Diffstat (limited to 'config/snort-dev/snort.inc')
-rw-r--r--config/snort-dev/snort.inc2706
1 files changed, 2706 insertions, 0 deletions
diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc
new file mode 100644
index 00000000..3a1df760
--- /dev/null
+++ b/config/snort-dev/snort.inc
@@ -0,0 +1,2706 @@
+<?php
+/*
+ snort.inc
+ Copyright (C) 2006 Scott Ullrich
+ Copyright (C) 2009-2010 Robert Zelaya
+ Copyright (C) 2011 Ermal Luci
+ part of pfSense
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("pfsense-utils.inc");
+require_once("config.inc");
+require_once("functions.inc");
+
+// Needed on 2.0 because of filter_get_vpns_list()
+require_once("filter.inc");
+
+/* package version */
+$snort_package_version = 'Snort-dev 2.9.2.3 pkg v. 3.0';
+$snort_rules_file = "snortrules-snapshot-2922.tar.gz";
+
+/* Allow additional execution time 0 = no limit. */
+ini_set('max_execution_time', '9999');
+ini_set('max_input_time', '9999');
+
+/* define oinkid */
+if ($config['installedpackages']['snortglobal'])
+ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode'];
+else
+ $config['installedpackages']['snortglobal'] = array();
+
+/* find out if were in 1.2.3-RELEASE */
+if (intval($config['version']) > 6)
+ $snort_pfsense_basever = 'no';
+else
+ $snort_pfsense_basever = 'yes';
+
+/* find out what arch where in x86 , x64 */
+global $snort_arch;
+$snort_arch = 'x86';
+$snort_arch_ck = php_uname("m");
+if ($snort_arch_ck == 'i386')
+ $snort_arch = 'x86';
+else if ($snort_arch_ck == "amd64")
+ $snort_arch = 'x64';
+else
+ $snort_arch = "Unknown";
+
+/* tell me my theme */
+$pfsense_theme_is = $config['theme'];
+
+/* func builds custom white lists */
+function find_whitelist_key($find_wlist_number) {
+ global $config, $g;
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']))
+ $config['installedpackages']['snortglobal']['whitelist'] = array();
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ return 0; /* XXX */
+
+ foreach ($config['installedpackages']['snortglobal']['whitelist']['item'] as $w_key => $value) {
+ if ($value['name'] == $find_wlist_number)
+ return $w_key;
+ }
+}
+
+/* func builds custom suppress lists */
+function find_suppress_key($find_slist_number) {
+ global $config, $g;
+
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']))
+ $config['installedpackages']['snortglobal']['suppress'] = array();
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
+ return 0; /* XXX */
+
+ foreach ($config['installedpackages']['snortglobal']['suppress']['item'] as $s_key => $value) {
+ if ($value['name'] == $find_slist_number)
+ return $s_key;
+ }
+}
+
+function snort_find_interface_ipv6($interface, $flush = false)
+{
+ global $interface_ipv6_arr_cache;
+ global $interface_snv6_arr_cache;
+ global $config;
+
+ $interface = trim($interface);
+ $interface = get_real_interface($interface);
+
+ if (!does_interface_exist($interface))
+ return;
+
+ /* Setup IP cache */
+ if (!isset($interface_ipv6_arr_cache[$interface]) or $flush) {
+ $ifinfo = pfSense_get_interface_addresses($interface);
+ // FIXME: Add IPv6 support to the pfSense module
+ exec("/sbin/ifconfig {$interface} inet6", $output);
+ foreach($output as $line) {
+ if(preg_match("/inet6/", $line)) {
+ $parts = explode(" ", $line);
+ if(preg_match("/fe80::/", $parts[1])) {
+ $ifinfo['ipaddrv6'] = $parts[1];
+ if($parts[2] == "-->") {
+ $parts[5] = "126";
+ $ifinfo['subnetbitsv6'] = $parts[5];
+ } else {
+ $ifinfo['subnetbitsv6'] = $parts[3];
+ }
+ }
+ }
+ }
+ $interface_ipv6_arr_cache[$interface] = $ifinfo['ipaddrv6'];
+ $interface_snv6_arr_cache[$interface] = $ifinfo['subnetbitsv6'];
+ }
+
+ return $interface_ipv6_arr_cache[$interface];
+}
+
+function snort_get_interface_ipv6($interface = "wan")
+{
+ global $config;
+ $realif = get_failover_interface($interface);
+ switch($config['interfaces'][$interface]['ipaddrv6']) {
+ case "6rd":
+ case "6to4":
+ $realif = "stf0";
+ break;
+ }
+ if (!$realif) {
+ if (preg_match("/^carp/i", $interface))
+ $realif = $interface;
+ else if (preg_match("/^[a-z0-9]+_vip/i", $interface))
+ $realif = $interface;
+ else
+ return null;
+ }
+
+ $curip = snort_find_interface_ipv6($realif);
+
+ if (strstr($curip, '%', TRUE)) {
+ $curip = strstr($curip, '%', TRUE);
+ }else if (is_ipaddrv6($curip)){
+ $curip = $curip;
+ }
+
+ if ($curip && is_ipaddrv6($curip) && ($curip != "::"))
+ return $curip;
+ else
+ return null;
+}
+
+/* func builds custom whitelests */
+function build_base_whitelist($build_netlist, $wanip, $wangw, $wandns, $vips, $vpns, $userwips) {
+ global $config, $g, $snort_pfsense_basever;
+
+ // build an interface array list
+ $int_array = get_configured_interface_list();
+
+ /* calculate ipv4 interface subnet information */
+ $home_net = '';
+ $snort_calc_iface_subnet_list = function($int) use(&$home_net) {
+
+ $subnet = get_interface_ip($int);
+ $sn = get_interface_subnet($int);
+ $subnet_v6 = snort_get_interface_ipv6($int);
+ $sn_v6 = get_interface_subnetv6($int);
+
+ if (is_ipaddr($subnet) && !empty($subnet)) {
+ $home_net .= "{$subnet}/{$sn},";
+ }
+
+ if (is_ipaddr($subnet_v6) && !empty($subnet_v6)) {
+ $home_net .= "{$subnet_v6}/{$sn_v6},";
+ }
+
+ };
+
+ /* Add Gateway on WAN interface to whitelist (For RRD graphs) */
+ $snort_calc_gateway_list = function($int) use (&$home_net) {
+
+ $gw = get_interface_gateway($int);
+ $sn = get_interface_subnet($int);
+ $gw_v6 = get_interface_gateway_v6($int);
+ $sn_v6 = get_interface_subnetv6($int);
+
+
+ if(!empty($gw) && is_ipaddr($gw)) {
+ $home_net .= "{$gw}/{$sn},";
+ }
+
+ if(!empty($gw_v6) && is_ipaddr($gw_v6)) {
+ $home_net .= "{$gw_v6}/{$sn_v6},";
+ }
+
+ };
+
+ // iterate through interface list and write out whitelist items and also compile a home_net list for snort.
+ foreach ($int_array as $int) {
+
+ if (!empty($int)) {
+ $snort_calc_iface_subnet_list($int);
+
+ if ($wangw == 'yes')
+ $snort_calc_gateway_list($int);
+
+ }
+
+ }
+
+ /*
+ * Add DNS server for WAN interface to whitelist
+ *
+ * NOTE: does this get ipv6 ips
+ */
+ $snort_dns_list = function() use(&$home_net) {
+
+ $dns_servers = get_dns_servers();
+ foreach ($dns_servers as $dns) {
+ if(!empty($dns) && is_ipaddr($dns)) {
+ $home_net .= "{$dns},";
+ }
+ }
+
+ };
+
+ if($wandns == 'yes') {
+ $snort_dns_list();
+ }
+
+ /*
+ * iterate all vips and add to whitelist
+ * NOTE: does this get ipv6 ips
+ *
+ */
+ $snort_vips_list = function() use(&$home_net, &$config) {
+
+ if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) {
+ foreach($config['virtualip']['vip'] as $vip)
+ if(!empty($vip['subnet']))
+ $home_net .= "{$vip['subnet']},";
+ }
+
+ };
+
+ if($vips == 'yes') {
+ $snort_vips_list();
+ }
+
+ /*
+ * grab a list of vpns and whitelist if user desires added by nestorfish 954
+ *
+ * NOTE: does this get ipv6 ips
+ */
+ $snort_vpns_list = function() use(&$home_net, &$config) {
+ $vpns_list = filter_get_vpns_list();
+
+ if (!empty($vpns_list)) {
+ // convert spaces to , returns
+ $vpns_list = str_replace(' ', ",", $vpns_list);
+ $vpns_list = str_replace(' ', ",", $vpns_list);
+
+ $home_net .= "{$vpns_list},";
+ }
+
+ };
+
+ if ($vpns == 'yes') {
+ $snort_vpns_list();
+ }
+
+ $snort_userwips_list = function() use(&$home_net, &$userwips, &$config) {
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ $config['installedpackages']['snortglobal']['whitelist']['item'] = array();
+
+ $home_net .= $config['installedpackages']['snortglobal']['whitelist']['item'][$userwips]['address'] . ',';
+
+ };
+
+ if ($userwips > -1) {
+ $snort_userwips_list();
+ }
+
+ // add loopback iface
+ $home_net .= '127.0.0.1,';
+ $home_net .= '::1,';
+
+ /*
+ * makes sure there is no duplicates
+ * splits $home_net to (ipv6 ip), (ipv6 cidr), (ipv4 ip), (ipv4 cidr)
+ */
+ $snort_clean_home_net = function() use(&$home_net) {
+
+ $home_net = trim($home_net);
+ $home_net = explode(',', $home_net);
+ $net_ipv4_cidr = array();
+ $net_ipv4 = array();
+ $net_ipv6_cidr = array();
+ $net_ipv6 = array();
+
+ // split into 4 arrays
+ foreach ($home_net as $net_ip) {
+
+ if (preg_match("/\./", $net_ip)) {
+ if (preg_match("/\//", $net_ip)) {
+ if (!in_array($net_ip, $net_ipv4_cidr))
+ array_push($net_ipv4_cidr, $net_ip);
+ }else{
+ if (!in_array($net_ip, $net_ipv4))
+ array_push($net_ipv4, $net_ip);
+ }
+ }
+
+ if (preg_match("/:/", $net_ip)) {
+ if (preg_match("/\//", $net_ip)) {
+ if (!in_array($net_ip, $net_ipv6_cidr))
+ array_push($net_ipv6_cidr, $net_ip);
+ }else{
+ if (!in_array($net_ip, $net_ipv6))
+ array_push($net_ipv6, $net_ip);
