up our temp versions of the config and map files. */
- update_status(gettext('Cleaning up temp files...'));
- $cfgs = glob("{$snortdir}/??*_*.config");
- foreach ($cfgs as $file) {
- if (file_exists($file))
- @unlink($file);
- }
- $cfgs = glob("{$snortdir}/??*_*.map");
- foreach ($cfgs as $file) {
- if (file_exists($file))
- @unlink($file);
+ $cfgs = glob("{$snortdir}/tmp/*reference.config");
+ snort_merge_reference_configs($cfgs, "{$snortdir}/tmp/reference.config");
+ $cfgs = glob("{$snortdir}/tmp/*classification.config");
+ snort_merge_classification_configs($cfgs, "{$snortdir}/tmp/classification.config");
+
+ /* Use the unicode.map and gen-msg.map files from VRT rules. */
+ if (file_exists("{$snortdir}/tmp/VRT_unicode.map"))
+ @rename("{$snortdir}/tmp/VRT_unicode.map", "{$snortdir}/tmp/gen-msg.map");
+ if (file_exists("{$snortdir}/tmp/VRT_gen-msg.map"))
+ @rename("{$snortdir}/tmp/VRT_gen-msg.map", "{$snortdir}/tmp/gen-msg.map");
}
+ else {
+ /* Just Snort GPLv2 Community Rules may be enabled, so make sure required */
+ /* default config files are present in the rules extraction tmp working */
+ /* directory. Only copy missing files not captured in logic above. */
+
+ $snort_files = array("gen-msg.map", "classification.config", "reference.config", "unicode.map");
+ foreach ($snort_files as $file) {
+ if (file_exists("{$snortdir}/{$file}") && !file_exists("{$snortdir}/tmp/{$file}"))
+ @copy("{$snortdir}/{$file}", "{$snortdir}/tmp/{$file}");
+ }
+ }
- /* Start the proccess for each configured interface */
+ /* Start the rules rebuild proccess for each configured interface */
if (is_array($config['installedpackages']['snortglobal']['rule'])) {
- foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
- /* Create configuration for each active Snort interface */
+ /* Set the flag to force rule rebuilds since we downloaded new rules, */
+ /* except when in post-install mode. Post-install does its own rebuild. */
+ if ($is_postinstall)
+ $rebuild_rules = 'off';
+ else
+ $rebuild_rules = 'on';
+
+ /* Create configuration for each active Snort interface */
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
$if_real = snort_get_real_interface($value['interface']);
$tmp = "Updating rules configuration for: " . snort_get_friendly_interface($value['interface']) . " ...";
update_status(gettext($tmp));
- log_error($tmp);
snort_apply_customizations($value, $if_real);
+
+ /* Log a message in Update Log if protecting customized preprocessor rules. */
+ $tmp = "\t" . $tmp . "\n";
+ if ($value['protect_preproc_rules'] == 'on') {
+ $tmp .= gettext("\tPreprocessor text rules flagged as protected and not updated for ");
+ $tmp .= snort_get_friendly_interface($value['interface']) . "...\n";
+ }
+ error_log($tmp, 3, $snort_rules_upd_log);
}
}
- update_status(gettext('Restarting Snort to activate the new set of rules...'));
- exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart");
- sleep(20);
- if (!is_process_running("snort"))
- exec("/bin/sh /usr/local/etc/rc.d/snort.sh start");
- update_output_window(gettext("Snort has restarted with your new set of rules..."));
- log_error("Snort has restarted with your new set of rules...");
+ else {
+ update_output_window(gettext("Warning: No interfaces configured for Snort were found..."));
+ error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, $snort_rules_upd_log);
+ }
+
+ /* Clear the rebuild rules flag. */
+ $rebuild_rules = 'off';
+
+ /* remove old $tmpfname files */
+ if (is_dir("{$snortdir}/tmp")) {
+ update_status(gettext("Cleaning up after rules extraction..."));
+ exec("/bin/rm -r {$snortdir}/tmp");
+ }
+
+ /* Restart snort if already running to pick up the new rules. */
+ if (is_process_running("snort")) {
+ update_status(gettext('Restarting Snort to activate the new set of rules...'));
+ error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log);
+ exec("/bin/sh /usr/local/etc/rc.d/snort.sh restart");
+ update_output_window(gettext("Snort has restarted with your new set of rules..."));
+ log_error(gettext("Snort has restarted with your new set of rules..."));
+ error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, $snort_rules_upd_log);
+ }
}
update_status(gettext("The Rules update has finished..."));
-log_error("The Rules update has finished...");
+log_error(gettext("The Rules update has finished."));
+error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log);
conf_mount_ro();
?>
diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php
index 4085b325..7fb435ed 100755
--- a/config/snort/snort_define_servers.php
+++ b/config/snort/snort_define_servers.php
@@ -126,7 +126,9 @@ if ($_POST) {
write_config();
- sync_snort_package_config();
+ /* Update the snort conf file for this interface. */
+ $rebuild_rules = "off";
+ snort_generate_conf($a_nat[$id]);
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php
index 0c879e44..369e3094 100755
--- a/config/snort/snort_download_updates.php
+++ b/config/snort/snort_download_updates.php
@@ -36,16 +36,18 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-global $g;
+global $g, $snort_rules_upd_log, $snort_rules_file, $emergingthreats_filename;
$snortdir = SNORTDIR;
-$snort_upd_log = "/tmp/snort_update.log";
+
+$log = $snort_rules_upd_log;
/* load only javascript that is needed */
$snort_load_jquery = 'yes';
$snort_load_jquery_colorbox = 'yes';
$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'];
+$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'];
/* quick md5s chk */
$snort_org_sig_chk_local = 'N/A';
@@ -53,13 +55,28 @@ if (file_exists("{$snortdir}/{$snort_rules_file}.md5"))
$snort_org_sig_chk_local = file_get_contents("{$snortdir}/{$snort_rules_file}.md5");
$emergingt_net_sig_chk_local = 'N/A';
-if (file_exists("{$snortdir}/emerging.rules.tar.gz.md5"))
- $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/emerging.rules.tar.gz.md5");
+if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5"))