+ }
+ }
+ } // end foreach
+
+ // TODO: make sure that ips are not in cidr
+
+ $home_net = '';
+ foreach ($net_ipv4_cidr as $net_ipv4_cidr_ip) {
+ if (!empty($net_ipv4_cidr_ip))
+ $home_net .= $net_ipv4_cidr_ip . ',';
+ }
+ foreach ($net_ipv4 as $net_ipv4_ip) {
+ if (!empty($net_ipv4_ip))
+ $home_net .= $net_ipv4_ip . ',';
+ }
+ foreach ($net_ipv6_cidr as $net_ipv6_cidr_ip) {
+ if (!empty($net_ipv6_cidr_ip))
+ $home_net .= $net_ipv6_cidr_ip . ',';
+ }
+ foreach ($net_ipv6 as $net_ipv6_ip) {
+ if (!empty($net_ipv6_ip))
+ $home_net .= $net_ipv6_ip . ',';
+ }
+
+ // remove , if its the last char
+ if($home_net[strlen($home_net)-1] === ',') {
+ $home_net = substr_replace($home_net, '', -1);
+ }
+
+ };
+
+ $snort_clean_home_net();
+
+ return $home_net;
+
+} // end func builds custom whitelests
+
+
+/* checks to see if snort is running yes/no and stop/start */
+function snortRunningChk($type, $snort_uuid, $if_real) {
+ global $config;
+
+ if ($type === 'snort') {
+ $snort_pgrep_chk = exec("/bin/pgrep -f 'snort.*R {$snort_uuid}'");
+ }
+
+ if ($type === 'barnyard2') {
+ $snort_pgrep_chk = exec("/bin/pgrep -f 'barnyard2.*{$snort_uuid}_{$if_real}'");
+ }
+
+ if (!empty($snort_pgrep_chk)) {
+ return $snort_pgrep_chk;
+ }
+
+ return NULL;
+
+}
+
+function Running_Stop($snort_uuid, $if_real, $id) {
+ global $config, $g;
+
+ // if snort.sh crashed this will remove the pid
+ @unlink("{$g['tmp_path']}/snort.sh.pid");
+
+ // wait until snort stops
+ $snort_WaitForStop = function ($type) use (&$snort_uuid, &$if_real) {
+
+ $snort_pgrep_chk = snortRunningChk($type, $snort_uuid, $if_real);
+
+ if (!empty($snort_pgrep_chk)){
+ exec("/usr/bin/touch /tmp/snort_{$if_real}{$snort_uuid}.stoplck");
+ }
+
+ $i = 0;
+ while(file_exists("/tmp/snort_{$if_real}{$snort_uuid}.stoplck") || file_exists("/var/log/snort/run/{$type}_{$if_real}{$snort_uuid}.pid")) {
+ $i++;
+ exec("/usr/bin/logger -p daemon.info -i -t SnortStop '{$type} Stop count...{$i}'");
+
+ $snort_pgrep_chk = snortRunningChk($type, $snort_uuid, $if_real);
+
+ if (empty($snort_pgrep_chk)){
+ @exec("/bin/rm /tmp/snort_{$if_real}{$snort_uuid}.stoplck");
+ }
+
+ sleep(2);
+
+ }
+ };
+
+ if (isvalidpid("/var/log/snort/run/snort_{$if_real}{$snort_uuid}.pid")) {
+
+ // send kill cmd
+ killbypid("/var/log/snort/run/snort_{$if_real}{$snort_uuid}.pid");
+ exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}.pid.lck");
+
+ // wait until snort stops
+ $snort_WaitForStop('snort');
+
+ }
+
+ if (isvalidpid("/var/log/snort/run/barnyard2_{$if_real}{$snort_uuid}.pid")) {
+
+ // send kill cmd
+ killbypid("/var/log/snort/run/barnyard2_{$if_real}{$snort_uuid}.pid");
+ exec("/bin/rm /var/log/snort/run/barnyard2_{$snort_uuid}_{$if_real}.pid.lck");
+
+ // wait until barnyard2 stops
+ $snort_WaitForStop('barnyard2');
+
+ }
+
+ // TODO: Add a GUI option that lets the user keep full logs
+ /*
+ @exec("/bin/rm /var/log/snort/run/snort_{$if_real}{$snort_uuid}*");
+ @exec("/bin/rm /var/log/snort/{$snort_uuid}_{$if_real}/snort.u1*");
+ @exec("/bin/rm /var/log/snort/{$snort_uuid}_{$if_real}/snort.u2*");
+
+ @exec("/bin/rm /var/log/snort/run/barnyard2_{$snort_uuid}_{$if_real}*");
+ @exec("/bin/rm /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}/snort.u1*");
+ @exec("/bin/rm /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}/snort.u2*");
+ */
+
+ // Log Iface stop
+ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule STOP for {$snort_uuid}_{$if_real}...'");
+}
+
+function Running_Start($snort_uuid, $if_real, $id) {
+ global $config;
+
+ /* if snort.sh crashed this will remove the pid */
+ @unlink("{$g['tmp_path']}/snort.sh.pid");
+
+ // wait until snort starts
+ $snort_WaitForStart = function ($type) use (&$snort_uuid, &$if_real) {
+
+ // calls to see if snort or barnyard is running
+ $snort_pgrep_chk = snortRunningChk($type, $snort_uuid, $if_real);
+
+ if (empty($snort_pgrep_chk)){
+ exec("/usr/bin/touch /tmp/snort_{$if_real}{$snort_uuid}.startlck");
+ }
+
+ $i = 0;
+ while(file_exists("/tmp/snort_{$if_real}{$snort_uuid}.startlck") || !file_exists("/var/log/snort/run/{$type}_{$if_real}{$snort_uuid}.pid")) {
+
+ $i++;
+ exec("/usr/bin/logger -p daemon.info -i -t SnortStart 'Snort Start count...{$i}'");
+
+ $snort_pgrep_chk = snortRunningChk($type, $snort_uuid, $if_real);
+
+ // stop if snort error is in syslogd
+ $snort_error_chk = exec("/usr/bin/grep -e 'snort.*{$snort_pgrep_chk}.*FATAL.*ERROR.*' /var/log/system.log");
+ if(!empty($snort_error_chk)) {
+ break;
+ }
+
+ if (!empty($snort_pgrep_chk)){
+ @exec("/bin/rm /tmp/snort_{$if_real}{$snort_uuid}.startlck");
+ }
+ sleep(2);
+ }
+ };
+
+ // only start if iface is on or iface is not running
+ $snort_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['enable'];
+ $snortRunningChkPreStart = snortRunningChk($id, $snort_uuid, $if_real);
+ if ($snort_info_chk === 'on' && empty($snortRunningChkPreStart)) {
+
+ // start snort cmd
+ exec("/usr/local/bin/snort -R \"{$snort_uuid}\" -D -q -l /var/log/snort/{$snort_uuid}_{$if_real} --pid-path /var/log/snort/run -G {$snort_uuid} -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+
+ // wait until snort starts
+ $snort_WaitForStart('snort');
+
+ }else{
+ return;
+ }
+
+ // define snortbarnyardlog_chk
+ $snortbarnyardlog_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_enable'];
+ if ($snortbarnyardlog_info_chk == 'on') {
+
+ // start barnyard2 cmd
+ exec("/usr/local/bin/barnyard2 -f \"snort.u2\" --pid-path /var/log/snort/run -c /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/{$snort_uuid}_{$if_real} -D -q");
+
+ // wait until snort starts
+ $snort_WaitForStart('barnyard2');
+
+ }
+
+ /* Log Iface stop */
+ exec("/usr/bin/logger -p daemon.info -i -t SnortStartup 'Interface Rule START for {$id}_{$snort_uuid}_{$if_real}...'");
+}
+
+function snort_get_friendly_interface($interface) {
+
+ if (function_exists('convert_friendly_interface_to_friendly_descr'))
+ $iface = convert_friendly_interface_to_friendly_descr($interface);
+ else {
+ if (!$interface || ($interface == "wan"))
+ $iface = "WAN";
+ else if(strtolower($interface) == "lan")
+ $iface = "LAN";
+ else if(strtolower($interface) == "pppoe")
+ $iface = "PPPoE";
+ else if(strtolower($interface) == "pptp")
+ $iface = "PPTP";
+ else
+ $iface = strtoupper($interface);
+ }
+
+ return $iface;
+}
+
+/* get the real iface name of wan */
+function snort_get_real_interface($interface) {
+ global $config;
+
+ $lc_interface = strtolower($interface);
+ if (function_exists('get_real_interface'))
+ return get_real_interface($lc_interface);
+ else {
+ if ($lc_interface == "lan") {
+ if ($config['inerfaces']['lan'])
+ return $config['interfaces']['lan']['if'];
+ return $interface;
+ }
+ if ($lc_interface == "wan")
+ return $config['interfaces']['wan']['if'];
+ $ifdescrs = array();
+ for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) {
+ $ifname = "opt{$j}";
+ if(strtolower($ifname) == $lc_interface)
+ return $config['interfaces'][$ifname]['if'];
+ if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface))
+ return $config['interfaces'][$ifname]['if'];
+ }
+ }
+
+ return $interface;
+}
+
+/*
+ this code block is for deleteing logs while keeping the newest file,
+ snort is linked to these files while running, do not take the easy way out
+ by touch and rm, snort will lose sync and not log.
+
+ this code needs to be watched.
+ */
+
+/* list dir files */
+function snort_file_list($snort_log_dir, $snort_log_file)
+{
+ $dir = opendir ("$snort_log_dir");
+ while (false !== ($file = readdir($dir))) {
+ if (strpos($file, "$snort_log_file",1) )
+ $file_list[] = basename($file);
+ }
+ return $file_list;
+}
+
+/* snort dir files */
+function snort_file_sort($snort_file1, $snort_file2)
+{
+ if ($snort_file1 == $snort_file2)
+ return 0;
+
+ return ($snort_file1 < $snort_file2); // ? -1 : 1; // this flips the array
+}
+
+/* build files newest first array */
+function snort_build_order($snort_list)
+{
+ foreach ($snort_list as $value_list)
+ $list_order[] = $value_list;
+
+ return $list_order;
+}
+
+/* keep the newest remove the rest */
+function snort_remove_files($snort_list_rm, $snort_file_safe)
+{
+ foreach ($snort_list_rm as $value_list) {
+ if ($value_list != $snort_file_safe)
+ @unlink("/var/log/snort/$value_list");
+ else
+ file_put_contents("/var/log/snort/$snort_file_safe", "");
+ }
+}
+
+/*
+ * TODO:
+ * This is called by snort_alerts.php.
+ *
+ * This func needs to be made to only clear one interface rule log
+ * at a time.
+ *
+ */
+function post_delete_logs()
+{
+ global $config, $g;
+
+ /* do not start config build if rules is empty */
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ $snort_log_dir = '/var/log/snort';
+
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $value) {
+ $result_lan = $value['interface'];
+ $if_real = snort_get_real_interface($result_lan);
+ $snort_uuid = $value['uuid'];
+
+ if ($if_real != '' && $snort_uuid != '') {
+ if ($value['snortunifiedlog'] == 'on') {
+ $snort_log_file_u2 = "snort.u2.";
+ $snort_list_u2 = snort_file_list($snort_log_dir, $snort_log_file_u2);
+ if (is_array($snort_list_u2)) {
+ usort($snort_list_u2, "snort_file_sort");
+ $snort_u2_rm_list = snort_build_order($snort_list_u2);
+ snort_remove_files($snort_u2_rm_list, $snort_u2_rm_list[0]);
+ }
+ } else
+ exec("/bin/rm $snort_log_dir/{$snort_uuid}_{$if_real}/snort.u2*");
+
+ if ($value['tcpdumplog'] == 'on') {
+ $snort_log_file_tcpd = "snort.tcpdump.";
+ $snort_list_tcpd = snort_file_list($snort_log_dir, $snort_log_file_tcpd);
+ if (is_array($snort_list_tcpd)) {
+ usort($snort_list_tcpd, "snort_file_sort");
+ $snort_tcpd_rm_list = snort_build_order($snort_list_tcpd);
+ snort_remove_files($snort_tcpd_rm_list, $snort_tcpd_rm_list[0]);
+ }
+ } else {
+ exec("/bin/rm $snort_log_dir/{$snort_uuid}_{$if_real}/snort.tcpdump*");
+
+ if ($value['perform_stat'] == 'on')
+ @file_put_contents("$snort_log_dirt/{$snort_uuid}_{$if_real}/snort.stats", "");
+ }
+ }
+ } // end foreach
+}
+
+function snort_postinstall()
+{
+ global $config, $g, $snort_pfsense_basever, $snort_arch;
+
+ /* snort -> advanced features */
+ if (is_array($config['installedpackages']['snortglobal'])) {
+ $bpfbufsize = $config['installedpackages']['snortglobal']['bpfbufsize'];
+ $bpfmaxbufsize = $config['installedpackages']['snortglobal']['bpfmaxbufsize'];
+ $bpfmaxinsns = $config['installedpackages']['snortglobal']['bpfmaxinsns'];
+ }
+
+ /* cleanup default files */
+ @rename('/usr/local/etc/snort/snort.conf-sample', '/usr/local/etc/snort/snort.conf');
+ @rename('/usr/local/etc/snort/threshold.conf-sample', '/usr/local/etc/snort/threshold.conf');
+ @rename('/usr/local/etc/snort/sid-msg.map-sample', '/usr/local/etc/snort/sid-msg.map');
+ @rename('/usr/local/etc/snort/unicode.map-sample', '/usr/local/etc/snort/unicode.map');
+ @rename('/usr/local/etc/snort/classification.config-sample', '/usr/local/etc/snort/classification.config');
+ @rename('/usr/local/etc/snort/generators-sample', '/usr/local/etc/snort/generators');
+ @rename('/usr/local/etc/snort/reference.config-sample', '/usr/local/etc/snort/reference.config');
+ @rename('/usr/local/etc/snort/gen-msg.map-sample', '/usr/local/etc/snort/gen-msg.map');
+ @unlink('/usr/local/etc/snort/sid');
+ @unlink('/usr/local/etc/rc.d/snort');
+ @unlink('/usr/local/etc/rc.d/bardyard2');
+
+ /* remove example files */
+ if (file_exists('/usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so.0'))
+ exec('/bin/rm /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example*');
+
+ if (file_exists('/usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so'))
+ exec('/bin/rm /usr/local/lib/snort/dynamicpreprocessor/lib_sfdynamic_preprocessor_example*');
+
+ /* create a few directories and ensure the sample files are in place */
+ if (!is_dir('/usr/local/etc/snort'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/custom_rules');
+ if (!is_dir('/usr/local/etc/snort/whitelist'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/whitelist/');
+ /* NOTE: the diff between the if check and the exec() extra run is by design */
+ if (!is_dir('/var/log/snort'))
+ exec('/bin/mkdir -p /var/log/snort/run');
+ else
+ exec('/bin/rm -r /var/log/snort/*; /bin/mkdir -p /var/log/snort/run');
+
+ if (!is_dir('/var/log/snort/barnyard2'))
+ exec('/bin/mkdir -p /var/log/snort/barnyard2');
+ if (!is_dir('/usr/local/lib/snort/dynamicrules/'))
+ exec('/bin/mkdir -p /usr/local/lib/snort/dynamicrules/');
+ if (!file_exists('/var/db/whitelist'))
+ touch('/var/db/whitelist');
+
+ /* XXX: These are needed if you run snort as snort user
+ mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
+ mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
+ mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
+ */
+ /* important */
+ mwexec('/bin/chmod 660 /var/db/whitelist', true);
+ mwexec('/bin/chmod -R 660 /usr/local/etc/snort/*', true);
+ mwexec('/bin/chmod -R 660 /tmp/snort*', true);
+ mwexec('/bin/chmod -R 660 /var/run/snort*', true);
+ mwexec('/bin/chmod -R 660 /var/snort/run/*', true);
+ mwexec('/bin/chmod 770 /usr/local/lib/snort', true);
+ mwexec('/bin/chmod 770 /usr/local/etc/snort', true);
+ mwexec('/bin/chmod 770 /usr/local/etc/whitelist', true);
+ mwexec('/bin/chmod 770 /var/log/snort', true);
+ mwexec('/bin/chmod 770 /var/log/snort/run', true);
+ mwexec('/bin/chmod 770 /var/log/snort/barnyard2', true);
+
+ /* move files around, make it look clean */
+ mwexec('/bin/mkdir -p /usr/local/www/snort/css');
+ mwexec('/bin/mkdir -p /usr/local/www/snort/images');
+
+ chdir ("/usr/local/www/snort/css/");
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/css/style.css');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/css/sexybuttons.css');
+ chdir("/usr/local/www/snort/images/");
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/alert.jpg');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/down2.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-asc.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon-table-sort-desc.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/up2.gif');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/logo.jpg');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/icon_excli.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/arrow_down.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/awesome-overlay-sprite.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/logo22.png');
+ exec('/usr/bin/fetch http://www.pfsense.com/packages/config/snort-dev/images/page_white_text.png');
+
+ /* remake saved settings */
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] == 'on') {
+ update_status(gettext("Saved settings detected..."));
+ update_output_window(gettext("Please wait... rebuilding files..."));
+ sync_snort_package_config();
+ update_output_window(gettext("Finnished Rebuilding files..."));
+ }
+}
+
+function snort_Getdirsize($node) {
+ if(!is_readable($node))
+ return false;
+
+ $blah = exec( "/usr/bin/du -kd $node" );
+ return substr( $blah, 0, strpos($blah, 9) );
+}
+
+/* func for log dir size limit cron */
+function snort_snortloglimit_install_cron($should_install) {
+ global $config, $g;
+
+ if (!is_array($config['cron']['item']))
+ $config['cron']['item'] = array();
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], '/usr/local/pkg/snort/snort_check_cron_misc.inc')) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+
+ $cron_item = array();
+ $cron_item['minute'] = "*/5";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc";
+ $config['cron']['item'][] = $cron_item;
+ }
+ break;
+ case false:
+ if($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ break;
+ }
+}
+
+/* func for updating cron */
+function snort_rm_blocked_install_cron($should_install) {
+ global $config, $g;
+
+ if (!is_array($config['cron']['item']))
+ $config['cron']['item'] = array();
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], "snort2c")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+
+ $snort_rm_blocked_info_ck = $config['installedpackages']['snortglobal']['rm_blocked'];
+ if ($snort_rm_blocked_info_ck == "1h_b") {
+ $snort_rm_blocked_min = "*/5";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "3600";
+ }
+ if ($snort_rm_blocked_info_ck == "3h_b") {
+ $snort_rm_blocked_min = "*/15";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "10800";
+ }
+ if ($snort_rm_blocked_info_ck == "6h_b") {
+ $snort_rm_blocked_min = "*/30";
+ $snort_rm_blocked_hr = "*";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "21600";
+ }
+ if ($snort_rm_blocked_info_ck == "12h_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/1";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "43200";
+ }
+ if ($snort_rm_blocked_info_ck == "1d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/2";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "86400";
+ }
+ if ($snort_rm_blocked_info_ck == "4d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/8";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "345600";
+ }
+ if ($snort_rm_blocked_info_ck == "7d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "*/14";
+ $snort_rm_blocked_mday = "*";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "604800";
+ }
+ if ($snort_rm_blocked_info_ck == "28d_b") {
+ $snort_rm_blocked_min = "2";
+ $snort_rm_blocked_hr = "0";
+ $snort_rm_blocked_mday = "*/2";
+ $snort_rm_blocked_month = "*";
+ $snort_rm_blocked_wday = "*";
+ $snort_rm_blocked_expire = "2419200";
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rm_blocked_min";
+ $cron_item['hour'] = "$snort_rm_blocked_hr";
+ $cron_item['mday'] = "$snort_rm_blocked_mday";
+ $cron_item['month'] = "$snort_rm_blocked_month";
+ $cron_item['wday'] = "$snort_rm_blocked_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -t $snort_rm_blocked_expire snort2c";
+ $config['cron']['item'][] = $cron_item;
+ }
+ break;
+ case false:
+ if ($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ break;
+ }
+}
+
+/* func to install snort update */
+function snort_rules_up_install_cron($should_install) {
+ global $config, $g;
+
+ if(!$config['cron']['item'])
+ $config['cron']['item'] = array();
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], "snort_check_for_rule_updates.php")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ $snort_rules_up_info_ck = $config['installedpackages']['snortglobal']['autorulesupdate7'];
+ if ($snort_rules_up_info_ck == "6h_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "*/6";
+ $snort_rules_up_mday = "*";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "12h_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "*/12";
+ $snort_rules_up_mday = "*";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "1d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/1";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "4d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/4";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "7d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/7";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ if ($snort_rules_up_info_ck == "28d_up") {