+ $emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/{$emergingthreats_filename}.md5");
+
+$snort_community_sig_chk_local = 'N/A';
+if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5"))
+ $snort_community_sig_chk_local = file_get_contents("{$snortdir}/{$snort_community_rules_filename}.md5");
+
+/* Check for postback to see if we should clear the update log file. */
+if (isset($_POST['clear'])) {
+ if (file_exists("{$snort_rules_upd_log}"))
+ mwexec("/bin/rm -f {$snort_rules_upd_log}");
+}
+
+if (isset($_POST['update'])) {
+ header("Location: /snort/snort_download_rules.php");
+ exit;
+}
/* check for logfile */
-$update_logfile_chk = 'no';
-if (file_exists("{$snort_upd_log}"))
- $update_logfile_chk = 'yes';
+$snort_rules_upd_logfile_chk = 'no';
+if (file_exists("{$snort_rules_upd_log}"))
+ $snort_rules_upd_logfile_chk = 'yes';
$pgtitle = "Services: Snort: Updates";
include_once("head.inc");
@@ -78,12 +95,14 @@ function popup(url)
params += ', top=0, left=0'
params += ', fullscreen=yes';
- newwin=window.open(url,'windowname4', params);
+ newwin=window.open(url,'LogViewer', params);
if (window.focus) {newwin.focus()}
return false;
}
</script>
+<form action="snort_download_updates.php" method="post" name="iform" id="iform">
+
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
@@ -101,8 +120,7 @@ function popup(url)
<tr>
<td>
<div id="mainarea3">
- <table id="maintable4" class="tabcont" width="100%" border="0"
- cellpadding="0" cellspacing="0">
+ <table id="maintable4" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr align="center">
<td>
<br/>
@@ -112,14 +130,15 @@ function popup(url)
<td id="download_rules_td" style="background-color: #eeeeee">
<div height="32" width="725px" style="background-color: #eeeeee">
- <font color="#777777" size="1.5px">
+ <font color="#777777" size="2.5px">
<p style="text-align: left; margin-left: 225px;">
- <b><?php echo gettext("INSTALLED SIGNATURE RULESET"); ?></b></font><br>
- <br>
- <font color="#FF850A" size="1px"><b>SNORT.ORG >>></b></font>
+ <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/>
+ <font color="#FF850A" size="1px"><b>SNORT.ORG&nbsp;&nbsp;--></b></font>
<font size="1px" color="#000000">&nbsp;&nbsp;<? echo $snort_org_sig_chk_local; ?></font><br>
- <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET >>></b></font>
+ <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET&nbsp;&nbsp;--></b></font>
<font size="1px" color="#000000">&nbsp;&nbsp;<? echo $emergingt_net_sig_chk_local; ?></font><br>
+ <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES&nbsp;&nbsp;--></b></font>
+ <font size="1px" color="#000000">&nbsp;&nbsp;<? echo $snort_community_sig_chk_local; ?></font><br>
</p>
</div>
</td>
@@ -133,14 +152,14 @@ function popup(url)
<div height="32" width="725px" style='background-color: #eeeeee'>
<p style="text-align: left; margin-left: 225px;">
- <font color='#777777' size='1.5px'><b><?php echo gettext("UPDATE YOUR RULES"); ?></b></font><br>
+ <font color='#777777' size='2.5px'><b><?php echo gettext("UPDATE YOUR RULESET"); ?></b></font><br>
<br/>
<?php
if ($snortdownload != 'on' && $emergingthreats != 'on') {
echo '
- <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '&nbsp;&nbsp;&nbsp;&nbsp;</span></button><br/>
+ <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/>
<p style="text-align:left; margin-left:150px;">
<font color="#fc3608" size="2px"><b>' . gettext("WARNING:") . '</b></font><font size="1px" color="#000000">&nbsp;&nbsp;' . gettext('No rule types have been selected for download. "Global Settings Tab"') . '</font><br>';
@@ -148,7 +167,7 @@ function popup(url)
} else {
echo '
- <a href="/snort/snort_download_rules.php"><button ><span class="download">' . gettext("Update Rules") . '&nbsp;&nbsp;&nbsp;&nbsp;</span></button></a><br/>' . "\n";
+ <input type="submit" value="' . gettext("Update Rules") . '" name="update" id="Submit" class="formbtn" /><br/>' . "\n";
}
@@ -166,19 +185,19 @@ function popup(url)
<div height="32" width="725px" style='background-color: #eeeeee'>
<p style="text-align: left; margin-left: 225px;">
- <font color='#777777' size='1.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br>
+ <font color='#777777' size='2.5px'><b><?php echo gettext("VIEW UPDATE LOG"); ?></b></font><br>
<br>
-
<?php
- if ($update_logfile_chk == 'yes') {
+ if ($snort_rules_upd_logfile_chk == 'yes') {
echo "
- <button href='/snort/snort_rules_edit.php?openruleset={$snort_upd_log}'><span class='pwhitetxt'>" . gettext("Update Log") . "&nbsp;&nbsp;&nbsp;&nbsp;</span></button>\n";
+ <button class=\"formbtn\" onclick=\"popup('snort_log_view.php?logfile={$log}')\"><span class='pwhitetxt'>" . gettext("View Log") . "</span></button>";
+ echo "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type=\"submit\" value=\"Clear Log\" name=\"clear\" id=\"Submit\" class=\"formbtn\" />\n";
}else{
echo "
- <button disabled='disabled' href='/snort/snort_rules_edit.php?openruleset={$snort_upd_log}'><span class='pwhitetxt'>" . gettext("Update Log") . "&nbsp;&nbsp;&nbsp;&nbsp;</span></button>\n";
+ <button disabled='disabled'><span class='pwhitetxt'>" . gettext("View Log") . "</span></button>&nbsp;&nbsp;&nbsp;" . gettext("Log is empty.") . "\n";
}
-
+ echo '<br><br>' . gettext("The log file is limited to 1024K in size and automatically clears when the limit is exceeded.");
?>
<br/>
</p>
@@ -194,8 +213,8 @@ function popup(url)
<tr>
<td id="download_rules_td" style='background-color: #eeeeee'>
<div height="32" width="725px" style='background-color: #eeeeee'>
- <font color='#FF850A' size='1px'><b><?php echo gettext("NOTE:"); ?></b></font><font size='1px'
- color='#000000'>&nbsp;&nbsp;<?php echo gettext("Snort.org and Emergingthreats.net " .
+ <font size='1px'><span class="red"><b><?php echo gettext("NOTE:"); ?></b></span></font><font size='1px'
+ color='#000000'>&nbsp;&nbsp;<?php echo gettext("Snort.org and EmergingThreats.net " .