+ $snort_rules_up_min = "3";
+ $snort_rules_up_hr = "0";
+ $snort_rules_up_mday = "*/28";
+ $snort_rules_up_month = "*";
+ $snort_rules_up_wday = "*";
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "$snort_rules_up_min";
+ $cron_item['hour'] = "$snort_rules_up_hr";
+ $cron_item['mday'] = "$snort_rules_up_mday";
+ $cron_item['month'] = "$snort_rules_up_month";
+ $cron_item['wday'] = "$snort_rules_up_wday";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log";
+ $config['cron']['item'][] = $cron_item;
+ }
+ break;
+ case false:
+ if($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ break;
+ }
+}
+
+/* Only run when all ifaces needed to sync. Expects filesystem rw */
+function sync_snort_package_config()
+{
+ global $config, $g;
+
+ /* RedDevil suggested code */
+ /* TODO: more testing needs to be done */
+ /* may cause voip to fail */
+ //exec("/sbin/sysctl net.bpf.bufsize=8388608");
+ //exec("/sbin/sysctl net.bpf.maxbufsize=4194304");
+ //exec("/sbin/sysctl net.bpf.maxinsns=512");
+ //exec("/sbin/sysctl net.inet.tcp.rfc1323=1");
+
+ conf_mount_rw();
+
+ /* do not start config build if rules is empty */
+ if (!is_array($config['installedpackages']['snortglobal']['rule'])) {
+ exec('/bin/rm /usr/local/etc/rc.d/snort.sh');
+ conf_mount_ro();
+ return;
+ }
+
+ foreach ($config['installedpackages']['snortglobal']['rule'] as $id => $value) {
+ $if_real = snort_get_real_interface($value['interface']);
+ $snort_uuid = $value['uuid'];
+
+ if ($if_real != '' && $snort_uuid != '') {
+
+ // only build whitelist when needed
+ if ($value['blockoffenders7'] === 'on') {
+ create_snort_whitelist($id, $if_real);
+ }
+
+ // only build threshold when needed
+ if ($value['suppresslistname'] !== 'default'){
+ create_snort_suppress($id, $if_real);
+ }
+
+ // create snort configuration file
+ create_snort_conf($id, $if_real, $snort_uuid);
+
+ // if rules exist cp rules to each iface
+ create_rules_iface($id, $if_real, $snort_uuid);
+
+ // create barnyard2 configuration file
+ if ($value['barnyard_enable'] == 'on') {
+ create_barnyard2_conf($id, $if_real, $snort_uuid);
+ }
+ }
+ }
+
+ /* create snort bootup file snort.sh only create once */
+ create_snort_sh();
+
+ /* all new files are for the user snort nologin */
+ if (!is_dir("/var/log/snort/{$snort_uuid}_{$if_real}"))
+ exec("/bin/mkdir -p /var/log/snort/{$snort_uuid}_{$if_real}");
+
+ if (!is_dir('/var/log/snort/run'))
+ exec('/bin/mkdir -p /var/log/snort/run');
+
+ if (!is_dir("/var/log/snort/barnyard2/{$snort_uuid}_{$if_real}"))
+ exec("/bin/mkdir -p /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}");
+
+ /* XXX: These are needed if snort is run as snort user
+ mwexec('/usr/sbin/chown -R snort:snort /var/log/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/etc/snort', true);
+ mwexec('/usr/sbin/chown -R snort:snort /usr/local/lib/snort', true);
+ mwexec('/usr/sbin/chown snort:snort /tmp/snort*', true);
+ mwexec('/usr/sbin/chown snort:snort /var/db/whitelist', true);
+ */
+
+ /* important */
+ mwexec('/bin/chmod 770 /var/db/whitelist', true);
+ mwexec('/bin/chmod 770 /var/run/snort*', true);
+ mwexec('/bin/chmod 770 /tmp/snort*', true);
+ mwexec('/bin/chmod -R 770 /var/log/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/lib/snort', true);
+ mwexec('/bin/chmod -R 770 /usr/local/etc/snort/', true);
+
+ conf_mount_ro();
+}
+
+/* Start of main config files */
+
+/* create threshold file */
+function create_snort_suppress($id, $if_real) {
+ global $config, $g;
+
+ /* make sure dir is there */
+ if (!is_dir('/usr/local/etc/snort/suppress'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/suppress');
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ if ($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname'] != 'default') {
+ $whitelist_key_s = find_suppress_key($config['installedpackages']['snortglobal']['rule'][$id]['suppresslistname']);
+
+ /* file name */
+ $suppress_file_name = $config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['name'];
+
+ /* Message */
+ $s_data = '# This file is auto generated by the snort package. Please do not edit this file by hand.' . "\n\n";
+
+ /* user added arguments */
+ $s_data .= str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['suppress']['item'][$whitelist_key_s]['suppresspassthru']));
+
+ /* open snort's whitelist for writing */
+ @file_put_contents("/usr/local/etc/snort/suppress/$suppress_file_name", $s_data);
+ }
+}
+
+function create_snort_whitelist($id, $if_real) {
+ global $config, $g;
+
+ /* make sure dir is there */
+ if (!is_dir('/usr/local/etc/snort/whitelist'))
+ exec('/bin/mkdir -p /usr/local/etc/snort/whitelist');
+
+ if ($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'] == 'default') {
+
+ $w_data = build_base_whitelist('whitelist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
+
+ /* open snort's whitelist for writing */
+ @file_put_contents("/usr/local/etc/snort/whitelist/defaultwlist", $w_data);
+
+ } else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'])) {
+ $whitelist_key_w = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['whitelistname']);
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item'])) {
+ return;
+ }
+
+ $whitelist = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_w];
+ $w_data = build_base_whitelist($whitelist['snortlisttype'], $whitelist['wanips'], $whitelist['wangateips'], $whitelist['wandnsips'], $whitelist['vips'], $whitelist['vpnips'], $whitelist_key_w);
+
+ // convert spaces to carriage returns
+ $w_data = str_replace(',', "\n", $w_data);
+ $w_data = str_replace(',,', "\n", $w_data);
+
+ /* open snort's whitelist for writing */
+ @file_put_contents("/usr/local/etc/snort/whitelist/" . $config['installedpackages']['snortglobal']['rule'][$id]['whitelistname'], $w_data);
+ }
+}
+
+function create_snort_homenet($id, $if_real) {
+ global $config, $g;
+
+ if ($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == 'default' || $config['installedpackages']['snortglobal']['rule'][$id]['homelistname'] == '')
+ return build_base_whitelist('netlist', 'yes', 'yes', 'yes', 'yes', 'yes', 'no');
+ else if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['homelistname'])) {
+ $whitelist_key_h = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['homelistname']);
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ return;
+
+ $build_netlist_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['snortlisttype'];
+ $wanip_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wanips'];
+ $wangw_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wangateips'];
+ $wandns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['wandnsips'];
+ $vips_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vips'];
+ $vpns_h = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_h]['vpnips'];
+
+ return build_base_whitelist($build_netlist_h, $wanip_h, $wangw_h, $wandns_h, $vips_h, $vpns_h, $whitelist_key_h);
+ }
+}
+
+function create_snort_externalnet($id, $if_real) {
+ global $config, $g;
+
+ if (!empty($config['installedpackages']['snortglobal']['rule'][$id]['externallistname'])) {
+ $whitelist_key_ex = find_whitelist_key($config['installedpackages']['snortglobal']['rule'][$id]['externallistname']);
+
+ if (!is_array($config['installedpackages']['snortglobal']['whitelist']['item']))
+ return;
+
+ $build_netlist_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['snortlisttype'];
+ $wanip_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wanips'];
+ $wangw_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wangateips'];
+ $wandns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['wandnsips'];
+ $vips_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vips'];
+ $vpns_ex = $config['installedpackages']['snortglobal']['whitelist']['item'][$whitelist_key_ex]['vpnips'];
+
+ return build_base_whitelist($build_netlist_ex, $wanip_ex, $wangw_ex, $wandns_ex, $vips_ex, $vpns_ex, $whitelist_key_ex);
+ }
+}
+
+// open snort.sh for writing
+function create_snort_sh()
+{
+ global $config, $g;
+
+ $snortconf =& $config['installedpackages']['snortglobal']['rule'];
+
+ // do not start config build if rules is empty
+ if (!is_array($snortconf) || empty($snortconf)) {
+ return;
+ }
+
+ $i = 0;
+ foreach ($snortconf as $value) {
+ $snort_uuid = $value['uuid'];
+ $result_lan = $value['interface'];
+ $if_real = snort_get_real_interface($result_lan);
+
+ $snortstart_list .= "{$snort_uuid}_{$if_real}_{$i}" . ',';
+
+ $i++;
+
+ } // end foreach
+
+ // remove , if its the last char
+ if($snortstart_list[strlen($snortstart_list)-1] === ',') {
+ $snortstart_list = substr_replace($snortstart_list, '', -1);
+ }
+
+
+$snort_sh_text = <<<EOD
+
+#!/bin/sh
+########
+# This file was automatically generated
+# by the pfSense service handler.
+# Code added to protect from double starts on pfSense bootup
+######## Begining of Main snort.sh
+
+rc_start() {
+
+if [ -f /tmp/snort.sh.pid ]; then
+ exit;
+fi
+
+/bin/echo "snort.sh run" > /tmp/snort.sh.pid
+
+
+/usr/local/bin/php -f /usr/local/pkg/snort/snort_startstop.php snortstart={$snortstart_list} &
+
+
+/bin/rm /tmp/snort.sh.pid
+
+}
+
+rc_stop() {
+
+if [ -f /tmp/snort.sh.pid ]; then
+ exit;
+fi
+
+/bin/echo "snort.sh run" > /tmp/snort.sh.pid
+
+
+/usr/local/bin/php -f /usr/local/pkg/snort/snort_startstop.php snortstop={$snortstart_list} &
+
+
+/bin/rm /tmp/snort.sh.pid
+
+}
+
+case $1 in
+ start)
+ rc_start
+ ;;
+ stop)
+ rc_stop
+ ;;
+ restart)
+ rc_start
+ ;;
+esac
+
+EOD;
+
+ // write out snort.sh
+ $bconf = fopen("/usr/local/etc/rc.d/snort.sh", "w");
+ if(!$bconf) {
+ log_error("Could not open /usr/local/etc/rc.d/snort.sh for writing.");
+ return;
+ }
+ fwrite($bconf, $snort_sh_text);
+ fclose($bconf);
+ @chmod("/usr/local/etc/rc.d/snort.sh", 0755);
+}
+
+/* if rules exist copy to new interfaces */
+function create_rules_iface($id, $if_real, $snort_uuid)
+{
+ global $config, $g;
+
+ $if_rule_dir = "/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}";
+ $folder_chk = (count(glob("{$if_rule_dir}/rules/*")) === 0) ? 'empty' : 'full';
+
+ if ($folder_chk == "empty") {
+ if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"))
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules");
+ exec("/bin/cp /usr/local/etc/snort/rules/* {$if_rule_dir}/rules");
+ if (file_exists("/usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules"))
+ exec("/bin/cp /usr/local/etc/snort/custom_rules/local_{$snort_uuid}_{$if_real}.rules {$if_rule_dir}/local_{$snort_uuid}_{$if_real}.rules");
+ }
+}
+
+/* open barnyard2.conf for writing */
+function create_barnyard2_conf($id, $if_real, $snort_uuid) {
+ global $config, $g;
+
+ if (!file_exists("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf"))
+ exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
+
+ if (!file_exists("/var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo")) {
+ mwexec("/usr/bin/touch /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo", true);
+ /* XXX: This is needed if snort is run as snort user */
+ //mwexec("/usr/sbin/chown snort:snort /var/log/snort/barnyard2/{$snort_uuid}_{$if_real}.waldo", true);
+ mwexec("/bin/chmod 770 /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo", true);
+ }
+
+ $barnyard2_conf_text = generate_barnyard2_conf($id, $if_real, $snort_uuid);
+
+ /* write out barnyard2_conf */
+ $bconf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf", "w");
+ if(!$bconf) {
+ log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf for writing.");
+ return;
+ }
+ fwrite($bconf, $barnyard2_conf_text);
+ fclose($bconf);
+}
+
+/* open barnyard2.conf for writing" */
+function generate_barnyard2_conf($id, $if_real, $snort_uuid) {
+ global $config, $g;
+
+ /* define snortbarnyardlog */
+ /* TODO: add support for the other 5 output plugins */
+
+ $snortbarnyardlog_database_info_chk = $config['installedpackages']['snortglobal']['rule'][$id]['barnyard_mysql'];
+ $snortbarnyardlog_hostname_info_chk = exec("/bin/hostname");
+ /* user add arguments */
+ $snortbarnyardlog_config_pass_thru = str_replace("\r", "", base64_decode($config['installedpackages']['snortglobal']['rule'][$id]['barnconfigpassthru']));
+
+ $barnyard2_conf_text = <<<EOD
+
+# barnyard2.conf
+# barnyard2 can be found at http://www.securixlive.com/barnyard2/index.php
+#
+# set the appropriate paths to the file(s) your Snort process is using
+
+config reference_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
+config classification_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
+config gen_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map
+config sid_file: /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map
+
+config hostname: $snortbarnyardlog_hostname_info_chk
+config interface: {$snort_uuid}_{$if_real}
+config decode_data_link
+config waldo_file: /var/log/snort/{$snort_uuid}_{$if_real}/barnyard2.waldo
+
+## START user pass through ##
+
+ {$snortbarnyardlog_config_pass_thru}
+
+## END user pass through ##
+
+# Step 2: setup the input plugins
+input unified2
+
+config logdir: /var/log/snort/{$snort_uuid}_{$if_real}
+
+# database: log to a variety of databases
+# output database: log, mysql, user=xxxx password=xxxxxx dbname=xxxx host=xxx.xxx.xxx.xxxx
+
+ $snortbarnyardlog_database_info_chk
+
+EOD;
+
+ return $barnyard2_conf_text;
+}
+
+function create_snort_conf($id, $if_real, $snort_uuid)
+{
+ global $config, $g;
+
+ if (!empty($if_real)&& !empty($snort_uuid)) {
+ if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}")) {
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
+ @touch("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf");
+ }
+
+ $snort_conf_text = generate_snort_conf($id, $if_real, $snort_uuid);
+ if (empty($snort_conf_text))
+ return;
+
+ /* write out snort.conf */
+ $conf = fopen("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf", "w");
+ if(!$conf) {
+ log_error("Could not open /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/snort.conf for writing.");
+ return -1;
+ }
+ fwrite($conf, $snort_conf_text);
+ fclose($conf);
+ }
+}
+
+function snort_deinstall() {
+ global $config, $g;
+
+ /* remove custom sysctl */
+ remove_text_from_file("/etc/sysctl.conf", "sysctl net.bpf.bufsize=20480");
+
+ /* decrease bpf buffers back to 4096, from 20480 */
+ exec('/sbin/sysctl net.bpf.bufsize=4096');
+ mwexec('/usr/bin/killall snort', true);
+ sleep(2);
+ mwexec('/usr/bin/killall -9 snort', true);
+ sleep(2);
+ mwexec('/usr/bin/killall barnyard2', true);
+ sleep(2);
+ mwexec('/usr/bin/killall -9 barnyard2', true);
+ sleep(2);
+ mwexec('/usr/sbin/pw userdel snort; /usr/sbin/pw groupdel snort', true);
+ mwexec('/bin/rm -rf /usr/local/etc/snort*; /bin/rm -rf /usr/local/pkg/snort*', true);
+ mwexec('/bin/rm -r /usr/local/bin/barnyard2', true);
+ mwexec('/bin/rm -rf /usr/local/www/snort; /bin/rm -rf /var/log/snort; /bin/rm -rf /usr/local/lib/snort', true);
+
+ /* Remove snort cron entries Ugly code needs smoothness*/
+ if (!function_exists('snort_deinstall_cron')) {
+ function snort_deinstall_cron($crontask) {
+ global $config, $g;
+
+ if(!is_array($config['cron']['item']))
+ return;
+
+ $x=0;
+ $is_installed = false;
+ foreach($config['cron']['item'] as $item) {
+ if (strstr($item['command'], $crontask)) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ if ($is_installed == true)
+ unset($config['cron']['item'][$x]);
+ }
+ }
+
+ snort_deinstall_cron("snort2c");
+ snort_deinstall_cron("snort_check_for_rule_updates.php");
+ snort_deinstall_cron("/usr/local/pkg/snort/snort_check_cron_misc.inc");
+ configure_cron();
+
+ /* Unset snort registers in conf.xml IMPORTANT snort will not start with out this */
+ /* Keep this as a last step */
+ if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on')
+ unset($config['installedpackages']['snortglobal']);
+}
+
+function generate_snort_conf($id, $if_real, $snort_uuid)
+{
+ global $config, $g, $snort_pfsense_basever;
+
+ if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ return;
+
+ $snortcfg =& $config['installedpackages']['snortglobal']['rule'][$id];
+
+ /* custom home nets */
+ $home_net = create_snort_homenet($id, $if_real);
+
+ if ($snortcfg['externallistname'] == 'default')
+ $external_net = '!$HOME_NET';
+ else
+ $external_net = create_snort_externalnet($id, $if_real);
+
+ /* obtain external interface */
+ /* XXX: make multi wan friendly */
+ $snort_ext_int = $snortcfg['interface'];
+
+ /* user added arguments */
+ $snort_config_pass_thru = str_replace("\r", "", base64_decode($snortcfg['configpassthru']));
+
+ /* create basic files */
+ if (!is_dir("/usr/local/etc/snort/snort/snort_{$snort_uuid}_{$if_real}"))
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}");
+
+ exec("/bin/cp /usr/local/etc/snort/gen-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/gen-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/classification.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config");
+ exec("/bin/cp /usr/local/etc/snort/reference.config /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config");
+ exec("/bin/cp /usr/local/etc/snort/sid-msg.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/sid-msg.map");
+ exec("/bin/cp /usr/local/etc/snort/unicode.map /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/unicode.map");
+ exec("/bin/cp /usr/local/etc/snort/threshold.conf /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/threshold.conf");
+ exec("/usr/bin/touch /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/barnyard2.conf");
+
+ if (!is_dir("/usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules"))
+ exec("/bin/mkdir -p /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules");
+
+ /* define basic log filename */
+ $snortunifiedlogbasic_type = "";
+ if ($snortcfg['snortunifiedlogbasic'] == "on")
+ $snortunifiedlogbasic_type = "output unified: filename snort.u1, limit 128";
+
+ /*
+ *
+ * define cvs log filename
+ * this should be the default instead of alert_full it is much easier to parse
+ *
+ */
+ $snortalertcvs_type = "";
+ if ($snortcfg['snortalertcvs'] == "on")
+ $snortalertcvs_type = "output alert_csv: /var/log/snort/{$snort_uuid}_{$if_real}/alert.csv default 128";
+
+ /* define snortalertlogtype */
+ if ($config['installedpackages']['snortglobal']['snortalertlogtype'] == "fast")
+ $snortalertlogtype_type = "output alert_fast: alert";
+ else
+ $snortalertlogtype_type = "output alert_full: alert";
+
+ /* define alertsystemlog */
+ $alertsystemlog_type = "";
+ if ($snortcfg['alertsystemlog'] == "on")
+ $alertsystemlog_type = "output alert_syslog: log_alert";
+
+ /* define tcpdumplog */
+ $tcpdumplog_type = "";
+ if ($snortcfg['tcpdumplog'] == "on")
+ $tcpdumplog_type = "output log_tcpdump: snort.tcpdump";
+
+ /* define snortunifiedlog */
+ $snortunifiedlog_type = "";
+ if ($snortcfg['snortunifiedlog'] == "on")
+ $snortunifiedlog_type = "output unified2: filename snort.u2, limit 128";
+
+ /* define spoink */
+ $spoink_type = "";
+ if ($snortcfg['blockoffenders7'] == "on") {
+ if ($snortcfg['whitelistname'] == "default")
+ $spoink_whitelist_name = 'defaultwlist';
+ else if (file_exists("/usr/local/etc/snort/whitelist/{$snortcfg['whitelistname']}"))
+ $spoink_whitelist_name = $snortcfg['whitelistname'];
+
+ $pfkill = "";
+ if ($snortcfg['blockoffenderskill'] == "on")
+ $pfkill = "kill";
+
+ $spoink_type = "output alert_pf: /usr/local/etc/snort/whitelist/{$spoink_whitelist_name},snort2c,{$snortcfg['blockoffendersip']},{$pfkill}";
+ }
+
+ /* define threshold file */
+ $threshold_file_name = "";
+ if ($snortcfg['suppresslistname'] != 'default') {
+ if (file_exists("/usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}"))
+ $threshold_file_name = "include /usr/local/etc/snort/suppress/{$snortcfg['suppresslistname']}";
+ }
+
+ /* define servers and ports snortdefservers */
+ /* def DNS_SERVSERS */
+ $def_dns_servers_info_chk = $snortcfg['def_dns_servers'];
+ if ($def_dns_servers_info_chk == "")
+ $def_dns_servers_type = "\$HOME_NET";
+ else
+ $def_dns_servers_type = "$def_dns_servers_info_chk";
+
+ /* def DNS_PORTS */
+ $def_dns_ports_info_chk = $snortcfg['def_dns_ports'];
+ if ($def_dns_ports_info_chk == "")
+ $def_dns_ports_type = "53";
+ else
+ $def_dns_ports_type = "$def_dns_ports_info_chk";
+
+ /* def SMTP_SERVSERS */
+ $def_smtp_servers_info_chk = $snortcfg['def_smtp_servers'];
+ if ($def_smtp_servers_info_chk == "")
+ $def_smtp_servers_type = "\$HOME_NET";
+ else
+ $def_smtp_servers_type = "$def_smtp_servers_info_chk";
+
+ /* def SMTP_PORTS */
+ $def_smtp_ports_info_chk = $snortcfg['def_smtp_ports'];
+ if ($def_smtp_ports_info_chk == "")
+ $def_smtp_ports_type = "25";
+ else