"will go down from time to time. Please be patient."); ?>
</font>
</div>
@@ -207,16 +226,12 @@ function popup(url)
</tr>
</table>
</div>
-
-
-
-
-
<br>
</td>
</tr>
</table>
<!-- end of final table --></div>
+ </form>
<?php include("fend.inc"); ?>
</body>
</html>
diff --git a/config/snort/snort_interfaces.php b/config/snort/snort_interfaces.php
index e8e690a8..4f85c1f4 100755
--- a/config/snort/snort_interfaces.php
+++ b/config/snort/snort_interfaces.php
@@ -61,10 +61,14 @@ if (isset($_POST['del_x'])) {
}
conf_mount_ro();
+ /* If all the Snort interfaces are removed, then unset the config array. */
+ if (empty($a_nat))
+ unset($a_nat);
+
write_config();
sleep(2);
- /* if there are no ifaces do not create snort.sh */
+ /* if there are no ifaces remaining do not create snort.sh */
if (!empty($config['installedpackages']['snortglobal']['rule']))
snort_create_rc();
else {
@@ -228,7 +232,7 @@ if ($pfsense_stable == 'yes')
else
$biconfn = 'block';
- ?>
+?>
<td class="listt">
<input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0;"></td>
<td class="listr"
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index d0fabbf4..76763553 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -31,7 +31,7 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-global $g;
+global $g, $rebuild_rules;
if (!is_array($config['installedpackages']['snortglobal']))
$config['installedpackages']['snortglobal'] = array();
@@ -50,10 +50,15 @@ if (is_null($id)) {
}
$pconfig = array();
-if (empty($snortglob['rule'][$id]['uuid']))
+if (empty($snortglob['rule'][$id]['uuid'])) {
+ /* Adding new interface, so flag rules to build. */
$pconfig['uuid'] = snort_generate_id();
-else
+ $rebuild_rules = "on";
+}
+else {
$pconfig['uuid'] = $a_rule[$id]['uuid'];
+ $rebuild_rules = "off";
+}
$snort_uuid = $pconfig['uuid'];
if (isset($id) && $a_rule[$id]) {
@@ -77,14 +82,6 @@ if ($_POST["Submit"]) {
if (!$_POST['interface'])
$input_errors[] = "Interface is mandatory";
-/*
- foreach ($a_rule as $natent) {
- if (isset($id) && ($a_rule[$id]) && ($a_rule[$id] === $natent))
- continue;
- if ($natent['interface'] == $_POST['interface'])
- $input_errors[] = "This interface is already configured for another instance";
- }
-*/
/* if no errors write to conf */
if (!$input_errors) {
@@ -118,10 +115,16 @@ if ($_POST["Submit"]) {
} else
$a_rule[] = $natent;
+ /* If Snort is disabled on this interface, stop any running instance */
if ($natent['enable'] != 'on')
snort_stop($natent, $if_real);
+
+ /* Save configuration changes */
write_config();
- sync_snort_package_config();
+
+ /* Update snort.conf file for this interface */
+ $rebuild_rules = "off";
+ snort_generate_conf($a_rule[$id]);
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index 9dde8aaf..9c63ac04 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -50,6 +50,8 @@ $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortlo
$pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize'];
$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7'];
$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings'];
+$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules'];
+
/* if no errors move foward */
if (!$input_errors) {
@@ -58,7 +60,9 @@ if (!$input_errors) {
$config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'];
$config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode'];
+ $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off';
+
$config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked'];
if ($_POST['snortloglimitsize']) {
$config['installedpackages']['snortglobal']['snortloglimit'] = $_POST['snortloglimit'];
@@ -110,6 +114,20 @@ if ($input_errors)
?>
+<script language="JavaScript">
+<!--
+function enable_snort_vrt(btn) {
+ if (btn == 'off') {
+ document.iform.oinkmastercode.disabled = "true";
+ }
+ if (btn == 'on') {
+ document.iform.oinkmastercode.disabled = "";
+ }
+}
+//-->
+</script>
+
+
<form action="snort_interfaces_global.php" method="post" enctype="multipart/form-data" name="iform" id="iform">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="tabnavtbl">
@@ -124,7 +142,8 @@ if ($input_errors)
$tab_array[6] = array(gettext("Suppress"), false, "/snort/snort_interfaces_suppress.php");
display_top_tabs($tab_array);
?>
-</td></tr>
+</td>
+</tr>
<tr>
<td class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
@@ -132,55 +151,69 @@ if ($input_errors)
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Please Choose The " .
"Type Of Rules You Wish To Download"); ?></td>
</tr>
- <td width="22%" valign="top" class="vncell"><?php echo gettext("Install Snort.org rules"); ?></td>
+ <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort VRT%s rules"), '<strong>' , '</strong>'); ?></td>
<td width="78%" class="vtable">
- <table cellpadding="0" cellspacing="0">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
- <td colspan="2"><input name="snortdownload" type="radio"
- id="snortdownload" value="off"
-<?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?>>
- <?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></td>
+ <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')"
+ <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> >&nbsp;&nbsp;</td>
+ <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td>
</tr>
<tr>
- <td colspan="2"><input name="snortdownload" type="radio"
- id="snortdownload" value="on"
- <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>> <?php echo gettext("Install " .
- "Basic Rules or Premium rules"); ?> <br>
- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a
- href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a " .
- "Basic Rule Account"); ?></a><br>
- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a
- href="http://www.snort.org/vrt/buy-a-subscription"
- target="_blank"><?php echo gettext("Sign Up for Sourcefire VRT Certified Premium " .
- "Rules. This Is Highly Recommended"); ?></a></td>
- </tr>
+ <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')"
+ <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td>
+ <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td>
<tr>
<td>&nbsp;</td>
+ <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br>
+ <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank">
+ <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td>
</tr>
- </table>
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" valign="top" class="optsect_t2"><?php echo gettext("Oinkmaster code"); ?></td>
+ <td colspan="2">&nbsp;</td>
</tr>
+ </table>
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
- <td class="vncell" valign="top"><?php echo gettext("Code"); ?></td>
- <td class="vtable"><input name="oinkmastercode" type="text"
+ <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td>
+ </tr>
+ <tr>
+ <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?><strong></span</td>
+ <td><input name="oinkmastercode" type="text"
class="formfld" id="oinkmastercode" size="52"
- value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br>
- <?php echo gettext("Obtain a snort.org Oinkmaster code and paste here."); ?></td>
-
+ value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"
+ <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br>
+ <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td>
+ </tr>
</table>
-
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmergingthreats%s " .
+ <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " .
"rules"), '<strong>' , '</strong>'); ?></td>
- <td width="78%" class="vtable"><input name="emergingthreats"
- type="checkbox" value="yes"
- <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>
- ><br>
- <?php echo gettext("Emerging Threats is an open source community that produces fastest " .
- "moving and diverse Snort Rules."); ?></td>
+ <td width="78%" class="vtable">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td>
+ <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
+ "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?>
+ <br/><br/><?php printf(gettext("%sNote: %sIf you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set."),'<span class="red"><strong>' ,'</strong></span>'); ?></span><br></td>
+ </tr>
+ </table></td>
+</tr>
+<tr>
+ <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sEmerging Threats%s " .
+ "rules"), '<strong>' , '</strong>'); ?></td>
+ <td width="78%" class="vtable">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>>
+ <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " .
+ "moving and diverse Snort Rules."); ?></span></td>
+ </tr>
+ </table>
+ </td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Update rules " .