+ $def_smtp_ports_type = "$def_smtp_ports_info_chk";
+
+ /* def MAIL_PORTS */
+ $def_mail_ports_info_chk = $snortcfg['def_mail_ports'];
+ if ($def_mail_ports_info_chk == "")
+ $def_mail_ports_type = "25,143,465,691";
+ else
+ $def_mail_ports_type = "$def_mail_ports_info_chk";
+
+ /* def HTTP_SERVSERS */
+ $def_http_servers_info_chk = $snortcfg['def_http_servers'];
+ if ($def_http_servers_info_chk == "")
+ $def_http_servers_type = "\$HOME_NET";
+ else
+ $def_http_servers_type = "$def_http_servers_info_chk";
+
+ /* def WWW_SERVSERS */
+ $def_www_servers_info_chk = $snortcfg['def_www_servers'];
+ if ($def_www_servers_info_chk == "")
+ $def_www_servers_type = "\$HOME_NET";
+ else
+ $def_www_servers_type = "$def_www_servers_info_chk";
+
+ /* def HTTP_PORTS */
+ $def_http_ports_info_chk = $snortcfg['def_http_ports'];
+ if ($def_http_ports_info_chk == "")
+ $def_http_ports_type = "80";
+ else
+ $def_http_ports_type = "$def_http_ports_info_chk";
+
+ /* def SQL_SERVSERS */
+ $def_sql_servers_info_chk = $snortcfg['def_sql_servers'];
+ if ($def_sql_servers_info_chk == "")
+ $def_sql_servers_type = "\$HOME_NET";
+ else
+ $def_sql_servers_type = "$def_sql_servers_info_chk";
+
+ /* def ORACLE_PORTS */
+ $def_oracle_ports_info_chk = $snortcfg['def_oracle_ports'];
+ if ($def_oracle_ports_info_chk == "")
+ $def_oracle_ports_type = "1521";
+ else
+ $def_oracle_ports_type = "$def_oracle_ports_info_chk";
+
+ /* def MSSQL_PORTS */
+ $def_mssql_ports_info_chk = $snortcfg['def_mssql_ports'];
+ if ($def_mssql_ports_info_chk == "")
+ $def_mssql_ports_type = "1433";
+ else
+ $def_mssql_ports_type = "$def_mssql_ports_info_chk";
+
+ /* def TELNET_SERVSERS */
+ $def_telnet_servers_info_chk = $snortcfg['def_telnet_servers'];
+ if ($def_telnet_servers_info_chk == "")
+ $def_telnet_servers_type = "\$HOME_NET";
+ else
+ $def_telnet_servers_type = "$def_telnet_servers_info_chk";
+
+ /* def TELNET_PORTS */
+ $def_telnet_ports_info_chk = $snortcfg['def_telnet_ports'];
+ if ($def_telnet_ports_info_chk == "")
+ $def_telnet_ports_type = "23";
+ else
+ $def_telnet_ports_type = "$def_telnet_ports_info_chk";
+
+ /* def SNMP_SERVSERS */
+ $def_snmp_servers_info_chk = $snortcfg['def_snmp_servers'];
+ if ($def_snmp_servers_info_chk == "")
+ $def_snmp_servers_type = "\$HOME_NET";
+ else
+ $def_snmp_servers_type = "$def_snmp_servers_info_chk";
+
+ /* def SNMP_PORTS */
+ $def_snmp_ports_info_chk = $snortcfg['def_snmp_ports'];
+ if ($def_snmp_ports_info_chk == "")
+ $def_snmp_ports_type = "161";
+ else
+ $def_snmp_ports_type = "$def_snmp_ports_info_chk";
+
+ /* def FTP_SERVSERS */
+ $def_ftp_servers_info_chk = $snortcfg['def_ftp_servers'];
+ if ($def_ftp_servers_info_chk == "")
+ $def_ftp_servers_type = "\$HOME_NET";
+ else
+ $def_ftp_servers_type = "$def_ftp_servers_info_chk";
+
+ /* def FTP_PORTS */
+ $def_ftp_ports_info_chk = $snortcfg['def_ftp_ports'];
+ if ($def_ftp_ports_info_chk == "")
+ $def_ftp_ports_type = "21";
+ else
+ $def_ftp_ports_type = "$def_ftp_ports_info_chk";
+
+ /* def SSH_SERVSERS */
+ $def_ssh_servers_info_chk = $snortcfg['def_ssh_servers'];
+ if ($def_ssh_servers_info_chk == "")
+ $def_ssh_servers_type = "\$HOME_NET";
+ else
+ $def_ssh_servers_type = "$def_ssh_servers_info_chk";
+
+ /* if user has defined a custom ssh port, use it */
+ if(isset($config['system']['ssh']['port']))
+ $ssh_port = $config['system']['ssh']['port'];
+ else
+ $ssh_port = "22";
+
+ /* def SSH_PORTS */
+ $def_ssh_ports_info_chk = $snortcfg['def_ssh_ports'];
+ if ($def_ssh_ports_info_chk == "")
+ $def_ssh_ports_type = "{$ssh_port}";
+ else
+ $def_ssh_ports_type = "$def_ssh_ports_info_chk";
+
+ /* def POP_SERVSERS */
+ $def_pop_servers_info_chk = $snortcfg['def_pop_servers'];
+ if ($def_pop_servers_info_chk == "")
+ $def_pop_servers_type = "\$HOME_NET";
+ else
+ $def_pop_servers_type = "$def_pop_servers_info_chk";
+
+ /* def POP2_PORTS */
+ $def_pop2_ports_info_chk = $snortcfg['def_pop2_ports'];
+ if ($def_pop2_ports_info_chk == "")
+ $def_pop2_ports_type = "109";
+ else
+ $def_pop2_ports_type = "$def_pop2_ports_info_chk";
+
+ /* def POP3_PORTS */
+ $def_pop3_ports_info_chk = $snortcfg['def_pop3_ports'];
+ if ($def_pop3_ports_info_chk == "")
+ $def_pop3_ports_type = "110";
+ else
+ $def_pop3_ports_type = "$def_pop3_ports_info_chk";
+
+ /* def IMAP_SERVSERS */
+ $def_imap_servers_info_chk = $snortcfg['def_imap_servers'];
+ if ($def_imap_servers_info_chk == "")
+ $def_imap_servers_type = "\$HOME_NET";
+ else
+ $def_imap_servers_type = "$def_imap_servers_info_chk";
+
+ /* def IMAP_PORTS */
+ $def_imap_ports_info_chk = $snortcfg['def_imap_ports'];
+ if ($def_imap_ports_info_chk == "")
+ $def_imap_ports_type = "143";
+ else
+ $def_imap_ports_type = "$def_imap_ports_info_chk";
+
+ /* def SIP_PROXY_IP */
+ $def_sip_proxy_ip_info_chk = $snortcfg['def_sip_proxy_ip'];
+ if ($def_sip_proxy_ip_info_chk == "")
+ $def_sip_proxy_ip_type = "\$HOME_NET";
+ else
+ $def_sip_proxy_ip_type = "$def_sip_proxy_ip_info_chk";
+
+ /* def SIP_PROXY_PORTS */
+ $def_sip_proxy_ports_info_chk = $snortcfg['def_sip_proxy_ports'];
+ if ($def_sip_proxy_ports_info_chk == "")
+ $def_sip_proxy_ports_type = "5060:5090,16384:32768";
+ else
+ $def_sip_proxy_ports_type = "$def_sip_proxy_ports_info_chk";
+
+ /* def SIP_SERVERS */
+ $def_sip_servers_info_chk = $snortcfg['def_sip_servers'];
+ if ($def_sip_servers_info_chk == "")
+ $def_sip_servers_type = "\$HOME_NET";
+ else
+ $def_sip_servers_type = "$def_sip_servers_info_chk";
+
+ /* def SIP_PORTS */
+ $def_sip_ports_info_chk = $snortcfg['def_sip_ports'];
+ if ($def_sip_ports_info_chk == "")
+ $def_sip_ports_type = "5060:5090,16384:32768";
+ else
+ $def_sip_ports_type = "$def_sip_ports_info_chk";
+
+ /* def AUTH_PORTS */
+ $def_auth_ports_info_chk = $snortcfg['def_auth_ports'];
+ if ($def_auth_ports_info_chk == "")
+ $def_auth_ports_type = "113";
+ else
+ $def_auth_ports_type = "$def_auth_ports_info_chk";
+
+ /* def FINGER_PORTS */
+ $def_finger_ports_info_chk = $snortcfg['def_finger_ports'];
+ if ($def_finger_ports_info_chk == "")
+ $def_finger_ports_type = "79";
+ else
+ $def_finger_ports_type = "$def_finger_ports_info_chk";
+
+ /* def IRC_PORTS */
+ $def_irc_ports_info_chk = $snortcfg['def_irc_ports'];
+ if ($def_irc_ports_info_chk == "")
+ $def_irc_ports_type = "6665,6666,6667,6668,6669,7000";
+ else
+ $def_irc_ports_type = "$def_irc_ports_info_chk";
+
+ /* def NNTP_PORTS */
+ $def_nntp_ports_info_chk = $snortcfg['def_nntp_ports'];
+ if ($def_nntp_ports_info_chk == "")
+ $def_nntp_ports_type = "119";
+ else
+ $def_nntp_ports_type = "$def_nntp_ports_info_chk";
+
+ /* def RLOGIN_PORTS */
+ $def_rlogin_ports_info_chk = $snortcfg['def_rlogin_ports'];
+ if ($def_rlogin_ports_info_chk == "")
+ $def_rlogin_ports_type = "513";
+ else
+ $def_rlogin_ports_type = "$def_rlogin_ports_info_chk";
+
+ /* def RSH_PORTS */
+ $def_rsh_ports_info_chk = $snortcfg['def_rsh_ports'];
+ if ($def_rsh_ports_info_chk == "")
+ $def_rsh_ports_type = "514";
+ else
+ $def_rsh_ports_type = "$def_rsh_ports_info_chk";
+
+ /* def SSL_PORTS */
+ $def_ssl_ports_info_chk = $snortcfg['def_ssl_ports'];
+ if ($def_ssl_ports_info_chk == "")
+ $def_ssl_ports_type = "443,465,563,636,989,990,992,993,994,995";
+ else
+ $def_ssl_ports_type = "$def_ssl_ports_info_chk";
+
+ /* if user is on pppoe, we really want to use ng0 interface */
+ if ($snort_pfsense_basever == 'yes' && $snort_ext_int == "wan")
+ $snort_ext_int = get_real_wan_interface();
+
+ /* set the snort performance model */
+ if($snortcfg['performance'])
+ $snort_performance = $snortcfg['performance'];
+ else
+ $snort_performance = "ac-bnfa";
+
+
+ /* generate rule sections to load */
+ $selected_rules_sections = "";
+ if (!empty($snortcfg['rulesets'])) {
+ $enabled_rulesets_array = explode('||', $snortcfg['rulesets']);
+ foreach($enabled_rulesets_array as $enabled_item)
+ $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
+ }
+
+ /* preprocessor code */
+
+ /* def perform_stat */
+ $snort_perform_stat = <<<EOD
+
+##########################
+ #
+# NEW #
+# Performance Statistics #
+ #
+##########################
+
+preprocessor perfmonitor: time 300 file /var/log/snort/{$snort_uuid}_{$if_real}/snort.stats pktcnt 10000
+
+EOD;
+
+ $def_perform_stat_info_chk = $snortcfg['perform_stat'];
+ if ($def_perform_stat_info_chk == "on")
+ $def_perform_stat_type = "$snort_perform_stat";
+ else
+ $def_perform_stat_type = "";
+
+ $def_flow_depth_info_chk = $snortcfg['flow_depth'];
+ if (empty($def_flow_depth_info_chk))
+ $def_flow_depth_type = '0';
+ else
+ $def_flow_depth_type = $snortcfg['flow_depth'];
+
+ /* def http_inspect */
+ $snort_http_inspect = <<<EOD
+
+#################
+ #
+# HTTP Inspect #
+ #
+#################
+
+preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
+
+# TODO: pfsense GUI needed for ports
+preprocessor http_inspect_server: server default \
+ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
+ ports { 80 8080 } \
+ non_strict \
+ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
+ flow_depth {$def_flow_depth_type} \
+ apache_whitespace no \
+ directory no \
+ iis_backslash no \
+ u_encode yes \
+ extended_response_inspection \
+ inspect_gzip \
+ normalize_utf \
+ unlimited_decompress \
+ ascii no \
+ chunk_length 500000 \
+ bare_byte yes \
+ double_decode yes \
+ iis_unicode no \
+ iis_delimiter no \
+ multi_slash no \
+ server_flow_depth 0 \
+ client_flow_depth 0 \
+ post_depth 65495 \
+ oversize_dir_length 500 \
+ max_header_length 750 \
+ max_headers 100 \
+ max_spaces 0 \
+ small_chunk_length { 10 5 } \
+ enable_cookie \
+ normalize_javascript \
+ utf_8 no \
+ webroot no
+
+EOD;
+
+ $def_http_inspect_info_chk = $snortcfg['http_inspect'];
+ if ($def_http_inspect_info_chk == "on")
+ $def_http_inspect_type = "$snort_http_inspect";
+ else
+ $def_http_inspect_type = "";
+
+ /* def other_preprocs */
+ $snort_other_preprocs = <<<EOD
+
+##################
+ #
+# Other preprocs #
+ #
+##################
+
+preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
+preprocessor bo
+
+EOD;
+
+ $def_other_preprocs_info_chk = $snortcfg['other_preprocs'];
+ if ($def_other_preprocs_info_chk == "on")
+ $def_other_preprocs_type = "$snort_other_preprocs";
+ else
+ $def_other_preprocs_type = "";
+
+ /* def ftp_preprocessor */
+ $snort_ftp_preprocessor = <<<EOD
+
+#####################
+ #
+# ftp preprocessor #
+ #
+#####################
+
+preprocessor ftp_telnet: global \
+ inspection_type stateful \
+ encrypted_traffic no