@@ -194,9 +227,9 @@ if ($input_errors)
<?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>>
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
- </select><br>
- <span class="vexpl"><?php echo gettext("Please select the update times for rules."); ?><br>
- <?php echo gettext("Hint: in most cases, every 12 hours is a good choice."); ?></span></td>
+ </select><span class="vexpl">&nbsp;&nbsp;<?php echo gettext("Please select the update times for rules."); ?><br/><br/>
+
+ <?php printf(gettext("%sHint%s: in most cases, every 12 hours is a good choice."), '<span class="red"><strong>','</strong></span>'); ?></span></td>
</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
@@ -209,20 +242,20 @@ if ($input_errors)
<br/>
<br/>
<span class="red"><strong><?php echo gettext("Note"); ?></span>:</strong><br>
- <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?>MB</strong></td>
+ <?php echo gettext("Available space is"); ?> <strong><?php echo $snortlogCurrentDSKsize; ?>&nbsp;MB</strong></td>
<td width="78%" class="vtable">
<table cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><input name="snortloglimit" type="radio"
id="snortloglimit" value="on"
-<?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>>
- <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</td>
+<?php if($pconfig['snortloglimit']=='on') echo 'checked'; ?>><span class="vexpl">
+ <strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</span></td>
</tr>
<tr>
<td colspan="2"><input name="snortloglimit" type="radio"
id="snortloglimit" value="off"
-<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <strong><?php echo gettext("Disable"); ?></strong>
- <?php echo gettext("directory size limit"); ?><br>
+<?php if($pconfig['snortloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong>
+ <?php echo gettext("directory size limit"); ?></span><br>
<br>
<span class="red"><strong><?php echo gettext("Warning"); ?></span>:</strong> <?php echo gettext("Nanobsd " .
"should use no more than 10MB of space."); ?></td>
@@ -231,18 +264,16 @@ if ($input_errors)
<td>&nbsp;</td>
</tr>
</table>
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
- <td class="vncell3"><?php echo gettext("Size in"); ?> <strong>MB</strong></td>
- <td class="vtable"><input name="snortloglimitsize" type="text"
- class="formfld" id="snortloglimitsize" size="7"
- value="<?=htmlspecialchars($pconfig['snortloglimitsize']);?>">
- <?php echo gettext("Default is"); ?> <strong>20%</strong> <?php echo gettext("of available space."); ?></td>
-
+ <td><span class="vexpl"><?php echo gettext("Size in"); ?> <strong>MB</strong><span></td>
+ <td><input name="snortloglimitsize" type="text" class="formfld" id="snortloglimitsize" size="7" value="
+ <?=htmlspecialchars($pconfig['snortloglimitsize']);?>">&nbsp;&nbsp;
+ <?php printf(gettext("Default is %s20%%%s of available space."), '<strong>', '</strong>'); ?></td>
+ </tr>
</table>
</tr>
-
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Remove blocked hosts " .
"every"); ?></td>
@@ -255,10 +286,9 @@ if ($input_errors)
<?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>>
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
- </select><br>
- <span class="vexpl"><?php echo gettext("Please select the amount of time you would like " .
- "hosts to be blocked for."); ?><br>
- <?php echo gettext("Hint: in most cases, 1 hour is a good choice."); ?></span></td>
+ </select>&nbsp;&nbsp;
+ <?php echo gettext("Please select the amount of time you would like hosts to be blocked for."); ?><br/><br/>
+ <?php printf(gettext("%sHint:%s in most cases, 1 hour is a good choice."), '<span class="red"><strong>', '</strong></span>'); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Keep snort settings " .
@@ -266,8 +296,7 @@ if ($input_errors)
<td width="78%" class="vtable"><input name="forcekeepsettings"
id="forcekeepsettings" type="checkbox" value="yes"
<?php if ($config['installedpackages']['snortglobal']['forcekeepsettings']=="on") echo "checked"; ?>
- ><br>
- <?php echo gettext("Settings will not be removed during deinstall."); ?></td>
+ >&nbsp;&nbsp;<?php echo gettext("Settings will not be removed during deinstall."); ?></td>
</tr>
<tr>
<td width="22%" valign="top">
@@ -279,8 +308,8 @@ if ($input_errors)
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?><br>
</strong></span> <?php echo gettext("Changing any settings on this page will affect all " .
- "interfaces. Please, double check if your oink code is correct and " .
- "the type of snort.org account you hold."); ?></span></td>
+ "interfaces. Double check that your oink code is correct, and verify the " .
+ "type of Snort.org account you hold."); ?></span></td>
</tr>
</table>
</td></tr>
diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php
index 93d3f2dc..32f2f6ba 100644
--- a/config/snort/snort_interfaces_suppress.php
+++ b/config/snort/snort_interfaces_suppress.php
@@ -134,10 +134,10 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
</table>
</td></tr>
<tr>
- <td colspan="3" width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span>
+ <td colspan="3" width="100%"><br/><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span>
<p><span class="vexpl"><?php echo gettext("Here you can create event filtering and " .
- "suppression for your snort package rules."); ?><br>
- <?php echo gettext("Please note that you must restart a running rule so that changes can " .
+ "suppression for your snort package rules."); ?><br/><br/>
+ <?php echo gettext("Please note that you must restart a running Interface so that changes can " .
"take effect."); ?></span></p></td>
</tr>
</table>
diff --git a/config/snort/snort_interfaces_whitelist.php b/config/snort/snort_interfaces_whitelist.php
index f90cbe1f..a925ad45 100644
--- a/config/snort/snort_interfaces_whitelist.php
+++ b/config/snort/snort_interfaces_whitelist.php
@@ -154,15 +154,20 @@ if ($savemsg) print_info_box($savemsg);
</tr>
</table>
<br>
-<table width="100%" border="0" cellpadding="0"
- cellspacing="0">
+<table width="100%" border="0" cellpadding="1"
+ cellspacing="1">
+ <tr>
<td width="100%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span>
<p><span class="vexpl"><?php echo gettext("Here you can create whitelist files for your " .
"snort package rules."); ?><br>
<?php echo gettext("Please add all the ips or networks you want to protect against snort " .
"block decisions."); ?><br>
<?php echo gettext("Remember that the default whitelist only includes local networks."); ?><br>
- <?php echo gettext("Be careful, it is very easy to get locked out of you system."); ?></span></p></td>
+ <?php echo gettext("Be careful, it is very easy to get locked out of your system."); ?></span></p></td>
+ </tr>
+ <tr>
+ <td width="100%"><span class="vexpl"><?php echo gettext("Remember you must restart Snort on the interface for changes to take effect!"); ?></span></td>
+ </tr>
</table>
</form>
<?php include("fend.inc"); ?>
diff --git a/config/snort/snort_log_view.php b/config/snort/snort_log_view.php
new file mode 100644
index 00000000..6d38a8cb
--- /dev/null
+++ b/config/snort/snort_log_view.php
@@ -0,0 +1,86 @@
+<?php
+/*
+ * snort_log_view.php
+ *
+ * Copyright (C) 2004, 2005 Scott Ullrich
+ * Copyright (C) 2011 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for FreeNAS by Volker Theile (votdev@gmx.de)
+ * Copyright (C) 2006-2009 Volker Theile
+ *
+ * Adapted for Pfsense Snort package by Robert Zelaya
+ * Copyright (C) 2008-2009 Robert Zelaya
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
+
+$contents = '';
+
+// Read the contents of the argument passed to us.
+// Is it a fully qualified path and file?
+if (file_exists($_GET['logfile']))
+ $contents = file_get_contents($_GET['logfile']);
+// It is not something we can display, so print an error.
+else
+ $contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
+
+$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
+?>
+
+<?php include("head.inc");?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php include("fbegin.inc");?>
+
+<form action="snort_log_view.php" method="post">
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr>
+ <td class="tabcont">
+ <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee">
+ <tr>
+ <td align="left" width="20%">
+ <input type="button" class="formbtn" value="Return" onclick="window.close()">
+ </td>
+ <td align="right">
+ <b><?php echo gettext("Log File: ") . '</b>&nbsp;' . $_GET['logfile']; ?>&nbsp;&nbsp;&nbsp;&nbsp;
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="label">
+ <div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
+ <textarea readonly wrap="off" rows="33" cols="90" name="code2"><?=$contents;?></textarea>
+ </div>
+ </td>
+ </tr>
+ </table>
+ </td>
+</tr>
+</table>
+</form>
+<?php include("fend.inc");?>
+</body>
+</html>
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 7d0348e9..5cd5a408 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -34,7 +34,12 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-global $g;
+global $g, $rebuild_rules;
+
+if (!is_array($config['installedpackages']['snortglobal'])) {
+ $config['installedpackages']['snortglobal'] = array();
+}
+$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'];
if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
$config['installedpackages']['snortglobal']['rule'] = array();
@@ -77,6 +82,13 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc'];
$pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc'];
$pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc'];
+ $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable'];
+ $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules'];
+
+ /* If not using the Snort VRT rules, then disable */
+ /* the Sensitive Data (sdf) preprocessor. */
+ if ($vrt_enabled == "off")
+ $pconfig['sensitive_data'] = "off";
}
if ($_POST) {
@@ -120,6 +132,8 @@ if ($_POST) {
$natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off';
$natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off';
$natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off';
+ $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off';
+ $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off';
if (isset($id) && $a_nat[$id])
$a_nat[$id] = $natent;
@@ -132,8 +146,15 @@ if ($_POST) {
write_config();
- $if_real = snort_get_real_interface($pconfig['interface']);
- sync_snort_package_config();
+ /* Set flag to rebuild rules for this interface */
+ $rebuild_rules = "on";
+
+ /*************************************************/
+ /* Update the snort conf file and rebuild the */
+ /* rules for this interface. */
+ /*************************************************/
+ snort_generate_conf($natent);
+ $rebuild_rules = "off";
/* after click go to this page */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -191,32 +212,69 @@ include_once("head.inc");
<tr><td class="tabcont">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" align="center" valign="middle">
- <span class="red"><strong><?php echo gettext("NOTE"); ?></strong></span><br>
+ <td colspan="2" align="left" valign="middle">
<?php echo gettext("Rules may be dependent on preprocessors! Disabling preprocessors may result in "); ?>
- <?php echo gettext("dependent rules being automatically disabled."); ?><br>
- <?php echo gettext("Defaults will be used when there is no user input."); ?><br></td>
+ <?php echo gettext("Snort start failures unless dependent rules are also disabled."); ?>
+ <?php echo gettext("The Auto-Rule Disable feature can be used, but note the warning about compromising protection. " .
+ "Defaults will be used where no user input is provided."); ?></td>
</tr>
<tr>
- <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Performance Statistics"); ?></td>
+
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Preprocessors Configuration"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
- <td width="78%" class="vtable"><input name="perform_stat"
- type="checkbox" value="on"
+ <td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on"
<?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>
onClick="enable_change(false)"> <?php echo gettext("Collect Performance Statistics for this interface."); ?></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td>
+ <td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on"
+ <?php if ($pconfig['protect_preproc_rules']=="on") echo "checked ";
+ if ($vrt_enabled <> 'on') echo "disabled"; ?>
+ onClick="enable_change(false)"> <?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?>
+ <table width="100%" border="0" cellpadding="2" cellpadding="2">
+ <tr>
+ <td width="3%">&nbsp;</td>
+ <td><?php echo gettext("Enable this only if you use customized preprocessor text rules files and " .
+ "you do not want them overwritten by automatic Snort VRT rule updates. " .
+ "This option is disabled when Snort VRT rules download is not enabled on the Global Settings tab."); ?><br/><br/>
+ <?php printf(gettext("%sHint:%s Most users should leave this unchecked."), '<span class="red"><strong>', '</strong></span>'); ?></span></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td>
+ <td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on"
+ <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>
+ onClick="enable_change(false)"> <?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. ");
+ echo gettext("Default is ") . '<strong>' . gettext("Not Checked."); ?></strong><br/>
+ <table width="100%" border="0" cellpadding="2" cellpadding="2">
+ <tr>
+ <td width="3%">&nbsp;</td>
+ <td><span class="red"><strong><?php echo gettext("Warning: "); ?></strong></span>
+ <?php echo gettext("Enabling this option allows Snort to automatically disable any text rules " .
+ "containing rule options or content modifiers that are dependent upon the preprocessors " .
+ "you have not enabled. This may facilitate starting Snort without errors related to " .
+ "disabled preprocessors, but can substantially compromise the level of protection by " .
+ "automatically disabling detection rules."); ?></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("HTTP Inspect Settings"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect"
type="checkbox" value="on"
- <?php if ($pconfig['http_inspect']=="on") echo "checked"; ?>
+ <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked"; ?>
onClick="enable_change(false)"> <?php echo gettext("Use HTTP Inspect to " .
- "Normalize/Decode and detect HTTP traffic and protocol anomalies."); ?></td>
+ "Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is "); ?>
+ <strong><?php echo gettext("Checked."); ?></strong></td>
</tr>
<tr>
<td valign="top" class="vncell"><?php echo gettext("HTTP server flow depth"); ?></td>
@@ -241,7 +299,7 @@ include_once("head.inc");
<td width="78%" class="vtable">
<select name="http_server_profile" class="formselect" id="http_server_profile">
<?php
- $profile = array('All', 'Apache', 'IIS', 'IIS_4.0', 'IIS_5.0');
+ $profile = array('All', 'Apache', 'IIS', 'IIS4_0', 'IIS5_0');
foreach ($profile as $val): ?>
<option value="<?=strtolower($val);?>"
<?php if (strtolower($val) == $pconfig['http_server_profile']) echo "selected"; ?>>
@@ -275,9 +333,10 @@ include_once("head.inc");
<td width="22%" valign="top" class="vncell"><?php echo gettext("Disable HTTP Alerts"); ?></td>
<td width="78%" class="vtable"><input name="noalert_http_inspect"
type="checkbox" value="on"
- <?php if ($pconfig['noalert_http_inspect']=="on") echo "checked"; ?>
- onClick="enable_change(false)"> <?php echo gettext("Tick to turn off alerts from the HTTP Inspect " .