+
+preprocessor ftp_telnet_protocol: telnet \
+ normalize \
+ ayt_attack_thresh 200 \
+ detect_anomalies
+
+preprocessor ftp_telnet_protocol: \
+ ftp server default \
+ def_max_param_len 100 \
+ # TODO add pfsense GUI
+ ports { 21 } \
+ telnet_cmds yes \
+ ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
+ ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
+ ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
+ ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
+ ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
+ ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
+ ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
+ ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
+ ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
+ ftp_cmds { XSEN XSHA1 XSHA256 } \
+ alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
+ alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
+ alt_max_param_len 256 { CWD RNTO } \
+ alt_max_param_len 400 { PORT } \
+ alt_max_param_len 512 { SIZE } \
+ chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
+ chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
+ chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
+ chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
+ chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
+ chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
+ chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
+ chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
+ cmd_validity ALLO < int [ char R int ] > \
+ cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
+ cmd_validity MACB < string > \
+ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+ cmd_validity MODE < char ASBCZ > \
+ cmd_validity PORT < host_port > \
+ cmd_validity PROT < char CSEP > \
+ cmd_validity STRU < char FRPO [ string ] > \
+ cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
+
+preprocessor ftp_telnet_protocol: ftp client default \
+ max_resp_len 256 \
+ bounce yes \
+ telnet_cmds yes
+
+EOD;
+
+ $def_ftp_preprocessor_info_chk = $snortcfg['ftp_preprocessor'];
+ if ($def_ftp_preprocessor_info_chk == "on")
+ $def_ftp_preprocessor_type = "$snort_ftp_preprocessor";
+ else
+ $def_ftp_preprocessor_type = "";
+
+ /* def smtp_preprocessor */
+ $snort_smtp_preprocessor = <<<EOD
+
+#####################
+ #
+# SMTP preprocessor #
+ #
+#####################
+
+# TODO add pfsense GUI
+preprocessor SMTP: ports { 25 465 691 } \
+ inspection_type stateful \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0 \
+ log_mailfrom \
+ log_rcptto \
+ log_filename \
+ log_email_hdrs \
+ normalize cmds \
+ normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
+ normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+ normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+ normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ max_command_line_len 512 \
+ max_header_line_len 1000 \
+ max_response_line_len 512 \
+ alt_max_command_line_len 260 { MAIL } \
+ alt_max_command_line_len 300 { RCPT } \
+ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
+ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
+ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
+ valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
+ valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
+ valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
+ xlink2state { enabled }
+
+EOD;
+
+ $def_smtp_preprocessor_info_chk = $snortcfg['smtp_preprocessor'];
+ if ($def_smtp_preprocessor_info_chk == "on")
+ $def_smtp_preprocessor_type = "$snort_smtp_preprocessor";
+ else
+ $def_smtp_preprocessor_type = "";
+
+ /* def sf_portscan */
+ $snort_sf_portscan = <<<EOD
+
+################
+ #
+# sf Portscan #
+ #
+################
+
+preprocessor sfportscan: scan_type { all } \
+ proto { all } \
+ memcap { 10000000 } \
+ sense_level { medium } \
+ ignore_scanners { \$HOME_NET }
+
+EOD;
+
+ $def_sf_portscan_info_chk = $snortcfg['sf_portscan'];
+ if ($def_sf_portscan_info_chk == "on")
+ $def_sf_portscan_type = "$snort_sf_portscan";
+ else
+ $def_sf_portscan_type = "";
+
+ /* def dce_rpc_2 */
+ $snort_dce_rpc_2 = <<<EOD
+
+###############
+ #
+# NEW #
+# DCE/RPC 2 #
+ #
+###############
+
+preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
+preprocessor dcerpc2_server: default, policy WinXP, \
+ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
+ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
+ smb_max_chain 3, \
+ smb_invalid_shares ["C$", "D$", "ADMIN$"]
+
+EOD;
+
+ $def_dce_rpc_2_info_chk = $snortcfg['dce_rpc_2'];
+ if ($def_dce_rpc_2_info_chk == "on")
+ $def_dce_rpc_2_type = "$snort_dce_rpc_2";
+ else
+ $def_dce_rpc_2_type = "";
+
+ /* def dns_preprocessor */
+ $snort_dns_preprocessor = <<<EOD
+
+####################
+ #
+# DNS preprocessor #
+ #
+####################
+
+# TODO add pfsense GUI
+preprocessor dns: \
+ ports { 53 } \
+ enable_rdata_overflow
+
+EOD;
+
+ $def_dns_preprocessor_info_chk = $snortcfg['dns_preprocessor'];
+ if ($def_dns_preprocessor_info_chk == "on")
+ $def_dns_preprocessor_type = "$snort_dns_preprocessor";
+ else
+ $def_dns_preprocessor_type = "";
+
+ /* def SSL_PORTS IGNORE */
+ $def_ssl_ports_ignore_info_chk = $snortcfg['def_ssl_ports_ignore'];
+ if ($def_ssl_ports_ignore_info_chk == "")
+ $def_ssl_ports_ignore_type = "443 465 563 636 989 990 992 993 994 995";
+ else
+ $def_ssl_ports_ignore_type = "$def_ssl_ports_ignore_info_chk";
+
+ /* stream5 queued settings */
+
+
+ $def_max_queued_bytes_info_chk = $snortcfg['max_queued_bytes'];
+ if ($def_max_queued_bytes_info_chk == '')
+ $def_max_queued_bytes_type = '';
+ else
+ $def_max_queued_bytes_type = ' max_queued_bytes ' . $snortcfg['max_queued_bytes'] . ',';
+
+ $def_max_queued_segs_info_chk = $snortcfg['max_queued_segs'];
+ if ($def_max_queued_segs_info_chk == '')
+ $def_max_queued_segs_type = '';
+ else
+ $def_max_queued_segs_type = ' max_queued_segs ' . $snortcfg['max_queued_segs'] . ',';
+
+ /* build snort configuration file */
+ $snort_conf_text = <<<EOD
+
+##############################################################################
+# #
+# snort configuration file generated by the pfSense package manager system #
+# see /usr/local/pkg/snort.inc #
+# for snort ver. 2.9.2.3 #
+# more information Snort can be found at http://www.snort.org/ #
+# #
+##############################################################################
+
+#########################
+ #
+# Define Local Network #
+ #
+#########################
+
+ipvar HOME_NET [{$home_net}]
+ipvar EXTERNAL_NET [{$external_net}]
+
+###################
+ #
+# Define Servers #
+ #
+###################
+
+ipvar DNS_SERVERS [{$def_dns_servers_type}]
+ipvar SMTP_SERVERS [{$def_smtp_servers_type}]
+ipvar HTTP_SERVERS [{$def_http_servers_type}]
+ipvar SQL_SERVERS [{$def_sql_servers_type}]
+ipvar TELNET_SERVERS [{$def_telnet_servers_type}]
+ipvar FTP_SERVERS [{$def_ftp_servers_type}]
+ipvar SSH_SERVERS [{$def_ssh_servers_type}]
+ipvar SIP_PROXY_IP [{$def_sip_proxy_ip_type}]
+ipvar SIP_SERVERS [{$def_sip_servers_type}]
+ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
+# def below may have been removed
+ipvar POP_SERVERS [{$def_pop_servers_type}]
+ipvar IMAP_SERVERS [{$def_imap_servers_type}]
+ipvar RPC_SERVERS [\$HOME_NET]
+ipvar WWW_SERVERS [{$def_www_servers_type}]
+ipvar SNMP_SERVERS [{$def_snmp_servers_type}]
+
+
+########################
+ #
+# Define Server Ports #
+ #
+########################
+
+portvar HTTP_PORTS [{$def_http_ports_type}]
+portvar SHELLCODE_PORTS !80
+portvar ORACLE_PORTS [{$def_oracle_ports_type}]
+portvar FTP_PORTS [{$def_ftp_ports_type}]
+portvar SSH_PORTS [{$def_ssh_ports_type}]
+portvar SIP_PORTS [{$def_sip_ports_type}]
+### Below ports need new gui ###
+portvar FILE_DATA_PORTS [\$HTTP_PORTS,110,143]
+portvar GTP_PORTS [2123,2152,3386]
+portvar MODBUS_PORTS [502]
+portvar DNP3_PORTS [20000]
+# These ports may have been removed left here so no custom rules break
+portvar AUTH_PORTS [{$def_auth_ports_type}]
+portvar DNS_PORTS [{$def_dns_ports_type}]
+portvar FINGER_PORTS [{$def_finger_ports_type}]
+portvar IMAP_PORTS [{$def_imap_ports_type}]
+portvar IRC_PORTS [{$def_irc_ports_type}]
+portvar MSSQL_PORTS [{$def_mssql_ports_type}]
+portvar NNTP_PORTS [{$def_nntp_ports_type}]
+portvar POP2_PORTS [{$def_pop2_ports_type}]
+portvar POP3_PORTS [{$def_pop3_ports_type}]
+portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
+portvar RLOGIN_PORTS [{$def_rlogin_ports_type}]
+portvar RSH_PORTS [{$def_rsh_ports_type}]
+portvar SMB_PORTS [139,445]
+portvar SMTP_PORTS [{$def_smtp_ports_type}]
+portvar SNMP_PORTS [{$def_snmp_ports_type}]
+portvar TELNET_PORTS [{$def_telnet_ports_type}]
+portvar MAIL_PORTS [{$def_mail_ports_type}]
+portvar SSL_PORTS [{$def_sip_proxy_ports_type}]
+portvar SIP_PROXY_PORTS [{$def_sip_ports_type}]
+
+# These ports may have been removed left here so no custom rules break
+# DCERPC NCACN-IP-TCP
+portvar DCERPC_NCACN_IP_TCP [139,445]
+portvar DCERPC_NCADG_IP_UDP [138,1024:]
+portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
+portvar DCERPC_NCACN_UDP_LONG [135,1024:]
+portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
+portvar DCERPC_NCACN_TCP [2103,2105,2107]
+portvar DCERPC_BRIGHTSTORE [6503,6504]
+
+
+#####################
+ #
+# Define Rule Paths #
+ #
+#####################
+
+var RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/rules
+var PREPROC_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/preproc_rules
+var SO_RULE_PATH /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/so_rules
+
+#############################################################
+# #
+# reputation preprocessor, ALWAYS USE FULL PATHS, BUG 89986 #
+# #
+#############################################################
+
+#var WHITE_LIST_PATH ../rules
+#var BLACK_LIST_PATH ../rules
+
+################################
+ #
+# Configure the snort decoder #
+ #
+################################
+
+config checksum_mode: all
+config disable_decode_alerts
+config disable_tcpopt_experimental_alerts
+config disable_tcpopt_obsolete_alerts
+config disable_ttcp_alerts
+config disable_tcpopt_alerts
+config disable_tcpopt_ttcp_alerts
+config disable_ipopt_alerts
+config disable_decode_drops
+
+################ The following is for inline mode tunning ################
+
+# config enable_decode_oversized_alerts
+# config enable_decode_oversized_drops
+# config flowbits_size: 64