- "preprocessor. This has no effect on HTTP rules in the rule set."); ?></td>
+ <?php if ($pconfig['noalert_http_inspect']=="on" || empty($pconfig['noalert_http_inspect'])) echo "checked"; ?>
+ onClick="enable_change(false)"> <?php echo gettext("Turn off alerts from HTTP Inspect " .
+ "preprocessor. This has no effect on HTTP rules. Default is "); ?>
+ <strong><?php echo gettext("Checked."); ?></strong></td>
</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Stream5 Settings"); ?></td>
@@ -469,9 +528,14 @@ include_once("head.inc");
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?> <br> <?php echo gettext("Sensitive Data"); ?></td>
<td width="78%" class="vtable">
<input name="sensitive_data" type="checkbox" value="on"
- <?php if ($pconfig['sensitive_data']=="on") echo "checked"; ?>
+ <?php if ($pconfig['sensitive_data'] == "on")
+ echo "checked";
+ elseif ($vrt_enabled == "off")
+ echo "disabled";
+ ?>
onClick="enable_change(false)"><br>
- <?php echo gettext("Sensitive data searches for credit card or Social Security numbers in data"); ?>
+ <?php echo gettext("Sensitive data searches for credit card or Social Security numbers and e-mail addresses in data."); ?><br/>
+ <span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the Global Settings tab."); ?>
</td>
</tr>
<tr>
@@ -507,7 +571,8 @@ include_once("head.inc");
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><span class="vexpl"><span class="red"><strong><?php echo gettext("Note:"); ?></strong></span>
<br>
- <?php echo gettext("Please save your settings before you click Start."); ?> </td>
+ <?php echo gettext("Please save your settings before you click Start. Preprocessor changes will rebuild the rules file. "); ?>
+ </br><?php echo gettext("This may take several seconds. Snort must also be restarted to activate any changes made on this screen."); ?></td>
</tr>
</table>
</td></tr></table>
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 7457632d..5e8e145d 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -33,7 +33,7 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-global $g, $flowbit_rules_file;
+global $g, $flowbit_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
$rules_map = array();
@@ -92,6 +92,11 @@ if (empty($categories[0]) && ($currentruleset != "custom.rules")) {
$currentruleset = "custom.rules";
}
+/* One last sanity check -- if the rules directory is empty, default to loading custom rules */
+$tmp = glob("{$snortdir}/rules/*.rules");
+if (empty($tmp))
+ $currentruleset = "custom.rules";
+
$ruledir = "{$snortdir}/rules";
$rulefile = "{$ruledir}/{$currentruleset}";
if ($currentruleset != 'custom.rules') {
@@ -100,7 +105,7 @@ if ($currentruleset != 'custom.rules') {
if (substr($currentruleset, 0, 10) == "IPS Policy")
$rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']);
elseif (!file_exists($rulefile))
- $input_errors[] = "{$currentruleset} seems to be missing!!! Please go to the Category tab and save the rule set again to regenerate it.";
+ $input_errors[] = gettext("{$currentruleset} seems to be missing!!! Please verify rules files have been downloaded, then go to the Categories tab and save the rule set again.");
else
$rules_map = snort_load_rules_map($rulefile);
}
@@ -221,11 +226,31 @@ if ($_POST['customrules']) {
for($i = $start; $i > $end; $i--)
$error .= $output[$i];
$input_errors[] = "Custom rules have errors:\n {$error}";
- } else {
+ }
+ else {
header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}");
exit;
}
-} else if ($_POST) {
+}
+
+else if ($_POST['apply']) {
+
+ /* Save new configuration */
+ write_config();
+
+ /*************************************************/
+ /* Update the snort conf file and rebuild the */
+ /* rules for this interface. */
+ /*************************************************/
+ $rebuild_rules = "on";
+ snort_generate_conf($a_rule[$id]);
+ $rebuild_rules = "off";
+
+ /* Return to this same page */
+ header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}");
+ exit;
+}
+else if($_POST) {
unset($a_rule[$id]['customrules']);
write_config();
header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}");
@@ -361,7 +386,9 @@ function popup(url)
<?php else: ?>
<tr>
<td width="3%" class="list">&nbsp;</td>
- <td colspan="7" class="listhdr" >&nbsp;</td>
+ <td colspan="7" class="listhdr" ><input type="submit" name="apply" id="apply" value="Apply Changes" class="formbtn">
+ &nbsp;&nbsp;&nbsp;<?php echo gettext("Click to rebuild the rules with your changes. Snort must be restarted to use the new rules."); ?>
+ <input type='hidden' name='id' value='<?=$id;?>'></td>
<td width="3%" align="center" valign="middle" class="listt"><a href="javascript: void(0)"
onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>')">
<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_service_restart.gif" <?php
@@ -449,7 +476,7 @@ function popup(url)
<td width="3%" align="center" valign="middle" nowrap class="listt">
<a href="javascript: void(0)"
onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>')"><img
- src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif"
title="<?php echo gettext("Click to view rule"); ?>" width="17" height="17" border="0"></a>
<!-- Codes by Quackit.com -->
</td>
diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php
index ab1a24b2..8ee6a645 100755
--- a/config/snort/snort_rules_edit.php
+++ b/config/snort/snort_rules_edit.php
@@ -62,6 +62,7 @@ $if_real = snort_get_real_interface($pconfig['interface']);
$snort_uuid = $a_rule[$id]['uuid'];
$file = $_GET['openruleset'];
$contents = '';
+$wrap_flag = "off";
// Read the contents of the argument passed to us.