+
+#### make sure I enable gui for this ##########
+# config ignore_ports: tcp 21 6667:6671 1356 #
+# config ignore_ports: udp 1:17 53 #
+###############################################
+
+# Configure active response for non inline
+# config response: eth0 attempts 2
+
+# Configure DAQ related options for inline mode
+#
+# config daq: <type>
+# config daq_dir: <dir>
+# config daq_mode: <mode>
+# config daq_var: <var>
+#
+# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
+# <mode> ::= read-file | passive | inline
+# <var> ::= arbitrary <name>=<value passed to DAQ
+# <dir> ::= path as to where to look for DAQ module so's
+
+## gui needed for pfsense ##
+# config daq: afpacket
+
+#############################################################
+
+########################################
+# Configure specific UID and GID
+# to run snort as after dropping privs
+#
+# config set_gid:
+# config set_uid:
+########################################
+
+########################################
+#
+# Configure default snaplen. Snort
+# defaults to MTU of in use interface
+#
+# config snaplen:
+#
+# TODO: gui needed for pfsense
+#
+########################################
+
+################################################################
+#
+# Configure default bpf_file to use for filtering what traffic
+# reaches snort. options (-F)
+#
+# config bpf_file:
+#
+# TODO: gui needed for pfsense
+#
+###############################################################
+
+#####################################################################
+#
+# Configure default log directory for snort to log to. options (-l)
+#
+# config logdir:
+#
+#####################################################################
+
+###################################
+ #
+# Configure the detection engine #
+# Use lower memory models #
+ #
+###################################
+
+# TODO: gui needed for pfsense
+# Configure PCRE match limitations
+config pcre_match_limit: 3500
+config pcre_match_limit_recursion: 1500
+
+#############################################################################
+# #
+# Configure the detection engine #
+# Use lower memory models for pfsense #
+# #
+# #
+# Notes #
+# #
+# ac, ac-q, ac-bnfa, ac-bnfa-q, lowmem, lowmem-q #
+# ac-split shorthand for search-method ac, split-any-any, intel-cpm,ac-nq, #
+# ac-bnfa-nq This is the default search method if none is specified. #
+# lowmem-nq, ac-std, acs, ac-banded, ac-sparsebands #
+# #
+#############################################################################
+
+config detection: search-method {$snort_performance} search-optimize max-pattern-len 20
+config event_queue: max_queue 8 log 3 order_events content_length
+
+###################################################
+# Configure GTP if it is to be used
+####################################################
+
+# TODO: gui needed for pfsense
+# config enable_gtp
+
+###################################################
+# Per packet and rule latency enforcement, README.ppm
+###################################################
+
+# Per Packet latency configuration
+#config ppm: max-pkt-time 250, \
+# fastpath-expensive-packets, \
+# pkt-log
+
+# Per Rule latency configuration
+#config ppm: max-rule-time 200, \
+# threshold 3, \
+# suspend-expensive-rules, \
+# suspend-timeout 20, \
+# rule-log alert
+
+###################################################
+# Configure Perf Profiling for debugging, README.PerfProfiling
+###################################################
+
+#config profile_rules: print all, sort avg_ticks
+#config profile_preprocs: print all, sort avg_ticks
+
+###################################################
+# Configure protocol aware flushing. README.stream5
+###################################################
+config paf_max: 16000
+
+##################################################
+# Configure dynamic loaded libraries
+##################################################
+
+dynamicpreprocessor directory /usr/local/lib/snort/dynamicpreprocessor
+dynamicengine /usr/local/lib/snort/dynamicengine/libsf_engine.so
+dynamicdetection directory /usr/local/lib/snort/dynamicrules
+
+###################
+ #
+# Flow and stream #
+ #
+###################
+
+# TODO: gui needed for pfsense
+# GTP Control Channle Preprocessor, README.GTP
+# preprocessor gtp: ports { 2123 3386 2152 }
+
+####################################################
+# Inline packet normalization, README.normalize
+# Does nothing in IDS mode
+#
+# preprocessor normalize_ip4
+# preprocessor normalize_tcp: ips ecn stream
+# preprocessor normalize_icmp4
+# preprocessor normalize_ip6
+# preprocessor normalize_icmp6
+####################################################
+
+# this tuning ,may need testing
+preprocessor frag3_global: max_frags 65536
+preprocessor frag3_engine: policy bsd detect_anomalies
+
+preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp yes, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5
+
+preprocessor stream5_tcp: policy BSD, ports both all, timeout 180, {$def_max_queued_bytes_type}{$def_max_queued_segs_type}
+preprocessor stream5_udp: timeout 180
+preprocessor stream5_icmp:
+
+ {$def_perform_stat_type}
+
+ {$def_http_inspect_type}
+
+ {$def_other_preprocs_type}
+
+ {$def_ftp_preprocessor_type}
+
+ {$def_smtp_preprocessor_type}
+
+ {$def_sf_portscan_type}
+
+########################
+ #
+# ARP spoof detection. #
+ #
+########################
+
+# preprocessor arpspoof
+# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
+
+##########################
+ #
+# SSH anomaly detection #
+ #
+##########################
+
+preprocessor ssh: server_ports { 22 } \
+ autodetect \
+ max_client_bytes 19600 \
+ max_encrypted_packets 20 \
+ max_server_version_len 100 \
+ enable_respoverflow enable_ssh1crc32 \
+ enable_srvoverflow enable_protomismatch
+
+
+ {$def_dce_rpc_2_type}
+
+ {$def_dns_preprocessor_type}
+
+##############################
+ #
+# NEW #
+# Ignore SSL and Encryption #
+ #
+##############################
+
+preprocessor ssl: ports { {$def_ssl_ports_ignore_type} }, trustservers, noinspect_encrypted
+
+
+###########################################################
+ #
+# SDF sensitive data preprocessor, README.sensitive_data #
+ #
+###########################################################
+
+# TODO: add pfsense GUI
+preprocessor sensitive_data: alert_threshold 20
+
+#############################################################
+ #
+# SIP Session Initiation Protocol preprocessor, README.sip #
+ #
+#############################################################
+
+# TODO: add pfsense GUI
+preprocessor sip: max_sessions 40000, \
+ ports { 5060 5061 5600 }, \
+ methods { invite \
+ cancel \
+ ack \
+ bye \
+ register \
+ options \
+ refer \
+ subscribe \
+ update \
+ join \
+ info \
+ message \
+ notify \
+ benotify \
+ do \
+ qauth \
+ sprack \
+ publish \
+ service \
+ unsubscribe \
+ prack }, \
+ max_uri_len 512, \
+ max_call_id_len 80, \
+ max_requestName_len 20, \
+ max_from_len 256, \
+ max_to_len 256, \
+ max_via_len 1024, \
+ max_contact_len 512, \
+ max_content_len 2048
+
+##################################
+ #
+# IMAP preprocessor, README.imap #
+ #
+##################################
+
+# TODO: add pfsense GUI
+preprocessor imap: \
+ ports { 143 } \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
+
+##################################
+ #
+# POP preprocessor, README.pop #
+ #
+##################################
+
+# TODO: add pfsense GUI
+preprocessor pop: \
+ ports { 110 } \
+ b64_decode_depth 0 \
+ qp_decode_depth 0 \
+ bitenc_decode_depth 0 \
+ uu_decode_depth 0
+
+#######################################
+ #
+# Modbus preprocessor, README.modbus #
+# Used for SCADA #
+ #
+#######################################
+
+# TODO: add pfsense GUI
+preprocessor modbus: ports { 502 }
+
+
+###############################################
+ #
+# DNP3 preprocessor, EADME.dnp3 #
+ #
+###############################################
+
+# TODO: add pfsense GUI
+preprocessor dnp3: ports { 20000 } \
+ memcap 262144 \
+ check_crc
+
+###############################################
+ #
+# Reputation preprocessor, README.reputation #
+ #
+###############################################
+
+#preprocessor reputation: \
+# memcap 500, \
+# priority whitelist, \
+# nested_ip inner, \
+# whitelist \$WHITE_LIST_PATH/white_list.rules, \
+# blacklist \$BLACK_LIST_PATH/black_list.rules
+
+
+#####################
+ #
+# Snort Output Logs #
+ #
+#####################
+
+$snortalertlogtype_type
+$alertsystemlog_type
+$tcpdumplog_type
+$snortunifiedlogbasic_type
+$snortunifiedlog_type
+$snortalertcvs_type
+$spoink_type
+
+#################
+ #
+# Misc Includes #
+ #
+#################
+
+include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/reference.config
+include /usr/local/etc/snort/snort_{$snort_uuid}_{$if_real}/classification.config
+$threshold_file_name
+
+# Snort user pass through configuration
+{$snort_config_pass_thru}
+
+###################
+ #
+# Rules Selection #
+ #
+###################
+
+
+{$selected_rules_sections}
+
+
+EOD;
+
+ return $snort_conf_text;
+}
+
+/* hide progress bar */
+function hide_progress_bar_status() {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+
+ ob_flush();
+ if(!$console_mode)
+ echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='hidden';\n</script>";
+}
+
+/* unhide progress bar */
+function unhide_progress_bar_status() {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+
+ ob_flush();
+ if(!$console_mode)
+ echo "\n<script type=\"text/javascript\">document.progressbar.style.visibility='visible';\n</script>";
+}
+
+/* update both top and bottom text box during an operation */
+function update_all_status($status) {
+ global $snort_filename, $snort_filename_md5, $console_mode;
+
+ ob_flush();
+ if(!$console_mode) {
+ update_status($status);
+ update_output_window($status);
+ }
+}
+
+######## new
+
+// returns array that matches pattern, option to replace objects in matches
+function snortScanDirFilter($arrayList, $pattmatch, $pattreplace, $pattreplacewith)
+{
+ foreach ( $arrayList as $val )
+ {
+ if (preg_match($pattmatch, $val, $matches)) {
+ if ($pattreplace != '') {
+ $matches2 = preg_replace($pattreplace, $pattreplacewith, $matches[0]);
+ $filterDirList[] = $matches2;
+ }else{
+ $filterDirList[] = $matches[0];
+ }
+ }
+ }
+ return $filterDirList;
+}
+
+?>