// It may be an IPS policy string, an individual SID,
@@ -69,8 +70,10 @@ $contents = '';
// Test for the special case of an IPS Policy file.
if (substr($file, 0, 10) == "IPS Policy") {
$rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']);
- if (isset($_GET['ids']))
+ if (isset($_GET['ids'])) {
$contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule'];
+ $wrap_flag = "on";
+ }
else {
$contents = "# Snort IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n";
foreach (array_keys($rules_map) as $k1) {
@@ -86,6 +89,7 @@ if (substr($file, 0, 10) == "IPS Policy") {
elseif (isset($_GET['ids'])) {
$rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}");
$contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule'];
+ $wrap_flag = "on";
}
// Is it our special flowbit rules file?
elseif ($file == $flowbit_rules_file)
@@ -102,7 +106,7 @@ else {
exit;
}
-$pgtitle = array(gettext("Advanced"), gettext("File Viewer"));
+$pgtitle = array(gettext("Snort"), gettext("File Viewer"));
?>
<?php include("head.inc");?>
@@ -124,7 +128,7 @@ $pgtitle = array(gettext("Advanced"), gettext("File Viewer"));
<tr>
<td valign="top" class="label">
<div style="background: #eeeeee;" id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag must be on the same line. -->
- <textarea wrap="off" rows="33" cols="90" name="code2"><?=$contents;?></textarea>
+ <textarea wrap="<?=$wrap_flag?>" rows="33" cols="90" name="code2"><?=$contents;?></textarea>
</div>
</td>
</tr>
diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php
index 23a24bea..1bf815fb 100755
--- a/config/snort/snort_rulesets.php
+++ b/config/snort/snort_rulesets.php
@@ -32,7 +32,7 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-global $g, $flowbit_rules_file;
+global $g, $flowbit_rules_file, $rebuild_rules;
$snortdir = SNORTDIR;
@@ -62,6 +62,21 @@ $if_real = snort_get_real_interface($pconfig['interface']);
$snort_uuid = $a_nat[$id]['uuid'];
$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
$emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats'];
+$snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules'];
+
+$no_emerging_files = false;
+$no_snort_files = false;
+$no_community_files = false;
+
+/* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */
+$test = glob("{$snortdir}/rules/emerging-*.rules");
+if (empty($test))
+ $no_emerging_files = true;
+$test = glob("{$snortdir}/rules/snort_*.rules");
+if (empty($test))
+ $no_snort_files = true;
+if (!file_exists("{$snortdir}/rules/GPLv2_community.rules"))
+ $no_community_files = true;
if (($snortdownload == 'off') || ($a_nat[$id]['ips_policy_enable'] != 'on'))
$policy_select_disable = "disabled";
@@ -119,7 +134,14 @@ if ($_POST["Submit"]) {
}
write_config();
- sync_snort_package_config();
+
+ /*************************************************/
+ /* Update the snort conf file and rebuild the */
+ /* rules for this interface. */
+ /*************************************************/
+ $rebuild_rules = "on";
+ snort_generate_conf($a_nat[$id]);
+ $rebuild_rules = "off";
header("Location: /snort/snort_rulesets.php?id=$id");
exit;
@@ -142,6 +164,11 @@ if ($_POST['selectall']) {
foreach ($files as $file)
$rulesets[] = basename($file);
}
+ if ($snortcommunitydownload == 'on') {
+ $files = glob("{$snortdir}/rules/sc_*.rules");
+ foreach ($files as $file)
+ $rulesets[] = basename($file);
+ }
if ($snortdownload == 'on') {
$files = glob("{$snortdir}/rules/snort*.rules");
foreach ($files as $file)
@@ -233,12 +260,12 @@ function enable_change()
$iscfgdirempty = array();
if (file_exists("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules"))
$iscfgdirempty = (array)("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/custom.rules");
- if (empty($isrulesfolderempty) && empty($iscfgdirempty)):
+ if (empty($isrulesfolderempty)):
?>
<tr>
- <td>
- <?php printf(gettext("# The rules directory is empty. %s/rules"), $snortdir); ?> <br/>
- <?php echo gettext("Please go to the Updates tab to download/fetch the rules configured."); ?>
+ <td class="vexpl"><br/>
+ <?php printf(gettext("# The rules directory is empty: %s%s/rules%s"), '<strong>',$snortdir,'</strong>'); ?> <br/><br/>
+ <?php printf(gettext("Please go to the %sUpdates%s tab to download the rules configured on the %sGlobal%s tab."),'<strong>' ,'</strong>', '<strong>' ,'</strong>'); ?>
</td>
</tr>
<?php else:
@@ -258,28 +285,31 @@ function enable_change()
</tr>
<tr>
<td colspan="6" valign="center" class="listn">
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <table width="100%" border="0" cellpadding="2" cellspacing="2">
<tr>
<td width="15%" class="listn"><?php echo gettext("Resolve Flowbits"); ?></td>
- <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on" <?php if ($a_nat[$id]['autoflowbitrules'] == "on") echo "checked"; ?>/></td>
+ <td width="85%"><input name="autoflowbits" id="autoflowbitrules" type="checkbox" value="on"
+ <?php if ($a_nat[$id]['autoflowbitrules'] == "on" || empty($a_nat[$id]['autoflowbitrules'])) echo "checked"; ?>/>
+ &nbsp;&nbsp;<span class="vexpl"><?php echo gettext("If checked, Snort will auto-enable rules required for checked flowbits. ");
+ echo gettext("The Default is "); ?><strong><?php echo gettext("Checked."); ?></strong></span></td>
</tr>
<tr>
<td width="15%" class="vncell">&nbsp;</td>
<td width="85%" class="vtable">
- <?php echo gettext("If ticked, Snort will examine the enabled rules in your chosen " .
+ <?php echo gettext("Snort will examine the enabled rules in your chosen " .
"rule categories for checked flowbits. Any rules that set these dependent flowbits will " .
- "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/><br/></td>
+ "be automatically enabled and added to the list of files in the interface rules directory."); ?><br/></td>
</tr>
<tr>
<td width="15%" class="listn"><?php echo gettext("Auto Flowbit Rules"); ?></td>
- <td width="85%"><input type="button" class="formbtn" value="View" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>')" <?php echo $btn_view_flowb_rules; ?>/></td>
+ <td width="85%"><input type="button" class="formbtn" value="View" onclick="popup('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$flowbit_rules_file;?>')" <?php echo $btn_view_flowb_rules; ?>/>
+ &nbsp;&nbsp;<span class="vexpl"><?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit dependencies"); ?></span></td>
</tr>
<tr>
<td width="15%">&nbsp;</td>
<td width="85%">
- <?php echo gettext("Click to view auto-enabled rules required to satisfy flowbit " .
- "dependencies from the selected rule categories below. Auto-enabled rules generating unwanted alerts " .
- "should have their GID:SID added to the Suppression List for the interface."); ?><br/><br/></td>
+ <?php printf(gettext("%sNote: %sAuto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."), '<span class="red"><strong>', '</strong></span>'); ?>
+ <br/></td>
</tr>
</table>
</td>
@@ -289,20 +319,20 @@ function enable_change()
</tr>
<tr>
<td colspan="6" valign="center" class="listn">
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <table width="100%" border="0" cellpadding="2" cellspacing="2">
<tr>
<td width="15%" class="listn"><?php echo gettext("Use IPS Policy"); ?></td>
<td width="85%"><input name="ips_policy_enable" id="ips_policy_enable" type="checkbox" value="on" <?php if ($a_nat[$id]['ips_policy_enable'] == "on") echo "checked"; ?>
- <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/></td>
+ <?php if ($snortdownload == "off") echo "disabled" ?> onClick="enable_change()"/>&nbsp;&nbsp;<span class="vexpl">
+ <?php echo gettext("If checked, Snort will use rules from the pre-defined IPS policy selected below."); ?></span></td>
</tr>
<tr>
<td width="15%" class="vncell">&nbsp;</td>
<td width="85%" class="vtable">
- <?php echo gettext("If ticked, Snort will use rules from the pre-defined IPS policy " .
- "selected below. You must be using the Snort VRT rules to use this option."); ?><br/>
+ <?php printf(gettext("%sNote:%s You must be using the Snort VRT rules to use this option."),'<span class="red"><strong>','</strong></span>'); ?>
<?php echo gettext("Selecting this option disables manual selection of Snort VRT categories in the list below, " .
"although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " .
- "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br><br/></td>
+ "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?><br/></td>
</tr>
<tr>
<td width="15%" class="listn"><?php echo gettext("IPS Policy"); ?></td>
@@ -311,15 +341,16 @@ function enable_change()
<option value="balanced" <?php if ($pconfig['ips_policy'] == "balanced") echo "selected"; ?>><?php echo gettext("Balanced"); ?></option>
<option value="security" <?php if ($pconfig['ips_policy'] == "security") echo "selected"; ?>><?php echo gettext("Security"); ?></option>
</select>
- </td>
+ &nbsp;&nbsp;<span class="vexpl"><?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security."); ?></span></td>
</tr>
<tr>
<td width="15%">&nbsp;</td>
<td width="85%">
- <?php echo gettext("Snort IPS policies are: Connectivity, Balanced or Security. " .
- "Connectivity blocks most major threats with few or no false positives. Balanced is a good starter policy. It " .
- "is speedy, has good base coverage level, and covers most threats of the day. It includes all rules in Connectivity. " .
- "Security is a stringent policy. It contains everything in the first two plus policy-type rules such as Flash in an Excel file."); ?><br/><br/></td>
+ <?php echo gettext("Connectivity blocks most major threats with few or no false positives. " .
+ "Balanced is a good starter policy. It is speedy, has good base coverage level, and covers " .
+ "most threats of the day. It includes all rules in Connectivity." .
+ "Security is a stringent policy. It contains everything in the first two " .
+ "plus policy-type rules such as Flash in an Excel file."); ?><br/></td>
</tr>
</table>
</td>
@@ -327,27 +358,75 @@ function enable_change()
<tr>
<td colspan="6" class="listtopic"><?php echo gettext("Check the rulesets that you would like Snort to load at startup."); ?><br/></td>
</tr>
+ <tr> <td colspan="6">&nbsp;</td> </tr>
<tr>
- <td colspan="1" align="middle" valign="center"><br/><input value="Select All" type="submit" name="selectall" id="selectall" /><br/></td>
- <td colspan="1" align="middle" valign="center"><br/><input value="Unselect All" type="submit" name="unselectall" id="selectall" /><br/></td>
- <td colspan="1" align="middle" valign="center"><br/><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td>
- <td colspan="3" valign="center"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?><br/></td>
+ <td colspan="6">
+ <table width=100% border="0" cellpadding="2" cellspacing="2">
+ <tr>
+ <td valign="middle"><input value="Select All" type="submit" name="selectall" id="selectall" /></td>
+ <td valign="middle"><input value="Unselect All" type="submit" name="unselectall" id="selectall" /></td>
+ <td valign="middle"><input value="Save" class="formbtn" type="submit" name="Submit" id="Submit" /></td>
+ <td valign="middle"><span class="vexpl"><?php echo gettext("Click to save changes and auto-resolve flowbit rules (if option is selected above)"); ?></span></td>
+ </tr>
+ </table>
</tr>
- <tr> <td colspan="6">&nbsp;</td> </tr>
+ <tr>
+ <td colspan="6">&nbsp;</td>
+ </tr>
+
+ <?php if ($no_community_files)
+ $msg_community = "NOTE: Snort Community Rules have not been downloaded. Perform a Rules Update to enable them.";
+ else
+ $msg_community = "Snort GPLv2 Community Rules (VRT certified)";
+ ?>
+ <?php if ($snortcommunitydownload == 'on'): ?>
+ <tr id="frheader">
+ <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
+ <td colspan="5" class="listhdrr"><?php echo gettext('Ruleset: Snort GPLv2 Community Rules');?></td>
+ </tr>
+ <?php if (in_array("GPLv2_community.rules", $enabled_rulesets_array)): ?>
+ <tr>
+ <td width="5" class="listr" align="center" valign="top">
+ <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" checked="checked"/></td>
+ <td colspan="5" class="listr"><a href='snort_rules.php?id=<?=$id;?>&openruleset=GPLv2_community.rules'><?php echo gettext("{$msg_community}"); ?></a></td>
+ </tr>
+ <?php else: ?>
+ <tr>
+ <td width="5" class="listr" align="center" valign="top">
+ <input type="checkbox" name="toenable[]" value="GPLv2_community.rules" <?php if ($snortcommunitydownload == 'off') echo "disabled"; ?>/></td>
+ <td colspan="5" class="listr"><?php echo gettext("{$msg_community}"); ?></td>
+ </tr>
+
+ <?php endif; ?>
+ <?php else: ?>
+ <tr>
+ <td colspan="6">&nbsp;</td>
+ </tr>
+ <?php endif; ?>
+
+ <?php if ($no_emerging_files)
+ $msg_emerging = "downloaded.";
+ else
+ $msg_emerging = "enabled.";
+ if ($no_snort_files)
+ $msg_snort = "downloaded.";
+ else
+ $msg_snort = "enabled.";
+ ?>
<tr id="frheader">
- <?php if ($emergingdownload == 'on'): ?>
- <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
+ <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?>
+ <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
<td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td>
<?php else: ?>
- <td colspan="2" width="30%" class="listhdrr"><?php echo gettext("Emerging rules have not been enabled"); ?></td>
+ <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td>
<?php endif; ?>
- <?php if ($snortdownload == 'on'): ?>
- <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
- <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort');?></td>
- <td width="5%" class="listhdrr"><?php echo gettext("Enabled"); ?></td>
- <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO');?></td>
+ <?php if ($snortdownload == 'on' && !$no_snort_files): ?>
+ <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
+ <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort Text Rules');?></td>
+ <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td>
+ <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Snort SO Rules');?></td>
<?php else: ?>
- <td colspan="2" width="60%" class="listhdrr"><?php echo gettext("Snort rules have not been enabled"); ?></td>
+ <td colspan="4" align="center" width="60%" class="listhdrr"><?php echo gettext("Snort VRT rules have not been {$msg_snort}"); ?></td>
<?php endif; ?>
</tr>
<?php